Broken browser


  • This topic is locked
24 replies to this topic

#1 JXP

  • Members
  • 28 posts

Posted 22 May 2010 - 06:04 PM

Split from: http://www.bleepingcomputer.com/forums/t/316117/broken-browser/

Hi Budapest,

I followed the instructions to run defogger, DDS, and GMER. I was running with the DSL cable disconnected, and with firewall and antivirus disabled, but I had trouble running GMER.
A GMER scan takes about 7 hours, and it kept crashing about 2-3 hours into the scan with blue screens, or locking up if it finished a scan. So I removed all my archived .jpgs and other stuff to remove about 60 GB from the C: drive. There is now only 24 GB total disk usage on this computer, so I was able to complete a GMER scan in a couple of hours.

After the scan, I rebooted and found I have no problem accessing Windows Update and no IE browser redirecting. I have been searching in Google for a half hour now and every search took me to the correct link that I clicked on. Maybe I am cured, or maybe the virus is hibernating.

Here are the logs from DDS and GMER:

My forum window does not have a button to add attachments at the bottom. So I put the attachment ZIP file here: attach3.zip

DDS (Ver_10-03-17.01) - NTFSx86
Run by J at 12:10:09.54 on Sat 05/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.683 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\asuskbservice.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Documents and Settings\J\Desktop\VIRUS\TOOLS\BLEEPING_COMPUTER\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [anvshell] anvshell.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min /nosplash
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: //www.google.com/
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\j\applic~1\mozilla\firefox\profiles\x40xa1eg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [2006-8-11 233816]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-21 11608]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-10-21 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 68168]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2009-10-21 1195008]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-21 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-21 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-21 56816]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-10-21 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-10-21 257432]

=============== Created Last 30 ================

2010-05-20 15:17:43 0 ----a-w- c:\documents and settings\j\defogger_reenable
2010-05-17 11:36:34 0 d-----w- C:\HostsXpert
2010-05-11 02:24:28 0 d-----w- c:\docume~1\j\applic~1\Malwarebytes
2010-05-11 02:23:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 02:22:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 02:22:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 02:22:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-10 21:54:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-08 15:05:34 0 d-----w- c:\program files\bild.me Upload-Tool
2010-05-08 12:31:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 14:46:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-04 13:11:20 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-03 19:38:12 84992 --sha-r- c:\windows\system32\c_12544.dll
2010-04-29 12:04:42 0 ----a-w- c:\windows\iq_test.INI
2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-05-19 05:42:47 233816 ----a-w- c:\windows\system32\drivers\anvioctl.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2007-06-27 09:34:57 37644 ----a-w- c:\program files\Rose_Tint_Y.mid
2007-06-16 10:54:14 30793 ----a-w- c:\program files\rhps13-X_Rose_Tint.mid
2007-06-14 18:45:02 36767 ----a-w- c:\program files\rhps13-A_Rose_Tint.mid
2007-06-13 16:35:23 52983 ----a-w- c:\program files\kodachrome2.mid
2003-07-31 09:53:28 147456 ----a-w- c:\windows\inf\EL2K_XP.sys
2003-07-31 09:50:16 448768 ----a-w- c:\windows\inf\EL2K_N64.sys
2003-07-31 09:43:00 147456 ----a-w- c:\windows\inf\EL2K_2K.sys

============= FINISH: 12:11:05.60 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-22 13:21:20
Windows 5.1.2600 Service Pack 3
Running: 0m7r49nl.exe; Driver: C:\DOCUME~1\J\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xF2E33A60]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwClose [0xF2E18BF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xF2E35920]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xF2E14F60]
SSDT F7B7D546 ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xF2E2C2B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xF2E2CBB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xF2E13D10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xF2E1FE40]
SSDT F7B7D53C ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xF2E38F30]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xF2E1EB20]
SSDT F7B7D54B ZwDeleteKey
SSDT F7B7D555 ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xF2E29BB0]
SSDT F7B7D55A ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xF2E1F6B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xF2E17C10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0xF2E20FC0]
SSDT F7B7D528 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xF2E14580]
SSDT F7B7D52D ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xF2E34DA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xF2E198A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xF2E23750]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryValueKey [0xF2E23FA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xF2E32ED0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xF2E27590]
SSDT F7B7D564 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xF2E37A50]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xF2E37D70]
SSDT F7B7D55F ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xF2E25C80]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xF2E264D0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xF2E36480]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xF2E32440]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xF2E39520]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xF2E1ABF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xF2E291C0]
SSDT F7B7D550 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xF2E31190]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xF2E31AC0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xF2E38770]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF2EC8950]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xF2E30620]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xF2E2A530]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xF2E342B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [90, 11, E3, F2, C0, 1A, E3, ...]
init C:\WINDOWS\System32\ANVMINI.DLL entry point in "init" section [0xBFE47300]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\CTsvcCDA.exe[148] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\CTsvcCDA.exe[148] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\CTsvcCDA.exe[148] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\CTsvcCDA.exe[148] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[228] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[228] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[228] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Java\jre6\bin\jqs.exe[228] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[280] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[280] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[280] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[280] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\nvsvc32.exe[312] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\nvsvc32.exe[312] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\nvsvc32.exe[312] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\nvsvc32.exe[312] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[412] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[412] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[412] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\MsPMSPSv.exe[412] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[600] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[600] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[600] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\anvshell.exe[600] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[604] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[604] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[604] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[604] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[620] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[620] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[620] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE[620] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[652] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[652] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[652] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\CTHELPER.EXE[652] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[732] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[732] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[732] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[732] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[732] USER32.dll!EnableWindow 7E429849 5 Bytes JMP 011A944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[732] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[768] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 009CA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[768] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 009CA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[768] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 009CA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[768] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 009CA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[944] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[944] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[944] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[944] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[988] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[988] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[988] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[988] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1004] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1004] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1004] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1004] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1056] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1056] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1056] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\GammaTray.exe[1056] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1340] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1340] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1340] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE[1340] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1552] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1552] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1552] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[1552] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1596] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1596] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1596] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1596] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[1660] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[1660] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[1660] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\rundll32.exe[1660] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[1924] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2016] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2016] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2016] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2016] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[2040] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[2040] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[2040] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\asuskbservice.exe[2040] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[2192] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[2192] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[2192] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\J\Desktop\0m7r49nl.exe[2192] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[2648] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 00BFA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[2648] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 00BFA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[2648] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 00BFA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\MagicTune Premium\MagicTune.exe[2648] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 00BFA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- EOF - GMER 1.0.15 ----

Edited by Budapest, 22 May 2010 - 06:22 PM.
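Every hook in the GMER listing above resolves to the same Agnitum module, which is what makes it benign security-software hooking rather than a rootkit finding. As an added triage example (not code from GMER, ComboFix or anyone in this thread), the following script parses lines in that GMER hook format, groups hooks by the module that owns the JMP target, and flags any hook GMER could not attribute to a named module and vendor. The sample lines are constructed in the format shown above; the last one is a constructed unattributed hook included only to exercise the flagging.

```python
import re
from collections import defaultdict

# One GMER user-mode hook line, as in the log above:
#   .text <process path>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner path> (<description/vendor>)]
# Owner path and description are optional: GMER prints nothing after the
# JMP target when it cannot attribute the hook to a module.
HOOK_RE = re.compile(
    r"^(?P<section>\.\w+)\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>[^(\s]+))?"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)


def parse_hook(line):
    """Return a dict for one hook line, or None for any other line (headers, devices)."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["size"] = int(rec["size"])
    # Owner paths are case-insensitive on Windows; normalise so grouping works.
    rec["owner"] = rec["owner"].lower() if rec["owner"] else None
    return rec


def summarize_by_owner(lines):
    """Group hooks by the module owning the JMP target: count, processes, hooked exports."""
    summary = defaultdict(
        lambda: {"desc": None, "count": 0, "processes": set(), "exports": set()}
    )
    for line in lines:
        rec = parse_hook(line)
        if rec is None:
            continue
        entry = summary[rec["owner"]]
        entry["desc"] = rec["desc"]
        entry["count"] += 1
        entry["processes"].add(rec["process"])
        entry["exports"].add(f'{rec["module"]}!{rec["export"]}')
    return dict(summary)


def flag_unattributed(lines):
    """Hooks with no owning module or no vendor string are the ones worth a manual look."""
    return [
        rec
        for rec in map(parse_hook, lines)
        if rec is not None and (rec["owner"] is None or not rec["desc"])
    ]


# Constructed sample in the format of the log above (first three lines mirror
# real entries; the fourth is a constructed unattributed hook, not from the log).
SAMPLE_LINES = [
    r".text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[768] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 009CA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)",
    r".text C:\WINDOWS\system32\winlogon.exe[944] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)",
    r".text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[1924] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)",
    r".text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 00A7000C",
    "---- Devices - GMER 1.0.15 ----",
]

if __name__ == "__main__":
    for owner, info in summarize_by_owner(SAMPLE_LINES).items():
        print(f"{owner or '<unattributed>'} ({info['desc'] or 'no vendor'}): "
              f"{info['count']} hook(s) in {len(info['processes'])} process(es)")
    for rec in flag_unattributed(SAMPLE_LINES):
        print(f"REVIEW: {rec['process']}[{rec['pid']}] {rec['module']}!{rec['export']} -> {rec['target']}")
```

Hooks that all map to a known, signed security product with a consistent vendor string (as in this log) are expected; an unattributed JMP into anonymous memory is what should prompt a closer look.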




#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 May 2010 - 07:29 PM

Hello JXP. I'll continue helping you from here.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
The Panda

#3 JXP

JXP
  • Topic Starter

  • Members
  • 28 posts

Posted 22 May 2010 - 10:06 PM

Hi Panda,
Thanks for helping. I installed recovery console and ran ComboFix.


ComboFix 10-05-22.01 - J 05/22/2010 19:22:44.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.611 [GMT -7:00]
Running from: c:\documents and settings\J\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\Eurosti.TTF

.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-17 11:36 . 2010-05-17 11:36 -------- d-----w- C:\HostsXpert
2010-05-11 02:24 . 2010-05-11 02:24 -------- d-----w- c:\documents and settings\J\Application Data\Malwarebytes
2010-05-11 02:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 02:22 . 2010-05-11 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 02:22 . 2010-05-11 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-11 02:22 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 15:05 . 2010-05-08 15:05 -------- d-----w- c:\program files\bild.me Upload-Tool
2010-05-08 12:31 . 2010-05-10 21:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 14:46 . 2010-05-08 06:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-04 13:11 . 2010-05-04 13:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-03 21:42 . 2010-05-03 21:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-03 19:38 . 2010-05-03 19:38 84992 --sha-r- c:\windows\system32\c_12544.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 02:30 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-23 02:30 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-19 05:42 . 2006-08-11 16:51 233816 ----a-w- c:\windows\system32\drivers\anvioctl.sys
2010-05-15 02:54 . 2008-08-02 02:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-15 02:46 . 2010-04-18 07:11 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-15 02:46 . 2010-04-18 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-15 02:46 . 2010-05-15 02:46 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-15 02:46 . 2008-07-04 07:35 -------- d-----w- c:\program files\DivX
2010-05-15 02:46 . 2010-05-15 02:46 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-15 02:46 . 2010-05-15 02:46 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-15 02:42 . 2010-05-15 02:42 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-15 02:42 . 2010-04-18 07:11 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-15 02:42 . 2010-04-18 07:11 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-14 10:40 . 2010-05-04 13:19 63488 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-14 10:40 . 2010-05-04 13:19 117760 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-14 00:12 . 2009-08-16 06:31 -------- d-----w- c:\program files\SRWare Iron
2010-05-10 21:55 . 2010-05-10 21:55 503808 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcp71.dll
2010-05-10 21:55 . 2010-05-10 21:55 499712 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\jmc.dll
2010-05-10 21:55 . 2010-05-10 21:55 348160 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcr71.dll
2010-05-10 21:54 . 2010-05-10 21:54 61440 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-sse.dll
2010-05-10 21:54 . 2010-05-10 21:54 12800 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-d3d.dll
2010-05-09 09:49 . 2009-11-06 05:53 -------- d-----w- c:\program files\Google
2010-05-09 09:43 . 2006-08-17 23:34 -------- d-----w- c:\program files\Java
2010-05-09 09:43 . 2006-08-17 23:16 -------- d-----w- c:\program files\Common Files\Java
2010-05-04 13:19 . 2010-05-04 13:19 52224 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-04 13:18 . 2008-08-02 02:42 -------- d-----w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com
2010-04-29 13:27 . 2010-02-28 16:18 -------- d-----w- c:\program files\MagicTune Premium
2010-04-18 07:10 . 2010-04-18 07:10 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-18 07:10 . 2009-08-20 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-01 17:32 . 2010-04-01 17:32 -------- d-----w- c:\program files\QuickTime
2010-04-01 17:32 . 2006-11-16 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-06-27 09:34 . 2007-06-27 09:34 37644 ----a-w- c:\program files\Rose_Tint_Y.mid
2007-06-16 10:54 . 2007-06-16 10:54 30793 ----a-w- c:\program files\rhps13-X_Rose_Tint.mid
2007-06-14 18:45 . 2007-06-14 18:45 36767 ----a-w- c:\program files\rhps13-A_Rose_Tint.mid
2007-06-13 16:35 . 2007-06-13 16:35 52983 ----a-w- c:\program files\kodachrome2.mid
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 135168]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-09 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-09 4136960]
"nwiz"="nwiz.exe" [2004-07-01 843776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-09 81920]
"anvshell"="anvshell.exe" [2004-06-24 393216]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]
"AsioReg"="CTASIO.DLL" [2003-06-20 118784]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-2-28 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [8/11/2006 9:51 AM 233816]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [10/21/2009 10:12 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/21/2009 10:20 PM 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [10/21/2009 10:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [10/21/2009 10:12 PM 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [10/21/2009 10:10 PM 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{88268424-A414-41CE-AD3E-C42E88E3A3BA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: //www.google.com/
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\x40xa1eg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 19:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-2025429265-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\asuskbservice.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\anvshell.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-22 19:49:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-23 02:49

Pre-Run: 93,764,923,392 bytes free
Post-Run: 96,433,303,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A04F20A211F1EB4D11E109CDA11F93D1

#4 JXP

JXP
  • Topic Starter

  • Members
  • 28 posts

Posted 23 May 2010 - 05:14 AM

A note that may help:
The symptoms of IE browser redirect stopped before I ran the ComboFix scan, and there has been no problem accessing the Windows Update site before or after the scan.
Then, a few hours after completing the ComboFix scan I was browsing with IE and I got virus warnings from Avira:

Virus or unwanted program 'HTML/Crypted.Gen [virus]'
detected in file 'C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\HXZ37LTX\cd[1].htm.
Action performed: Delete file 5-23-2010, 1:46:18

Virus or unwanted program 'HTML/Crypted.Gen [virus]'
detected in file 'C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\HXZ37LTX\cd[1].htm.
Action performed: Delete file 5-23-2010, 1:48:34

There have been no symptoms of browser redirect after detecting and deleting these viruses.

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 23 May 2010 - 09:50 AM

Hello.

That sounds good. I want to have a closer look at a file though.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/318474/broken-browser/

    Collect::[59]
    c:\windows\system32\c_12544.dll

    Suspect::[59]
    c:\windows\system32\drivers\anvioctl.sys

    FileLook::
    c:\windows\system32\drivers\anvioctl.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Please tell me if the symptoms return.

With Regards,
The Panda

#6 JXP

JXP
  • Topic Starter

  • Members
  • 28 posts

Posted 23 May 2010 - 04:33 PM

I dragged the script into ComboFix and ran it. The window said it uploaded to the server at the end of the scan.
So far I have no symptoms of browser redirecting and I can access all the Windows Update links. I will report back if any more problems come up.

Here is the log file:
ComboFix 10-05-22.01 - J 05/23/2010 14:08:40.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.713 [GMT -7:00]
Running from: c:\documents and settings\J\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\J\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

file zipped: c:\windows\system32\c_12544.dll
file zipped: c:\windows\system32\drivers\anvioctl.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\c_12544.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-23 06:47 . 2010-05-23 06:47 503808 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\msvcp71.dll
2010-05-23 06:47 . 2010-05-23 06:47 499712 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\jmc.dll
2010-05-23 06:47 . 2010-05-23 06:47 348160 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\msvcr71.dll
2010-05-23 06:47 . 2010-05-23 06:47 61440 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-31e03770-n\decora-sse.dll
2010-05-23 06:47 . 2010-05-23 06:47 12800 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-31e03770-n\decora-d3d.dll
2010-05-17 11:36 . 2010-05-17 11:36 -------- d-----w- C:\HostsXpert
2010-05-15 02:46 . 2010-05-15 02:46 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-15 02:46 . 2010-05-15 02:46 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-15 02:46 . 2010-05-15 02:46 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-15 02:42 . 2010-05-15 02:42 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-11 02:24 . 2010-05-11 02:24 -------- d-----w- c:\documents and settings\J\Application Data\Malwarebytes
2010-05-11 02:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 02:22 . 2010-05-11 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 02:22 . 2010-05-11 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-11 02:22 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 21:55 . 2010-05-10 21:55 503808 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcp71.dll
2010-05-10 21:55 . 2010-05-10 21:55 499712 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\jmc.dll
2010-05-10 21:55 . 2010-05-10 21:55 348160 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcr71.dll
2010-05-10 21:54 . 2010-05-10 21:54 61440 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-sse.dll
2010-05-10 21:54 . 2010-05-10 21:54 12800 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-d3d.dll
2010-05-08 15:05 . 2010-05-08 15:05 -------- d-----w- c:\program files\bild.me Upload-Tool
2010-05-08 12:31 . 2010-05-10 21:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 14:46 . 2010-05-08 06:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-04 13:19 . 2010-05-14 10:40 63488 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 13:19 . 2010-05-04 13:19 52224 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-04 13:19 . 2010-05-14 10:40 117760 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 13:11 . 2010-05-04 13:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-03 21:42 . 2010-05-03 21:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 11:33 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-23 11:33 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-19 05:42 . 2006-08-11 16:51 233816 ----a-w- c:\windows\system32\drivers\anvioctl.sys
2010-05-15 02:54 . 2008-08-02 02:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-15 02:46 . 2010-04-18 07:11 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-15 02:46 . 2010-04-18 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-15 02:46 . 2008-07-04 07:35 -------- d-----w- c:\program files\DivX
2010-05-15 02:42 . 2010-04-18 07:11 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-15 02:42 . 2010-04-18 07:11 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-14 00:12 . 2009-08-16 06:31 -------- d-----w- c:\program files\SRWare Iron
2010-05-09 09:49 . 2009-11-06 05:53 -------- d-----w- c:\program files\Google
2010-05-09 09:43 . 2006-08-17 23:34 -------- d-----w- c:\program files\Java
2010-05-09 09:43 . 2006-08-17 23:16 -------- d-----w- c:\program files\Common Files\Java
2010-05-04 13:18 . 2008-08-02 02:42 -------- d-----w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com
2010-04-29 13:27 . 2010-02-28 16:18 -------- d-----w- c:\program files\MagicTune Premium
2010-04-18 07:10 . 2010-04-18 07:10 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-18 07:10 . 2009-08-20 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-01 17:32 . 2010-04-01 17:32 -------- d-----w- c:\program files\QuickTime
2010-04-01 17:32 . 2006-11-16 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-06-27 09:34 . 2007-06-27 09:34 37644 ----a-w- c:\program files\Rose_Tint_Y.mid
2007-06-16 10:54 . 2007-06-16 10:54 30793 ----a-w- c:\program files\rhps13-X_Rose_Tint.mid
2007-06-14 18:45 . 2007-06-14 18:45 36767 ----a-w- c:\program files\rhps13-A_Rose_Tint.mid
2007-06-13 16:35 . 2007-06-13 16:35 52983 ----a-w- c:\program files\kodachrome2.mid
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\anvioctl.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 233816
Created time: 2006-08-11 16:51
Modified time: 2010-05-19 05:42
MD5: 25F793092DBB40B7C7D7FBCE41FF4229
SHA1: 2FD1459FE58F336AFA565F5397088DE507E5D2AA


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 135168]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-09 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-09 4136960]
"nwiz"="nwiz.exe" [2004-07-01 843776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-09 81920]
"anvshell"="anvshell.exe" [2004-06-24 393216]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]
"AsioReg"="CTASIO.DLL" [2003-06-20 118784]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-2-28 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [8/11/2006 9:51 AM 233816]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [10/21/2009 10:12 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/21/2009 10:20 PM 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [10/21/2009 10:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [10/21/2009 10:12 PM 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [10/21/2009 10:10 PM 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-05-23 c:\windows\Tasks\User_Feed_Synchronization-{88268424-A414-41CE-AD3E-C42E88E3A3BA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: //www.google.com/
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\x40xa1eg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-2025429265-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-23 14:18:50
ComboFix-quarantined-files.txt 2010-05-23 21:18
ComboFix2.txt 2010-05-23 02:49

Pre-Run: 96,385,679,360 bytes free
Post-Run: 96,374,616,064 bytes free

- - End Of File - - 5015313B2E24C17E79BBB87AB0F02346
Upload was successful

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:08 AM

Posted 24 May 2010 - 10:15 AM

Hello.

There is an unsigned driver file that I'm suspicious of. Let's look for a replacement.

Please run DDS again. This time, post the Attach.txt too please.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    anvioctl.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

With Regards,
The Panda

#8 JXP

JXP
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 24 May 2010 - 03:41 PM

Hi Panda,

I ran the two programs as you requested with the DSL cable unplugged, and firewall and Avira disabled.
Three logfiles are below:

DDS (Ver_10-03-17.01) - NTFSx86
Run by J at 13:33:22.81 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.607 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\asuskbservice.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\IrfanView\i_view32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\J\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [anvshell] anvshell.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min /nosplash
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: //www.google.com/
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\j\applic~1\mozilla\firefox\profiles\x40xa1eg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [2006-8-11 233816]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-21 11608]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-10-21 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-21 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-21 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-21 56816]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-10-21 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-10-21 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2009-10-21 1195008]

=============== Created Last 30 ================

2010-05-23 21:07:35 0 d-----w- C:\ComboFix
2010-05-23 02:20:03 0 d-sha-r- C:\cmdcons
2010-05-23 02:11:02 98816 ----a-w- c:\windows\sed.exe
2010-05-23 02:11:02 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 02:11:02 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 02:11:02 161792 ----a-w- c:\windows\SWREG.exe
2010-05-20 15:17:43 0 ----a-w- c:\documents and settings\j\defogger_reenable
2010-05-17 11:36:34 0 d-----w- C:\HostsXpert
2010-05-11 02:24:28 0 d-----w- c:\docume~1\j\applic~1\Malwarebytes
2010-05-11 02:23:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 02:22:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 02:22:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 02:22:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-10 21:54:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-08 15:05:34 0 d-----w- c:\program files\bild.me Upload-Tool
2010-05-08 12:31:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 14:46:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-04 13:11:20 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-29 12:04:42 0 ----a-w- c:\windows\iq_test.INI
2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-05-19 05:42:47 233816 ----a-w- c:\windows\system32\drivers\anvioctl.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2007-06-27 09:34:57 37644 ----a-w- c:\program files\Rose_Tint_Y.mid
2007-06-16 10:54:14 30793 ----a-w- c:\program files\rhps13-X_Rose_Tint.mid
2007-06-14 18:45:02 36767 ----a-w- c:\program files\rhps13-A_Rose_Tint.mid
2007-06-13 16:35:23 52983 ----a-w- c:\program files\kodachrome2.mid
2003-07-31 09:53:28 147456 ----a-w- c:\windows\inf\EL2K_XP.sys
2003-07-31 09:50:16 448768 ----a-w- c:\windows\inf\EL2K_N64.sys
2003-07-31 09:43:00 147456 ----a-w- c:\windows\inf\EL2K_2K.sys

============= FINISH: 13:33:59.50 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume3
Install Date: 8/11/2006 9:28:22 AM
System Uptime: 5/24/2010 12:47:44 PM (1 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P4P800
Processor: Intel® Pentium® 4 CPU 2.80GHz | CPU 1 | 2798/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 89.344 GiB free.
D: is CDROM ()
F: is Removable
G: is Removable
I: is Removable
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Service:

==== System Restore Points ===================

RP19: 5/21/2010 12:43:49 AM - System Checkpoint
RP20: 5/22/2010 3:31:05 AM - System Checkpoint

==== Installed Programs ======================


7-Zip 9.10 beta
AAC Decoder
Adobe Download Manager
Adobe Flash Player 10 Plugin
Agere Systems PCI Soft Modem
Apple Application Support
Apple Software Update
ASUS Display Drivers
Audacity 1.2.6
AutoUpdate
Avira AntiVir Personal - Free Antivirus
bild.me Upload-Tool 1.0 BETA
Core FTP LE 1.3c
Creative MediaSource
Creative System Information
Cubasis VST 4
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
getPlus®_ocx
GTK+ 2.8.18-1 runtime environment
H.264 Decoder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
InfraRecorder
IrfanView (remove only)
Japanese Fonts Support For Adobe Reader 9
Java Auto Updater
Java™ 6 Update 20
jetAudio Basic
Juno
LADSPA_plugins-win-0.4.15
Macromedia Shockwave Player
MagicTune Premium
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Excel Viewer 97
Microsoft Office Word Viewer 2003
Microsoft PowerPoint Viewer 97
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MKV Splitter
Mozilla Firefox (3.6)
MSVCRT
Natural Color
Nero Suite
NVIDIA Drivers
Outpost Firewall 2009
PDF-Viewer
PhotoStudio 2.0 SE
Powerbullet Presenter
PowerDVD
QuickTime
Registrar Lite 2.00
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Segoe UI
Serif DrawPlus 4.0
SHG Installation
Sound Blaster Audigy 2 ZS
Spelling Dictionaries Support For Adobe Reader 9
SRWare Iron 3.0.197.0
SRWare Iron 4.0.280
SUPERAntiSpyware Free Edition
The GIMP 2.2.13
The KMPlayer (remove only)
Ulead GIF Animator 2.0 Full Version
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
vanBasco's Karaoke Player
VC80CRTRedist - 8.0.50727.4053
Virtual Earth 3D (Beta)
VST Bridge 1.0
WaveLab Lite
WebFldrs XP
What's Running 2.2
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Service Pack 3
WinRAR archiver
YouTube Downloader 2.5.4

==== Event Viewer Messages From Past Week ========

5/20/2010 2:55:37 AM, error: Service Control Manager [7034] - The MagicTuneEngine service terminated unexpectedly. It has done this 1 time(s).
5/19/2010 9:48:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Agnitum Client Security Service service to connect.
5/19/2010 9:48:15 PM, error: Service Control Manager [7031] - The Agnitum Client Security Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
5/19/2010 3:53:31 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/19/2010 12:33:08 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
5/18/2010 2:54:19 AM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/18/2010 10:43:17 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
5/18/2010 10:33:33 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/18/2010 10:33:33 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 13:35 on 24/05/2010 by J (Administrator - Elevation successful)

========== filefind ==========

Searching for "anvioctl.sys"

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 24 May 2010 - 08:17 PM

Hello JXP.

I already have a copy of the file in question from the ComboFix upload.

I think the SystemLook log was incomplete. Please try running SystemLook again with the same directives. Make sure that the scan is completed and that you see:

    -=End Of File=-

at the bottom of the log.

With Regards,
The Panda

#10 JXP

JXP
  • Topic Starter

  • Members
  • 28 posts

Posted 24 May 2010 - 11:07 PM

Still no redirecting symptoms and this PC is running fast like when new.
Thanks for helping. SystemLook log below:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:56 on 24/05/2010 by J (Administrator - Elevation successful)

========== filefind ==========

Searching for "anvioctl.sys"
C:\WINDOWS\system32\drivers\anvioctl.sys --a--- 233816 bytes [16:51 11/08/2006] [05:42 19/05/2010] 25F793092DBB40B7C7D7FBCE41FF4229

-=End Of File=-

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 May 2010 - 07:55 AM

Hello JXP.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:

    SRPeek::
    C:\WINDOWS\system32\drivers\anvioctl.sys

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

With Regards,
The Panda

#12 JXP

JXP
  • Topic Starter

  • Members
  • 28 posts

Posted 25 May 2010 - 10:05 AM

A few hours ago a new JRE update installed, Java 2 Runtime Environment SE v.1.4.2_18, while the existing Java 6 Update 20 remained at the time I ran ComboFix.


ComboFix 10-05-22.01 - J 05/25/2010 7:40.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.679 [GMT -7:00]
Running from: c:\documents and settings\J\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\J\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-23 06:47 . 2010-05-23 06:47 503808 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\msvcp71.dll
2010-05-23 06:47 . 2010-05-23 06:47 499712 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\jmc.dll
2010-05-23 06:47 . 2010-05-23 06:47 348160 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\msvcr71.dll
2010-05-23 06:47 . 2010-05-23 06:47 61440 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-31e03770-n\decora-sse.dll
2010-05-23 06:47 . 2010-05-23 06:47 12800 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-31e03770-n\decora-d3d.dll
2010-05-17 11:36 . 2010-05-17 11:36 -------- d-----w- C:\HostsXpert
2010-05-15 02:46 . 2010-05-15 02:46 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-15 02:46 . 2010-05-15 02:46 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-15 02:46 . 2010-05-15 02:46 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-15 02:42 . 2010-05-15 02:42 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-11 02:24 . 2010-05-11 02:24 -------- d-----w- c:\documents and settings\J\Application Data\Malwarebytes
2010-05-11 02:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 02:22 . 2010-05-11 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 02:22 . 2010-05-11 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-11 02:22 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 21:55 . 2010-05-10 21:55 503808 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcp71.dll
2010-05-10 21:55 . 2010-05-10 21:55 499712 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\jmc.dll
2010-05-10 21:55 . 2010-05-10 21:55 348160 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcr71.dll
2010-05-10 21:54 . 2010-05-10 21:54 61440 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-sse.dll
2010-05-10 21:54 . 2010-05-10 21:54 12800 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-d3d.dll
2010-05-08 15:05 . 2010-05-08 15:05 -------- d-----w- c:\program files\bild.me Upload-Tool
2010-05-08 12:31 . 2010-05-10 21:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 14:46 . 2010-05-08 06:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-04 13:19 . 2010-05-23 23:42 63488 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 13:19 . 2010-05-04 13:19 52224 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-04 13:19 . 2010-05-23 23:42 117760 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 13:11 . 2010-05-04 13:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-03 21:42 . 2010-05-03 21:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 12:27 . 2006-08-17 23:34 -------- d-----w- c:\program files\Java
2010-05-25 12:26 . 2006-08-17 23:16 -------- d-----w- c:\program files\Common Files\Java
2010-05-25 01:51 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-25 01:51 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-19 05:42 . 2006-08-11 16:51 233816 ----a-w- c:\windows\system32\drivers\anvioctl.sys
2010-05-15 02:54 . 2008-08-02 02:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-15 02:46 . 2010-04-18 07:11 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-15 02:46 . 2010-04-18 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-15 02:46 . 2008-07-04 07:35 -------- d-----w- c:\program files\DivX
2010-05-15 02:42 . 2010-04-18 07:11 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-15 02:42 . 2010-04-18 07:11 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-14 00:12 . 2009-08-16 06:31 -------- d-----w- c:\program files\SRWare Iron
2010-05-09 09:49 . 2009-11-06 05:53 -------- d-----w- c:\program files\Google
2010-05-04 13:18 . 2008-08-02 02:42 -------- d-----w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com
2010-04-29 13:27 . 2010-02-28 16:18 -------- d-----w- c:\program files\MagicTune Premium
2010-04-18 07:10 . 2010-04-18 07:10 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-18 07:10 . 2009-08-20 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-01 17:32 . 2010-04-01 17:32 -------- d-----w- c:\program files\QuickTime
2010-04-01 17:32 . 2006-11-16 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2007-06-27 09:34 . 2007-06-27 09:34 37644 ----a-w- c:\program files\Rose_Tint_Y.mid
2007-06-16 10:54 . 2007-06-16 10:54 30793 ----a-w- c:\program files\rhps13-X_Rose_Tint.mid
2007-06-14 18:45 . 2007-06-14 18:45 36767 ----a-w- c:\program files\rhps13-A_Rose_Tint.mid
2007-06-13 16:35 . 2007-06-13 16:35 52983 ----a-w- c:\program files\kodachrome2.mid
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[-] 25F793092DBB40B7C7D7FBCE41FF4229 233816 c:\windows\system32\drivers\anvioctl.sys
[-] 25F793092DBB40B7C7D7FBCE41FF4229 233816 \RP20\A0020592.sys
[-] 25F793092DBB40B7C7D7FBCE41FF4229 233816 \RP20\A0020677.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-05-23_21.17.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-25 03:50 . 2010-05-25 03:50 16384 c:\windows\Temp\Perflib_Perfdata_718.dat
+ 2006-08-11 16:48 . 1998-10-29 23:45 306688 c:\windows\IsUninst.exe
- 2006-08-11 16:48 . 1998-10-30 00:45 306688 c:\windows\IsUninst.exe
+ 2010-05-25 12:27 . 2010-05-25 12:27 622080 c:\windows\Installer\1d92f53.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 135168]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-09 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-09 4136960]
"nwiz"="nwiz.exe" [2004-07-01 843776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-09 81920]
"anvshell"="anvshell.exe" [2004-06-24 393216]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]
"AsioReg"="CTASIO.DLL" [2003-06-20 118784]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-2-28 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [8/11/2006 9:51 AM 233816]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [10/21/2009 10:12 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/21/2009 10:20 PM 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [10/21/2009 10:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [10/21/2009 10:12 PM 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [10/21/2009 10:10 PM 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-05-25 c:\windows\Tasks\User_Feed_Synchronization-{88268424-A414-41CE-AD3E-C42E88E3A3BA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: //www.google.com/
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\x40xa1eg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 07:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-2025429265-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(324)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-25 07:55:06
ComboFix-quarantined-files.txt 2010-05-25 14:55
ComboFix2.txt 2010-05-23 21:20
ComboFix3.txt 2010-05-23 02:49

Pre-Run: 96,185,094,144 bytes free
Post-Run: 96,870,871,040 bytes free

- - End Of File - - 2DCA329D2BB5C78551181230C6DBC855

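To read what the SRPeek:: directive from post #11 produced in the ComboFix log above (the SR_Search section) alongside the SystemLook filefind line from post #10, here is an added Python helper; it is not a tool from BleepingComputer, ComboFix or SystemLook. It parses both formats and reports whether any System Restore copy of the driver carries a hash different from the live file. The sample input repeats the lines posted in this thread, plus one constructed restore-point line with a made-up hash to show the case where an older copy exists.

```python
"""Compare the live driver's MD5 against its System Restore copies using the
SystemLook "filefind" and ComboFix "SR_Search" output formats seen in this
thread.  Added example, not code from ComboFix, SystemLook or the forum."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample taken from the SystemLook log in post #10 (path, attributes, size,
# [created] [modified], MD5).
SYSTEMLOOK_SAMPLE = r"""
========== filefind ==========

Searching for "anvioctl.sys"
C:\WINDOWS\system32\drivers\anvioctl.sys --a--- 233816 bytes [16:51 11/08/2006] [05:42 19/05/2010] 25F793092DBB40B7C7D7FBCE41FF4229

-=End Of File=-
"""

# SR_Search section exactly as posted in post #12: live file plus two
# restore-point copies, all with the same hash.
SR_SEARCH_PAGE = r"""
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[-] 25F793092DBB40B7C7D7FBCE41FF4229 233816 c:\windows\system32\drivers\anvioctl.sys
[-] 25F793092DBB40B7C7D7FBCE41FF4229 233816 \RP20\A0020592.sys
[-] 25F793092DBB40B7C7D7FBCE41FF4229 233816 \RP20\A0020677.sys
.
"""

# Constructed variant: one extra restore-point line with a made-up hash, the
# situation the helper was hoping for (an older, different copy to compare).
SR_SEARCH_WITH_OLDER_COPY = SR_SEARCH_PAGE.replace(
    ".\n", "[-] 0123456789ABCDEF0123456789ABCDEF 233816 \\RP12\\A0011111.sys\n.\n")

_FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")
_SR_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\] (?P<md5>[0-9A-Fa-f]{32}) (?P<size>\d+) (?P<path>.+)$")


@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    created: datetime
    modified: datetime
    md5: str

    @property
    def age_gap_days(self) -> int:
        """Days between creation and last modification of the file."""
        return (self.modified - self.created).days


@dataclass
class SrHit:
    flag: str
    md5: str
    size: int
    path: str

    @property
    def in_restore_point(self) -> bool:
        # ComboFix prints restore-point copies as \RPnn\A00xxxxx.sys
        return self.path.upper().startswith("\\RP")


def _parse_stamp(text: str) -> datetime:
    # SystemLook stamps are "HH:MM DD/MM/YYYY"
    return datetime.strptime(text, "%H:%M %d/%m/%Y")


def parse_filefind(text: str) -> List[FileHit]:
    hits = []
    for line in text.splitlines():
        m = _FILEFIND_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                _parse_stamp(m["created"]),
                                _parse_stamp(m["modified"]), m["md5"].upper()))
    return hits


def parse_sr_search(text: str) -> List[SrHit]:
    hits = []
    for line in text.splitlines():
        m = _SR_RE.match(line.strip())
        if m:
            hits.append(SrHit(m["flag"], m["md5"].upper(), int(m["size"]), m["path"]))
    return hits


def summarize(filefind_text: str, sr_text: str) -> Dict[str, object]:
    """Does any restore-point copy differ from the live driver's hash?"""
    files = parse_filefind(filefind_text)
    sr = parse_sr_search(sr_text)
    live = [h for h in sr if not h.in_restore_point]
    live_md5: Optional[str] = live[0].md5 if live else (files[0].md5 if files else None)
    rp = [h for h in sr if h.in_restore_point]
    candidates = [h.path for h in rp if live_md5 and h.md5 != live_md5]
    return {
        "live_md5": live_md5,
        "restore_copies": len(rp),
        "identical_copies": sum(1 for h in rp if h.md5 == live_md5),
        "candidates": candidates,  # restore-point copies worth comparing
        "systemlook_agrees": bool(files) and all(f.md5 == live_md5 for f in files),
    }


if __name__ == "__main__":
    print(summarize(SYSTEMLOOK_SAMPLE, SR_SEARCH_PAGE))
    print(summarize(SYSTEMLOOK_SAMPLE, SR_SEARCH_WITH_OLDER_COPY))
```

On the thread's own data every restore-point copy hashes the same as the live file, so there is no replacement to pull from System Restore, which is why the next step looks elsewhere for a clean copy.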

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 26 May 2010 - 09:42 PM

Hello.

Sorry for the delay in response. I just got a new computer set up.

Let's try one more time to look for a replacement file on your computer. If there is not one, we can try updating the driver.

Please run this script with SystemLook and post back the resulting log:

    :filefind
    anvioctl*


#14 JXP

JXP
  • Topic Starter

  • Members
  • 28 posts

Posted 27 May 2010 - 09:57 PM


Hi Panda,
I have another PC with XP Home SP3 of the same vintage that I can copy drivers from if needed.

Log file:

ComboFix 10-05-22.01 - J 05/27/2010 19:35:10.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.653 [GMT -7:00]
Running from: c:\documents and settings\J\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\J\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.

2010-05-23 06:47 . 2010-05-23 06:47 503808 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\msvcp71.dll
2010-05-23 06:47 . 2010-05-23 06:47 499712 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\jmc.dll
2010-05-23 06:47 . 2010-05-23 06:47 348160 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6898d292-n\msvcr71.dll
2010-05-23 06:47 . 2010-05-23 06:47 61440 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-31e03770-n\decora-sse.dll
2010-05-23 06:47 . 2010-05-23 06:47 12800 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-31e03770-n\decora-d3d.dll
2010-05-17 11:36 . 2010-05-17 11:36 -------- d-----w- C:\HostsXpert
2010-05-15 02:46 . 2010-05-15 02:46 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-15 02:46 . 2010-05-15 02:46 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-15 02:46 . 2010-05-15 02:46 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-15 02:42 . 2010-05-15 02:42 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-11 02:24 . 2010-05-11 02:24 -------- d-----w- c:\documents and settings\J\Application Data\Malwarebytes
2010-05-11 02:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 02:22 . 2010-05-11 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 02:22 . 2010-05-11 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-11 02:22 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 21:55 . 2010-05-10 21:55 503808 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcp71.dll
2010-05-10 21:55 . 2010-05-10 21:55 499712 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\jmc.dll
2010-05-10 21:55 . 2010-05-10 21:55 348160 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-477f181d-n\msvcr71.dll
2010-05-10 21:54 . 2010-05-10 21:54 61440 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-sse.dll
2010-05-10 21:54 . 2010-05-10 21:54 12800 ----a-w- c:\documents and settings\J\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e780e0d-n\decora-d3d.dll
2010-05-08 15:05 . 2010-05-08 15:05 -------- d-----w- c:\program files\bild.me Upload-Tool
2010-05-08 12:31 . 2010-05-10 21:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-04 14:46 . 2010-05-08 06:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-04 13:19 . 2010-05-23 23:42 63488 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 13:19 . 2010-05-04 13:19 52224 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-04 13:19 . 2010-05-23 23:42 117760 ----a-w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 13:11 . 2010-05-04 13:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-03 21:42 . 2010-05-03 21:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 02:30 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-28 02:30 . 2006-08-11 18:38 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000009-00001102-00000004-20021102}.dat
2010-05-26 12:37 . 2008-08-02 02:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-25 12:27 . 2006-08-17 23:34 -------- d-----w- c:\program files\Java
2010-05-25 12:26 . 2006-08-17 23:16 -------- d-----w- c:\program files\Common Files\Java
2010-05-19 05:42 . 2006-08-11 16:51 233816 ----a-w- c:\windows\system32\drivers\anvioctl.sys
2010-05-15 02:46 . 2010-04-18 07:11 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-15 02:46 . 2010-04-18 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-15 02:46 . 2008-07-04 07:35 -------- d-----w- c:\program files\DivX
2010-05-15 02:42 . 2010-04-18 07:11 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-15 02:42 . 2010-04-18 07:11 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-14 00:12 . 2009-08-16 06:31 -------- d-----w- c:\program files\SRWare Iron
2010-05-09 09:49 . 2009-11-06 05:53 -------- d-----w- c:\program files\Google
2010-05-04 13:18 . 2008-08-02 02:42 -------- d-----w- c:\documents and settings\J\Application Data\SUPERAntiSpyware.com
2010-04-29 13:27 . 2010-02-28 16:18 -------- d-----w- c:\program files\MagicTune Premium
2010-04-18 07:10 . 2010-04-18 07:10 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-18 07:10 . 2010-04-18 07:10 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-18 07:10 . 2009-08-20 05:21 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-01 17:32 . 2010-04-01 17:32 -------- d-----w- c:\program files\QuickTime
2010-04-01 17:32 . 2006-11-16 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-23_21.17.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-28 02:32 . 2010-05-28 02:32 16384 c:\windows\Temp\Perflib_Perfdata_f0.dat
+ 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2006-08-11 16:48 . 1998-10-29 23:45 306688 c:\windows\IsUninst.exe
- 2006-08-11 16:48 . 1998-10-30 00:45 306688 c:\windows\IsUninst.exe
+ 2010-05-25 12:27 . 2010-05-25 12:27 622080 c:\windows\Installer\1d92f53.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 135168]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-26 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-09 4136960]
"nwiz"="nwiz.exe" [2004-07-01 843776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-09 81920]
"anvshell"="anvshell.exe" [2004-06-24 393216]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]
"AsioReg"="CTASIO.DLL" [2003-06-20 118784]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2010-2-28 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [8/11/2006 9:51 AM 233816]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [10/21/2009 10:12 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/21/2009 10:20 PM 108289]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [10/21/2009 10:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [10/21/2009 10:12 PM 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [10/21/2009 10:10 PM 1195008]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-05-28 c:\windows\Tasks\User_Feed_Synchronization-{88268424-A414-41CE-AD3E-C42E88E3A3BA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: //www.google.com/
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\x40xa1eg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-27 19:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\J\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-2025429265-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-27 19:50:27
ComboFix-quarantined-files.txt 2010-05-28 02:50
ComboFix2.txt 2010-05-25 14:55
ComboFix3.txt 2010-05-23 21:20
ComboFix4.txt 2010-05-23 02:49

Pre-Run: 96,509,394,944 bytes free
Post-Run: 96,820,232,192 bytes free

- - End Of File - - E0A39641FE891F85040D28182DE80E3A

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:08 AM

Posted 28 May 2010 - 06:14 PM

Hello.

Please navigate to this link:
http://support.asus.com/download/download.aspx

Follow the directions there to download updates for your motherboard driver.

With Regards,
The Panda
