
Had Antivirus Soft and Now Internet Explorer Redirects


This topic is locked
23 replies to this topic

#1 shaun0822

Posted 13 May 2010 - 10:27 AM

We had Antivirus Soft and then did a restore to a previous date. We have run AVG, Malwarebytes, SuperAntiSpyware, and ATF-Cleaner. IE still redirects when you click the link. When I ran GMER I received a Win32 error. I'm sorry I didn't write down the details. The system boots up and everything else seems slow, but works.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Shaun at 21:33:53.50 on Wed 05/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.338 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Prevx 2.0 *On-access scanning disabled* (Updated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shaun\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nadadventist.org/
uDefault_Page_URL = hxxp://www.bigzoo.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = ftp=proxy_server:8080;http=proxy_server:8080;https=proxy_server:8080;socks=proxy_server:8080
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: {52706EF7-D7A2-49AD-A615-E903858CF284} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: URLDetector Class: {55ea1964-f5e4-4d6a-b9b2-125b37655fcb} - c:\documents and settings\all users\application data\prevx\pxbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [cdloader] "c:\documents and settings\shaun\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 1.0.3705; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.eduplace.com/kids/hme/k_5/proofread/index.html"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "realsched.exe" -osboot
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: rightsTest = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Display All Images with Full Quality
IE: Display Image with Full Quality
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: motive.com\patttbc.att
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} - hxxp://www.pgalinks.com/CFIDE/classes/CFJava.cab
DPF: {084F552D-19EB-4668-9788-984CBC781A8F}
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1076387021093
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} - hxxps://secure.stamps.com/download/us/registration/3_0_0_804/sdcregie.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} - hxxp://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/devicesoftware/AxLoader.cab
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://mapg.fmd.emory.edu/mgvinstall/mgaxctrl.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148708585421
DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} - hxxp://host.oddcast.com/hostClientIE.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://games.att.net/gh/Delicious_Emilys_tea_garden_web/Game/gamehouseplayer.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - hxxp://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_5/nminstall_en_4.52.28.0_SILENT_2.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} - hxxp://www.microsoft.com/security/controls/DoomCln.CAB
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/SassCln.CAB
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://games.att.net/Gh/Delicious_2_Web/Game/zylomplayer.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/armhelper.ocx
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/5.5.0.1437/MILive.cab
DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} - hxxp://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5531/mcfscan.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-17 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-17 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-17 242896]
R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [2007-7-5 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-23 308064]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-5-25 47640]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate1c9bd005dd5bd4;Google Update Service (gupdate1c9bd005dd5bd4);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2007-12-6 810632]
S2 X4HSX32Ex;X4HSX32Ex;\??\c:\program files\free ride games\x4hsx32ex.sys --> c:\program files\free ride games\X4HSX32Ex.Sys [?]
S3 avga;avga;\??\c:\docume~1\guesta~1\locals~1\temp\avga.sys --> c:\docume~1\guesta~1\locals~1\temp\avga.sys [?]
S3 CASC;CASC;\??\c:\docume~1\guesta~1\locals~1\temp\casc.sys --> c:\docume~1\guesta~1\locals~1\temp\CASC.SYS [?]
S3 EmrtRate;EmrtRate;\??\c:\docume~1\guesta~1\locals~1\temp\emrtrate.sys --> c:\docume~1\guesta~1\locals~1\temp\EmrtRate.sys [?]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\mike\locals~1\temp\ewdmaudn.sys --> c:\docume~1\mike\locals~1\temp\ewdmaudn.sys [?]
S3 ewstcode;ewstcode;\??\c:\docume~1\guesta~1\locals~1\temp\ewstcode.sys --> c:\docume~1\guesta~1\locals~1\temp\ewstcode.sys [?]
S3 gportcls;gportcls;\??\c:\docume~1\guesta~1\locals~1\temp\gportcls.sys --> c:\docume~1\guesta~1\locals~1\temp\gportcls.sys [?]
S3 KHPN;KHPN;\??\c:\docume~1\guesta~1\locals~1\temp\khpn.sys --> c:\docume~1\guesta~1\locals~1\temp\KHPN.SYS [?]
S3 MHPN;MHPN;\??\c:\docume~1\guesta~1\locals~1\temp\mhpn.sys --> c:\docume~1\guesta~1\locals~1\temp\MHPN.SYS [?]
S3 NIPFLTDR;NIPFLTDR;\??\c:\docume~1\shaun\locals~1\temp\nipfltdr.sys --> c:\docume~1\shaun\locals~1\temp\NIPFLTDR.SYS [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [2007-7-5 107784]
S3 rrdpwd;rrdpwd;\??\c:\docume~1\guesta~1\locals~1\temp\rrdpwd.sys --> c:\docume~1\guesta~1\locals~1\temp\rrdpwd.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-8 95024]
S3 TPCIIDE;TPCIIDE;\??\c:\docume~1\guesta~1\locals~1\temp\tpciide.sys --> c:\docume~1\guesta~1\locals~1\temp\TPCIIDE.SYS [?]
S3 uatnt40k;uatnt40k;\??\c:\docume~1\guesta~1\locals~1\temp\uatnt40k.sys --> c:\docume~1\guesta~1\locals~1\temp\uatnt40k.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================


==================== Find3M ====================

2010-05-06 14:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-23 20:06:36 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-23 20:06:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-23 20:05:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\6to4svc.dll
2009-04-24 01:20:52 273597 ----a-w- c:\program files\INSTALL.LOG
2008-07-14 00:23:57 0 ----a-w- c:\program files\temp01
2007-01-08 00:55:16 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-05-22 20:26:42 488032 ----a-w- c:\program files\PopUpStopper.exe
2009-10-04 21:22:48 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-02-07 04:38:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020620090207\index.dat

============= FINISH: 21:36:43.23 ===============
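As an added example (this is not code from the thread, from DDS or from BleepingComputer), here is a first-pass triage of the DDS log above in Python. It parses the SERVICES / DRIVERS lines, the Winlogon Notify entries and the IE ProxyServer setting, and flags: a driver whose image path is under a per-user temp directory, a driver DDS could not stat (the trailing [?]) or that has no image path ([x]), a Notify DLL given as a bare file name, and any proxy at all. The sample lines are copied from the log above; the rules, the reading of [?]/[x], and the function names are this example's own assumptions, not DDS's documented semantics.

```python
"""Triage a DDS-style log for the entries a malware analyst looks at first.

Added example, not part of the thread or of the DDS tool. The heuristics
are a first pass only: a hit means "look closer", not "malicious".
"""
import re

# Constructed sample: lines copied from the DDS log posted above, so the
# script runs offline. In practice feed it a whole DDS.txt.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = ftp=proxy_server:8080;http=proxy_server:8080;https=proxy_server:8080;socks=proxy_server:8080
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-17 242896]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 mrtRate;mrtRate; [x]
S3 avga;avga;\??\c:\docume~1\guesta~1\locals~1\temp\avga.sys --> c:\docume~1\guesta~1\locals~1\temp\avga.sys [?]
S3 NIPFLTDR;NIPFLTDR;\??\c:\docume~1\shaun\locals~1\temp\nipfltdr.sys --> c:\docume~1\shaun\locals~1\temp\NIPFLTDR.SYS [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-8 95024]
"""

# SERVICES / DRIVERS line: "<R|S><start type> name;description;image [date size]"
DRIVER_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<desc>[^;]*);(?P<rest>.*)$")
# Trailing "[...]" carries "date size", "?" (assumed: could not stat) or "x" (assumed: no image path).
META_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>\S+)\s+-\s+(?P<path>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
# A per-user temp directory in 8.3 or long form, e.g. \locals~1\temp\ or \Local Settings\Temp\
USER_TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)


def _driver_finding(m):
    """Apply the driver heuristics to one matched SERVICES / DRIVERS line."""
    rest = m.group("rest").strip()
    meta_m = META_RE.match(rest)
    path, meta = (meta_m.group("path"), meta_m.group("meta")) if meta_m else (rest, "")
    if " --> " in path:  # DDS prints "registry image path --> resolved path"; keep the resolved one
        path = path.split(" --> ", 1)[1]
    reasons = []
    if USER_TEMP_RE.search(path):
        reasons.append("image lives under a per-user temp directory")
    if meta == "?":
        reasons.append("DDS could not stat the image file (missing or hidden)")
    elif meta == "x":
        reasons.append("service has no image path recorded")
    if not reasons:
        return None
    return {"kind": "driver", "name": m.group("name"), "path": path, "reasons": reasons}


def triage(log_text):
    """Return a list of findings, one per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := DRIVER_RE.match(line)):
            f = _driver_finding(m)
            if f:
                findings.append(f)
        elif (m := NOTIFY_RE.match(line)):
            # A bare DLL name is resolved by the loader's search order, not by a fixed path.
            if "\\" not in m.group("path"):
                findings.append({"kind": "notify", "name": m.group("name"), "path": m.group("path"),
                                 "reasons": ["Winlogon Notify DLL listed without a full path"]})
        elif (m := PROXY_RE.match(line)):
            findings.append({"kind": "proxy", "name": "ProxyServer", "path": m.group("value"),
                             "reasons": ["IE has a ProxyServer value configured"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:7} {f['name']:14} {f['path']}")
        for r in f["reasons"]:
            print(f"        - {r}")
```

Read the output with the log in hand. The two bare Notify DLLs are AVG's avgrsstx.dll and LogMeIn's LMIinit.dll, both of which appear elsewhere in the same log, so they are noise here; the hits that matter are the S3 drivers registered from the Guest account's temp folder that DDS could not find on disk. The proxy value is the literal placeholder proxy_server:8080; whether IE actually uses it depends on ProxyEnable, which the log excerpt does not show.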



#2 Elise
Malware Study Hall Admin

Posted 13 May 2010 - 11:21 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise
Malware analyst @ Emsisoft


#3 shaun0822

Posted 13 May 2010 - 01:06 PM

I disabled Spybot and AVG. After I save ComboFix to my desktop and tell it to run, it begins and then stalls. Should I do something differently first?

Thanks,

Shaun0822

#4 Elise

Posted 13 May 2010 - 01:10 PM

At what point does it stall? Can you let me know what the last thing you see ComboFix do is?

You can also try running it in Safe Mode with Networking.

regards, Elise


#5 shaun0822

Posted 13 May 2010 - 01:24 PM

It didn't get to the Microsoft Recovery Console part. It starts with the box as if it is loading the software and then stops. I'll try it in Safe Mode.


#6 Elise

Posted 13 May 2010 - 01:32 PM

Okay, if it still doesn't work, let me know and I'll give you a workaround to install the Recovery Console.

regards, Elise


#7 shaun0822

Posted 13 May 2010 - 03:49 PM

ComboFix 10-05-13.01 - Shaun 05/13/2010 16:05:55.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.633 [GMT -4:00]
Running from: c:\documents and settings\Shaun\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Prevx 2.0 *On-access scanning disabled* (Updated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shaun\Application Data\.#
c:\documents and settings\Shaun\Application Data\.#\MBX@A00@1195BD8.###
c:\program files\INSTALL.LOG
C:\Thumbs.db
c:\windows\system\QTIM32.DLL
c:\windows\system32\ncase.ini
c:\windows\system32\twain.dll

Infected copy of c:\windows\system32\drivers\avgtdix.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 07:24 . 2010-05-13 07:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-12 17:25 . 2010-05-12 17:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-12 16:13 . 2010-05-12 16:13 -------- d-----w- c:\program files\ESET
2010-05-12 00:21 . 2010-05-12 00:21 -------- d-----w- C:\12e6a38d8641dcdc537542
2010-05-12 00:12 . 2010-05-12 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-12 00:11 . 2010-05-12 00:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-12 00:11 . 2010-05-12 00:11 -------- d-----w- c:\documents and settings\Shaun\Application Data\SUPERAntiSpyware.com
2010-05-12 00:10 . 2010-05-12 00:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-11 14:39 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-05-10 20:53 . 2010-05-10 20:53 -------- d-----w- c:\documents and settings\Shaun\Application Data\Malwarebytes
2010-05-10 20:07 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-10 20:07 . 2010-05-10 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 20:07 . 2010-05-10 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 20:07 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 00:28 . 2010-05-10 00:28 -------- d-----w- c:\program files\Windows Defender
2010-05-08 16:04 . 2010-05-08 16:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-08 03:27 . 2010-05-08 03:27 -------- d-----w- c:\documents and settings\Shaun\Local Settings\Application Data\Threat Expert
2010-05-08 01:57 . 2010-05-08 01:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-08 01:53 . 2010-05-08 01:53 -------- d-----w- c:\program files\RealArcade
2010-05-08 01:53 . 2010-05-08 01:53 -------- d-----w- c:\program files\Realore
2010-04-23 20:09 . 2010-04-23 20:09 -------- d-----w- C:\$AVG
2010-04-23 19:59 . 2010-05-13 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 01:41 . 2007-12-18 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-11 15:39 . 2010-04-04 15:00 -------- d-----w- c:\documents and settings\Shaun\Application Data\mjusbsp
2010-05-10 22:37 . 2008-04-03 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-10 20:27 . 2007-11-15 18:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-08 13:12 . 2007-03-11 17:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 14:36 . 2009-10-04 06:29 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-27 20:38 . 2008-02-07 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-04-27 17:36 . 2008-02-07 17:37 59 ----a-w- c:\windows\wpd99.drv
2010-04-23 20:07 . 2009-03-18 02:16 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-23 20:06 . 2009-03-18 02:16 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-23 20:06 . 2009-03-18 02:16 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-23 20:05 . 2009-03-18 02:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-23 20:00 . 2009-01-23 14:01 -------- d-----w- c:\program files\AVG
2010-04-22 13:54 . 2003-05-23 16:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-08 13:57 . 2007-03-29 10:18 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 13:56 . 2007-03-29 10:19 -------- d-----w- c:\program files\Java
2010-04-03 19:24 . 2009-01-13 08:19 256 ----a-w- c:\windows\system32\pool.bin
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28 . 2009-06-22 23:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 1980-01-01 05:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 05:00 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2008-07-14 00:23 . 2008-07-14 00:23 0 ----a-w- c:\program files\temp01
2007-01-08 00:55 . 2007-01-08 00:55 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-05-22 20:26 . 2003-05-22 20:26 488032 ----a-w- c:\program files\PopUpStopper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 524288]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2007-03-15 1591808]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"cdloader"="c:\documents and settings\Shaun\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-18 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"rightsTest"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-23 20:05 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ------w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shaun^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Shaun\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW.exe]
2007-05-03 17:12 2061816 ----a-w- c:\program files\AT&T\Internet Security Wizard\ISW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JFaxMailNTHelper]
1999-03-05 16:34 45056 ----a-w- c:\windows\JFaxMailNTHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Realore\\Tiny Cars 2\\TinyCars2.exe"=
"c:\\Program Files\\Third Day Games\\Bible Champions Demo\\bible.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Documents and Settings\\Mike\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Guest Account\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Shaun\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:UltraVNC Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/17/2009 10:16 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/17/2009 10:16 PM 242896]
R1 PREVXTdi;PREVX TDI filter;c:\windows\SYSTEM32\DRIVERS\pxtdi.sys [7/5/2007 8:48 AM 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/23/2010 4:02 PM 308064]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9bd005dd5bd4;Google Update Service (gupdate1c9bd005dd5bd4);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 8:53 AM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [12/6/2007 7:34 PM 810632]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 X4HSX32Ex;X4HSX32Ex;\??\c:\program files\Free Ride Games\X4HSX32Ex.Sys --> c:\program files\Free Ride Games\X4HSX32Ex.Sys [?]
S3 avga;avga;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\avga.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\avga.sys [?]
S3 CASC;CASC;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\CASC.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\CASC.SYS [?]
S3 EmrtRate;EmrtRate;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\EmrtRate.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\EmrtRate.sys [?]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\Mike\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\Mike\LOCALS~1\Temp\ewdmaudn.sys [?]
S3 ewstcode;ewstcode;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\ewstcode.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\ewstcode.sys [?]
S3 gportcls;gportcls;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\gportcls.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\gportcls.sys [?]
S3 KHPN;KHPN;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\KHPN.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\KHPN.SYS [?]
S3 MHPN;MHPN;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\MHPN.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\MHPN.SYS [?]
S3 NIPFLTDR;NIPFLTDR;\??\c:\docume~1\Shaun\LOCALS~1\Temp\NIPFLTDR.SYS --> c:\docume~1\Shaun\LOCALS~1\Temp\NIPFLTDR.SYS [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\SYSTEM32\DRIVERS\PxEmu.sys [7/5/2007 8:48 AM 107784]
S3 rrdpwd;rrdpwd;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\rrdpwd.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\rrdpwd.sys [?]
S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [5/8/2010 12:04 PM 95024]
S3 TPCIIDE;TPCIIDE;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\TPCIIDE.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\TPCIIDE.SYS [?]
S3 uatnt40k;uatnt40k;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\uatnt40k.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\uatnt40k.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 12:53]

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 12:53]

2010-05-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-03 20:31]

2010-05-13 c:\windows\Tasks\User_Feed_Synchronization-{8544120C-104C-4C21-A4E3-E37218B9CEF0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nadadventist.org/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = ftp=proxy_server:8080;http=proxy_server:8080;https=proxy_server:8080;socks=proxy_server:8080
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Display All Images with Full Quality
IE: Display Image with Full Quality
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} - hxxp://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://games.att.net/gh/Delicious_Emilys_tea_garden_web/Game/gamehouseplayer.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://games.att.net/Gh/Delicious_2_Web/Game/zylomplayer.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/5.5.0.1437/MILive.cab
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Exetender - c:\program files\Free Ride Games\GPlayer.exe
MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
AddRemove-ActiveTouchMeetingClient - c:\windows\DOWNLO~1\atcliun.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-{777CA290-7D14-77c5-C518-684DC520A777}_is1 - c:\program files\EleFun Games\Puzzle Mania\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-05-13 16:39:40
ComboFix-quarantined-files.txt 2010-05-13 20:39

Pre-Run: 24,164,536,320 bytes free
Post-Run: 25,756,000,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 2EEFBACF3BA3E785328EF4564A321DE3


#8 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:47 PM

Posted 14 May 2010 - 04:19 AM

Hi, before continuing, your log shows you are connecting through a proxy server. Can you confirm you are indeed using this? (I ask because malware can also set proxies.)

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove Programs in the Control Panel and leave only one of the following programs on your computer: AVG, PrevX or Sunbelt VIPRE.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 shaun0822

  • Topic Starter

  • Members
  • 20 posts
  • Local time:03:47 PM

Posted 14 May 2010 - 05:57 PM

I don't know what a proxy server is. We use AT&T for our DSL. Prevx and Sunbelt are not in the Add/Remove Programs list. I will try to delete it through the program file list. Thanks.

#10 shaun0822

  • Topic Starter

  • Members
  • 20 posts
  • Local time:03:47 PM

Posted 14 May 2010 - 06:08 PM

I'm not able to locate Sunbelt in my program files. Do you have a suggestion on how I can find and remove it?

Thanks,

#11 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:47 PM

Posted 15 May 2010 - 03:24 AM

In that case, let's get rid of the proxy.

To get rid of Sunbelt/PrevX, you can try something like Revo Uninstaller.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
DDS::
uInternet Settings,ProxyServer = ftp=proxy_server:8080;http=proxy_server:8080;https=proxy_server:8080;socks=proxy_server:8080

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


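The two Elise posts above hinge on one log line: a ProxyServer entry that the owner did not configure, which is then handed back to ComboFix under a DDS:: section for removal. The script below is an added example for this thread, not part of DDS, ComboFix or either poster's instructions: it scans a DDS/ComboFix log for ProxyServer lines, compares the proxy hosts with an allow-list of proxies the owner actually uses (empty for a plain home DSL connection, so any entry at all is unexpected), and builds the CFScript text in the same DDS:: form the post above uses. The allow-list and the sample log fragment are constructed here; the sample's proxy line mirrors the one in the log posted earlier.

```python
"""Triage helper for the proxy question raised above: scan a DDS/ComboFix log
for ProxyServer entries, compare them with the proxies the owner actually uses,
and build the CFScript that asks ComboFix to remove the unexpected ones.

Added example for this thread; it is not part of DDS, ComboFix or the
original posts. The allow-list and the sample log are constructed here.
"""
import re
from dataclasses import dataclass, field

# DDS prints Internet Explorer settings with a hive prefix:
#   u... = per-user key (HKCU), m... = machine-wide key (HKLM).
PROXY_LINE = re.compile(
    r"^(?P<hive>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>\S.*)$"
)


@dataclass
class ProxyFinding:
    hive: str                                    # "u" or "m"
    raw_line: str                                # the log line exactly as DDS printed it
    proxies: dict = field(default_factory=dict)  # scheme -> "host:port"


def parse_proxy_value(value: str) -> dict:
    """Split a ProxyServer value into a scheme -> host:port map.

    IE stores either one "host:port" that applies to every scheme, or a
    ';'-separated list of "scheme=host:port" pairs; DDS reproduces it verbatim.
    """
    value = value.strip()
    if "=" not in value:
        return {"*": value}
    proxies = {}
    for part in value.split(";"):
        scheme, _, hostport = part.strip().partition("=")
        if scheme and hostport:
            proxies[scheme.lower()] = hostport
    return proxies


def proxy_host(hostport: str) -> str:
    """Return the host part of "host:port"; an optional "scheme://" prefix is dropped."""
    hostport = hostport.split("://", 1)[-1]
    host, _, _ = hostport.rpartition(":")
    return (host or hostport).lower()


def find_proxy_settings(log_text: str) -> list:
    """Collect every ProxyServer line in a DDS/ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line.strip())
        if m:
            findings.append(
                ProxyFinding(m.group("hive"), line.strip(), parse_proxy_value(m.group("value")))
            )
    return findings


def unexpected_proxies(findings: list, allowed_hosts: set) -> list:
    """Keep the findings that point at a host the owner did not configure.

    For a home DSL connection the allow-list is normally empty, so any
    ProxyServer entry at all is unexpected and worth asking about.
    """
    allowed = {h.lower() for h in allowed_hosts}
    return [f for f in findings
            if any(proxy_host(hp) not in allowed for hp in f.proxies.values())]


def build_cfscript(findings: list) -> str:
    """Produce CFScript text: a DDS:: section listing the lines ComboFix should remove."""
    return "\n".join(["DDS::"] + [f.raw_line for f in findings]) + "\n"


# Constructed sample: a fragment shaped like the Supplementary Scan section
# of the log posted above, carrying the same ProxyServer line.
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nadadventist.org/
uInternet Settings,ProxyServer = ftp=proxy_server:8080;http=proxy_server:8080;https=proxy_server:8080;socks=proxy_server:8080
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
"""

if __name__ == "__main__":
    found = find_proxy_settings(SAMPLE_LOG)
    suspect = unexpected_proxies(found, allowed_hosts=set())  # no proxy is expected on this PC
    for f in suspect:
        print(f"[{f.hive}] unexpected proxy: {f.proxies}")
    if suspect:
        print(build_cfscript(suspect), end="")
```

Run it against a saved log and, if the owner confirms no proxy is in use, the printed text is what goes into CFScript.txt next to ComboFix.exe. A proxy host on the allow-list (for instance one the ISP or a workplace provides) is left alone, so the script only raises the question Elise asked rather than deciding it.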


#12 shaun0822

  • Topic Starter

  • Members
  • 20 posts
  • Local time:03:47 PM

Posted 15 May 2010 - 07:19 AM

After I dragged the file onto ComboFix and it did the grey box and gave me the blue screen, ComboFix asked me if I wanted to update the copy. I said yes. Was I supposed to say no? It made the update, restarted itself, and is now doing the scan. I just want to make sure that I clicked the right button, even though it may be too late to ask now.

#13 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:47 PM

Posted 15 May 2010 - 07:28 AM

Yes, that is fine.

regards, Elise




#14 shaun0822

  • Topic Starter

  • Members
  • 20 posts
  • Local time:03:47 PM

Posted 15 May 2010 - 09:04 PM

ComboFix 10-05-14.06 - Shaun 05/15/2010 8:14.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.480 [GMT -4:00]
Running from: c:\documents and settings\Shaun\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shaun\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Prevx 2.0 *On-access scanning disabled* (Updated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-15 11:49 . 2010-05-15 11:49 -------- d-----w- c:\documents and settings\Shaun\Local Settings\Application Data\VS Revo Group
2010-05-15 11:49 . 2010-05-15 11:49 -------- d-----w- c:\windows\LastGood
2010-05-15 11:49 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-05-15 11:49 . 2010-05-15 11:49 -------- d-----w- c:\program files\VS Revo Group
2010-05-13 07:24 . 2010-05-13 07:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-12 17:25 . 2010-05-12 17:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-12 16:13 . 2010-05-12 16:13 -------- d-----w- c:\program files\ESET
2010-05-12 00:21 . 2010-05-12 00:21 -------- d-----w- C:\12e6a38d8641dcdc537542
2010-05-12 00:12 . 2010-05-12 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-12 00:11 . 2010-05-12 00:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-12 00:11 . 2010-05-12 00:11 -------- d-----w- c:\documents and settings\Shaun\Application Data\SUPERAntiSpyware.com
2010-05-12 00:10 . 2010-05-12 00:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-11 14:39 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-05-10 20:53 . 2010-05-10 20:53 -------- d-----w- c:\documents and settings\Shaun\Application Data\Malwarebytes
2010-05-10 20:07 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-10 20:07 . 2010-05-10 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 20:07 . 2010-05-10 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 20:07 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 00:28 . 2010-05-10 00:28 -------- d-----w- c:\program files\Windows Defender
2010-05-08 16:04 . 2010-05-08 16:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-08 03:27 . 2010-05-08 03:27 -------- d-----w- c:\documents and settings\Shaun\Local Settings\Application Data\Threat Expert
2010-05-08 01:57 . 2010-05-08 01:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-08 01:53 . 2010-05-08 01:53 -------- d-----w- c:\program files\RealArcade
2010-05-08 01:53 . 2010-05-08 01:53 -------- d-----w- c:\program files\Realore
2010-04-23 20:09 . 2010-04-23 20:09 -------- d-----w- C:\$AVG
2010-04-23 19:59 . 2010-05-13 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 23:04 . 2007-07-05 12:47 -------- d-----w- c:\program files\Prevx2
2010-05-13 23:05 . 2008-02-07 17:37 60 ----a-w- c:\windows\wpd99.drv
2010-05-13 23:05 . 2008-02-07 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-05-12 01:41 . 2007-12-18 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-11 15:39 . 2010-04-04 15:00 -------- d-----w- c:\documents and settings\Shaun\Application Data\mjusbsp
2010-05-10 22:37 . 2008-04-03 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-10 20:27 . 2007-11-15 18:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-08 13:12 . 2007-03-11 17:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-08 01:55 . 2010-04-05 12:40 -------- d-----w- c:\documents and settings\Guest Account\Application Data\mjusbsp
2010-05-06 14:36 . 2009-10-04 06:29 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-03 00:50 . 2008-04-24 01:47 -------- d-----w- c:\documents and settings\Mike\Application Data\mjusbsp
2010-04-23 20:07 . 2009-03-18 02:16 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-23 20:06 . 2009-03-18 02:16 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-23 20:06 . 2009-03-18 02:16 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-23 20:05 . 2009-03-18 02:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-23 20:00 . 2009-01-23 14:01 -------- d-----w- c:\program files\AVG
2010-04-22 13:54 . 2003-05-23 16:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 14:45 . 2010-04-11 14:45 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2010-04-08 13:57 . 2007-03-29 10:18 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 13:56 . 2007-03-29 10:19 -------- d-----w- c:\program files\Java
2010-04-03 19:24 . 2009-01-13 08:19 256 ----a-w- c:\windows\system32\pool.bin
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28 . 2009-06-22 23:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 1980-01-01 05:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 05:00 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2008-07-14 00:23 . 2008-07-14 00:23 0 ----a-w- c:\program files\temp01
2007-01-08 00:55 . 2007-01-08 00:55 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-05-22 20:26 . 2003-05-22 20:26 488032 ----a-w- c:\program files\PopUpStopper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 524288]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2007-03-15 1591808]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"cdloader"="c:\documents and settings\Shaun\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-18 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"rightsTest"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-23 20:05 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ------w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shaun^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Shaun\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW.exe]
2007-05-03 17:12 2061816 ----a-w- c:\program files\AT&T\Internet Security Wizard\ISW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JFaxMailNTHelper]
1999-03-05 16:34 45056 ----a-w- c:\windows\JFaxMailNTHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Realore\\Tiny Cars 2\\TinyCars2.exe"=
"c:\\Program Files\\Third Day Games\\Bible Champions Demo\\bible.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Documents and Settings\\Mike\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Guest Account\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\Mike\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Shaun\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:UltraVNC Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/17/2009 10:16 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/17/2009 10:16 PM 242896]
R1 PREVXTdi;PREVX TDI filter;c:\windows\SYSTEM32\DRIVERS\pxtdi.sys [7/5/2007 8:48 AM 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/23/2010 4:02 PM 308064]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9bd005dd5bd4;Google Update Service (gupdate1c9bd005dd5bd4);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 8:53 AM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [12/6/2007 7:34 PM 810632]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 X4HSX32Ex;X4HSX32Ex;\??\c:\program files\Free Ride Games\X4HSX32Ex.Sys --> c:\program files\Free Ride Games\X4HSX32Ex.Sys [?]
S3 avga;avga;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\avga.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\avga.sys [?]
S3 CASC;CASC;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\CASC.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\CASC.SYS [?]
S3 EmrtRate;EmrtRate;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\EmrtRate.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\EmrtRate.sys [?]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\Mike\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\Mike\LOCALS~1\Temp\ewdmaudn.sys [?]
S3 ewstcode;ewstcode;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\ewstcode.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\ewstcode.sys [?]
S3 gportcls;gportcls;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\gportcls.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\gportcls.sys [?]
S3 KHPN;KHPN;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\KHPN.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\KHPN.SYS [?]
S3 MHPN;MHPN;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\MHPN.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\MHPN.SYS [?]
S3 NIPFLTDR;NIPFLTDR;\??\c:\docume~1\Shaun\LOCALS~1\Temp\NIPFLTDR.SYS --> c:\docume~1\Shaun\LOCALS~1\Temp\NIPFLTDR.SYS [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\SYSTEM32\DRIVERS\PxEmu.sys [7/5/2007 8:48 AM 107784]
S3 Revoflt;Revoflt;c:\windows\SYSTEM32\DRIVERS\revoflt.sys [5/15/2010 7:49 AM 27064]
S3 rrdpwd;rrdpwd;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\rrdpwd.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\rrdpwd.sys [?]
S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [5/8/2010 12:04 PM 95024]
S3 TPCIIDE;TPCIIDE;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\TPCIIDE.SYS --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\TPCIIDE.SYS [?]
S3 uatnt40k;uatnt40k;\??\c:\docume~1\GUESTA~1\LOCALS~1\Temp\uatnt40k.sys --> c:\docume~1\GUESTA~1\LOCALS~1\Temp\uatnt40k.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 12:53]

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 12:53]

2010-05-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-03 20:31]

2010-05-15 c:\windows\Tasks\User_Feed_Synchronization-{8544120C-104C-4C21-A4E3-E37218B9CEF0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nadadventist.org/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Display All Images with Full Quality
IE: Display Image with Full Quality
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} - hxxp://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://games.att.net/gh/Delicious_Emilys_tea_garden_web/Game/gamehouseplayer.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://games.att.net/Gh/Delicious_2_Web/Game/zylomplayer.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/5.5.0.1437/MILive.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 08:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(652)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-05-15 08:41:33
ComboFix-quarantined-files.txt 2010-05-15 12:41
ComboFix2.txt 2010-05-13 20:39

Pre-Run: 25,601,191,936 bytes free
Post-Run: 25,902,383,104 bytes free

- - End Of File - - 8C490DB26814A898422C395C59815ABF


#15 shaun0822

shaun0822
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 15 May 2010 - 09:29 PM

It's fixed. Thanks!!



