Am I Infected?


  • This topic is locked
18 replies to this topic

#1 LarryToolman

Posted 27 May 2010 - 09:42 PM

I run SUPERAntiSpyware and the same malware keeps popping up. Here's my ComboFix log:

ComboFix 10-05-27.01 - Larry 05/27/2010 22:15:53.26.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2612 [GMT -4:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Larry\LOCALS~1\Temp\tmp1.tmp

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.

2010-05-13 07:58 . 2010-05-13 07:58 -------- d-----w- c:\temp\MotoConnectTemp
2010-05-11 17:04 . 2010-01-29 14:53 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-11 17:04 . 2010-01-29 14:53 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2010-05-03 04:09 . 2010-05-03 04:09 -------- d-----w- c:\program files\iPod
2010-05-03 04:02 . 2010-05-03 04:02 -------- d-----w- c:\program files\Bonjour
2010-05-03 04:01 . 2010-05-03 04:01 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-30 13:46 . 2010-05-27 00:04 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 02:12 . 2008-04-10 02:20 -------- d-----w- c:\documents and settings\Larry\Application Data\WTablet
2010-05-28 02:11 . 2008-04-16 04:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-05-28 02:09 . 2009-01-18 01:02 -------- d-----w- c:\documents and settings\Larry\Application Data\Skype
2010-05-28 01:46 . 2009-08-14 03:36 1268616 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-28 01:45 . 2006-07-13 02:42 -------- d-----w- c:\documents and settings\Larry\Application Data\Azureus
2010-05-27 04:46 . 2006-11-23 00:17 -------- d-----w- c:\documents and settings\Larry\Application Data\ZoomBrowser EX
2010-05-27 04:46 . 2006-11-22 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-25 03:41 . 2007-08-09 04:06 -------- d-----w- c:\program files\DOSBox-0.71
2010-05-24 18:22 . 2009-11-23 23:32 117760 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-21 12:08 . 2006-07-22 04:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-17 02:34 . 2007-11-15 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-15 17:16 . 2006-02-12 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-12 00:19 . 2006-07-13 02:42 -------- d-----w- c:\program files\Azureus
2010-05-03 04:09 . 2007-11-14 02:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-03 04:05 . 2010-04-02 06:37 -------- d-----w- c:\program files\QuickTime
2010-04-29 19:39 . 2008-11-17 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-17 06:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 20:04 . 2009-01-18 01:03 -------- d-----w- c:\documents and settings\Larry\Application Data\skypePM
2010-04-27 18:15 . 2010-01-29 21:52 -------- d-----w- c:\program files\VMware
2010-04-27 18:12 . 2010-01-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-04-27 18:09 . 2006-10-12 23:46 -------- d-----w- c:\program files\Magic Workstation
2010-04-27 17:10 . 2010-01-29 19:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-04-26 02:54 . 2010-04-26 02:54 -------- d-----w- c:\program files\Common Files\Skype
2010-04-23 05:39 . 2006-02-12 21:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-19 01:44 . 2010-04-19 01:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 01:36 . 2010-04-19 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AIM
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AOD
2010-04-19 00:34 . 2010-02-12 23:04 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 00:25 . 2007-09-02 22:20 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-10 09:50 . 2010-03-09 05:02 4141117 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-04-10 09:50 . 2010-03-09 05:02 7282688 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 14:14 . 2006-04-08 01:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-02 06:42 . 2010-04-02 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-18 00:54 . 2009-06-25 00:00 144160 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\uninstall.exe
2010-03-18 00:54 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-03-15 12:02 . 2010-03-15 12:02 1063320 ----a-w- c:\documents and settings\Larry\gotomypc_533.exe
2010-03-11 05:58 . 2010-03-05 01:02 1732608 ----a-w- c:\documents and settings\Larry\Application Data\Xbins\xbinsftp.exe
2010-03-10 06:15 . 2009-10-19 08:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 03:55 . 2006-02-12 05:26 92720 ----a-w- c:\documents and settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
c:\program files\AIM\aim .exe
c:\program files\Common Files\Apple\Mobile Device Support\applesyncnotifier .exe
c:\program files\QuickTime\qttask .exe
c:\program files\VMware\VMware Workstation\vmware-tray .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe


------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-04-17_21.19.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-28 02:11 . 2010-05-28 02:11 16384 c:\windows\temp\Perflib_Perfdata_700.dat
+ 2001-08-23 12:00 . 2010-04-27 18:12 75592 c:\windows\system32\perfc009.dat
+ 2010-04-19 01:44 . 2010-04-19 01:44 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-11-23 23:31 . 2009-11-23 23:31 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-02-14 04:15 . 2010-04-27 21:51 31232 c:\windows\ime\imkr6_1\imekrmig.exe
+ 2006-02-14 04:15 . 2010-04-27 21:51 31232 c:\windows\ime\imjp8_1\imjpmig.exe
+ 2010-04-19 01:44 . 2010-04-19 01:44 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
- 2009-11-23 23:31 . 2009-11-23 23:31 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2001-08-23 12:00 . 2010-04-27 18:12 455616 c:\windows\system32\perfh009.dat
+ 2009-10-19 08:25 . 2010-01-29 14:53 691712 c:\windows\system32\inetcomm.dll
- 2009-10-19 08:25 . 2009-10-19 08:25 691712 c:\windows\system32\inetcomm.dll
- 2009-02-17 06:33 . 2010-04-17 21:03 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2010-05-03 04:10 . 2010-05-05 12:02 372736 c:\windows\Installer\{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}\iTunesIco.exe
+ 2009-10-16 11:08 . 2009-10-16 11:08 2237952 c:\windows\Installer\facba.msp
+ 2010-04-09 19:21 . 2010-04-09 19:21 5025792 c:\windows\Installer\faca5.msp
+ 2010-05-03 04:10 . 2010-05-03 04:10 4795392 c:\windows\Installer\1b114264.msi
+ 2010-05-03 04:03 . 2010-05-03 04:03 3168768 c:\windows\Installer\1b113a2c.msi
+ 2010-05-03 04:02 . 2010-05-03 04:02 1984000 c:\windows\Installer\1b1139f9.msi
- 2009-02-17 06:33 . 2010-04-17 21:03 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-08-26 03:50 . 2008-08-26 03:50 2585592 c:\windows\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6425\VBE6.DLL
+ 2010-02-13 16:15 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
"mybbffcu"="c:\documents and settings\Larry\Local Settings\Application Data\gycwoxhrb\mxstfivtssd.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"mybbffcu"="c:\documents and settings\Larry\Local Settings\Application Data\gycwoxhrb\mxstfivtssd.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Drobo Dashboard.lnk - d:\program files\Drobo\Drobo Dashboard\DroboDashboard.exe [2010-2-25 3395584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2007\\mvp2005.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\DroboDashboard.exe"=
"c:\\WINDOWS\\system32\\iscsiexe.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"d:\\Program Files\\Steam\\steamapps\\stupidlarry\\team fortress 2\\hl2.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"d:\\cygwin\\bin\\rsync.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\Support\\DDService.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\program files\\aim\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [1/22/2010 2:36 AM 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [1/22/2010 2:36 AM 51072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R2 DDService;Drobo Dashboard Service;d:\program files\Drobo\Drobo Dashboard\Support\DDService.exe [2/25/2010 6:07 PM 704512]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/30/2009 1:36 AM 91392]
R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [11/13/2008 10:09 PM 103480]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/9/2008 10:18 PM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/16/2008 11:36 AM 24652]
S0 myhqeyrv;myhqeyrv;c:\windows\system32\drivers\bvytc.sys --> c:\windows\system32\drivers\bvytc.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2006 5:21 PM 691696]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S1 SASKUTIL;SASKUTIL;\??\d:\program files\SUPERAntiSpyware\SASKUTIL.sys --> d:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 DeltaCopyService;DeltaCopy Server;"d:\deltacopy\DCServce.exe" --> d:\deltacopy\DCServce.exe [?]
S2 FreeDNSUpdate;FreeDNS Update;d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate --> d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [11/13/2008 10:09 PM 158264]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/21/2009 1:02 AM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/21/2009 1:02 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/21/2009 1:02 AM 42752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 6:12 PM 14032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
TCP: {C60625A8-25E8-4AD0-98CA-F768A62E0FCC} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Larry\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Veetle\Player\npvlc.dll
FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: d:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-27 22:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-27 22:25:38
ComboFix-quarantined-files.txt 2010-05-28 02:25
ComboFix2.txt 2010-05-28 02:04
ComboFix3.txt 2010-05-17 02:31
ComboFix4.txt 2010-04-27 22:16
ComboFix5.txt 2010-05-28 02:12

Pre-Run: 113,703,186,432 bytes free
Post-Run: 113,686,630,400 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - BB5B49F437ACE23D22600CA790D5B90B
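The following Python script is an added example and is not part of the thread or of ComboFix. It reads a constructed excerpt written in ComboFix's report format (modelled on the kinds of entries in the log above, not the full log) and flags the items a log reviewer checks first: Run entries ComboFix could not verify or that point into the user profile, an AppCertDlls entry, Security Center overrides, the firewall being switched off, a service whose image is missing from disk, and a browser proxy pointing at localhost. The category names and checks are my own, not ComboFix's.

```python
import re
from collections import Counter

# Constructed excerpt in ComboFix's report format. The entries are modelled on
# the kinds of lines in the log above; it is not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"mybbffcu"="c:\documents and settings\Larry\Local Settings\Application Data\gycwoxhrb\mxstfivtssd.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"mybbffcu"="c:\documents and settings\Larry\Local Settings\Application Data\gycwoxhrb\mxstfivtssd.exe" [N/A]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
S0 myhqeyrv;myhqeyrv;c:\windows\system32\drivers\bvytc.sys --> c:\windows\system32\drivers\bvytc.sys [?]

uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

# "name"="path" [date size]   or   "name"="path" [N/A]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
# R1 name;display;image [date time size]   or   S0 name;display;image --> image [?]
SERVICE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]$'
)


def triage(log_text):
    """Return a list of (category, detail) findings in the order they appear."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # registry key the following lines belong to
            continue
        if section.endswith("\\run"):
            m = RUN_VALUE.match(line)
            if m:
                path, meta = m.group("path"), m.group("meta").strip()
                if meta.upper() == "N/A":  # ComboFix found no file/version data for it
                    findings.append(("run-entry-unverified", path))
                if "\\local settings\\application data\\" in path.lower():
                    findings.append(("run-entry-in-user-profile", path))
                continue
        if section.endswith("\\appcertdlls"):
            # DLLs listed here get loaded into processes that call CreateProcess
            findings.append(("appcertdll", line))
            continue
        if section.endswith("\\security center") and line.lower().endswith('override"=dword:00000001'):
            findings.append(("security-center-override", line.split("=", 1)[0].strip('"')))
            continue
        if "standardprofile" in section and line.lower().startswith('"enablefirewall"') and "= 0" in line:
            findings.append(("firewall-disabled", line))
            continue
        m = SERVICE.match(line)
        if m:
            if m.group("meta").strip() == "?":  # service registered but image absent from disk
                findings.append(("service-image-missing", m.group("name")))
            continue
        if line.lower().startswith("uinternet settings,proxyserver"):
            proxy = line.split("=", 1)[1].strip()
            if "127.0.0.1" in proxy or "localhost" in proxy:
                findings.append(("proxy-to-localhost", proxy))
    return findings


def summarize(findings):
    """Count findings per category for a quick overview."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print(f"{category:28} {detail}")
    print(summarize(results))
```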




#2 etavares

Posted 30 May 2010 - 02:43 PM

My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Please give me a little time to look over your log and I'll reply back.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 etavares

Posted 30 May 2010 - 02:54 PM

Hello, LarryToolman.

Please don't miss my post above. You are infected with several different forms of malware.

Before I can do anything, we must first install an antivirus, otherwise anything we do will just be reversed in seconds.


P2P Warning and Request
The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case Azureus). These programmes allow users to share files between one another, as the name(s) suggest. In today's world, cybercrime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall it, please refrain from using it until I let you know your computer is clean.



Step 1

I don't see an antivirus program running on your machine.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.



Step 2

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.



Step 3

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

If you have issues with GMER, please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'.

etavares




#4 LarryToolman

Posted 31 May 2010 - 02:01 PM

This is my OTL log. Will get to the GMER log. Thanks!

OTL logfile created on: 5/31/2010 2:27:41 PM - Run 1
OTL by OldTimer - Version 3.2.5.2 Folder = C:\Documents and Settings\Larry\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
5.00 Gb Paging File | 3.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.75 Gb Total Space | 105.30 Gb Free Space | 72.25% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 16.68 Gb Free Space | 3.58% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 46.93 Mb Total Space | 39.61 Mb Free Space | 84.40% Space Free | Partition Type: FAT
Drive H: | 3.20 Gb Total Space | 0.41 Gb Free Space | 12.68% Space Free | Partition Type: FAT32
Drive I: | 2048.00 Gb Total Space | 1463.01 Gb Free Space | 71.44% Space Free | Partition Type: NTFS

Computer Name: LARRY
Current User Name: Larry
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/31 14:27:10 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Larry\My Documents\Downloads\OTL.exe
PRC - [2010/05/31 13:22:05 | 002,943,848 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Larry\Local Settings\temp\G2_533\g2viewer.exe
PRC - [2010/05/06 16:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/04/28 15:06:24 | 010,358,568 | ---- | M] (Apple Inc.) -- D:\Program Files\iTunes\iTunes.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/01 12:28:36 | 002,010,864 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/03/31 21:45:50 | 011,957,424 | ---- | M] (Mozilla Messaging) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe
PRC - [2010/03/27 23:13:16 | 000,530,416 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Larry\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2010/03/15 08:02:20 | 001,063,320 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Larry\gotomypc_533.exe
PRC - [2010/02/25 18:07:28 | 000,704,512 | ---- | M] (Data Robotics, Inc.) -- D:\Program Files\Drobo\Drobo Dashboard\Support\DDService.exe
PRC - [2010/01/05 17:50:32 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Java\jre6\bin\java.exe
PRC - [2009/11/09 12:40:20 | 000,091,392 | ---- | M] () -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
PRC - [2009/11/09 12:40:10 | 000,273,664 | ---- | M] (Motorola) -- C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
PRC - [2009/10/19 04:25:41 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/10/07 12:04:58 | 000,939,272 | ---- | M] (Raxco Software, Inc.) -- D:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
PRC - [2008/11/13 22:09:06 | 000,103,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iscsiexe.exe
PRC - [2007/09/07 14:16:50 | 000,132,392 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
PRC - [2007/09/07 14:16:18 | 001,373,480 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Pen_Tablet.exe
PRC - [2007/06/14 16:48:42 | 000,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/10/26 14:45:04 | 000,293,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WISPTIS.EXE
PRC - [2006/08/01 15:35:36 | 000,067,112 | ---- | M] (America Online, Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2006/07/12 00:33:47 | 000,421,888 | ---- | M] () -- C:\Documents and Settings\Larry\Desktop\putty.exe
PRC - [2006/03/30 10:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/02/28 21:10:18 | 000,069,632 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe


========== Modules (SafeList) ==========

MOD - [2010/05/31 14:27:10 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Larry\My Documents\Downloads\OTL.exe
MOD - [2009/10/19 04:24:08 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SansaService)
SRV - File not found [Auto | Stopped] -- -- (FreeDNSUpdate)
SRV - File not found [Auto | Stopped] -- -- (DeltaCopyService)
SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/05/06 16:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/25 18:07:28 | 000,704,512 | ---- | M] (Data Robotics, Inc.) [Auto | Running] -- D:\Program Files\Drobo\Drobo Dashboard\Support\DDService.exe -- (DDService)
SRV - [2009/12/17 17:36:24 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/11/09 12:40:20 | 000,091,392 | ---- | M] () [Auto | Running] -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2009/10/07 12:05:02 | 001,033,480 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- D:\Program Files\Raxco\PerfectDisk10\PDEngine.exe -- (PDEngine)
SRV - [2009/10/07 12:04:58 | 000,939,272 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- D:\Program Files\Raxco\PerfectDisk10\PDAgent.exe -- (PDAgent)
SRV - [2009/08/31 13:51:01 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/13 22:09:06 | 000,103,480 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iscsiexe.exe -- (MSiSCSI)
SRV - [2008/08/15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2007/09/07 14:16:18 | 001,373,480 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen)
SRV - [2007/06/14 16:48:42 | 000,411,168 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/04/03 18:12:14 | 000,014,032 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/03/30 10:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/02/28 21:10:18 | 000,069,632 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)
SRV - [2006/02/12 00:54:11 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/04/23 01:39:33 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/20 22:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/10/27 13:02:14 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2009/10/19 04:29:36 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2009/08/20 12:11:30 | 000,073,232 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DefragFs.sys -- (DefragFS)
DRV - [2009/06/19 17:59:34 | 000,019,712 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2009/05/08 12:56:12 | 000,042,752 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motodrv.sys -- (MotDev)
DRV - [2009/01/29 04:18:00 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/11/24 11:54:12 | 000,495,104 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2008/09/25 18:35:24 | 000,181,120 | ---- | M] (Stephan Schreiber) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ext2fs.sys -- (Ext2fs)
DRV - [2008/08/28 23:45:58 | 000,051,072 | ---- | M] (Stephan Schreiber) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ifsmount.sys -- (IfsMount)
DRV - [2008/08/14 08:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/05/06 02:01:28 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/03/13 09:51:52 | 000,057,536 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2008/03/13 09:50:02 | 000,072,000 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2007/08/28 18:05:12 | 000,055,808 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2007/08/17 02:03:47 | 000,022,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbsermpt.sys -- (usbsermpt)
DRV - [2007/02/16 15:12:36 | 000,011,312 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wacommousefilter.sys -- (wacommousefilter)
DRV - [2007/02/16 14:30:12 | 000,012,848 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wacomvhid.sys -- (wacomvhid)
DRV - [2007/02/15 20:11:28 | 000,011,440 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WacomVKHid.sys -- (WacomVKHid)
DRV - [2006/11/06 04:28:11 | 000,030,988 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2006/02/12 17:23:33 | 000,223,128 | ---- | M] (DT Soft Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\dtscsi.sys -- (dtscsi)
DRV - [2006/01/09 22:47:27 | 000,031,846 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
DRV - [2005/06/06 04:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/05/25 05:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005/03/31 18:04:52 | 000,180,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2005/03/24 22:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005/03/21 12:00:24 | 000,004,096 | ---- | M] (SuperAdBlocker.com) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\sabprocenum.sys -- (SABProcEnum)
DRV - [2005/01/10 06:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005/01/10 06:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1417001333-854245398-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1417001333-854245398-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1417001333-854245398-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1417001333-854245398-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {AB7308B2-C13C-4eba-AC78-2AD55B96EE09}:3.0.0
FF - prefs.js..extensions.enabledItems: check4change-owner@mozdev.org:1.7
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.5.4
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.%(version)s

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/12 00:21:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/12 00:21:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/02 02:37:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/04/07 10:14:44 | 000,000,000 | ---D | M]

[2010/01/05 17:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Mozilla\Extensions
[2010/01/05 17:59:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Larry\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/05/28 21:52:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\extensions
[2008/07/18 00:14:02 | 000,000,000 | ---D | M] (CSS Validator) -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\extensions\{AB7308B2-C13C-4eba-AC78-2AD55B96EE09}
[2010/04/11 13:16:25 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/06 23:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\extensions\check4change-owner@mozdev.org
[2010/05/27 23:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\extensions\firebug@software.joehewitt.com
[2010/05/27 23:52:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\extensions\staged-xpis
[2010/04/29 12:00:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/27 22:22:40 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1417001333-854245398-682003330-1003..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-1417001333-854245398-682003330-1003..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Drobo Dashboard.lnk = D:\Program Files\Drobo\Drobo Dashboard\DroboDashboard.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1417001333-854245398-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1417001333-854245398-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1417001333-854245398-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1417001333-854245398-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Reg Error: Key error. File not found
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/Facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1139721981656 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1256040145578 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/11 20:35:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/02/23 14:39:12 | 000,000,398 | ---- | M] () - G:\AUTOEXEC.UP -- [ FAT ]
O32 - AutoRun File - [2005/02/23 14:39:12 | 000,000,398 | ---- | M] () - G:\AUTOEXEC.BAT -- [ FAT ]
O32 - AutoRun File - [2005/07/07 20:34:30 | 000,001,871 | ---- | M] () - H:\AUTOEXEC.BAT -- [ FAT32 ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: dmregers - (C:\WINDOWS\system32\javakrnl.dll) - C:\WINDOWS\System32\javakrnl.dll File not found
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1417001333-854245398-682003330-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/11/29 09:21:40 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {16947F54-CB13-F47A-F503-37499223340B} - Microsoft Windows Media Player
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.1.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.1.4
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {35F3E59E-BAE9-9B64-C18E-C1D612362AF1} - Viewpoint Media Player
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {7914DC90-7254-49C6-F46F-6F31A935B174} - Themes Setup
ActiveX: {89099367-D829-78C4-12E6-1C050C9B4605} - Microsoft Windows Media Player 6.4
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {B6B0F76A-873E-438E-BC25-6704193DD344} - Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {ECD292A0-0347-4244-8C24-5DBCE990FB40} - Hotfix for Microsoft .NET Framework 3.0 (KB932471)
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: >{99820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.alf2cd - C:\WINDOWS\System32\alf2cd.acm (NCT Company)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.scg726 - C:\WINDOWS\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.dvsd - C:\WINDOWS\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.ffds - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.mp42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mp43 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mpg4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/31 14:16:08 | 000,164,048 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/05/31 14:16:08 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/05/31 14:16:07 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/05/31 14:16:06 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/05/31 14:16:05 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/05/31 14:16:05 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/05/31 14:16:04 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/05/31 14:15:50 | 000,165,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/05/31 14:15:50 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/05/31 14:15:45 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/31 14:15:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/28 00:48:12 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/27 22:09:42 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/05/27 22:04:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/03 00:09:10 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/03 00:02:22 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/25 22:54:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/04/19 00:40:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/04/18 21:44:10 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/18 21:36:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/18 20:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/18 20:33:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/18 20:32:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/18 20:32:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/18 20:24:47 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/04/02 02:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/02 02:37:23 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/15 08:02:17 | 001,063,320 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Larry\gotomypc_533.exe
[2010/03/11 02:28:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Larry\Local Settings\Application Data\Xploder_Game_Cheats_Resig
[2010/03/09 18:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Larry\Local Settings\Application Data\GameTuts
[2010/03/07 15:09:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Larry\Application Data\WinRAR
[2010/03/07 14:55:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Larry\Local Settings\Application Data\sabnzbd
[2010/03/04 21:02:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Larry\Application Data\Xbins
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/31 14:16:09 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/31 14:16:05 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/31 02:27:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/29 13:29:00 | 000,218,112 | ---- | M] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/29 11:47:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/29 00:44:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/28 00:54:46 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\xjohhfo.sys
[2010/05/27 22:47:34 | 000,000,143 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/27 22:25:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/27 22:22:49 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/27 22:22:40 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/27 22:13:16 | 000,000,801 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/27 22:12:16 | 000,013,668 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/27 22:11:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/27 22:10:28 | 019,136,512 | -H-- | M] () -- C:\Documents and Settings\Larry\NTUSER.DAT
[2010/05/27 22:08:16 | 000,272,291 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/05/27 21:51:08 | 003,700,283 | R--- | M] () -- C:\Documents and Settings\Larry\Desktop\ComboFix.exe
[2010/05/27 21:45:54 | 000,000,132 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2010/05/27 21:45:39 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Larry\PUTTY.RND
[2010/05/27 21:45:29 | 003,177,332 | -H-- | M] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\IconCache.db
[2010/05/26 07:57:44 | 000,014,869 | ---- | M] () -- C:\Documents and Settings\Larry\contestapplet.conf.bak
[2010/05/26 00:36:47 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Larry\Application Data\winscp.rnd
[2010/05/20 01:34:58 | 007,360,512 | ---- | M] () -- C:\Documents and Settings\Larry\My Documents\My Money.mny
[2010/05/17 17:50:23 | 000,000,663 | ---- | M] () -- C:\Documents and Settings\Larry\Desktop\CCleaner.lnk
[2010/05/13 15:06:03 | 000,014,869 | ---- | M] () -- C:\Documents and Settings\Larry\contestapplet.conf
[2010/05/06 16:59:57 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/05/06 16:59:36 | 000,165,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/05/06 16:39:23 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/05/06 16:39:00 | 000,164,048 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/05/06 16:34:27 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/05/06 16:33:59 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/05/06 16:33:55 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/05/06 16:33:47 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/05/06 16:33:29 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/05/05 08:01:38 | 000,002,341 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/29 20:28:30 | 000,399,360 | ---- | M] () -- C:\ctown.mpg
[2010/04/29 20:23:51 | 000,233,472 | ---- | M] () -- C:\clouds.mpg
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/27 18:07:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Larry\ntuser.ini
[2010/04/27 14:12:40 | 000,455,616 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/27 14:12:40 | 000,075,592 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/23 01:39:33 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/04/19 00:29:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100427-141219.backup
[2010/04/18 21:44:14 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/18 21:21:16 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/04/18 20:34:44 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/18 20:30:27 | 000,000,058 | -HS- | M] () -- C:\WINDOWS\System32\User.ini
[2010/04/18 20:30:03 | 000,007,392 | -HS- | M] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\u4Q15RjfXYA
[2010/04/18 20:30:03 | 000,007,392 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\u4Q15RjfXYA
[2010/04/10 05:48:19 | 000,001,534 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vuze.lnk
[2010/04/02 02:37:44 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/01 12:02:38 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Larry\My Documents\CoD MVP 87.xls
[2010/03/31 20:06:27 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Larry\Desktop\Google Chrome.lnk
[2010/03/25 12:37:42 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Paint.NET.lnk
[2010/03/21 14:11:53 | 000,530,094 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/09 11:17:15 | 000,000,429 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\mIRC.lnk
[2010/03/08 00:16:59 | 000,001,334 | -HS- | M] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\omn2MB67
[2010/03/07 23:55:26 | 000,092,720 | ---- | M] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/07 23:53:38 | 002,418,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/07 14:55:01 | 000,000,573 | ---- | M] () -- C:\Documents and Settings\Larry\Desktop\SABnzbd.lnk
[2010/03/05 12:47:16 | 000,012,506 | -HS- | M] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\04lB
[2010/03/05 01:20:46 | 000,000,587 | ---- | M] () -- C:\Documents and Settings\Larry\Desktop\WinSCP.lnk
[2010/03/04 00:25:36 | 000,001,658 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Drobo Dashboard.lnk
[2010/03/04 00:04:18 | 000,010,006 | -HS- | M] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\jXP7U0T4
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/31 14:16:09 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/28 00:54:46 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\xjohhfo.sys
[2010/05/14 13:06:43 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Larry\My Documents\CoD MVP 88.xls
[2010/05/03 00:10:06 | 000,002,341 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/30 09:46:24 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/29 21:08:05 | 000,233,472 | ---- | C] () -- C:\clouds.mpg
[2010/04/29 21:05:50 | 000,399,360 | ---- | C] () -- C:\ctown.mpg
[2010/04/18 21:44:14 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/18 20:30:27 | 000,000,058 | -HS- | C] () -- C:\WINDOWS\System32\User.ini
[2010/04/18 20:24:30 | 000,007,392 | -HS- | C] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\u4Q15RjfXYA
[2010/04/18 20:24:30 | 000,007,392 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\u4Q15RjfXYA
[2010/04/02 02:37:44 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/01 11:52:40 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Larry\My Documents\CoD MVP 87.xls
[2010/03/09 11:17:15 | 000,000,429 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\mIRC.lnk
[2010/03/08 00:16:41 | 000,001,334 | -HS- | C] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\omn2MB67
[2010/03/07 14:55:01 | 000,000,573 | ---- | C] () -- C:\Documents and Settings\Larry\Desktop\SABnzbd.lnk
[2010/03/05 12:45:24 | 000,012,506 | -HS- | C] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\04lB
[2010/03/05 01:20:47 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Larry\Application Data\winscp.rnd
[2010/03/05 01:20:46 | 000,000,587 | ---- | C] () -- C:\Documents and Settings\Larry\Desktop\WinSCP.lnk
[2010/03/03 23:59:44 | 000,010,006 | -HS- | C] () -- C:\Documents and Settings\Larry\Local Settings\Application Data\jXP7U0T4
[2010/01/30 20:51:26 | 000,000,071 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2010/01/30 20:51:22 | 000,031,846 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2010/01/30 20:51:22 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2010/01/05 18:54:25 | 000,000,095 | ---- | C] () -- C:\WINDOWS\AndreaMosaic.INI
[2009/10/19 04:34:58 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll
[2009/09/21 01:37:12 | 000,000,021 | ---- | C] () -- C:\WINDOWS\SurCode.INI
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/21 15:02:10 | 000,119,296 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2009/02/21 15:02:10 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2009/02/21 15:02:10 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dxinputdll.dll
[2008/08/20 20:34:18 | 000,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2008/08/13 07:57:55 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2008/08/13 07:57:55 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2008/08/13 07:57:54 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2008/06/29 20:26:22 | 000,000,355 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/04/25 01:18:02 | 000,001,126 | ---- | C] () -- C:\WINDOWS\AZPR3.INI
[2007/12/31 00:08:06 | 000,585,791 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2007/12/31 00:08:06 | 000,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2007/10/03 22:17:58 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2007/10/03 22:17:57 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/05/27 23:06:00 | 000,000,055 | ---- | C] () -- C:\WINDOWS\SpeakToText.ini
[2006/10/24 22:48:00 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/10/24 22:48:00 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/10/24 22:48:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/10/24 22:48:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/10/24 22:48:00 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/10/24 22:48:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/07/27 13:28:42 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/07/25 23:25:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/07/22 01:10:12 | 000,000,733 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/07/22 00:14:14 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/07/22 00:02:42 | 000,000,132 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2006/07/21 23:33:31 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/07/13 00:33:18 | 000,000,143 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/02/12 00:51:33 | 000,004,969 | ---- | C] () -- C:\WINDOWS\System32\Sigfilt.ini
[2006/02/12 00:51:33 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2001/06/15 12:14:09 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\WINXSCOM.dll
[1996/02/23 17:34:48 | 000,014,629 | ---- | C] () -- C:\WINDOWS\System32\Declw.dll
[1996/02/22 15:09:20 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\Decln.dll

========== LOP Check ==========

[2009/02/18 13:03:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2007/05/21 00:04:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\All-Pro Software
[2010/05/31 14:15:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/08/31 12:15:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/01/30 16:06:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2006/10/24 23:31:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2008/08/13 07:57:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
[2008/01/26 17:51:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2009/06/27 00:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2007/11/22 15:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SimCity Societies
[2009/02/14 16:31:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/02/16 11:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/09/30 02:12:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/03/23 20:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/02 02:42:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/10 00:47:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/07 00:35:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/02/03 22:45:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\abgx360
[2007/08/27 00:33:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Aim
[2008/01/28 01:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\albumart
[2010/02/10 01:19:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Any Video Converter Professional
[2010/05/28 00:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Azureus
[2006/08/24 22:46:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\DeepBurner
[2008/04/27 12:18:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Devastation Net
[2010/01/07 01:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\ElevatedDiagnostics
[2007/12/31 06:30:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Flash Undelete Software
[2007/07/04 14:15:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Flickr
[2008/07/28 22:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\GetRightToGo
[2008/04/16 01:23:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\gtk-2.0
[2009/11/28 17:29:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\ImgBurn
[2007/01/10 00:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Inkscape
[2006/10/24 22:49:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Intervideo
[2009/02/21 15:02:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\KALiNKOsoft
[2006/02/18 19:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\My Games
[2007/03/22 00:16:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Opera
[2008/01/26 17:51:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\PlayFirst
[2010/01/05 14:13:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\PNGGauntlet
[2007/10/03 21:48:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\RVM
[2007/08/30 00:21:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\SPAMfighter
[2008/09/06 15:08:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\SPORE
[2006/07/22 00:47:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Thunderbird
[2007/07/07 10:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Viewpoint
[2008/07/29 22:12:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\wootalyzer
[2010/03/04 21:02:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Larry\Application Data\Xbins
[2010/05/31 02:27:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >
[2004/05/24 14:46:00 | 000,150,528 | ---- | M] (GNU <www.gnu.org>) -- C:\diff.exe
[2002/10/01 09:58:00 | 000,049,152 | ---- | M] (NirSoft) -- C:\FileDate.exe
[2006/09/21 10:22:42 | 000,057,344 | ---- | M] (Excellent Code / Digital Glue) -- C:\m3u2pla.exe
[2008/12/25 21:50:08 | 000,137,728 | ---- | M] () -- C:\mute.exe
[2006/10/27 00:42:05 | 000,303,104 | ---- | M] (Simon Tatham) -- C:\psftp.exe


< MD5 for: AGP440.SYS >
[2009/10/19 04:40:19 | 017,776,476 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2009/10/19 04:40:19 | 017,776,476 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2008/09/12 13:32:56 | 000,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\D\M\I4\IaStor.sys
[2007/09/29 17:03:12 | 000,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\D\M\I3\IASTOR.SYS

< MD5 for: NETLOGON.DLL >
[2009/10/19 04:26:40 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2009/10/19 04:26:40 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2006/02/26 11:21:18 | 000,089,856 | ---- | M] (NVIDIA Corporation) MD5=83F0275A21D9772B51CEF57E35AFAE61 -- C:\D\M\NV123\NVATABUS.sys
[2006/04/24 11:52:28 | 000,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\D\M\NVTM\NVATABUS.sys

< MD5 for: NVGTS.SYS >
[2007/07/27 16:16:02 | 000,105,984 | ---- | M] (NVIDIA Corporation) MD5=4BC4BAAED05161E0D331627E90A10745 -- C:\D\M\NV6\nvgts.sys

< MD5 for: NVRD32.SYS >
[2007/07/27 16:15:56 | 000,116,736 | ---- | M] (NVIDIA Corporation) MD5=77AC69AC4F07BD9D29528B8FCC71FB49 -- C:\D\M\NV6\nvrd32.sys

< MD5 for: SCECLI.DLL >
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2008/07/09 21:19:02 | 000,117,248 | ---- | M] (VIA Technologies inc,.ltd) MD5=00046AA2E396EDC2238556E740A8E5AF -- C:\D\M\V1\viamraid.sys

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مهندسة
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 124 bytes -> C:\WINDOWS\System32\zlib.dll:SummaryInformation
@Alternate Data Stream - 124 bytes -> C:\WINDOWS\System32\zlib.dll:DocumentSummaryInformation
< End of report >

Edited by LarryToolman, 31 May 2010 - 05:14 PM.


#5 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 31 May 2010 - 05:19 PM

OK, thanks! Once I look at the GMER log, we'll start to clean it. I do see several malware items, but need to look for rootkits before we start to clean.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#6 LarryToolman

LarryToolman
  • Topic Starter

  • Members
  • 9 posts

Posted 31 May 2010 - 09:14 PM

Sorry for the slow reply - the gmer scan took 6 hours or so. It's attached, thanks again!

Attached Files

  • Attached File: gmer.log (29.49KB)

Edited by LarryToolman, 31 May 2010 - 09:14 PM.


#7 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 02 June 2010 - 05:43 PM

Hello, LarryToolman.

OK, let's get started. First, please delete the copy of combofix you downloaded earlier and redownload a fresh copy from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as LarryToolmanCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on LarryToolmanCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares




#8 LarryToolman

LarryToolman
  • Topic Starter

  • Members
  • 9 posts

Posted 02 June 2010 - 09:47 PM

Here's my combofix log:

ComboFix 10-06-02.02 - Larry 06/02/2010 22:34:40.27.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2631 [GMT -4:00]
Running from: c:\documents and settings\Larry\Desktop\LarryComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Larry\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Larry\LOCALS~1\Temp\tmp2.tmp

.
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-01 20:33 . 2010-06-01 20:33 434688 ----a-w- c:\windows\system32\ss2uinst.exe
2010-05-31 18:16 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-31 18:16 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-31 18:16 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-31 18:16 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-31 18:16 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-31 18:16 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-31 18:16 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-31 18:15 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-31 18:15 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\program files\Alwil Software
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-28 02:09 . 2010-05-28 02:25 -------- d-----w- C:\ComboFix
2010-05-13 07:58 . 2010-05-13 07:58 -------- d-----w- c:\temp\MotoConnectTemp
2010-05-11 17:04 . 2010-01-29 14:53 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-11 17:04 . 2010-01-29 14:53 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 02:30 . 2008-04-10 02:20 -------- d-----w- c:\documents and settings\Larry\Application Data\WTablet
2010-06-03 02:30 . 2008-04-16 04:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-06-03 02:28 . 2009-01-18 01:02 -------- d-----w- c:\documents and settings\Larry\Application Data\Skype
2010-06-02 11:44 . 2006-07-22 04:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-01 17:28 . 2010-04-30 13:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 02:29 . 2006-02-12 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-01 02:12 . 2006-04-08 01:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-28 04:32 . 2006-07-13 02:42 -------- d-----w- c:\documents and settings\Larry\Application Data\Azureus
2010-05-28 02:36 . 2009-11-23 23:32 117760 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 01:46 . 2009-08-14 03:36 1268616 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-27 04:46 . 2006-11-23 00:17 -------- d-----w- c:\documents and settings\Larry\Application Data\ZoomBrowser EX
2010-05-27 04:46 . 2006-11-22 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-25 03:41 . 2007-08-09 04:06 -------- d-----w- c:\program files\DOSBox-0.71
2010-05-17 02:34 . 2007-11-15 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 00:19 . 2006-07-13 02:42 -------- d-----w- c:\program files\Azureus
2010-05-03 04:09 . 2010-05-03 04:09 -------- d-----w- c:\program files\iPod
2010-05-03 04:09 . 2007-11-14 02:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-03 04:05 . 2010-04-02 06:37 -------- d-----w- c:\program files\QuickTime
2010-05-03 04:02 . 2010-05-03 04:02 -------- d-----w- c:\program files\Bonjour
2010-05-03 04:01 . 2010-05-03 04:01 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-29 19:39 . 2008-11-17 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-17 06:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 20:04 . 2009-01-18 01:03 -------- d-----w- c:\documents and settings\Larry\Application Data\skypePM
2010-04-27 18:15 . 2010-01-29 21:52 -------- d-----w- c:\program files\VMware
2010-04-27 18:12 . 2010-01-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-04-27 18:09 . 2006-10-12 23:46 -------- d-----w- c:\program files\Magic Workstation
2010-04-27 17:10 . 2010-01-29 19:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-04-26 02:54 . 2010-04-26 02:54 -------- d-----w- c:\program files\Common Files\Skype
2010-04-23 05:39 . 2006-02-12 21:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-19 01:44 . 2010-04-19 01:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 01:36 . 2010-04-19 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AIM
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AOD
2010-04-19 00:34 . 2010-02-12 23:04 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 00:25 . 2007-09-02 22:20 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-10 09:50 . 2010-03-09 05:02 4141117 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-04-10 09:50 . 2010-03-09 05:02 7282688 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-18 00:54 . 2009-06-25 00:00 144160 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\uninstall.exe
2010-03-18 00:54 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-03-15 12:02 . 2010-03-15 12:02 1063320 ----a-w- c:\documents and settings\Larry\gotomypc_533.exe
2010-03-11 05:58 . 2010-03-05 01:02 1732608 ----a-w- c:\documents and settings\Larry\Application Data\Xbins\xbinsftp.exe
2010-03-10 06:15 . 2009-10-19 08:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 03:55 . 2006-02-12 05:26 92720 ----a-w- c:\documents and settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
c:\program files\AIM\aim .exe
c:\program files\Common Files\Apple\Mobile Device Support\applesyncnotifier .exe
c:\program files\QuickTime\qttask .exe
c:\program files\VMware\VMware Workstation\vmware-tray .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe


------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-04-17_21.19.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-12 05:02 . 2009-10-19 08:43 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90RUS.DLL
- 2009-11-29 15:24 . 2009-10-19 08:43 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90KOR.DLL
+ 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90JPN.DLL
- 2009-11-29 15:24 . 2009-10-19 08:43 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90ITA.DLL
+ 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90FRA.DLL
+ 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90ESP.DLL
- 2009-11-29 15:24 . 2009-10-19 08:43 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90ESN.DLL
+ 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90ENU.DLL
+ 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90DEU.DLL
- 2009-11-29 15:24 . 2009-10-19 08:43 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90CHT.DLL
+ 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\MFC90CHS.DLL
+ 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-06-03 02:30 . 2010-06-03 02:30 16384 c:\windows\temp\Perflib_Perfdata_7f4.dat
+ 2001-08-23 12:00 . 2010-04-27 18:12 75592 c:\windows\system32\perfc009.dat
- 2009-11-23 23:31 . 2009-11-23 23:31 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-19 01:44 . 2010-04-19 01:44 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-02-14 04:15 . 2010-04-27 21:51 31232 c:\windows\ime\imkr6_1\imekrmig.exe
+ 2006-02-14 04:15 . 2010-04-27 21:51 31232 c:\windows\ime\imjp8_1\imjpmig.exe
- 2009-11-23 23:31 . 2009-11-23 23:31 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2010-04-19 01:44 . 2010-04-19 01:44 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-07-12 04:02 . 2009-07-12 04:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
- 2009-07-12 05:02 . 2009-10-19 08:43 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
- 2009-07-12 05:02 . 2009-10-19 08:43 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-12 05:05 . 2009-10-19 08:43 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2009-07-12 05:02 . 2009-10-19 08:43 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\ATL90.dll
+ 2001-08-23 12:00 . 2010-04-27 18:12 455616 c:\windows\system32\perfh009.dat
+ 2009-10-19 08:25 . 2010-01-29 14:53 691712 c:\windows\system32\inetcomm.dll
- 2009-10-19 08:25 . 2009-10-19 08:25 691712 c:\windows\system32\inetcomm.dll
- 2009-02-17 06:33 . 2010-04-17 21:03 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2010-05-03 04:10 . 2010-05-05 12:02 372736 c:\windows\Installer\{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}\iTunesIco.exe
+ 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
- 2009-11-29 15:24 . 2009-10-19 08:43 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2009-10-16 11:08 . 2009-10-16 11:08 2237952 c:\windows\Installer\facba.msp
+ 2010-04-09 19:21 . 2010-04-09 19:21 5025792 c:\windows\Installer\faca5.msp
+ 2010-05-03 04:10 . 2010-05-03 04:10 4795392 c:\windows\Installer\1b114264.msi
+ 2010-05-03 04:03 . 2010-05-03 04:03 3168768 c:\windows\Installer\1b113a2c.msi
+ 2010-05-03 04:02 . 2010-05-03 04:02 1984000 c:\windows\Installer\1b1139f9.msi
- 2009-02-17 06:33 . 2010-04-17 21:03 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-17 06:33 . 2010-05-17 02:34 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2009-02-17 06:33 . 2010-04-17 21:03 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-08-26 03:50 . 2008-08-26 03:50 2585592 c:\windows\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6425\VBE6.DLL
+ 2010-02-13 16:15 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Drobo Dashboard.lnk - d:\program files\Drobo\Drobo Dashboard\DroboDashboard.exe [2010-2-25 3395584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2007\\mvp2005.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\DroboDashboard.exe"=
"c:\\WINDOWS\\system32\\iscsiexe.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"d:\\Program Files\\Steam\\steamapps\\stupidlarry\\team fortress 2\\hl2.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"d:\\cygwin\\bin\\rsync.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\Support\\DDService.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\program files\\aim\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 2:16 PM 164048]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [1/22/2010 2:36 AM 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [1/22/2010 2:36 AM 51072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 2:16 PM 19024]
R2 DDService;Drobo Dashboard Service;d:\program files\Drobo\Drobo Dashboard\Support\DDService.exe [2/25/2010 6:07 PM 704512]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/30/2009 1:36 AM 91392]
R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [11/13/2008 10:09 PM 103480]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/9/2008 10:18 PM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/16/2008 11:36 AM 24652]
S0 myhqeyrv;myhqeyrv;c:\windows\system32\drivers\bvytc.sys --> c:\windows\system32\drivers\bvytc.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2006 5:21 PM 691696]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S1 SASKUTIL;SASKUTIL;\??\d:\program files\SUPERAntiSpyware\SASKUTIL.sys --> d:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 DeltaCopyService;DeltaCopy Server;"d:\deltacopy\DCServce.exe" --> d:\deltacopy\DCServce.exe [?]
S2 FreeDNSUpdate;FreeDNS Update;d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate --> d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [11/13/2008 10:09 PM 158264]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/21/2009 1:02 AM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/21/2009 1:02 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/21/2009 1:02 AM 42752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 6:12 PM 14032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
TCP: {C60625A8-25E8-4AD0-98CA-F768A62E0FCC} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Larry\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Veetle\Player\npvlc.dll
FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: d:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 22:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-02 22:45:47
ComboFix-quarantined-files.txt 2010-06-03 02:45
ComboFix2.txt 2010-05-28 02:25
ComboFix3.txt 2010-05-28 02:04
ComboFix4.txt 2010-05-17 02:31
ComboFix5.txt 2010-06-03 02:31

Pre-Run: 114,214,866,944 bytes free
Post-Run: 114,346,815,488 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 6FE1A2ECFBF9A0776DC7FD6876306A9D


#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 03 June 2010 - 06:22 PM

Hello, LarryToolman.
OK, this may require a few rounds to fix. Let's start doing this manually.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Viewpoint (foistware) Warning

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step 1

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
File::
c:\windows\system32\drivers\bvytc.sys
C:\WINDOWS\System32\drivers\xjohhfo.sys
c:\windows\system32\scsichk.sys

RenV::
c:\program files\AIM\aim .exe
c:\program files\Common Files\Apple\Mobile Device Support\applesyncnotifier .exe
c:\program files\QuickTime\qttask .exe
c:\program files\VMware\VMware Workstation\vmware-tray .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe

FCopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Driver::
myhqeyrv
scsichk
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1
"DisableNotifications"= 0
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#10 LarryToolman

LarryToolman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:17 PM

Posted 03 June 2010 - 07:04 PM

thanks again, here's my CF log:

ComboFix 10-06-03.01 - Larry 06/03/2010 19:35:35.28.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2427 [GMT -4:00]
Running from: c:\documents and settings\Larry\Desktop\LarryComboFix.exe
Command switches used :: c:\documents and settings\Larry\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\drivers\bvytc.sys"
"c:\windows\System32\drivers\xjohhfo.sys"
"c:\windows\system32\scsichk.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Larry\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Larry\LOCALS~1\Temp\tmp2.tmp

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SCSICHK
-------\Service_myhqeyrv
-------\Service_scsichk


((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-03 02:28 . 2010-06-03 02:45 -------- d-----w- C:\LarryComboFix
2010-06-01 20:33 . 2010-06-01 20:33 434688 ----a-w- c:\windows\system32\ss2uinst.exe
2010-05-31 18:16 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-31 18:16 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-31 18:16 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-31 18:16 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-31 18:16 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-31 18:16 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-31 18:16 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-31 18:15 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-31 18:15 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\program files\Alwil Software
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-28 02:09 . 2010-05-28 02:25 -------- d-----w- C:\ComboFix
2010-05-13 07:58 . 2010-05-13 07:58 -------- d-----w- c:\temp\MotoConnectTemp
2010-05-11 17:04 . 2010-01-29 14:53 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-11 17:04 . 2010-01-29 14:53 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 23:49 . 2009-01-18 01:02 -------- d-----w- c:\documents and settings\Larry\Application Data\Skype
2010-06-03 23:45 . 2008-04-16 04:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-06-03 23:35 . 2010-04-02 06:37 -------- d-----w- c:\program files\QuickTime
2010-06-03 23:24 . 2006-07-22 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-03 23:24 . 2006-07-22 04:15 -------- d-----w- c:\program files\Viewpoint
2010-06-03 19:30 . 2006-07-22 04:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-03 18:39 . 2010-04-30 13:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-03 04:13 . 2006-11-23 00:17 -------- d-----w- c:\documents and settings\Larry\Application Data\ZoomBrowser EX
2010-06-03 04:13 . 2006-11-22 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-06-03 02:30 . 2008-04-10 02:20 -------- d-----w- c:\documents and settings\Larry\Application Data\WTablet
2010-06-01 02:29 . 2006-02-12 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-01 02:12 . 2006-04-08 01:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-28 04:32 . 2006-07-13 02:42 -------- d-----w- c:\documents and settings\Larry\Application Data\Azureus
2010-05-28 01:46 . 2009-08-14 03:36 1268616 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-25 03:41 . 2007-08-09 04:06 -------- d-----w- c:\program files\DOSBox-0.71
2010-05-17 02:34 . 2007-11-15 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 00:19 . 2006-07-13 02:42 -------- d-----w- c:\program files\Azureus
2010-05-03 04:09 . 2010-05-03 04:09 -------- d-----w- c:\program files\iPod
2010-05-03 04:09 . 2007-11-14 02:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-03 04:02 . 2010-05-03 04:02 -------- d-----w- c:\program files\Bonjour
2010-04-29 19:39 . 2008-11-17 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-17 06:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 20:04 . 2009-01-18 01:03 -------- d-----w- c:\documents and settings\Larry\Application Data\skypePM
2010-04-27 18:15 . 2010-01-29 21:52 -------- d-----w- c:\program files\VMware
2010-04-27 18:12 . 2010-01-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-04-27 18:09 . 2006-10-12 23:46 -------- d-----w- c:\program files\Magic Workstation
2010-04-27 17:10 . 2010-01-29 19:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-04-26 02:54 . 2010-04-26 02:54 -------- d-----w- c:\program files\Common Files\Skype
2010-04-23 05:39 . 2006-02-12 21:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-19 01:44 . 2010-04-19 01:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 01:36 . 2010-04-19 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AIM
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AOD
2010-04-19 00:34 . 2010-02-12 23:04 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 00:25 . 2007-09-02 22:20 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-15 12:02 . 2010-03-15 12:02 1063320 ----a-w- c:\documents and settings\Larry\gotomypc_533.exe
2010-03-10 06:15 . 2009-10-19 08:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 03:55 . 2006-02-12 05:26 92720 ----a-w- c:\documents and settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
<pre>
c:\program files\AIM\aim .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Drobo Dashboard.lnk - d:\program files\Drobo\Drobo Dashboard\DroboDashboard.exe [2010-2-25 3395584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2007\\mvp2005.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\DroboDashboard.exe"=
"c:\\WINDOWS\\system32\\iscsiexe.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"d:\\Program Files\\Steam\\steamapps\\stupidlarry\\team fortress 2\\hl2.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"d:\\cygwin\\bin\\rsync.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\Support\\DDService.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\program files\\aim\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2006 5:21 PM 691696]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 2:16 PM 164048]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [1/22/2010 2:36 AM 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [1/22/2010 2:36 AM 51072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 2:16 PM 19024]
R2 DDService;Drobo Dashboard Service;d:\program files\Drobo\Drobo Dashboard\Support\DDService.exe [2/25/2010 6:07 PM 704512]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/30/2009 1:36 AM 91392]
R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [11/13/2008 10:09 PM 103480]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/9/2008 10:18 PM 1373480]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S1 SASKUTIL;SASKUTIL;\??\d:\program files\SUPERAntiSpyware\SASKUTIL.sys --> d:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 DeltaCopyService;DeltaCopy Server;"d:\deltacopy\DCServce.exe" --> d:\deltacopy\DCServce.exe [?]
S2 FreeDNSUpdate;FreeDNS Update;d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate --> d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [11/13/2008 10:09 PM 158264]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/21/2009 1:02 AM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/21/2009 1:02 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/21/2009 1:02 AM 42752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 6:12 PM 14032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
TCP: {C60625A8-25E8-4AD0-98CA-F768A62E0FCC} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Larry\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Veetle\Player\npvlc.dll
FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: d:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 19:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spve.sys hal.dll >>UNKNOWN [0x8B13E938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7e09b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/1000 PL Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7d12bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d1fb21
SendHandler -> NDIS.sys @ 0xb7cfd87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'winlogon.exe'(3160)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
d:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\logonui.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\rdpclip.exe
c:\windows\stsystra.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\logon.scr
.
**************************************************************************
.
Completion time: 2010-06-03 20:01:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 00:01
ComboFix2.txt 2010-06-03 02:45
ComboFix3.txt 2010-05-28 02:25
ComboFix4.txt 2010-05-28 02:04
ComboFix5.txt 2010-06-03 23:31

Pre-Run: 113,981,952,000 bytes free
Post-Run: 114,152,591,360 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 219BB9B1859E58FC08B02F19C149E152


#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:17 PM

Posted 04 June 2010 - 05:43 AM

Hello, LarryToolman.
Ok, that took care of a bunch, but we still have a bit more.

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\AIM\aim .exe

Folder::
c:\documents and settings\Larry\Local Settings\Application Data\gycwoxhrb\
C:\Documents and Settings\Larry\Local Settings\Application Data\sabnzbd
C:\Documents and Settings\All Users\Application Data\u4Q15RjfXYA
C:\Documents and Settings\Larry\Local Settings\Application Data\omn2MB67
C:\Documents and Settings\Larry\Local Settings\Application Data\04lB
C:\Documents and Settings\Larry\Local Settings\Application Data\jXP7U0T4
C:\Documents and Settings\Larry\Local Settings\Application Data\u4Q15RjfXYA
C:\Documents and Settings\All Users\Application Data\u4Q15RjfXYA
C:\Documents and Settings\Larry\Local Settings\Application Data\omn2MB67


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
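As an added example for this thread (not ComboFix's own code and not from either poster): a small Python triage script that reads ComboFix-style log lines like the ones posted above and flags the items that etavares's two CFScript posts correct, namely the proxy pointed at 127.0.0.1:5555, the firewall policy values, the Security Center override flags, the AppCertDlls loading point, and "aim .exe"-style file names that the RenV:: directive renames. The line patterns, category names and the embedded sample log are this example's own assumptions, with the sample built from lines quoted in the thread.

```python
"""Triage helper for ComboFix-style log text.

Added example for this thread, not code from ComboFix or from the thread's
posters.  It scans lines in the format the ComboFix logs above are printed in
and flags the conditions the CFScripts in the thread address: a proxy pointed
at the local machine, Windows Firewall policy switched off, Security Center
override flags, executables with a space before ".exe" (the RenV:: entries),
and any AppCertDlls loading point.  The regexes and category names are this
example's own assumptions, not ComboFix's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix output quoted in the
# thread, except the two Security Center override values, which are set to 1
# here to exercise the check (the thread's CFScript resets them to 0).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll
<pre>
c:\program files\AIM\aim .exe
</pre>
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"""


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


# "ProxyServer = http=127.0.0.1:5555" -> host 127.0.0.1, port 5555
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[^:;\s]+):(?P<port>\d+)", re.I)
# '"Name"=dword:00000001' or '"Name"= 0 (0x0)' -> name and numeric value
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9a-fA-F]+)')
# 'valuename REG_SZ c:\path\to\file.dll'
APPCERT_RE = re.compile(r"^\S+\s+REG_SZ\s+(?P<path>.+\.dll)\s*$", re.I)
# a file name carrying a space right before its .exe extension
SPACED_EXT_RE = re.compile(r"\S\s+\.exe\s*$", re.I)

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
OVERRIDE_NAMES = {"antivirusoverride", "firewalloverride"}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    section = ""  # lower-cased registry key the following values belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue

        m = PROXY_RE.search(line)
        if m and m.group("host").lower() in LOCAL_HOSTS:
            # A proxy on the local machine means something local sits between
            # the browser and the network; nothing in this log should.
            findings.append(Finding("local-proxy", line))
            continue

        m = REG_VALUE_RE.match(line)
        if m:
            name, val = m.group("name").lower(), int(m.group("val"), 16)
            if "security center" in section and name in OVERRIDE_NAMES and val != 0:
                # Override flags silence the "no AV / no firewall" warnings.
                findings.append(Finding("securitycenter-override", line))
            elif "firewallpolicy" in section and name == "enablefirewall" and val == 0:
                findings.append(Finding("firewall-disabled", line))
            elif "firewallpolicy" in section and name == "disablenotifications" and val != 0:
                findings.append(Finding("firewall-notifications-off", line))
            continue

        if "appcertdlls" in section and APPCERT_RE.match(line):
            # AppCertDlls DLLs are loaded into every process that calls
            # CreateProcess, so each entry deserves a look.
            findings.append(Finding("appcertdlls-entry", line))
            continue

        if SPACED_EXT_RE.search(line):
            # "aim .exe" style names are what the RenV:: directive renames.
            findings.append(Finding("spaced-extension", line))

    return findings


def summarize(log_text: str) -> dict[str, int]:
    """Count findings per category, for a quick overview."""
    counts: dict[str, int] = {}
    for f in triage(log_text):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:28} {f.line}")
    print(summarize(SAMPLE_LOG))
```

Run the file as-is to see the findings for the embedded sample, or pass the contents of a real ComboFix.txt to triage(). The checks are heuristics: a flagged AppCertDlls entry is a prompt to verify that DLL, not a verdict, and the firewall and override checks only read what ComboFix printed, so they cannot tell whether the setting was changed by malware or by the user.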
 


#12 LarryToolman

LarryToolman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:17 PM

Posted 04 June 2010 - 11:03 AM

Here's my CF log after running. Thanks again!

ComboFix 10-06-03.01 - Larry 06/04/2010 11:22:27.29.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2630 [GMT -4:00]
Running from: c:\documents and settings\Larry\Desktop\LarryComboFix.exe
Command switches used :: c:\documents and settings\Larry\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\admin\history1.db
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\bookmarks.sab
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\bytes9.sab
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\postproc1.sab
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\queue9.sab
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\rss_data.sab
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article__bioie
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_4n9dch
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_cdz8nm
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_grs0vi
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_lwvakr
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_qhqpov
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_riqvnn
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_sh-fqv
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_u2nu-x
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_vfuaai
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_ynbd_y
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_article_z9ctbz
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\SABnzbd_nzo_nr57ok
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\cache\watched_data.sab
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\logs\sabnzbd.log
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\logs\sabnzbd.log.1
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\logs\sabnzbd.log.2
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\logs\sabnzbd.log.3
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\logs\sabnzbd.log.4
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\logs\sabnzbd.log.5
c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd\sabnzbd.ini

.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-03 02:28 . 2010-06-03 02:45 -------- d-----w- C:\LarryComboFix
2010-06-01 20:33 . 2010-06-01 20:33 434688 ----a-w- c:\windows\system32\ss2uinst.exe
2010-05-31 18:16 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-31 18:16 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-31 18:16 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-31 18:16 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-31 18:16 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-31 18:16 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-31 18:16 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-31 18:15 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-31 18:15 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\program files\Alwil Software
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-28 02:09 . 2010-05-28 02:25 -------- d-----w- C:\ComboFix
2010-05-13 07:58 . 2010-05-13 07:58 -------- d-----w- c:\temp\MotoConnectTemp
2010-05-11 17:04 . 2010-01-29 14:53 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-11 17:04 . 2010-01-29 14:53 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 14:01 . 2008-04-16 04:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-06-04 14:00 . 2010-04-30 13:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-04 14:00 . 2009-01-18 01:02 -------- d-----w- c:\documents and settings\Larry\Application Data\Skype
2010-06-04 01:38 . 2009-11-23 23:32 117760 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-04 01:17 . 2006-07-22 04:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-03 23:35 . 2010-04-02 06:37 -------- d-----w- c:\program files\QuickTime
2010-06-03 23:24 . 2006-07-22 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-03 23:24 . 2006-07-22 04:15 -------- d-----w- c:\program files\Viewpoint
2010-06-03 04:13 . 2006-11-23 00:17 -------- d-----w- c:\documents and settings\Larry\Application Data\ZoomBrowser EX
2010-06-03 04:13 . 2006-11-22 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-06-03 02:30 . 2008-04-10 02:20 -------- d-----w- c:\documents and settings\Larry\Application Data\WTablet
2010-06-01 02:29 . 2006-02-12 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-01 02:12 . 2006-04-08 01:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-28 04:32 . 2006-07-13 02:42 -------- d-----w- c:\documents and settings\Larry\Application Data\Azureus
2010-05-28 01:46 . 2009-08-14 03:36 1268616 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-25 03:41 . 2007-08-09 04:06 -------- d-----w- c:\program files\DOSBox-0.71
2010-05-17 02:34 . 2007-11-15 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 00:19 . 2006-07-13 02:42 -------- d-----w- c:\program files\Azureus
2010-05-03 04:09 . 2010-05-03 04:09 -------- d-----w- c:\program files\iPod
2010-05-03 04:09 . 2007-11-14 02:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-03 04:02 . 2010-05-03 04:02 -------- d-----w- c:\program files\Bonjour
2010-05-03 04:01 . 2010-05-03 04:01 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-29 19:39 . 2008-11-17 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-17 06:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 20:04 . 2009-01-18 01:03 -------- d-----w- c:\documents and settings\Larry\Application Data\skypePM
2010-04-27 18:15 . 2010-01-29 21:52 -------- d-----w- c:\program files\VMware
2010-04-27 18:12 . 2010-01-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-04-27 18:09 . 2006-10-12 23:46 -------- d-----w- c:\program files\Magic Workstation
2010-04-27 17:10 . 2010-01-29 19:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-04-26 02:54 . 2010-04-26 02:54 -------- d-----w- c:\program files\Common Files\Skype
2010-04-23 05:39 . 2006-02-12 21:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-19 01:44 . 2010-04-19 01:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 01:36 . 2010-04-19 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AIM
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AOD
2010-04-19 00:34 . 2010-02-12 23:04 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 00:25 . 2007-09-02 22:20 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-10 09:50 . 2010-03-09 05:02 4141117 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-04-10 09:50 . 2010-03-09 05:02 7282688 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-18 00:54 . 2009-06-25 00:00 144160 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\uninstall.exe
2010-03-18 00:54 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-03-15 12:02 . 2010-03-15 12:02 1063320 ----a-w- c:\documents and settings\Larry\gotomypc_533.exe
2010-03-11 05:58 . 2010-03-05 01:02 1732608 ----a-w- c:\documents and settings\Larry\Application Data\Xbins\xbinsftp.exe
2010-03-10 06:15 . 2009-10-19 08:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 03:55 . 2006-02-12 05:26 92720 ----a-w- c:\documents and settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
c:\program files\AIM\aim .exe


((((((((((((((((((((((((((((( SnapShot_2010-06-03_02.42.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-04 14:01 . 2010-06-04 14:01 16384 c:\windows\temp\Perflib_Perfdata_108.dat
+ 2009-10-19 08:27 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2009-10-19 08:27 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2009-10-13 23:43 . 2009-05-26 09:01 17272 c:\windows\system32\spmsg.dll
- 2009-10-13 23:43 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-11-29 18:34 . 2008-04-14 12:00 59392 c:\windows\system32\IME\PINTLGNT\imscinst.exe
+ 2009-11-29 18:34 . 2008-04-14 12:00 59392 c:\windows\system32\dllcache\imscinst.exe
+ 2009-11-29 18:34 . 2008-04-14 12:00 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe
- 2009-10-19 08:35 . 2009-10-19 08:35 361600 c:\windows\system32\drivers\tcpip.sys
+ 2009-10-19 08:35 . 2008-06-20 11:59 361600 c:\windows\system32\drivers\tcpip.sys
+ 2009-11-29 18:34 . 2008-04-14 12:00 455168 c:\windows\system32\dllcache\tintsetp.exe
+ 2009-10-19 08:35 . 2008-06-20 11:59 361600 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Drobo Dashboard.lnk - d:\program files\Drobo\Drobo Dashboard\DroboDashboard.exe [2010-2-25 3395584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2007\\mvp2005.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\DroboDashboard.exe"=
"c:\\WINDOWS\\system32\\iscsiexe.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"d:\\Program Files\\Steam\\steamapps\\stupidlarry\\team fortress 2\\hl2.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"d:\\cygwin\\bin\\rsync.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\Support\\DDService.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\program files\\aim\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 2:16 PM 164048]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [1/22/2010 2:36 AM 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [1/22/2010 2:36 AM 51072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 2:16 PM 19024]
R2 DDService;Drobo Dashboard Service;d:\program files\Drobo\Drobo Dashboard\Support\DDService.exe [2/25/2010 6:07 PM 704512]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/30/2009 1:36 AM 91392]
R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [11/13/2008 10:09 PM 103480]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/9/2008 10:18 PM 1373480]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2006 5:21 PM 691696]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S2 FreeDNSUpdate;FreeDNS Update;d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate --> d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [11/13/2008 10:09 PM 158264]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/21/2009 1:02 AM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/21/2009 1:02 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/21/2009 1:02 AM 42752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 6:12 PM 14032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
TCP: {C60625A8-25E8-4AD0-98CA-F768A62E0FCC} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Larry\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Veetle\Player\npvlc.dll
FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: d:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 11:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'winlogon.exe'(3524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-04 11:35:09
ComboFix-quarantined-files.txt 2010-06-04 15:35
ComboFix2.txt 2010-06-04 00:01
ComboFix3.txt 2010-06-03 02:45
ComboFix4.txt 2010-05-28 02:25
ComboFix5.txt 2010-06-04 15:21

Pre-Run: 113,755,713,536 bytes free
Post-Run: 113,719,500,800 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 545479E3BB3C2E3A4AB60C77AD0EC8A0


#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:17 PM

Posted 05 June 2010 - 06:08 AM

Hello, LarryToolman.

OK, one more try. If this doesn't work, we move on to wiping the infected program off your computer and reinstalling AIM.





Step 1

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\javakrnl.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Step 2

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\AIM\aim .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
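The following triage helper is an added example, not part of this thread and not a tool from BleepingComputer, ComboFix or SUPERAntiSpyware. It parses the "Reg Loading Points" block that ComboFix prints (the `[key]` headers and `"name"=data` lines seen in the log above) and pulls out what etavares is chasing in the two steps of his post: the AppCertDlls entry pointing at javakrnl.dll, the disabled Windows Firewall, the globally open RDP port, and file names built to pass as a known program, such as `aim .exe` with a space before the extension. It also hashes a referenced file so it can be looked up by SHA-256 on VirusTotal instead of being uploaded, and reports when the referenced file is not on disk at all, which is what the "Couldn't find javakrnl.dll" reply in this thread amounts to. `SAMPLE_LOG` is a constructed excerpt modelled on lines from the logs in this thread; `REMOTE_ACCESS_PORTS`, the finding categories and the function names are assumptions of mine, not anything ComboFix defines.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output (added example,
not ComboFix's own code). SAMPLE_LOG is a constructed excerpt modelled on
lines from the logs in the thread; it is not a complete ComboFix log."""
import hashlib
import os
import re

# Constructed excerpt; keys and values mirror the 'Reg Loading Points' format.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]+)"')

# Assumed list: ports whose presence in GloballyOpenPorts deserves a second look.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 23: "telnet", 22: "ssh"}


def parse_reg_sections(log_text):
    """Group the lines under each [registry key] header; keys are lower-cased."""
    sections = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("key").lower()
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def odd_filename(path):
    """True for names built to pass as a known program: a space before the
    extension ("aim .exe") or a doubled executable extension ("aim.exe.exe")."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem, dot, _ext = name.rpartition(".")
    if not dot:
        return False
    return stem != stem.rstrip() or stem.lower().endswith((".exe", ".dll", ".scr", ".com"))


def triage(log_text):
    """Return a list of (category, name, detail) findings from the log text."""
    findings = []
    for key, lines in parse_reg_sections(log_text).items():
        if key.endswith("\\appcertdlls"):
            # DLLs listed here are loaded into every process that goes through
            # the CreateProcess family, so each entry is worth hashing and checking.
            for line in lines:
                parts = line.split(None, 2)  # name  REG_SZ  path
                if len(parts) == 3:
                    findings.append(("appcertdll", parts[0], parts[2]))
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name") == "EnableFirewall" and m.group("data").startswith("0"):
                    findings.append(("firewall_off", "EnableFirewall", m.group("data")))
        elif key.endswith("\\globallyopenports\\list"):
            for line in lines:
                m = VALUE_RE.match(line)
                if not m:
                    continue
                port = int(m.group("name").split(":")[0])
                if port in REMOTE_ACCESS_PORTS:
                    findings.append(("open_port", m.group("name"), REMOTE_ACCESS_PORTS[port]))
        elif key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce"):
            for line in lines:
                m = VALUE_RE.match(line)
                p = QUOTED_PATH_RE.match(m.group("data")) if m else None
                if p and odd_filename(p.group("path")):
                    findings.append(("odd_name", m.group("name"), p.group("path")))
    return findings


def sha256_bytes(data):
    """SHA-256 hex digest: the value to search on VirusTotal instead of uploading."""
    return hashlib.sha256(data).hexdigest()


def check_referenced_file(path):
    """For a path taken from a loading point: is it on disk, and what is its hash?
    A missing file is itself a finding: either the loading point outlived the
    file or something is hiding it from the file system APIs."""
    if not os.path.isfile(path):
        return {"path": path, "exists": False, "sha256": None}
    with open(path, "rb") as fh:
        return {"path": path, "exists": True, "sha256": sha256_bytes(fh.read())}


if __name__ == "__main__":
    for category, name, detail in triage(SAMPLE_LOG):
        print(f"{category:12s} {name:16s} {detail}")
    print(check_referenced_file(r"c:\windows\system32\javakrnl.dll"))
```

Run it against a saved ComboFix.txt by passing the file's contents to `triage()`; on the excerpt it reports the AppCertDlls entry, the firewall being off and the open RDP port, and `odd_filename()` is what flags `c:\program files\AIM\aim .exe` while letting the real `aim.exe` through. The AppCertDlls check is the one to act on first, since the key is a documented load point for every newly created process and the path it names here does not exist on disk.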
 


#14 LarryToolman

LarryToolman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 05 June 2010 - 12:15 PM

Thanks again etavares!

Couldn't find javakrnl.dll

here's the CF log:

ComboFix 10-06-03.01 - Larry 06/05/2010 12:57:59.30.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1880 [GMT -4:00]
Running from: c:\documents and settings\Larry\Desktop\LarryComboFix.exe
Command switches used :: c:\documents and settings\Larry\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-04 15:58 . 2010-06-04 15:58 -------- d-----w- c:\documents and settings\Larry\Local Settings\Application Data\sabnzbd
2010-06-03 02:28 . 2010-06-03 02:45 -------- d-----w- C:\LarryComboFix
2010-06-01 20:33 . 2010-06-01 20:33 434688 ----a-w- c:\windows\system32\ss2uinst.exe
2010-05-31 18:16 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-31 18:16 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-31 18:16 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-31 18:16 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-31 18:16 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-31 18:16 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-31 18:16 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-31 18:15 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-31 18:15 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\program files\Alwil Software
2010-05-31 18:15 . 2010-05-31 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-28 02:09 . 2010-05-28 02:25 -------- d-----w- C:\ComboFix
2010-05-13 07:58 . 2010-05-13 07:58 -------- d-----w- c:\temp\MotoConnectTemp
2010-05-11 17:04 . 2010-01-29 14:53 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-11 17:04 . 2010-01-29 14:53 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 16:57 . 2006-07-22 04:15 -------- d-----w- c:\program files\AIM
2010-06-04 16:46 . 2009-11-23 23:32 117760 ----a-w- c:\documents and settings\Larry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-04 16:05 . 2006-07-22 04:46 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-04 14:01 . 2008-04-16 04:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-06-04 14:00 . 2010-04-30 13:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-04 14:00 . 2009-01-18 01:02 -------- d-----w- c:\documents and settings\Larry\Application Data\Skype
2010-06-03 23:35 . 2010-04-02 06:37 -------- d-----w- c:\program files\QuickTime
2010-06-03 23:24 . 2006-07-22 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-03 23:24 . 2006-07-22 04:15 -------- d-----w- c:\program files\Viewpoint
2010-06-03 04:13 . 2006-11-23 00:17 -------- d-----w- c:\documents and settings\Larry\Application Data\ZoomBrowser EX
2010-06-03 04:13 . 2006-11-22 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-06-03 02:30 . 2008-04-10 02:20 -------- d-----w- c:\documents and settings\Larry\Application Data\WTablet
2010-06-01 02:29 . 2006-02-12 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-01 02:12 . 2006-04-08 01:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-28 04:32 . 2006-07-13 02:42 -------- d-----w- c:\documents and settings\Larry\Application Data\Azureus
2010-05-28 01:46 . 2009-08-14 03:36 1268616 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-25 03:41 . 2007-08-09 04:06 -------- d-----w- c:\program files\DOSBox-0.71
2010-05-17 02:34 . 2007-11-15 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 00:19 . 2006-07-13 02:42 -------- d-----w- c:\program files\Azureus
2010-05-03 04:09 . 2010-05-03 04:09 -------- d-----w- c:\program files\iPod
2010-05-03 04:09 . 2007-11-14 02:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-03 04:02 . 2010-05-03 04:02 -------- d-----w- c:\program files\Bonjour
2010-05-03 04:01 . 2010-05-03 04:01 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-29 19:39 . 2008-11-17 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-17 06:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 20:04 . 2009-01-18 01:03 -------- d-----w- c:\documents and settings\Larry\Application Data\skypePM
2010-04-27 18:15 . 2010-01-29 21:52 -------- d-----w- c:\program files\VMware
2010-04-27 18:12 . 2010-01-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-04-27 18:09 . 2006-10-12 23:46 -------- d-----w- c:\program files\Magic Workstation
2010-04-27 17:10 . 2010-01-29 19:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-04-26 02:54 . 2010-04-26 02:54 -------- d-----w- c:\program files\Common Files\Skype
2010-04-23 05:39 . 2006-02-12 21:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-19 01:44 . 2010-04-19 01:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 01:36 . 2010-04-19 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-19 01:21 . 2006-07-22 04:15 -------- d-----w- c:\program files\AOD
2010-04-19 00:34 . 2010-02-12 23:04 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 00:25 . 2007-09-02 22:20 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-10 09:50 . 2010-03-09 05:02 4141117 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2010-04-10 09:50 . 2010-03-09 05:02 7282688 ----a-w- c:\documents and settings\Larry\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-18 00:54 . 2009-06-25 00:00 144160 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\uninstall.exe
2010-03-18 00:54 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-03-15 12:02 . 2010-03-15 12:02 1063320 ----a-w- c:\documents and settings\Larry\gotomypc_533.exe
2010-03-11 05:58 . 2010-03-05 01:02 1732608 ----a-w- c:\documents and settings\Larry\Application Data\Xbins\xbinsftp.exe
2010-03-10 06:15 . 2009-10-19 08:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 03:55 . 2006-02-12 05:26 92720 ----a-w- c:\documents and settings\Larry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-03_02.42.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-04 14:01 . 2010-06-04 14:01 16384 c:\windows\temp\Perflib_Perfdata_108.dat
+ 2009-10-19 08:27 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2009-10-19 08:27 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2009-10-13 23:43 . 2009-05-26 09:01 17272 c:\windows\system32\spmsg.dll
- 2009-10-13 23:43 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-11-29 18:34 . 2008-04-14 12:00 59392 c:\windows\system32\IME\PINTLGNT\imscinst.exe
+ 2009-11-29 18:34 . 2008-04-14 12:00 59392 c:\windows\system32\dllcache\imscinst.exe
+ 2009-11-29 18:34 . 2008-04-14 12:00 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe
- 2009-10-19 08:35 . 2009-10-19 08:35 361600 c:\windows\system32\drivers\tcpip.sys
+ 2009-10-19 08:35 . 2008-06-20 11:59 361600 c:\windows\system32\drivers\tcpip.sys
+ 2009-11-29 18:34 . 2008-04-14 12:00 455168 c:\windows\system32\dllcache\tintsetp.exe
+ 2009-10-19 08:35 . 2008-06-20 11:59 361600 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Drobo Dashboard.lnk - d:\program files\Drobo\Drobo Dashboard\DroboDashboard.exe [2010-2-25 3395584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dmregers REG_SZ c:\windows\system32\javakrnl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2007\\mvp2005.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\DroboDashboard.exe"=
"c:\\WINDOWS\\system32\\iscsiexe.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"d:\\Program Files\\Steam\\steamapps\\stupidlarry\\team fortress 2\\hl2.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"d:\\cygwin\\bin\\rsync.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Program Files\\Drobo\\Drobo Dashboard\\Support\\DDService.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\program files\\aim\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 2:16 PM 164048]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [1/22/2010 2:36 AM 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [1/22/2010 2:36 AM 51072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 2:16 PM 19024]
R2 DDService;Drobo Dashboard Service;d:\program files\Drobo\Drobo Dashboard\Support\DDService.exe [2/25/2010 6:07 PM 704512]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/30/2009 1:36 AM 91392]
R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [11/13/2008 10:09 PM 103480]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/9/2008 10:18 PM 1373480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/12/2006 5:21 PM 691696]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S2 FreeDNSUpdate;FreeDNS Update;d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate --> d:\program files\FreeDNS Update\FDNSUSVC.exe -start -sname=FreeDNSUpdate [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [11/13/2008 10:09 PM 158264]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/21/2009 1:02 AM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/21/2009 1:02 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/21/2009 1:02 AM 42752]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 6:12 PM 14032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASKUTIL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
TCP: {C60625A8-25E8-4AD0-98CA-F768A62E0FCC} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Larry\Application Data\Mozilla\Firefox\Profiles\4rxn9ufz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Larry\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Larry\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\Veetle\Player\npvlc.dll
FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: d:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 13:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:6f,17,6f,ba,ed,23,e6,9b,f3,45,89,37,b8,0c,10,a5,d3,8f,ce,65,90,
ce,0f,08,53,d2,85,ef,5a,c4,b0,9a,a6,6d,56,25,ec,f6,5c,c2,56,05,69,39,e6,78,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'winlogon.exe'(3524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(33144)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-06-05 13:10:11
ComboFix-quarantined-files.txt 2010-06-05 17:10
ComboFix2.txt 2010-06-04 15:35
ComboFix3.txt 2010-06-04 00:01
ComboFix4.txt 2010-06-03 02:45
ComboFix5.txt 2010-06-05 16:57

Pre-Run: 113,535,922,176 bytes free
Post-Run: 113,496,588,288 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 69A65C71312EE92E802393975FC2C5B9


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:17 PM

Posted 05 June 2010 - 01:01 PM

Hello, LarryToolman.

OK, that time it worked. It's a persistent Vundo file infector infection... but we finally seem to be rid of it. Let's get a second opinion, but you're looking a lot better.



Step 1

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



Step 2

In addition to that log, please also run a fresh OTL scan and post it in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators