A couple of problems


  • This topic is locked
24 replies to this topic

#1 gbartlett23

Posted 16 April 2010 - 09:46 AM

I have a few problems:

1. When I try to open a browser (usually Firefox) it almost opens and then closes and I get a warning from something like (Windows Security 2010 (the name changes)). Then another window pops up and appears to be doing a scan of my computer for malware. When this happens I noticed an "ave.exe" showing up in my task manager (processes). If I end the process then the pop-up windows close. Also, when this happens (when Firefox shuts down) I get a Security Center icon showing up in my task pane. When I end the process that icon goes away. I have scanned (in normal mode and safe mode) with SUPERAntiSpyware, Hitman Pro 3.5, and Malwarebytes. They tend to find an av or ave file. I remove it and reboot and all seems to be well. Then when I boot up the next day the problem starts all over again. Really frustrating and wasting TONS of time. When all of this happens I think the first thing it does is turn off my firewall.

2. When I search for something in google it seems to operate as usual and comes back with a list of pages. When I click on a link it doesn't take me to the page as shown, but rather some entirely random website. If I right click on the link and paste it into the address bar it goes where it is supposed to go (hence my finding this website).

3. My computer won't go into hibernation mode.

I went through the preparation guide and have attempted to comply as far as possible. However, when I ran GMER in normal mode (tried 5 times) my computer would run the program (sometimes for a short time, sometimes for up to 30 minutes or so) and then would appear to just shut down (black screen, no other noises coming from the computer). I finally ran GMER in safe mode, but don't know if that is useful or not (took over 4 hours to complete). I also ran HijackThis and will include that log just in case you want/need it.

Any assistance you can provide would be VERY appreciated. I am a doctoral student and am having a very difficult time working on my dissertation while all of this is going on. I am also paranoid about paying bills online right now with all of this going on.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoffrey D. Bartlett at 8:33:22.21 on Thu 04/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.183 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Pharos\Bin\PSNotify.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\MobiPocket.com\MobiPocket Reader\webcomp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Geoffrey D. Bartlett\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearch Page = hxxp://my.juno.com/s/search?r=minisearch
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\geoffr~1.bar\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\geoffr~1.bar\startm~1\programs\startup\mobipo~1.lnk - c:\program files\mobipocket.com\mobipocket reader\webcomp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pharos~1.lnk - c:\program files\pharos\bin\PSNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1225751239030&h=faab986115c93fd0e1a71cfa9cb91dd9/&filename=jinstall-6u10-windows-i586-jc.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoffr~1.bar\applic~1\mozilla\firefox\profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - plugin: c:\documents and settings\geoffrey d. bartlett\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\geoffrey d. bartlett\application data\mozilla\firefox\profiles\w24v0g30.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint_.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

=============== Created Last 30 ================

2010-04-15 15:16:13 20 ----a-w- c:\documents and settings\geoffrey d. bartlett\defogger_reenable
2010-04-15 14:49:58 0 d-----w- c:\program files\TrendMicro
2010-04-14 13:30:19 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-13 14:29:36 230 ----a-w- c:\windows\system32\.crusader
2010-04-12 22:34:03 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33:39 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52:04 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 19:49:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-04-12 19:38:04 112 ----a-w- c:\docume~1\alluse~1\applic~1\45vHau2.dat
2010-04-12 16:46:41 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51:20 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-08 23:51:04 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-04-08 22:37:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-04-08 22:37:53 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-04-08 22:37:51 0 d-----w- c:\program files\common files\PC Tools
2010-04-08 13:32:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Malwarebytes
2010-04-08 13:32:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 13:31:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 18:56:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Facebook
2010-03-30 11:27:25 0 d-----w- c:\windows\system32\%%DATA_DIR%%

==================== Find3M ====================

2010-04-13 20:01:01 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2006-06-28 18:19:36 251 -c--a-w- c:\program files\wt3d.ini
2009-02-05 17:15:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020520090206\index.dat

============= FINISH: 8:36:33.62 ===============
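Editor's note on the DDS log above: the process list and the Run keys point at "msnmsgr .exe" and "QTTask .exe" (with a space before the extension) instead of the expected msnmsgr.exe and QTTask.exe, and the ComboFix output later in this thread lists many more such names. The script below is an added example, not part of the original post or of DDS, ComboFix or any other tool mentioned here. It pulls drive-letter paths out of pasted log lines, flags basenames with whitespace before an executable extension, and pairs each padded name with a clean-named twin in the same directory; it can also walk a live directory tree. The extension list, the regexes and the sample lines (copied from this thread's logs) are assumptions made for the example.

```python
"""Find executables whose names carry whitespace before the extension.

Added example for this thread, not part of the original post or of any
tool it mentions. Input is either pasted DDS/ComboFix lines or a directory
tree. Extensions and sample lines are assumptions for the example.
"""
import os
import re
import tempfile

# Extensions to check; chosen for this example.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx"}

# Basename with one or more spaces/tabs directly before the extension.
_SPACED_EXT = re.compile(r"^(?P<stem>.+?)[ \t]+(?P<ext>\.[A-Za-z0-9]{1,4})$")

# Rough extractor for drive-letter paths in DDS/ComboFix output. Non-greedy,
# so it stops at the first executable extension on the line.
_WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|sys|ocx)\b', re.I)

# Constructed sample: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Mozilla Firefox\firefox.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask .exe
""".strip().splitlines()


def _basename(path):
    # Split on both separators so Windows paths parse on any host OS.
    return re.split(r"[\\/]", path.strip())[-1]


def normalized_name(basename):
    """Return stem+ext with the padding removed, or None if the name is not padded."""
    m = _SPACED_EXT.match(basename)
    if not m or m.group("ext").lower() not in EXECUTABLE_EXTS:
        return None
    return m.group("stem") + m.group("ext")


def paths_from_log(lines):
    """Pull drive-letter paths with an executable extension out of log lines."""
    found = []
    for line in lines:
        found.extend(_WIN_PATH.findall(line))
    return found


def find_padded_names(paths):
    """Return the paths whose basename has whitespace before the extension."""
    return [p for p in paths if normalized_name(_basename(p)) is not None]


def find_twins(paths):
    """Return (clean, padded) pairs that live in the same directory.

    A padded copy next to its clean-named twin is the strongest signal;
    the Run keys in the log above point at the padded names.
    """
    by_dir = {}
    for p in paths:
        p = p.strip()
        b = _basename(p)
        d = p[:len(p) - len(b)]
        by_dir.setdefault(d.lower(), {}).setdefault(b.lower(), p)
    twins = []
    for names in by_dir.values():
        for b, p in names.items():
            clean = normalized_name(b)
            if clean and clean.lower() in names:
                twins.append((names[clean.lower()], p))
    return sorted(twins)


def scan_tree(root):
    """Walk a directory tree and report padded names and twin pairs."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return {"padded": find_padded_names(paths), "twins": find_twins(paths)}


def demo():
    """Build a throwaway tree (constructed sample) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("QTTask.exe", "QTTask .exe", "good.exe"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"MZ")  # placeholder content, not a real binary
        return scan_tree(root)


if __name__ == "__main__":
    paths = paths_from_log(SAMPLE_LOG)
    for p in find_padded_names(paths):
        print("padded name:", p)
    for clean, padded in find_twins(paths):
        print("twin pair:", clean, "<->", padded)
    print("temp-tree scan:", demo())
```

On a live machine you would point scan_tree() at C:\Program Files and C:\WINDOWS\system32 rather than at the sample; a twin pair there tells you which clean-named file to submit for analysis and which Run key to inspect. A padded name alone is not proof of infection (the non-greedy path regex can also mis-split log lines that contain two paths), so treat the output as triage, not a verdict.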


#2 Blade81

  • Malware Response Team

Posted 20 April 2010 - 12:29 AM

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 gbartlett23

  • Topic Starter

Posted 20 April 2010 - 11:07 AM

Thank you for responding. The problems cropped up again this morning and I was forced to deal with it using SUPERAntiSpyware, Malwarebytes, and Hitman Pro. Then I was able to get on the internet and find your post. Interestingly, as soon as ComboFix was finished it opened WordPad and posted the log file, but did not reboot the machine (it did reboot when it first started running because of "rootkit" activity). Instead, the same problem occurred (false Security Center pop-ups and fake scans). I rebooted the computer after that. Here are the results:

Combo Fix Log:

ComboFix 10-04-19.07 - Geoffrey D. Bartlett 04/20/2010 8:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.606 [GMT -7:00]
Running from: c:\documents and settings\Geoffrey D. Bartlett\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Geoffrey D. Bartlett\Application Data\ezpinst.log
c:\documents and settings\Geoffrey D. Bartlett\Application Data\inst.exe
c:\documents and settings\Geoffrey D. Bartlett\Local Settings\Temporary Internet Files\PMH54.tmp
c:\recycler\S-1-5-21-3868997124-911790988-508925577-500
c:\windows\eSellerateEngine.dll
c:\windows\system32\26500.exe
c:\windows\system32\csftxctl.ocx
c:\windows\system32\TDispVol .exe
c:\windows\system32\Thumbs.db
c:\windows\system32\TPSMain .exe
c:\windows\system32\zlibwapi.dll

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 14:19 . 2010-04-20 14:19 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-20 12:59 . 2010-04-20 12:59 75264 ------w- c:\windows\system32\aeda.sys
2010-04-15 14:54 . 2010-04-15 14:55 -------- d-----w- c:\program files\Safari
2010-04-15 14:51 . 2010-04-15 14:51 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-15 14:49 . 2010-04-15 14:49 388096 ----a-r- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-15 14:49 . 2010-04-15 14:49 -------- d-----w- c:\program files\TrendMicro
2010-04-14 18:46 . 2010-04-14 18:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-12 22:34 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 16:46 . 2010-04-13 14:18 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51 . 2010-04-20 14:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51 . 2010-04-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-08 23:51 . 2010-04-13 14:31 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37 . 2010-04-08 22:37 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-08 22:30 . 2010-04-08 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 13:32 . 2010-04-08 13:32 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Malwarebytes
2010-04-08 13:32 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31 . 2010-04-08 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 13:31 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31 . 2010-04-13 14:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 20:08 . 2010-04-09 13:48 52224 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 18:56 . 2010-04-05 18:56 50354 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\uninstall.exe
2010-04-05 18:56 . 2010-04-05 18:56 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook
2010-03-30 11:27 . 2010-03-30 11:27 -------- d-----w- c:\windows\system32\%%DATA_DIR%%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 15:20 . 2001-08-17 13:57 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-04-20 15:09 . 2007-08-31 19:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-20 13:04 . 2009-04-17 14:21 117760 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-20 13:04 . 2009-02-06 00:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 15:12 . 2009-01-15 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 18:28 . 2006-02-25 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-15 14:48 . 2009-09-10 16:50 -------- d-----w- c:\program files\iTunes
2010-04-13 21:07 . 2006-02-16 16:59 77256 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 16:14 . 2006-02-16 10:39 -------- d-----w- c:\program files\Microsoft Works
2010-04-13 15:14 . 2009-04-21 00:28 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-13 15:14 . 2006-02-15 16:28 -------- d-----w- c:\program files\ltmoh
2010-04-13 14:33 . 2009-09-10 16:02 -------- d-----w- c:\program files\QuickTime
2010-04-13 00:10 . 2010-04-12 19:38 112 ----a-w- c:\documents and settings\All Users\Application Data\45vHau2.dat
2010-04-12 22:06 . 2006-06-14 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-12 19:35 . 2007-02-23 14:13 -------- d-----w- c:\program files\Windows Defender
2010-03-30 11:38 . 2009-11-16 13:25 79488 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-30 11:28 . 2007-12-19 18:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2006-02-15 14:04 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-06 18:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2006-02-15 14:03 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2006-02-15 14:03 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-15 14:01 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-15 14:04 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-06-28 18:19 . 2006-06-28 18:19 251 -c--a-w- c:\program files\wt3d.ini
2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
<pre>
c:\program files\Alcohol Soft\Alcohol 52\axcmd .exe
c:\program files\Citrix\ICA Client\concentr .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Google\Gmail Notifier\gnotify .exe
c:\program files\Hitman Pro 3.5\HitmanPro35[1] .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\ltmoh\Ltmoh .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\MySpace\IM\MySpaceIM .exe
c:\program files\QuickTime\QTTask       .exe
c:\program files\QuickTime\QTTask      .exe
c:\program files\QuickTime\QTTask     .exe
c:\program files\QuickTime\QTTask    .exe
c:\program files\QuickTime\QTTask   .exe
c:\program files\QuickTime\QTTask  .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Synaptics\SynTP\SynTPLpr .exe
c:\program files\Tech\MagicBall\2.3\LWBWHEEL .exe
c:\program files\TOSHIBA\TOSCDSPD\toscdspd .exe
c:\program files\TOSHIBA\TOSHIBA Applet\thotkey .exe
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
c:\program files\TOSHIBA\Tvs\TvsTray .exe
c:\program files\Windows Defender\MSASCui .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\ehome\ehtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-20 2010864]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-25 3176408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"TFncKy"="TFncKy.exe" [N/A]
"TDispVol"="TDispVol.exe" [N/A]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [N/A]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [N/A]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-17 2056275]
Pharos Notify.lnk - c:\program files\Pharos\Bin\PSNotify.exe [2007-10-9 405504]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-04-20 13:04 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Mobipocket Web Companion.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Mobipocket Web Companion.lnk
backup=c:\windows\pss\Mobipocket Web Companion.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Webshots.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 -c--a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
2006-04-19 16:30 728176 -c--a-w- c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2007-12-22 23:03 916240 ----a-w- c:\program files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-24 02:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 -c--a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Juno_uoltray]
2007-03-08 01:38 1629184 -c--a-w- c:\program files\Juno\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
c:\program files\MySpace\IM\MySpaceIM.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
2007-03-07 00:00 1629184 -c--a-w- c:\program files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
c:\program files\Picasa2\PicasaMediaDetector.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 20:03 36975 -c--a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\GospeLink 2001\\LP\\Bin\\LPLocal.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Pharos\\Bin\\PSNotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R1 aeda;aeda;c:\windows\system32\aeda.sys [4/20/2010 5:59 AM 75264]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 4:17 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [4/8/2010 3:37 PM 632792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/29/2007 7:05 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 IndiAvIn;TDK INDI AV-IN USB Device;c:\windows\system32\drivers\IndiAvIn.sys [7/15/2006 1:00 PM 86016]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 12872]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/12/2006 8:00 AM 716272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
FF - ProfilePath - c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HitmanPro35 - c:\program files\Hitman Pro 3.5\HitmanPro35[1].exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 08:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87279AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e2f28
\Driver\ACPI -> ACPI.sys @ 0xf7535cb8
\Driver\atapi -> atapi.sys @ 0xf74a9852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7342bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7331a0d
SendHandler -> NDIS.sys @ 0xf7345b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-20 08:46:04
ComboFix-quarantined-files.txt 2010-04-20 15:45

Pre-Run: 22,276,718,592 bytes free
Post-Run: 23,897,653,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 013E74D87AF5B01B2FC17F56C7603EF8


New DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoffrey D. Bartlett at 8:59:17.20 on Tue 04/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.353 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Pharos\Bin\PSNotify.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Geoffrey D. Bartlett\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pharos~1.lnk - c:\program files\pharos\bin\PSNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1225751239030&h=faab986115c93fd0e1a71cfa9cb91dd9/&filename=jinstall-6u10-windows-i586-jc.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoffr~1.bar\applic~1\mozilla\firefox\profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aeda;aeda;c:\windows\system32\aeda.sys [2010-4-20 75264]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-4-8 632792]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-29 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 IndiAvIn;TDK INDI AV-IN USB Device;c:\windows\system32\drivers\IndiAvIn.sys [2006-7-15 86016]

=============== Created Last 30 ================

2010-04-20 15:15:14 0 d-sha-r- C:\cmdcons
2010-04-20 15:13:10 98816 ----a-w- c:\windows\sed.exe
2010-04-20 15:13:10 77312 ----a-w- c:\windows\MBR.exe
2010-04-20 15:13:10 261632 ----a-w- c:\windows\PEV.exe
2010-04-20 15:13:10 161792 ----a-w- c:\windows\SWREG.exe
2010-04-20 14:19:41 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-20 12:59:52 75264 ------w- c:\windows\system32\aeda.sys
2010-04-15 15:16:13 20 ----a-w- c:\documents and settings\geoffrey d. bartlett\defogger_reenable
2010-04-15 14:49:58 0 d-----w- c:\program files\TrendMicro
2010-04-14 13:30:19 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-13 14:29:36 230 ----a-w- c:\windows\system32\.crusader
2010-04-12 22:34:03 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33:39 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52:04 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 19:49:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-04-12 19:38:04 112 ----a-w- c:\docume~1\alluse~1\applic~1\45vHau2.dat
2010-04-12 16:46:41 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51:20 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-08 23:51:04 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-04-08 22:37:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-04-08 22:37:53 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-04-08 22:37:51 0 d-----w- c:\program files\common files\PC Tools
2010-04-08 13:32:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Malwarebytes
2010-04-08 13:32:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 13:31:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 18:56:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Facebook
2010-03-30 11:27:25 0 d-----w- c:\windows\system32\%%DATA_DIR%%

==================== Find3M ====================

2010-04-20 15:20:13 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-06-28 18:19:36 251 -c--a-w- c:\program files\wt3d.ini
2009-02-05 17:15:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020520090206\index.dat

============= FINISH: 9:01:38.73 ===============



Edited by gbartlett23, 20 April 2010 - 11:10 AM.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:06:31 AM

Posted 20 April 2010 - 12:13 PM

Hi again,

Upload c:\windows\system32\aeda.sys file to http://www.virustotal.com and post back the results.

Run GMER with "sections" option enabled and post the report.


Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\documents and settings\All Users\Application Data\45vHau2.dat
RenV::
c:\program files\Alcohol Soft\Alcohol 52\axcmd .exe
c:\program files\Citrix\ICA Client\concentr .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Google\Gmail Notifier\gnotify .exe
c:\program files\Hitman Pro 3.5\HitmanPro35[1] .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\ltmoh\Ltmoh .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\MySpace\IM\MySpaceIM .exe
c:\program files\QuickTime\QTTask       .exe
c:\program files\QuickTime\QTTask      .exe
c:\program files\QuickTime\QTTask     .exe
c:\program files\QuickTime\QTTask    .exe
c:\program files\QuickTime\QTTask   .exe
c:\program files\QuickTime\QTTask  .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Synaptics\SynTP\SynTPLpr .exe
c:\program files\Tech\MagicBall\2.3\LWBWHEEL .exe
c:\program files\TOSHIBA\TOSCDSPD\toscdspd .exe
c:\program files\TOSHIBA\TOSHIBA Applet\thotkey .exe
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
c:\program files\TOSHIBA\Tvs\TvsTray .exe
c:\program files\Windows Defender\MSASCui .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\ehome\ehtray .exe



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Do you use Adobe Acrobat for other duties than pdf conversions?


Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and the above-mentioned ComboFix log.


Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
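
The checks that the instructions above act on (the "name .exe" Run-key entries the RenV:: section renames, the Security Center and firewall values that silence the OS warnings, and a driver such as aeda.sys loaded from the system32 root) can be run mechanically over a DDS/ComboFix log. The script below is an added example for this thread, not code from the post or from the DDS/ComboFix tools; the sample lines are copied from the logs posted in the thread, and the heuristics it applies are this example's own assumptions, meant for triage rather than as proof of infection.

```python
"""Triage helper for DDS / ComboFix-style log lines.

Added example for this thread; not part of the forum post and not code
from the DDS or ComboFix tools.  Heuristics (assumptions made here):
  * Run-key values whose command has a space before ".exe"
    ("QTTask .exe"), the entries a CFScript RenV:: section renames back;
  * Security Center / firewall registry values that suppress warnings
    or switch the Windows firewall off;
  * a driver (.sys) loaded from the system32 root instead of
    system32\\drivers, like aeda.sys in the log above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix / DDS logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R1 aeda;aeda;c:\windows\system32\aeda.sys [2010-4-20 75264]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-3 13592]
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    line: str


# "Name"="command" [info]  -> the form DDS/ComboFix use for Run-key values
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
# whitespace squeezed in between the file name and its .exe extension
SPACED_EXE_RE = re.compile(r"\S\s+\.exe\b", re.IGNORECASE)
# R1 svc;display name;path [date size]  -> service / driver entries
DRIVER_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(?P<path>[^\[]+?)\s*\[")

# Registry values (lower-cased, single-spaced) that suppress Security
# Center warnings or turn the firewall off.
SUPPRESSION_VALUES = {
    '"antivirusoverride"=dword:00000001': "security-center-av-override",
    '"firewalloverride"=dword:00000001': "security-center-firewall-override",
    '"enablefirewall"= 0 (0x0)': "windows-firewall-disabled",
    '"disablenotifications"= 1 (0x1)': "firewall-notifications-disabled",
}


def _normalise(line: str) -> str:
    return " ".join(line.split()).lower()


def driver_outside_drivers_dir(path: str) -> bool:
    """True for a .sys file sitting directly under system32 (heuristic only)."""
    p = path.strip().lower()
    return p.endswith(".sys") and "\\system32\\" in p and "\\system32\\drivers\\" not in p


def triage(lines):
    """Return a Finding for every suspicious line in the log."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        kind = SUPPRESSION_VALUES.get(_normalise(line))
        if kind:
            findings.append(Finding(kind, line))
            continue
        run = RUN_VALUE_RE.match(line)
        if run and SPACED_EXE_RE.search(run.group("cmd")):
            findings.append(Finding("spaced-exe-run-value", line))
            continue
        drv = DRIVER_RE.match(line)
        if drv and driver_outside_drivers_dir(drv.group("path")):
            findings.append(Finding("driver-in-system32-root", line))
    return findings


def summarise(findings):
    """Count findings per kind, e.g. {'windows-firewall-disabled': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:36s} {f.line}")
```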


#5 gbartlett23

gbartlett23
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:31 PM

Posted 21 April 2010 - 07:43 PM

I apologize for the delay. All of the scans take a bit of time, but I'm very grateful for your help!!!

I only use Adobe Acrobat for .pdf conversions.

I uninstalled old versions of Adobe Reader and haven't installed new ones yet.

I uninstalled the Adobe Shockwave Player and haven't installed the new one yet.

I uninstalled flash players and haven't installed the new one yet.

I uninstalled old Java and installed the current version.

I ran ATF.

My computer doesn't appear to like GMER (crashes while using in normal mode). Consequently, I ran it in safe mode, ran it in normal mode with only "sections" selected, and ran it in normal mode but stopped the scan once it started scanning registry items. I have attached all three logs to this post. The other scan results are posted directly as follows:

Virustotal log for aeda.sys:

0 bytes size received / Se ha recibido un archivo vacio

Combofix log:

ComboFix 10-04-20.04 - Geoffrey D. Bartlett 04/21/2010 10:03:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.604 [GMT -7:00]
Running from: c:\documents and settings\Geoffrey D. Bartlett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geoffrey D. Bartlett\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All Users\Application Data\45vHau2.dat"
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\45vHau2.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-20 22:09 . 2010-04-20 22:11 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\.SunDownloadManager
2010-04-20 14:19 . 2010-04-20 14:19 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-20 12:59 . 2010-04-20 12:59 75264 ------w- c:\windows\system32\aeda.sys
2010-04-15 14:54 . 2010-04-15 14:55 -------- d-----w- c:\program files\Safari
2010-04-15 14:51 . 2010-04-15 14:51 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-15 14:49 . 2010-04-15 14:49 388096 ----a-r- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-15 14:49 . 2010-04-15 14:49 -------- d-----w- c:\program files\TrendMicro
2010-04-14 18:46 . 2010-04-14 18:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-12 22:34 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 16:46 . 2010-04-13 14:18 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51 . 2010-04-20 14:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51 . 2010-04-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-08 23:51 . 2010-04-21 17:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37 . 2010-04-08 22:37 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-08 22:30 . 2010-04-08 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 13:32 . 2010-04-08 13:32 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Malwarebytes
2010-04-08 13:32 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31 . 2010-04-08 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 13:31 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31 . 2010-04-21 17:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 20:08 . 2010-04-09 13:48 52224 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 18:56 . 2010-04-05 18:56 50354 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\uninstall.exe
2010-04-05 18:56 . 2010-04-05 18:56 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook
2010-03-30 11:27 . 2010-03-30 11:27 -------- d-----w- c:\windows\system32\%%DATA_DIR%%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 17:02 . 2007-02-23 14:13 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:02 . 2009-02-06 00:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 17:02 . 2006-06-14 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 17:02 . 2009-09-10 16:02 -------- d-----w- c:\program files\QuickTime
2010-04-21 17:02 . 2009-04-21 00:28 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-21 17:02 . 2006-02-15 16:28 -------- d-----w- c:\program files\ltmoh
2010-04-21 17:02 . 2009-09-10 16:50 -------- d-----w- c:\program files\iTunes
2010-04-21 16:57 . 2001-08-17 13:57 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys
2010-04-21 16:51 . 2007-08-31 19:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-21 13:18 . 2009-04-17 14:21 117760 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-20 22:25 . 2007-04-20 17:57 -------- d-----w- c:\program files\MySpace
2010-04-20 22:19 . 2006-02-16 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-20 22:19 . 2006-02-16 09:55 -------- d-----w- c:\program files\Viewpoint
2010-04-20 22:14 . 2006-02-16 09:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 20:44 . 2006-02-25 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 15:12 . 2009-01-15 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-13 21:07 . 2006-02-16 16:59 77256 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-13 16:14 . 2006-02-16 10:39 -------- d-----w- c:\program files\Microsoft Works
2010-03-30 11:38 . 2009-11-16 13:25 79488 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-30 11:28 . 2007-12-19 18:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2006-02-15 14:04 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-06 18:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2006-02-15 14:03 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2006-02-15 14:03 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-15 14:01 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-15 14:04 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-06-28 18:19 . 2006-06-28 18:19 251 -c--a-w- c:\program files\wt3d.ini
2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-20_15.39.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-16 17:03 . 2005-08-05 21:56 64512 c:\windows\system32\dllcache\ehtray.exe
- 2005-08-05 21:56 . 2005-08-05 21:56 64512 c:\windows\system32\dllcache\ehtray.exe
+ 2006-02-16 17:03 . 2005-08-05 21:56 64512 c:\windows\ehome\ehtray.exe
- 2005-08-05 21:56 . 2005-08-05 21:56 64512 c:\windows\ehome\ehtray.exe
+ 2006-02-15 07:29 . 2010-04-21 13:15 2175512 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-25 3176408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"TFncKy"="TFncKy.exe" [BU]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-17 2056275]
Pharos Notify.lnk - c:\program files\Pharos\Bin\PSNotify.exe [2007-10-9 405504]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-04-20 13:04 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Mobipocket Web Companion.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Mobipocket Web Companion.lnk
backup=c:\windows\pss\Mobipocket Web Companion.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Webshots.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 -c--a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
2006-04-19 16:30 728176 -c--a-w- c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2007-12-22 23:03 916240 ----a-w- c:\program files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-24 02:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 -c--a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Juno_uoltray]
2007-03-08 01:38 1629184 -c--a-w- c:\program files\Juno\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
2007-03-07 00:00 1629184 -c--a-w- c:\program files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-12 22:31 41476 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\GospeLink 2001\\LP\\Bin\\LPLocal.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Pharos\\Bin\\PSNotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R1 aeda;aeda;c:\windows\system32\aeda.sys [4/20/2010 5:59 AM 75264]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 4:17 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [4/8/2010 3:37 PM 632792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 IndiAvIn;TDK INDI AV-IN USB Device;c:\windows\system32\drivers\IndiAvIn.sys [7/15/2006 1:00 PM 86016]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 12872]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/12/2006 8:00 AM 716272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
FF - ProfilePath - c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TDispVol - TDispVol.exe
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr .exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 10:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87283AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e2f28
\Driver\ACPI -> ACPI.sys @ 0xf7535cb8
\Driver\atapi -> atapi.sys @ 0xf74a9852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7342bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7331a0d
SendHandler -> NDIS.sys @ 0xf7345b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-21 10:23:17
ComboFix-quarantined-files.txt 2010-04-21 17:23
ComboFix2.txt 2010-04-20 15:46

Pre-Run: 26,833,985,536 bytes free
Post-Run: 26,799,685,632 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - EF1EE386E825D764FAD0DBA2AFD302BD

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 21, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 21, 2010 13:39:37
Records in database: 3957819
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Objects scanned: 150832
Threats found: 7
Infected objects found: 20
Suspicious objects found: 0
Scan duration: 05:58:37


File name / Threat / Threats count
C:\Documents and Settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\cache\6.0\54\164c176-57b2725c Infected: Exploit.Java.CVE-2009-3867.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\acpiec.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1000\A0105683.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1002\A0105858.exe Infected: Trojan.Win32.Powp.c 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1002\A0105926.com Infected: Trojan.Win32.Powp.a 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1003\A0106037.exe Infected: Trojan.Win32.Powp.c 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1003\A0106879.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1006\A0109841.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1007\A0111995.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1008\A0113059.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1011\A0115310.dll Infected: Trojan.Win32.FraudPack.aqsu 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1011\A0115311.exe Infected: Packed.Win32.Krap.an 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1011\A0115312.exe Infected: Packed.Win32.Krap.an 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1012\A0115502.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1012\A0116525.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1019\A0119631.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1019\A0119689.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP998\A0101389.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP998\A0102391.exe Infected: Packed.Win32.Katusha.j 1

Selected area has been scanned.

New DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoffrey D. Bartlett at 17:23:45.65 on Wed 04/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

============== Running Processes ===============

C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Geoffrey D. Bartlett\Local Settings\temp\jkos-Geoffrey D. Bartlett\binaries\ScanningProcess.exe
C:\Documents and Settings\Geoffrey D. Bartlett\Local Settings\temp\jkos-Geoffrey D. Bartlett\binaries\ScanningProcess.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Documents and Settings\Geoffrey D. Bartlett\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k LocalService

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [TFncKy] TFncKy.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoffr~1.bar\applic~1\mozilla\firefox\profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - plugin: c:\documents and settings\geoffrey d. bartlett\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\geoffrey d. bartlett\application data\mozilla\firefox\profiles\w24v0g30.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R? IndiAvIn;TDK INDI AV-IN USB Device
R? mferkdk;VSCore mferkdk
R? SASENUM;SASENUM
S? AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7
S? aeda;aeda
S? ctxusbm;Citrix USB Monitor Driver
S? McrdSvc;Media Center Extender Service
S? PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? StarWindServiceAE;StarWind AE Service
S? WinDefend;Windows Defender

=============== Created Last 30 ================

2010-04-21 17:34:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-21 17:34:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 22:09:06 0 d-----w- c:\documents and settings\geoffrey d. bartlett\.SunDownloadManager
2010-04-20 15:15:14 0 d-sha-r- C:\cmdcons
2010-04-20 15:13:10 98816 ----a-w- c:\windows\sed.exe
2010-04-20 15:13:10 77312 ----a-w- c:\windows\MBR.exe
2010-04-20 15:13:10 261632 ----a-w- c:\windows\PEV.exe
2010-04-20 15:13:10 161792 ----a-w- c:\windows\SWREG.exe
2010-04-20 14:19:41 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-20 12:59:52 75264 ------w- c:\windows\system32\aeda.sys
2010-04-15 15:16:13 20 ----a-w- c:\documents and settings\geoffrey d. bartlett\defogger_reenable
2010-04-15 14:49:58 0 d-----w- c:\program files\TrendMicro
2010-04-14 13:30:19 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-13 14:29:36 230 ----a-w- c:\windows\system32\.crusader
2010-04-12 22:34:03 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33:39 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52:04 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 19:49:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-04-12 16:46:41 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51:20 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-08 23:51:04 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-04-08 22:37:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-04-08 22:37:53 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-04-08 22:37:51 0 d-----w- c:\program files\common files\PC Tools
2010-04-08 13:32:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Malwarebytes
2010-04-08 13:32:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 13:31:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 18:56:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Facebook
2010-03-30 11:27:25 0 d-----w- c:\windows\system32\%%DATA_DIR%%

==================== Find3M ====================

2010-04-21 16:57:07 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-06-28 18:19:36 251 -c--a-w- c:\program files\wt3d.ini
2009-02-05 17:15:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020520090206\index.dat

============= FINISH: 17:29:11.11 ===============
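A small triage script for the Kaspersky report posted above, added here as an example; it is not part of the thread and not output of any tool mentioned in it. It parses the "File name / Threat / Threats count" lines exactly as posted and sorts each hit by where it lives: ComboFix's Qoobox quarantine, System Restore snapshots, the Java deployment cache (files the Java plug-in fetched from web pages), or anywhere else. The path rules, bucket names and suggested actions are this example's own assumptions, not something the scanner reports.

```python
"""Triage a Kaspersky Online Scanner report by where each detected object lives."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# The 20 finding lines below are copied from the Kaspersky Online Scanner 7.0
# report in the thread; everything else in this file is the example's own.
SCAN_REPORT = r"""
C:\Documents and Settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\cache\6.0\54\164c176-57b2725c Infected: Exploit.Java.CVE-2009-3867.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\acpiec.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1000\A0105683.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1002\A0105858.exe Infected: Trojan.Win32.Powp.c 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1002\A0105926.com Infected: Trojan.Win32.Powp.a 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1003\A0106037.exe Infected: Trojan.Win32.Powp.c 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1003\A0106879.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1006\A0109841.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1007\A0111995.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1008\A0113059.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1011\A0115310.dll Infected: Trojan.Win32.FraudPack.aqsu 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1011\A0115311.exe Infected: Packed.Win32.Krap.an 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1011\A0115312.exe Infected: Packed.Win32.Krap.an 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1012\A0115502.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1012\A0116525.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1019\A0119631.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP1019\A0119689.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP998\A0101389.exe Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP998\A0102391.exe Infected: Packed.Win32.Katusha.j 1
"""

# Bucket names and follow-up actions are the example's assumptions.
ACTIONS = {
    "live": "still in place where it could run: remove (or report to the helper) first",
    "java_cache": "delete, then clear the Java cache and update the JRE that fetched it",
    "quarantined": "already moved by ComboFix; goes away when ComboFix is uninstalled",
    "restore_point": "inert snapshot copy; flush System Restore once the machine is clean",
}


class Finding(NamedTuple):
    path: str
    threat: str
    count: int


# One report line: "<path> Infected: <detection name> <count>"
_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per non-empty report line; lines that do not match are skipped."""
    findings = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], int(m["count"])))
    return findings


def classify(path: str) -> str:
    """Decide the bucket from the path alone (case-insensitive, Windows separators)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"
    if "\\system volume information\\_restore{" in p:
        return "restore_point"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    return "live"


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by bucket; every bucket is present even when empty."""
    buckets: Dict[str, List[Finding]] = {name: [] for name in ACTIONS}
    for f in findings:
        buckets[classify(f.path)].append(f)
    return buckets


def threat_counts(findings: List[Finding]) -> Counter:
    """Objects per detection name (the report's 'Threats found' is the number of keys)."""
    return Counter({f.threat: 0 for f in findings}) + Counter(
        {f.threat: f.count for f in findings}
    ) if False else _sum_counts(findings)


def _sum_counts(findings: List[Finding]) -> Counter:
    totals: Counter = Counter()
    for f in findings:
        totals[f.threat] += f.count
    return totals


if __name__ == "__main__":
    report = parse_report(SCAN_REPORT)
    for name, items in triage(report).items():
        print(f"{name} ({len(items)}): {ACTIONS[name]}")
        for f in items:
            print(f"    {f.threat:32} {f.path}")
    print("distinct detections:", len(threat_counts(report)))
```

Run stand-alone it prints the four buckets. For this report the only object outside quarantine or a restore point is the Java cache entry, which is also the file the helper's CFScript in the following reply deletes; the seventeen restore-point copies explain why the same detections keep reappearing in scans until System Restore is flushed.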


#6 Blade81
Malware Response Team

Posted 22 April 2010 - 12:17 AM

Hello again,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.



Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/index.php?showtopic=310233&hl=
File::
C:\Documents and Settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\cache\6.0\54\164c176-57b2725c
Suspect::[76]
c:\windows\system32\aeda.sys



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows, disable protection, make sure internet connection is not disconnected and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 gbartlett23 (Topic Starter)

Posted 22 April 2010 - 09:43 AM

Combofix acted strangely this time. Usually it will start doing its thing and then says it detected the presence of Rootkit activity and must reboot. Once it reboots I login to windows and before anything loads Combofix stops it and begins its scan. This time, when I logged into windows, everything loaded while Combofix was beginning its scan. I had to use the Task Manager to quickly "end process" on SuperAntiSpyware. I also had to end Registry Mechanic. Combofix appeared to do its thing and here is the log. Again, THANK YOU for your help!

Combofix log

ComboFix 10-04-21.01 - Geoffrey D. Bartlett 04/22/2010 6:59.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.536 [GMT -7:00]
Running from: c:\documents and settings\Geoffrey D. Bartlett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geoffrey D. Bartlett\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\cache\6.0\54\164c176-57b2725c"

file zipped: c:\windows\system32\aeda.sys
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\cache\6.0\54\164c176-57b2725c

Infected copy of c:\windows\system32\drivers\ACPIEC.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-21 17:35 . 2010-04-21 17:35 -------- d-----w- c:\program files\Common Files\Java
2010-04-21 17:34 . 2010-04-21 17:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 22:09 . 2010-04-20 22:11 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\.SunDownloadManager
2010-04-20 14:19 . 2010-04-20 14:19 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-20 12:59 . 2010-04-20 12:59 75264 ------w- c:\windows\system32\aeda.sys
2010-04-15 14:54 . 2010-04-15 14:55 -------- d-----w- c:\program files\Safari
2010-04-15 14:51 . 2010-04-15 14:51 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-15 14:49 . 2010-04-15 14:49 388096 ----a-r- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-15 14:49 . 2010-04-15 14:49 -------- d-----w- c:\program files\TrendMicro
2010-04-14 18:46 . 2010-04-14 18:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-12 22:34 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 16:46 . 2010-04-13 14:18 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51 . 2010-04-20 14:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51 . 2010-04-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-08 23:51 . 2010-04-21 17:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37 . 2010-04-08 22:37 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-08 22:30 . 2010-04-08 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 13:32 . 2010-04-08 13:32 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Malwarebytes
2010-04-08 13:32 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31 . 2010-04-08 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 13:31 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31 . 2010-04-21 17:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 20:08 . 2010-04-09 13:48 52224 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 18:56 . 2010-04-05 18:56 50354 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\uninstall.exe
2010-04-05 18:56 . 2010-04-05 18:56 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook
2010-03-30 11:27 . 2010-03-30 11:27 -------- d-----w- c:\windows\system32\%%DATA_DIR%%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 13:55 . 2009-04-17 14:21 117760 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 13:55 . 2007-08-31 19:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-22 13:50 . 2001-08-17 13:57 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys
2010-04-22 13:15 . 2009-02-06 00:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 18:10 . 2006-02-16 16:59 77256 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 17:34 . 2008-11-03 22:26 -------- d-----w- c:\program files\Sun
2010-04-21 17:31 . 2006-02-16 09:28 -------- d-----w- c:\program files\Java
2010-04-21 17:02 . 2007-02-23 14:13 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:02 . 2006-06-14 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 17:02 . 2009-09-10 16:02 -------- d-----w- c:\program files\QuickTime
2010-04-21 17:02 . 2009-04-21 00:28 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-21 17:02 . 2006-02-15 16:28 -------- d-----w- c:\program files\ltmoh
2010-04-21 17:02 . 2009-09-10 16:50 -------- d-----w- c:\program files\iTunes
2010-04-20 22:25 . 2007-04-20 17:57 -------- d-----w- c:\program files\MySpace
2010-04-20 22:19 . 2006-02-16 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-20 22:19 . 2006-02-16 09:55 -------- d-----w- c:\program files\Viewpoint
2010-04-20 22:14 . 2006-02-16 09:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 20:44 . 2006-02-25 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 15:12 . 2009-01-15 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-13 16:14 . 2006-02-16 10:39 -------- d-----w- c:\program files\Microsoft Works
2010-03-30 11:38 . 2009-11-16 13:25 79488 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-30 11:28 . 2007-12-19 18:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2006-02-15 14:04 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-06 18:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2006-02-15 14:03 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2006-02-15 14:03 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-15 14:01 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-15 14:04 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-06-28 18:19 . 2006-06-28 18:19 251 -c--a-w- c:\program files\wt3d.ini
2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-20_15.39.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-22 13:53 . 2010-04-22 13:53 16384 c:\windows\temp\Perflib_Perfdata_6b0.dat
- 2005-08-05 21:56 . 2005-08-05 21:56 64512 c:\windows\system32\dllcache\ehtray.exe
+ 2006-02-16 17:03 . 2005-08-05 21:56 64512 c:\windows\system32\dllcache\ehtray.exe
+ 2006-02-16 17:03 . 2005-08-05 21:56 64512 c:\windows\ehome\ehtray.exe
- 2005-08-05 21:56 . 2005-08-05 21:56 64512 c:\windows\ehome\ehtray.exe
+ 2010-04-21 17:34 . 2010-04-21 17:33 153376 c:\windows\system32\javaws.exe
+ 2010-04-21 17:34 . 2010-04-21 17:33 145184 c:\windows\system32\javaw.exe
+ 2010-04-21 17:34 . 2010-04-21 17:33 145184 c:\windows\system32\java.exe
+ 2010-04-21 17:35 . 2010-04-21 17:35 180224 c:\windows\Installer\1da201.msi
+ 2010-04-21 17:34 . 2010-04-21 17:34 386048 c:\windows\Installer\1da1fc.msi
+ 2010-04-21 17:33 . 2010-04-21 17:33 576000 c:\windows\Installer\1da1f7.msi
+ 2010-04-21 17:32 . 2010-04-21 17:32 438784 c:\windows\Installer\1da1f3.msi
+ 2006-02-15 07:29 . 2010-04-21 13:15 2175512 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-25 3176408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"TFncKy"="TFncKy.exe" [BU]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-17 2056275]
Pharos Notify.lnk - c:\program files\Pharos\Bin\PSNotify.exe [2007-10-9 405504]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-04-20 13:04 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Mobipocket Web Companion.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Mobipocket Web Companion.lnk
backup=c:\windows\pss\Mobipocket Web Companion.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Webshots.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 -c--a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
2006-04-19 16:30 728176 -c--a-w- c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2007-12-22 23:03 916240 ----a-w- c:\program files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-24 02:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 -c--a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Juno_uoltray]
2007-03-08 01:38 1629184 -c--a-w- c:\program files\Juno\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
2007-03-07 00:00 1629184 -c--a-w- c:\program files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-12 22:31 41476 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\GospeLink 2001\\LP\\Bin\\LPLocal.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Pharos\\Bin\\PSNotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R1 aeda;aeda;c:\windows\system32\aeda.sys [4/20/2010 5:59 AM 75264]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 4:17 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [4/8/2010 3:37 PM 632792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 12872]
S3 IndiAvIn;TDK INDI AV-IN USB Device;c:\windows\system32\drivers\IndiAvIn.sys [7/15/2006 1:00 PM 86016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/12/2006 8:00 AM 716272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
FF - ProfilePath - c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 07:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87291AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e2f28
\Driver\ACPI -> ACPI.sys @ 0xf7535cb8
\Driver\atapi -> atapi.sys @ 0xf74a9852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7342bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7331a0d
SendHandler -> NDIS.sys @ 0xf7345b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-22 07:21:29
ComboFix-quarantined-files.txt 2010-04-22 14:21
ComboFix2.txt 2010-04-20 15:46

Pre-Run: 32,034,799,616 bytes free
Post-Run: 32,100,777,984 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 1F5F14916BEBCEF76BA2C0545EF19F2D
Upload was successful


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 April 2010 - 11:56 AM

Hi,

Click Start -> Run -> type cmd.exe. Copy and paste the following code box contents into the command prompt window.
CODE
copy %systemroot%\system32\drivers\ACPIEC.sys %systemroot%
echo copy ACPIEC.sys system32\drivers>%systemroot%\fix.bat
echo del ACPIEC.sys>>%systemroot%\fix.bat
exit
cls


The window should close by itself.

Print these instructions since you won't be able to access them in recovery console.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

batch fix.bat

6. At the next prompt, type the following bolded text, and press Enter:

exit


Windows will now begin loading. Please run GMER again with the Sections option enabled.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
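A note on the procedure above, for anyone reading along. The ComboFix log in the previous post shows why the swap has to happen from the Recovery Console: drivers\ACPIEC.sys was found patched ("Infected copy ... was found and disinfected"), and a driver that is loaded and locked by the running kernel cannot be reliably replaced from inside Windows. The batch below is an added example written for this thread; it is not Blade81's script and not part of the original post. It stages the driver the same way, but adds two checks first, and uses copy /Y so a second run does not stop on the "Overwrite ...? <Yes/No/All>" prompt. It assumes Windows XP SP3, cmd.exe, an intact %systemroot%\system32\dllcache\ACPIEC.sys to compare against, and the 11648-byte size that the Find3M report in this log shows for the restored ACPIEC.sys (that value is taken from this machine's log, not a universal constant). Caveat: a rootkit that rewrote the driver in system32\drivers could equally have rewritten the dllcache copy, so "both files match" is a sanity check, not proof of a clean file.

```batch
@echo off
rem Added example for this thread, not the original poster's script.
rem Assumes Windows XP SP3 cmd.exe and an intact dllcache copy of ACPIEC.sys.
setlocal
set DRV=%systemroot%\system32\drivers\ACPIEC.sys
set CACHE=%systemroot%\system32\dllcache\ACPIEC.sys
set STAGE=%systemroot%\ACPIEC.sys

if not exist "%CACHE%" (
    echo dllcache copy missing - cannot compare, staging the driver from system32\drivers as-is
    goto stage
)

rem Binary-compare the on-disk driver with the protected cache copy.
rem fc sets errorlevel 0 when identical, 1 when different, 2 when a file cannot be opened.
fc /b "%DRV%" "%CACHE%" >nul
if errorlevel 2 (
    echo fc could not open one of the files - stopping
    goto :eof
)
if errorlevel 1 (
    echo WARNING: drivers\ACPIEC.sys differs from the dllcache copy - it may have been re-patched
    echo Staging the dllcache copy instead.
    set SRC=%CACHE%
) else (
    set SRC=%DRV%
)

:stage
if not defined SRC set SRC=%DRV%

rem Size check against the 11648 bytes reported for ACPIEC.sys in this log's Find3M section.
rem (Value assumed from this machine's ComboFix output; adjust for a different build.)
for %%F in ("%SRC%") do set SIZE=%%~zF
if not "%SIZE%"=="11648" echo NOTE: %SRC% is %SIZE% bytes, expected 11648 - inspect before proceeding

rem /Y suppresses the Overwrite prompt that appears if the staged file already exists.
copy /Y "%SRC%" "%STAGE%" >nul

rem Recovery Console batch: copy the staged driver over the locked one, then remove the staging copy.
> "%systemroot%\fix.bat" echo copy ACPIEC.sys system32\drivers
>> "%systemroot%\fix.bat" echo del ACPIEC.sys

echo Staged %STAGE% and wrote %systemroot%\fix.bat
echo Now reboot into the Recovery Console and run:  batch fix.bat
endlocal
```

Save it as stage_acpiec.bat and run it from an elevated cmd.exe instead of pasting the five lines interactively; the Recovery Console steps (select the installation, batch fix.bat, exit) are unchanged.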


#9 gbartlett23

gbartlett23
  • Topic Starter

  • Members
  • 13 posts

Posted 22 April 2010 - 12:08 PM

Do you want me to run GMER with ONLY sections option enabled or sections option enabled along with other options?

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 April 2010 - 12:23 PM

Actually, try running it first with everything checked except the "Files" option (and the "Show all" box). If that fails, then attempt it with Sections only.



#11 gbartlett23

gbartlett23
  • Topic Starter

  • Members
  • 13 posts

Posted 22 April 2010 - 12:44 PM

I entered the command prompt and pasted the text, and Windows isn't doing anything (not restarting).

I tried it again and it said "Overwrite C:\WINDOWS\ACPIEC.sys? <Yes/No/All>:"

I didn't want to mess anything up so I just closed the command prompt window.

The computer hasn't shut down normally for a while now. Usually I have to unplug the power cord and remove the battery to kill it. Then I plug the cord and replace the battery and press the power button.

Edited by gbartlett23, 22 April 2010 - 01:01 PM.


#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 April 2010 - 01:02 PM

Hi,

Please move on to that recovery console related part.



#13 gbartlett23

gbartlett23
  • Topic Starter

  • Members
  • 13 posts

Posted 22 April 2010 - 01:24 PM

Here's the GMER log. I selected everything except "files" and "show all". It actually ran all the way through very quickly. When it was done I saved the log file and then tried to close GMER. At that point the computer just appeared to turn off.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-22 11:15:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\GEOFFR~1.BAR\LOCALS~1\Temp\kxroqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA463320]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF676BEBF]
? C:\WINDOWS\system32\aeda.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\RAMASST.exe[156] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\RAMASST.exe[156] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\RAMASST.exe[156] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\RAMASST.exe[156] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RAMASST.exe[156] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\wuauclt.exe[2116] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe[2524] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\dllhost.exe[2548] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\alg.exe[2656] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\SearchIndexer.exe[2888] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\SearchIndexer.exe[2888] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\Explorer.EXE[3384] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[3384] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Geoffrey D. Bartlett\Desktop\gmer\gmer.exe[3484] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[3680] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\hkcmd.exe[3696] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\hkcmd.exe[3696] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\hkcmd.exe[3696] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\hkcmd.exe[3696] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\hkcmd.exe[3696] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\igfxpers.exe[3736] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\igfxpers.exe[3736] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\igfxpers.exe[3736] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\igfxpers.exe[3736] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\igfxpers.exe[3736] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\ehome\ehtray.exe[3748] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\ehome\ehtray.exe[3748] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ehome\ehtray.exe[3748] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\ehome\ehtray.exe[3748] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\ehome\ehtray.exe[3748] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\AGRSMMSG.exe[3756] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\AGRSMMSG.exe[3756] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3756] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\AGRSMMSG.exe[3756] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\AGRSMMSG.exe[3756] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3772] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\dla\DLACTRLW.exe[3820] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe[3912] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\RTHDCPL.EXE[3920] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\RTHDCPL.EXE[3920] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\RTHDCPL.EXE[3920] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\RTHDCPL.EXE[3920] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\RTHDCPL.EXE[3920] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3952] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\eHome\ehmsas.exe[4028] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\eHome\ehmsas.exe[4028] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\eHome\ehmsas.exe[4028] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\eHome\ehmsas.exe[4028] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\eHome\ehmsas.exe[4028] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[4064] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[4064] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[4064] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\ctfmon.exe[4064] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[4064] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Pharos\Bin\PSNotify.exe[4092] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aeda.sys

Device \FileSystem\Cdfs \Cdfs A96A2400
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0x64 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE1 0x84 0xB9 0xBF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4F 0x24 0xFF 0x2D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x89 0xCF 0xE3 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0xF1 0x4C 0xF7 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4B 0xE0 0x7A 0x38 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x92 0x54 0x18 0x67 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0xF5 0x47 0xAD ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0x02 0x5B 0x5A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0x64 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE1 0x84 0xB9 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4F 0x24 0xFF 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x89 0xCF 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0xF1 0x4C 0xF7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4B 0xE0 0x7A 0x38 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x92 0x54 0x18 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0xF5 0x47 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0x02 0x5B 0x5A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0x64 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE1 0x84 0xB9 0xBF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4F 0x24 0xFF 0x2D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x89 0xCF 0xE3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0xF1 0x4C 0xF7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4B 0xE0 0x7A 0x38 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x92 0x54 0x18 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0xF5 0x47 0xAD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0x02 0x5B 0x5A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0x64 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE1 0x84 0xB9 0xBF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4F 0x24 0xFF 0x2D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x89 0xCF 0xE3 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0xF1 0x4C 0xF7 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4B 0xE0 0x7A 0x38 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x92 0x54 0x18 0x67 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0xF5 0x47 0xAD ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0x02 0x5B 0x5A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0x64 0x2E 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE1 0x84 0xB9 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4F 0x24 0xFF 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x89 0xCF 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0xF1 0x4C 0xF7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4B 0xE0 0x7A 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x92 0x54 0x18 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0xF5 0x47 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0x02 0x5B 0x5A ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3C 0x64 0x2E 0xDA ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE1 0x84 0xB9 0xBF ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4F 0x24 0xFF 0x2D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x89 0xCF 0xE3 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB8 0xF1 0x4C 0xF7 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4B 0xE0 0x7A 0x38 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x92 0x54 0x18 0x67 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0xF5 0x47 0xAD ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x0C 0x02 0x5B 0x5A ...

---- EOF - GMER 1.0.15 ----


#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:31 AM

Posted 22 April 2010 - 01:52 PM

Thanks for the report.

Open notepad and copy/paste the text in the quotebox below into it:

CODE
Edited



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds log.

Edited by Blade81, 23 April 2010 - 09:20 AM.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#15 gbartlett23

gbartlett23
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 22 April 2010 - 02:34 PM

This time Combofix DID NOT say it detected Rootkit activity and restart the computer. However, when it was done it actually rebooted the computer without me having to pull the cord and battery (that was nice). I rebooted after it was finished and ran DDS.

Combofix:

ComboFix 10-04-21.01 - Geoffrey D. Bartlett 04/22/2010 12:02:13.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.519 [GMT -7:00]
Running from: c:\documents and settings\Geoffrey D. Bartlett\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geoffrey D. Bartlett\Desktop\CFScript.txt
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-22 17:37 . 2010-04-22 17:37 50 ----a-w- c:\windows\fix.bat
2010-04-22 17:37 . 2010-04-22 13:50 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys
2010-04-21 17:35 . 2010-04-21 17:35 -------- d-----w- c:\program files\Common Files\Java
2010-04-21 17:34 . 2010-04-21 17:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 22:09 . 2010-04-20 22:11 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\.SunDownloadManager
2010-04-20 14:19 . 2010-04-20 14:19 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-20 12:59 . 2010-04-20 12:59 75264 ------w- c:\windows\system32\aeda.sys
2010-04-15 14:54 . 2010-04-15 14:55 -------- d-----w- c:\program files\Safari
2010-04-15 14:49 . 2010-04-15 14:49 -------- d-----w- c:\program files\TrendMicro
2010-04-14 18:46 . 2010-04-14 18:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-14 13:30 . 2010-04-14 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-12 22:34 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 16:46 . 2010-04-13 14:18 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51 . 2010-04-20 14:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51 . 2010-04-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-08 23:51 . 2010-04-21 17:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37 . 2010-04-08 22:37 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-08 22:30 . 2010-04-08 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 13:32 . 2010-04-08 13:32 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Malwarebytes
2010-04-08 13:32 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31 . 2010-04-08 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 13:31 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31 . 2010-04-21 17:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 18:56 . 2010-04-05 18:56 -------- d-----w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook
2010-03-30 11:27 . 2010-03-30 11:27 -------- d-----w- c:\windows\system32\%%DATA_DIR%%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 19:14 . 2007-08-31 19:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-22 16:16 . 2010-04-22 16:16 61440 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2257ecb1-n\decora-sse.dll
2010-04-22 16:16 . 2010-04-22 16:16 503808 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-280d5b16-n\msvcp71.dll
2010-04-22 16:16 . 2010-04-22 16:16 499712 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-280d5b16-n\jmc.dll
2010-04-22 16:16 . 2010-04-22 16:16 348160 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-280d5b16-n\msvcr71.dll
2010-04-22 16:16 . 2010-04-22 16:16 12800 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2257ecb1-n\decora-d3d.dll
2010-04-22 14:37 . 2009-04-17 14:21 117760 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 14:37 . 2009-02-06 00:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 18:10 . 2006-02-16 16:59 77256 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 17:34 . 2008-11-03 22:26 -------- d-----w- c:\program files\Sun
2010-04-21 17:31 . 2006-02-16 09:28 -------- d-----w- c:\program files\Java
2010-04-21 17:02 . 2007-02-23 14:13 -------- d-----w- c:\program files\Windows Defender
2010-04-21 17:02 . 2006-06-14 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 17:02 . 2009-09-10 16:02 -------- d-----w- c:\program files\QuickTime
2010-04-21 17:02 . 2009-04-21 00:28 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-21 17:02 . 2006-02-15 16:28 -------- d-----w- c:\program files\ltmoh
2010-04-21 17:02 . 2009-09-10 16:50 -------- d-----w- c:\program files\iTunes
2010-04-20 22:25 . 2007-04-20 17:57 -------- d-----w- c:\program files\MySpace
2010-04-20 22:19 . 2006-02-16 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-20 22:19 . 2006-02-16 09:55 -------- d-----w- c:\program files\Viewpoint
2010-04-20 22:14 . 2006-02-16 09:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 20:44 . 2006-02-25 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 15:12 . 2009-01-15 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 14:51 . 2010-04-15 14:51 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-15 14:49 . 2010-04-15 14:49 388096 ----a-r- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-13 16:14 . 2006-02-16 10:39 -------- d-----w- c:\program files\Microsoft Works
2010-04-09 13:48 . 2010-04-07 20:08 52224 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 18:56 . 2010-04-05 18:56 50354 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\uninstall.exe
2010-03-30 11:38 . 2009-11-16 13:25 79488 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-30 11:28 . 2007-12-19 18:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2006-02-15 14:04 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-06 18:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2006-02-15 14:03 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2006-02-15 14:03 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-15 14:01 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-15 14:04 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-06-28 18:19 . 2006-06-28 18:19 251 -c--a-w- c:\program files\wt3d.ini
2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-22 2010864]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-25 3176408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"TFncKy"="TFncKy.exe" [BU]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-17 2056275]
Pharos Notify.lnk - c:\program files\Pharos\Bin\PSNotify.exe [2007-10-9 405504]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-04-20 13:04 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Mobipocket Web Companion.lnk]
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Mobipocket Web Companion.lnk
backup=c:\windows\pss\Mobipocket Web Companion.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoffrey D. Bartlett^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
path=c:\documents and settings\Geoffrey D. Bartlett\Start Menu\Programs\Startup\Webshots.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 -c--a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
2006-04-19 16:30 728176 -c--a-w- c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2007-12-22 23:03 916240 ----a-w- c:\program files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-24 02:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 -c--a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Juno_uoltray]
2007-03-08 01:38 1629184 -c--a-w- c:\program files\Juno\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
2007-03-07 00:00 1629184 -c--a-w- c:\program files\NetZero\exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-12 22:31 41476 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\GospeLink 2001\\LP\\Bin\\LPLocal.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Pharos\\Bin\\PSNotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R1 aeda;aeda;c:\windows\system32\aeda.sys [4/20/2010 5:59 AM 75264]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 4:17 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [4/8/2010 3:37 PM 632792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 12872]
S3 IndiAvIn;TDK INDI AV-IN USB Device;c:\windows\system32\drivers\IndiAvIn.sys [7/15/2006 1:00 PM 86016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/12/2006 8:00 AM 716272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
FF - ProfilePath - c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Geoffrey D. Bartlett\Application Data\Mozilla\Firefox\Profiles\w24v0g30.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 12:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1652)
c:\windows\system32\WININET.dll
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\eHome\ehmsas.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\CFXFER.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-22 12:23:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 19:23
ComboFix2.txt 2010-04-22 14:22
ComboFix3.txt 2010-04-20 15:46

Pre-Run: 32,047,063,040 bytes free
Post-Run: 32,025,403,392 bytes free

- - End Of File - - EF1614E82340633C8F9EFFBAF67066DF

DDS


DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoffrey D. Bartlett at 12:28:39.68 on Thu 04/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.501 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Pharos\Bin\PSNotify.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Geoffrey D. Bartlett\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1098640
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TFncKy] TFncKy.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pharos~1.lnk - c:\program files\pharos\bin\PSNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoffr~1.bar\applic~1\mozilla\firefox\profiles\w24v0g30.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.byu.edu/webapp/home/index.jsp
FF - plugin: c:\documents and settings\geoffrey d. bartlett\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\geoffrey d. bartlett\application data\mozilla\firefox\profiles\w24v0g30.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071302000002.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aeda;aeda;c:\windows\system32\aeda.sys [2010-4-20 75264]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 66632]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-4-8 632792]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 IndiAvIn;TDK INDI AV-IN USB Device;c:\windows\system32\drivers\IndiAvIn.sys [2006-7-15 86016]

=============== Created Last 30 ================

2010-04-22 17:37:17 50 ----a-w- c:\windows\fix.bat
2010-04-22 17:37:16 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys
2010-04-21 17:34:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-21 17:34:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 22:09:06 0 d-----w- c:\documents and settings\geoffrey d. bartlett\.SunDownloadManager
2010-04-20 15:15:14 0 d-sha-r- C:\cmdcons
2010-04-20 15:13:10 98816 ----a-w- c:\windows\sed.exe
2010-04-20 15:13:10 77312 ----a-w- c:\windows\MBR.exe
2010-04-20 15:13:10 261632 ----a-w- c:\windows\PEV.exe
2010-04-20 15:13:10 161792 ----a-w- c:\windows\SWREG.exe
2010-04-20 14:19:41 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-20 12:59:52 75264 ------w- c:\windows\system32\aeda.sys
2010-04-15 15:16:13 20 ----a-w- c:\documents and settings\geoffrey d. bartlett\defogger_reenable
2010-04-15 14:49:58 0 d-----w- c:\program files\TrendMicro
2010-04-14 13:30:19 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-13 14:29:36 230 ----a-w- c:\windows\system32\.crusader
2010-04-12 22:34:03 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-12 22:33:39 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-12 19:52:04 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-12 19:49:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-04-12 16:46:41 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 23:51:20 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 23:51:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-08 23:51:04 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 22:37:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-04-08 22:37:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-04-08 22:37:53 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-04-08 22:37:51 0 d-----w- c:\program files\common files\PC Tools
2010-04-08 13:32:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Malwarebytes
2010-04-08 13:32:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 13:31:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 13:31:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 13:31:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 18:56:40 0 d-----w- c:\docume~1\geoffr~1.bar\applic~1\Facebook
2010-03-30 11:27:25 0 d-----w- c:\windows\system32\%%DATA_DIR%%

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-06-28 18:19:36 251 -c--a-w- c:\program files\wt3d.ini
2009-02-05 17:15:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020520090206\index.dat

============= FINISH: 12:29:53.76 ===============
