Extremely Persistent Mebroot Variant Suspected


  • This topic is locked
50 replies to this topic

#1 turc1656

turc1656

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 07 June 2010 - 11:02 AM

I am continuing this from:

http://www.bleepingcomputer.com/forums/topic322050.html

as instructed by a Moderator.

Here is the very detailed description of my problem:

I've been trying to get rid of an infection as time permits since 5/25. I got the infection when clicking on a google.com search result for a web site I have visited in the past. This time I got the "reported attack page" notice but since I had been to that site before and "knew" it was safe I figured it was just an incorrect report. So I clicked to go to it anyway and sure enough Eset's NOD32 popped up with 1 message of "JS/Exploit .Pdfka.NYV trojan", 2 of "a variant of Win32/Mebroot.DC trojan" and 1 of "a variant of Win32/Mebroot.DZ trojan". Turns out the site was hacked. I figured I was safe, though, since NOD32 seemingly caught it.

However, I immediately noticed that all my search results were hijacked and link to addresses all of the form "http://adwords.onlinesecuregroup.com/r.php?r=" and then some long string of alphanumeric code.

In addition to this, I also have these fake pages displayed when trying to login at certain sites. My girlfriend had a problem with her AOL mail. I get a fake page that asks for her CC information to "verify" her identity with the ones "on record". Yeah, ok. We of course were not foolish enough to provide any info. I tried in IE and also had both problems there (search engine results hijacking and the AOL thing). I also noticed a few days later I can't login to ebay and got a similar page. Fortunately I have not logged into Paypal or my bank's website since the infection and only did so at my work machine.

I figured out that I could use a portable version of Google Chrome to do my web browsing on this machine without the infection affecting it. I cannot, however, use Firefox portable.

Here's what I have tried to resolve the issue:

Spybot - came up with no problems.
Malwarebytes' Anti-Malware - found 3 instances of "Trojan.Fake.Alert" or something like that - registry keys if I recall correctly. Removed them but problem persisted.
ComboFix - I realized I had a serious infection so I ran it and it recognized that there was rootkit activity, rebooted, did its thing. Problem persisted. I ran it again, seemingly no issues found by ComboFix.

I found this page (along with others regarding Mebroot):
http://www.bleepingcomputer.com/forums/t/318521/search-engine-hijacker/?

I read everything and tried it all. It is of note that I do not, according to HAMeb_check.exe, have an infected MBR, unlike the guy in that post. So no FixMBR was run by me and the program did not run "mbr -f" because it did not detect an MBR infection. As such, my report did not say anything regarding "detected MBR hooks."


I did, however, and still do (according to the report) have "termsrv32.dll present!" so I ran HelpAsst_mebroot_fix.exe, rebooted, and then ran the cleanup. Problem still persists.

I ran Symantec's FixMebroot.exe and it found nothing. I ran F-Secure's BlackLight and it also found nothing. I ran TrendMicro's RootkitBuster and it also found nothing. GMER had a problem though. When I load GMER up and it does its initial startup scan, it finds nothing. When I click scan and let it run, it has NEVER been able to finish. My system blue screens at some point every time.

I am really at a loss. Although I have one ray of hope. Well, 2 really. I KNOW that the termsrv32.dll is at least one issue causing this to recur. By the way, the file is not present as soon as I boot up into Windows. I ran a report with HAMeb_check.exe as soon as I could execute after login and it said it wasn't there. I ran it 5 minutes later and it's there! The other piece of info that seems critical is this line from the HAMeb_check.exe report: called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spbp.sys >>UNKNOWN [0x8AC78938]<<

That file in bold changes every time but always seems to be sp**.sys. I would bet my last dollar that is the way it is loading every time. Although I have no idea how to stop it from loading. I did a search on my computer and cannot find whatever file is listed by the report.

I apologize for the length of this post but I wanted to be thorough as I have tried everything I could think of. Side note - I am running XP SP3 Professional.

Would greatly appreciate help.



Here is the DDS log (GMER's log has a ton of entries for Comodo's firewall for some reason so it is zipped and attached, along with the attach.txt file also from DDS):




DDS (Ver_10-03-17.01) - NTFSx86
Run by Ryan Turcotte at 8:46:32.45 on Mon 06/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2303 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Documents and Settings\Ryan Turcotte\Desktop\GoogleChromePortable\GoogleChromePortable.exe
C:\Documents and Settings\Ryan Turcotte\Desktop\GoogleChromePortable\App\Chrome-bin\chrome.exe
C:\Documents and Settings\Ryan Turcotte\Desktop\GoogleChromePortable\App\Chrome-bin\chrome.exe
C:\Documents and Settings\Ryan Turcotte\Desktop\GoogleChromePortable\App\Chrome-bin\chrome.exe
C:\Documents and Settings\Ryan Turcotte\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbit downloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbit downloader\GrabPro.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" resetprofile
IE: &Download by Orbit - c:\program files\orbit downloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbit downloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\orbit downloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbit downloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267074435759
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryantu~1\applic~1\mozilla\firefox\profiles\009kh1nl.ryan\
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - plugin: c:\program files\k-lite mega codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite mega codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\picasa 3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2009-5-18 59776]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-1 230360]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-11 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-11 96408]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1778480]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-11 735960]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-15 24652]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-2-17 14424]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2008-7-10 1106968]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]

============== File Associations ===============

.txt=txt_auto_file

=============== Created Last 30 ================

2010-06-07 12:29:37 20 ----a-w- c:\documents and settings\ryan turcotte\defogger_reenable
2010-06-07 01:59:37 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-06-07 01:26:16 0 d-----w- c:\program files\COMODO
2010-06-07 01:15:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-06 17:03:12 0 d-----w- c:\docume~1\ryantu~1\applic~1\SUPERAntiSpyware.com
2010-06-06 17:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-06 17:02:53 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-06 16:55:43 2442 ----a-w- c:\windows\system32\tmp.reg
2010-06-05 17:46:23 0 d-----w- C:\HelpAsst_backup
2010-06-05 17:46:22 82944 ----a-w- c:\windows\sed.exe
2010-06-05 17:46:21 278016 ----a-w- c:\windows\swreg.exe
2010-06-05 17:11:17 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-05 17:11:17 0 d-----w- c:\documents and settings\ryan turcotte\log
2010-06-04 05:38:05 0 d-----w- c:\docume~1\ryantu~1\applic~1\Malwarebytes
2010-06-04 05:37:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 05:37:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 05:37:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 05:37:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 23:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-01 23:00:22 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-01 23:00:22 230360 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-01 23:00:20 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-05-29 00:52:26 0 d-sha-r- C:\cmdcons
2010-05-29 00:46:17 77312 ----a-w- c:\windows\MBR.exe
2010-05-29 00:46:15 256512 ----a-w- c:\windows\PEV.exe
2010-05-12 03:22:27 0 d-----w- c:\docume~1\ryantu~1\applic~1\Locktime
2010-05-12 03:13:48 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
2010-05-12 03:13:48 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
2010-05-12 03:13:26 0 d-----w- c:\program files\common files\Creative
2010-05-12 03:13:21 0 d--h--w- c:\program files\Creative Installation Information
2010-05-12 02:27:58 0 d-----w- c:\program files\Creative
2010-05-11 05:30:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Locktime
2010-05-11 05:30:00 0 d-----w- c:\program files\NetLimiter 2 Pro
2010-05-10 23:24:01 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-05-10 23:23:58 0 d-----w- c:\program files\AIM
2010-05-10 23:23:56 0 d-----w- c:\program files\common files\Software Update Utility

==================== Find3M ====================

2010-03-12 03:38:16 653312 ----a-w- c:\program files\common files\SetupDLL.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 8:50:57.30 ===============

Attached Files
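The two report fragments the poster leans on (the HAMeb_check.exe "called modules" line with its changing sp??.sys name and >>UNKNOWN<< address, and the DDS "Created Last 30" block) are small enough to triage by script. The following is an added example written for this thread, not code from HAMeb_check, DDS or any other tool named above; the sample lines are taken from the post, the disk-stack baseline and the 5/25 infection date are assumptions drawn from the poster's own account, and the helper names are invented here.

```python
"""Triage helpers for the HAMeb_check and DDS fragments quoted above.

Added example for this thread; the parsing rules, baseline and sample
input are assumptions of this script, not behaviour of the real tools.
"""
import re
from datetime import date

# Constructed sample: the "called modules" line exactly as quoted in the post.
HAMEB_LINE = ("called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys "
              "hal.dll atapi.sys spbp.sys >>UNKNOWN [0x8AC78938]<<")

# Assumed baseline: modules a clean XP disk stack is expected to show on this
# path, built from the non-suspicious names in the same line.
BASELINE = {"ntkrnlpa.exe", "classpnp.sys", "disk.sys", "acpi.sys",
            "hal.dll", "atapi.sys"}

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# Pattern the poster observed: a two-character sp??.sys name that changes per boot.
SPXX_RE = re.compile(r"^sp[a-z0-9]{2}\.sys$", re.IGNORECASE)


def triage_called_modules(line):
    """Split a 'called modules:' line into findings a responder would look at:
    unknown (unbacked) addresses, modules outside the baseline, sp??.sys names."""
    body = line.split("called modules:", 1)[1] if "called modules:" in line else line
    unknown = UNKNOWN_RE.findall(body)
    body = UNKNOWN_RE.sub(" ", body)          # drop the marker, keep the names
    modules = body.split()
    return {
        "unknown_addresses": unknown,
        "not_in_baseline": [m for m in modules if m.lower() not in BASELINE],
        "spxx_names": [m for m in modules if SPXX_RE.match(m)],
    }


# Constructed sample: a few lines copied from the DDS "Created Last 30" block.
DDS_CREATED = r"""
2010-06-07 12:29:37 20 ----a-w- c:\documents and settings\ryan turcotte\defogger_reenable
2010-06-05 17:11:17 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-01 23:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2010-05-29 00:46:17 77312 ----a-w- c:\windows\MBR.exe
2010-05-12 03:13:48 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
"""
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")


def system_files_since(text, since_iso, roots=("c:\\windows\\",)):
    """Return (date, size, path) for DDS 'Created Last 30' entries dated on or
    after `since_iso` (YYYY-MM-DD) that live under the given system roots."""
    since = date.fromisoformat(since_iso)
    hits = []
    for raw in text.splitlines():
        m = CREATED_RE.match(raw.strip())
        if not m:
            continue
        created = date.fromisoformat(m.group(1))
        path = m.group(5)
        if created >= since and path.lower().startswith(roots):
            hits.append((created.isoformat(), int(m.group(3)), path))
    return hits


if __name__ == "__main__":
    for key, val in triage_called_modules(HAMEB_LINE).items():
        print(f"{key}: {val}")
    # 5/25 is the infection date the poster gives.
    for entry in system_files_since(DDS_CREATED, "2010-05-25"):
        print(entry)
```

Run against the sample, the module check singles out spbp.sys as the only name outside the baseline and the only sp??.sys hit, with 0x8AC78938 as the address no module backs. The timeline check is just as useful for what it does not show: the post-5/25 entries under c:\windows in this log are tmcomm.sys, guard32.dll and MBR.exe, which are the removal tools the poster installed, so the file that loads under the changing sp??.sys name is not sitting in the DDS creation list at all, consistent with the poster being unable to find it on disk.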




#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:31 PM

Posted 10 June 2010 - 02:47 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:31 AM

Posted 11 June 2010 - 02:13 AM

Thank you for getting back to me.

I have re-run DDS and GMER. It should be noted that the first time I tried to run GMER it crashed on me. I reopened the program and ran the scan again. This time it completed. Good thing I saved the log immediately, because as soon as I tried to load Chrome portable to come here and post the logs, I got a blue screen.

Here is the DDS log (GMER.log is attached to this post).


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ryan Turcotte at 1:43:20.97 on Fri 06/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2330 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Ryan Turcotte\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbit downloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbit downloader\GrabPro.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" resetprofile
IE: &Download by Orbit - c:\program files\orbit downloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbit downloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\orbit downloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbit downloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267074435759
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryantu~1\applic~1\mozilla\firefox\profiles\p8p9nm8a.ryan2\
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite mega codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite mega codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\picasa 3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2009-5-18 59776]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-1 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-11 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-11 96408]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1778480]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-11 735960]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-15 24652]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\ryantu~1\locals~1\temp\5199e003.nmc\nse\bin\ndiskio.sys --> c:\docume~1\ryantu~1\locals~1\temp\5199e003.nmc\nse\bin\ndiskio.sys [?]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-2-17 14424]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2008-7-10 1106968]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]

============== File Associations ===============

.txt=txt_auto_file

=============== Created Last 30 ================

2010-06-10 04:55:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-10 04:55:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-09 06:44:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 03:37:45 51 ----a-w- c:\windows\wininit.ini
2010-06-07 12:29:37 20 ----a-w- c:\documents and settings\ryan turcotte\defogger_reenable
2010-06-07 01:59:37 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-06-07 01:26:16 0 d-----w- c:\program files\COMODO
2010-06-07 01:15:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-06 17:03:12 0 d-----w- c:\docume~1\ryantu~1\applic~1\SUPERAntiSpyware.com
2010-06-06 17:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-06 17:02:53 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-05 17:46:23 0 d-----w- C:\HelpAsst_backup
2010-06-05 17:11:17 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-05 17:11:17 0 d-----w- c:\documents and settings\ryan turcotte\log
2010-06-04 05:38:05 0 d-----w- c:\docume~1\ryantu~1\applic~1\Malwarebytes
2010-06-04 05:37:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 05:37:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 05:37:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 05:37:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 23:00:52 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-01 23:00:22 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-01 23:00:22 229312 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-01 23:00:20 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-05-29 00:52:26 0 d-sha-r- C:\cmdcons
2010-05-29 00:46:17 77312 ----a-w- c:\windows\MBR.exe
2010-05-29 00:46:15 256512 ----a-w- c:\windows\PEV.exe

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-12 03:38:16 653312 ----a-w- c:\program files\common files\SetupDLL.dll

============= FINISH: 1:43:59.86 ===============

Attached Files

  • Attached File  GMER.log   20.8KB


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,835 posts
  • Gender:Female
  • Location:Romania

Posted 14 June 2010 - 11:12 AM


Welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts

Posted 14 June 2010 - 06:54 PM

Hello,

Thank you for your assistance.

I have disabled all necessary software and run ComboFix. Here is the log file:



ComboFix 10-06-14.02 - Ryan Turcotte 06/14/2010 19:33:36.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2386 [GMT -4:00]
Running from: c:\documents and settings\Ryan Turcotte\Desktop\uioh7g7.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-10 04:55 . 2010-06-10 04:55 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 04:55 . 2010-06-10 04:55 61440 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-155070a7-n\decora-sse.dll
2010-06-10 04:55 . 2010-06-10 04:55 503808 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\msvcp71.dll
2010-06-10 04:55 . 2010-06-10 04:55 499712 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\jmc.dll
2010-06-10 04:55 . 2010-06-10 04:55 348160 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\msvcr71.dll
2010-06-10 04:55 . 2010-06-10 04:55 12800 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-155070a7-n\decora-d3d.dll
2010-06-10 04:55 . 2010-06-10 04:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 04:54 . 2010-06-10 04:54 79488 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-10 04:54 . 2010-06-10 04:54 152576 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-09 06:44 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 01:59 . 2010-06-07 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-06-07 01:26 . 2010-06-07 01:26 -------- d-----w- c:\program files\COMODO
2010-06-07 01:15 . 2010-06-07 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-06 17:03 . 2010-06-07 01:47 63488 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-06 17:03 . 2010-06-06 17:03 52224 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-06 17:03 . 2010-06-07 01:47 117760 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-06 17:02 . 2010-06-06 17:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-05 17:46 . 2010-06-05 17:46 -------- d-----w- C:\HelpAsst_backup
2010-06-05 17:11 . 2010-06-05 17:11 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-05 17:11 . 2010-06-05 17:11 -------- d-----w- c:\documents and settings\Ryan Turcotte\log
2010-06-04 05:38 . 2010-06-04 05:38 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Malwarebytes
2010-06-04 05:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 05:37 . 2010-06-04 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 05:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 05:37 . 2010-06-04 05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 23:00 . 2010-06-01 23:00 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-01 23:00 . 2010-06-01 23:00 87824 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-06-01 23:00 . 2010-06-10 04:08 229312 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-01 23:00 . 2010-06-01 23:00 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-01 23:00 . 2010-06-01 23:00 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 23:28 . 2010-02-18 03:24 -------- d-----w- c:\program files\PeerBlock
2010-06-14 13:22 . 2009-11-12 16:55 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\vlc
2010-06-11 07:01 . 2009-05-18 13:36 -------- d-----w- c:\program files\Winamp Remote
2010-06-10 04:28 . 2009-05-18 04:39 50752 ----a-w- c:\documents and settings\Ryan Turcotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 04:56 . 2009-05-19 03:18 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\NewsBin
2010-06-06 16:39 . 2009-08-04 23:12 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Orbit
2010-06-06 16:36 . 2009-08-04 23:12 -------- d-----w- c:\program files\Orbit Downloader
2010-05-12 06:11 . 2010-05-12 03:27 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Creative
2010-05-12 03:34 . 2009-05-18 04:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 03:30 . 2010-05-12 03:13 -------- d--h--w- c:\program files\Creative Installation Information
2010-05-12 03:30 . 2010-05-12 02:27 -------- d-----w- c:\program files\Creative
2010-05-12 03:22 . 2010-05-12 03:22 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Locktime
2010-05-12 03:20 . 2009-05-18 04:47 -------- d-----w- c:\program files\uTorrent
2010-05-12 03:13 . 2010-05-12 03:13 -------- d-----w- c:\program files\Common Files\Creative
2010-05-11 05:30 . 2010-05-11 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Locktime
2010-05-11 05:30 . 2010-05-11 05:30 -------- d-----w- c:\program files\NetLimiter 2 Pro
2010-05-11 00:05 . 2009-06-06 16:27 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\dvdcss
2010-05-10 23:36 . 2009-05-18 04:47 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\uTorrent
2010-05-10 23:24 . 2010-05-10 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-10 23:24 . 2010-05-10 23:23 -------- d-----w- c:\program files\AIM
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 01:47 . 2009-06-17 04:00 -------- d-----w- c:\program files\Steam
2010-03-12 03:38 . 2010-03-12 14:02 653312 ----a-w- c:\program files\Common Files\SetupDLL.dll
2009-11-27 17:52 . 2009-11-27 17:51 24 --sh--w- c:\windows\SBEA5C0C4.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-04-11 110592]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-09 17021440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-04-11 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-04-03 20:44 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-04-04 02:32 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-04-19 20:54 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2006-09-28 19:21 57344 ----a-w- c:\program files\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMPro8Agent]
2008-04-16 12:55 189056 ----a-w- c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NodEnabler]
2009-12-09 08:05 394295 ----a-w- c:\program files\ESET\NodEnabler\NodEnabler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-06-13 12:16 528384 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-03-04 14:25 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\jiggly45\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Orbit Downloader\\orbitdm.exe"=
"c:\\Program Files\\Orbit Downloader\\orbitnet.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3805:TCP"= 3805:TCP:Services
"6110:TCP"= 6110:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [5/18/2009 12:07 AM 59776]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 8:32 AM 15328]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/1/2010 7:00 PM 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 25240]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 8:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 8:26 AM 96408]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [4/23/2007 7:03 AM 82200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 8:24 AM 735960]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 11:34 AM 216032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 7:31 PM 24652]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [7/10/2008 1:15 AM 31256]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\RYANTU~1\LOCALS~1\Temp\5199e003.nmc\nse\bin\ndiskio.sys --> c:\docume~1\RYANTU~1\LOCALS~1\Temp\5199e003.nmc\nse\bin\ndiskio.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/17/2010 11:24 PM 14424]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [7/10/2008 2:22 AM 1106968]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 5:49 AM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2009 8:56 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Ryan Turcotte\Application Data\Mozilla\Firefox\Profiles\p8p9nm8a.Ryan2\
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Mega Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Mega Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Picasa 3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.txt=txt_auto_file
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 19:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:a2,1a,44,81,97,06,ec,69,a2,72,cf,96,8a,c3,da,0c,74,ec,38,b0,f0,
d5,ec,fd,e3,c9,ad,2c,79,f0,ef,f2,22,66,f5,84,7c,26,d5,bc,30,fe,ee,89,70,e4,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:a2,1a,44,81,97,06,ec,69,a2,72,cf,96,8a,c3,da,0c,74,ec,38,b0,f0,
d5,ec,fd,e3,c9,ad,2c,79,f0,ef,f2,22,66,f5,84,7c,26,d5,bc,30,fe,ee,89,70,e4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(788)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-14 19:47:09
ComboFix-quarantined-files.txt 2010-06-14 23:46

Pre-Run: 29,654,265,856 bytes free
Post-Run: 29,642,113,024 bytes free

- - End Of File - - FDDB3E7CFEED9760DDDF58EA984BF7C1




#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,835 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:31 PM

Posted 15 June 2010 - 04:31 AM

Hello there, I see signs of an MBR infection.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected MBR (the latter not recommended).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts
  • Local time:05:31 AM

Posted 15 June 2010 - 07:35 AM

I previously read elsewhere, in my searching for a solution, that there is the chance that if the MBR infection "encrypted" itself (or something like that), then it could destroy the entire MBR when trying to run this repair? Is that information accurate? Is this safe to do?

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,835 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:31 PM

Posted 15 June 2010 - 07:40 AM

The MBR is the Master Boot Record of the drive. This is the place that makes the drive accessible, so of course there is always a certain risk involved when fixing such things.

As long as you do not use drive encryption software, however, the risks are small. The risk of keeping this infection alive is a lot bigger, since sensitive information (like online banking details) can be stolen.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#9 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts
  • Local time:05:31 AM

Posted 15 June 2010 - 11:25 PM

Hi,

I followed your directions exactly. Here is the log file you requested:




C:\Documents and Settings\Ryan Turcotte\Desktop\HelpAsst_mebroot_fix.exe
Tue 06/15/2010 at 22:56:21.52

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3805:TCP"=-
"6110:TCP"=-
"3389:TCP"=-
"3839:TCP"=-
"6178:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3805:TCP"=-
"6110:TCP"=-
"3389:TCP"=-
"3839:TCP"=-
"6178:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1993962763-1606980848-1060284298-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 06/15/2010 at 23:53:40.71

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x022EF2AC3
malicious code @ sector 0x022EF2AC6 !
PE file found in sector at 0x022EF2ADC !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3839:TCP"=3839:TCP:*:Enabled:Services
"6178:TCP"=6178:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3839:TCP"=3839:TCP:*:Enabled:Services
"6178:TCP"=6178:TCP:*:Enabled:Services


~~ EOF ~~






I rebooted again after doing this and then I ran Spybot and Anti-Malware again BEFORE checking to see if the problem was fixed. They still ran clean, but then I checked and I still have the problem.

The one good thing is that it appears that termsrv32.dll really is no longer recreating itself a few minutes after every boot. It used to not show up and then magically appear. I have been continuously checking to see if it appears, but it does not; only the regular termsrv.dll. I noticed that this file is now 289 KB instead of 288 KB. Both termsrv.dll and termsrv32.dll were 288 previously. Not sure if that matters.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,835 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:31 PM

Posted 16 June 2010 - 05:11 AM

Yes, you definitely had a rootkit infection. Please consider the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3839:TCP"=-
"6178:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3839:TCP"=-
"6178:TCP"=-

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
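A small checker for the firewall GloballyOpenPorts lists that the HelpAsst log in post #9 dumps and that the CFScript in post #10 deletes. This is an added example, not part of the thread or of the HelpAsst/ComboFix tools; the allowlist and the two sample dumps are assumptions built from values that appear in the thread.

```python
"""Checker for Windows XP firewall GloballyOpenPorts lists as dumped by HelpAsst.

Added example (not part of the thread or of HelpAsst/ComboFix). It parses the
HelpAsst-style registry dump, flags entries missing from an assumed allowlist,
reports which closed entries are enabled again in a later snapshot, and emits a
ComboFix "Registry::" block in the syntax the thread's CFScript uses.
"""
import re
from dataclasses import dataclass

# Key header as HelpAsst prints it: with or without brackets, any letter case.
KEY_RE = re.compile(
    r"^\[?HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy"
    r"\\(\w+)\\globallyopenports\\list\]?$", re.I)
# Value line: "65533:TCP"=65533:TCP:*:Enabled:Services   or   "65533:TCP"=-  (deletion)
VAL_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"=\s*(\S.*)$', re.I)

# Assumed allowlist: the two entries the ComboFix log attributes to known software
# (Remote Desktop, Adobe CSI CS4). Anything else in these lists is treated as rogue.
ALLOWED = {(3389, "TCP"), (5353, "TCP")}


@dataclass(frozen=True)
class OpenPort:
    profile: str   # "domainprofile" or "standardprofile"
    port: int
    proto: str
    name: str      # last field of the value data; "-" for a deletion record
    enabled: bool


def parse_open_ports(text):
    """Return an OpenPort for every value under a GloballyOpenPorts\\List header."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1).lower()
            continue
        if line.startswith("[") or line.upper().startswith("HKLM"):
            profile = None  # some other key: stop attributing values to the list
            continue
        val = VAL_RE.match(line)
        if val and profile:
            port, proto, data = int(val.group(1)), val.group(2).upper(), val.group(3)
            fields = data.split(":")  # port:proto:scope:Enabled|Disabled:name
            enabled = any(f.lower() == "enabled" for f in fields)
            entries.append(OpenPort(profile, port, proto, fields[-1], enabled))
    return entries


def find_rogue(entries, allowed=ALLOWED):
    """Entries not on the allowlist (random high ports named just 'Services' are
    exactly what the HelpAsst log above closed)."""
    return [e for e in entries if (e.port, e.proto) not in allowed]


def reappeared(closed_text, status_text):
    """Entries deleted in a 'closing rogue ports' section that are enabled again in a
    later status check; a non-empty result means something keeps re-opening them."""
    closed = {(e.profile, e.port, e.proto)
              for e in parse_open_ports(closed_text) if e.name == "-"}
    back = {(e.profile, e.port, e.proto)
            for e in parse_open_ports(status_text) if e.enabled}
    return sorted(closed & back)


def build_cfscript(rogue):
    """CFScript 'Registry::' block deleting the given values, one List key per profile,
    in order of appearance, in the same "port:proto"=- form as the thread's script."""
    by_profile = {}
    for e in rogue:
        by_profile.setdefault(e.profile, []).append(e)
    lines = ["Registry::"]
    for profile, items in by_profile.items():
        lines.append("[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
                     + profile + "\\GloballyOpenPorts\\List]")
        lines.extend('"%d:%s"=-' % (e.port, e.proto) for e in items)
    return "\n".join(lines)


# Constructed samples in the two formats HelpAsst prints (port numbers taken from the thread).
SAMPLE_CLOSED = r"""HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3805:TCP"=-
"6110:TCP"=-
"""
SAMPLE_STATUS = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"=5353:TCP:*:Enabled:Adobe CSI CS4
"6178:TCP"=6178:TCP:*:Enabled:Services
"""

if __name__ == "__main__":
    rogue = find_rogue(parse_open_ports(SAMPLE_STATUS))
    for e in rogue:
        print("rogue:", e.profile, e.port, e.proto, e.name)
    print("reappeared since closure:", reappeared(SAMPLE_CLOSED, SAMPLE_STATUS))
    print(build_cfscript(rogue))
```

Run it against a real HelpAsst log by reading the file into `parse_open_ports` and adjusting `ALLOWED` to the ports you actually expect open on that machine.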


#11 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts
  • Local time:05:31 AM

Posted 16 June 2010 - 08:32 AM

Hi,

Here is the ComboFix log:



ComboFix 10-06-15.03 - Ryan Turcotte 06/16/2010 9:06.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2432 [GMT -4:00]
Running from: c:\documents and settings\Ryan Turcotte\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan Turcotte\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-16 04:43 . 2010-06-16 04:43 -------- d-----w- c:\program files\Sophos
2010-06-15 04:40 . 2010-06-15 04:41 -------- d-----w- c:\program files\Spectro
2010-06-15 04:40 . 1998-06-18 04:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-06-15 04:37 . 2010-06-15 06:37 -------- d-----w- C:\lame3.98.4
2010-06-10 04:55 . 2010-06-10 04:55 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 04:55 . 2010-06-10 04:55 61440 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-155070a7-n\decora-sse.dll
2010-06-10 04:55 . 2010-06-10 04:55 503808 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\msvcp71.dll
2010-06-10 04:55 . 2010-06-10 04:55 499712 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\jmc.dll
2010-06-10 04:55 . 2010-06-10 04:55 348160 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\msvcr71.dll
2010-06-10 04:55 . 2010-06-10 04:55 12800 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-155070a7-n\decora-d3d.dll
2010-06-10 04:55 . 2010-06-10 04:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 04:54 . 2010-06-10 04:54 79488 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-10 04:54 . 2010-06-10 04:54 152576 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-09 06:44 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 01:59 . 2010-06-07 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-06-07 01:26 . 2010-06-07 01:26 -------- d-----w- c:\program files\COMODO
2010-06-07 01:15 . 2010-06-07 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-06 17:03 . 2010-06-07 01:47 63488 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-06 17:03 . 2010-06-06 17:03 52224 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-06 17:03 . 2010-06-07 01:47 117760 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-06 17:02 . 2010-06-06 17:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-05 17:46 . 2010-06-05 17:46 -------- d-----w- C:\HelpAsst_backup
2010-06-05 17:11 . 2010-06-05 17:11 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-05 17:11 . 2010-06-05 17:11 -------- d-----w- c:\documents and settings\Ryan Turcotte\log
2010-06-04 05:38 . 2010-06-04 05:38 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Malwarebytes
2010-06-04 05:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 05:37 . 2010-06-04 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 05:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 05:37 . 2010-06-04 05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 23:00 . 2010-06-01 23:00 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-01 23:00 . 2010-06-01 23:00 87824 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-06-01 23:00 . 2010-06-10 04:08 229312 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-01 23:00 . 2010-06-01 23:00 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-01 23:00 . 2010-06-01 23:00 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 13:03 . 2010-02-18 03:24 -------- d-----w- c:\program files\PeerBlock
2010-06-16 05:12 . 2009-05-18 04:47 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\uTorrent
2010-06-16 00:45 . 2009-05-18 04:47 -------- d-----w- c:\program files\uTorrent
2010-06-15 07:25 . 2009-11-12 16:55 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\vlc
2010-06-15 05:10 . 2010-02-07 23:00 -------- d-----w- c:\program files\FLAC
2010-06-15 04:40 . 2009-05-18 04:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-15 03:26 . 2009-05-19 03:18 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\NewsBin
2010-06-11 07:01 . 2009-05-18 13:36 -------- d-----w- c:\program files\Winamp Remote
2010-06-10 04:28 . 2009-05-18 04:39 50752 ----a-w- c:\documents and settings\Ryan Turcotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-06 16:39 . 2009-08-04 23:12 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Orbit
2010-06-06 16:36 . 2009-08-04 23:12 -------- d-----w- c:\program files\Orbit Downloader
2010-05-12 06:11 . 2010-05-12 03:27 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Creative
2010-05-12 03:30 . 2010-05-12 03:13 -------- d--h--w- c:\program files\Creative Installation Information
2010-05-12 03:30 . 2010-05-12 02:27 -------- d-----w- c:\program files\Creative
2010-05-12 03:22 . 2010-05-12 03:22 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Locktime
2010-05-12 03:13 . 2010-05-12 03:13 -------- d-----w- c:\program files\Common Files\Creative
2010-05-11 05:30 . 2010-05-11 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Locktime
2010-05-11 05:30 . 2010-05-11 05:30 -------- d-----w- c:\program files\NetLimiter 2 Pro
2010-05-11 00:05 . 2009-06-06 16:27 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\dvdcss
2010-05-10 23:24 . 2010-05-10 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-10 23:24 . 2010-05-10 23:23 -------- d-----w- c:\program files\AIM
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 01:47 . 2009-06-17 04:00 -------- d-----w- c:\program files\Steam
2010-03-12 03:38 . 2010-03-12 14:02 653312 ----a-w- c:\program files\Common Files\SetupDLL.dll
2009-11-27 17:52 . 2009-11-27 17:51 24 --sh--w- c:\windows\SBEA5C0C4.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-06-14_23.43.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-16 12:54 . 2010-06-16 12:54 16384 c:\windows\Temp\Perflib_Perfdata_aec.dat
+ 2010-06-16 12:54 . 2010-06-16 12:54 16384 c:\windows\Temp\Perflib_Perfdata_67c.dat
+ 2003-02-21 12:42 . 2008-09-22 02:31 348160 c:\windows\system32\msvcr71.dll
- 2003-02-21 12:42 . 2003-02-21 12:42 348160 c:\windows\system32\msvcr71.dll
+ 2003-03-19 04:14 . 2008-09-22 02:31 505128 c:\windows\system32\msvcp71.dll
+ 2007-06-26 02:11 . 2008-09-22 02:31 1060864 c:\windows\system32\MFC71.dll
- 2007-06-26 02:11 . 2007-06-26 02:11 1060864 c:\windows\system32\MFC71.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-04-11 110592]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-09 17021440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-04-11 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-04-03 20:44 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-04-04 02:32 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-04-19 20:54 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2006-09-28 19:21 57344 ----a-w- c:\program files\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMPro8Agent]
2008-04-16 12:55 189056 ----a-w- c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NodEnabler]
2009-12-09 08:05 394295 ----a-w- c:\program files\ESET\NodEnabler\NodEnabler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-06-13 12:16 528384 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-03-04 14:25 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\jiggly45\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Orbit Downloader\\orbitdm.exe"=
"c:\\Program Files\\Orbit Downloader\\orbitnet.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [5/18/2009 12:07 AM 59776]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 8:32 AM 15328]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/1/2010 7:00 PM 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 25240]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 8:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 8:26 AM 96408]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [4/23/2007 7:03 AM 82200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 8:24 AM 735960]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 11:34 AM 216032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 7:31 PM 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\D1.tmp --> c:\windows\system32\D1.tmp [?]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [7/10/2008 1:15 AM 31256]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\RYANTU~1\LOCALS~1\Temp\5199e003.nmc\nse\bin\ndiskio.sys --> c:\docume~1\RYANTU~1\LOCALS~1\Temp\5199e003.nmc\nse\bin\ndiskio.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/17/2010 11:24 PM 14424]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [7/10/2008 2:22 AM 1106968]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 5:49 AM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2009 8:56 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Ryan Turcotte\Application Data\Mozilla\Firefox\Profiles\p8p9nm8a.Ryan2\
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Mega Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Mega Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Picasa 3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:a2,1a,44,81,97,06,ec,69,a2,72,cf,96,8a,c3,da,0c,74,ec,38,b0,f0,
d5,ec,fd,e3,c9,ad,2c,79,f0,ef,f2,22,66,f5,84,7c,26,d5,bc,30,fe,ee,89,70,e4,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:a2,1a,44,81,97,06,ec,69,a2,72,cf,96,8a,c3,da,0c,74,ec,38,b0,f0,
d5,ec,fd,e3,c9,ad,2c,79,f0,ef,f2,22,66,f5,84,7c,26,d5,bc,30,fe,ee,89,70,e4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-16 09:19:59
ComboFix-quarantined-files.txt 2010-06-16 13:19
ComboFix2.txt 2010-06-14 23:47

Pre-Run: 37,349,744,640 bytes free
Post-Run: 37,364,621,312 bytes free

- - End Of File - - E2B5771D1A0F1A86103023E982638354

I still have the problem, by the way. Not sure if this was supposed to be the fix or just one of the steps in the process.

#12 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts

Posted 16 June 2010 - 09:17 AM

Also, one more thing I noticed over the past few days. If I leave my machine on for extended periods of time it will blue screen at some point when I am not around. This is a recent development that has occurred with the inclusion of the virus on my system. If I am active on the machine for hours upon hours at a time it works perfectly fine. I was on for about 7 hours straight on Monday night and it was fine. But I left the system on over night and I found it on a blue screen when I woke up. I only put two and two together this morning because I had left the system on again.

The only other time recently that the system has blue screened while I was active on it, was when running GMER (as originally described in my problem), but was able to successfully run GMER upon reboot.

Hopefully this additional information helps.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,835 posts
  • Gender:Female
  • Location:Romania

Posted 16 June 2010 - 10:14 AM

Hello again, could you please tell me if you are still having these BSOD issues (except for GMER, because that often crashes)?

Please run the following as a CFScript (instructions same as in my last post).
CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#14 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts

Posted 16 June 2010 - 07:42 PM

Hi, I ran the new script as instructed. I do have one question though - when ComboFix opened it asked me if I wanted to update because a newer version was available. I said yes and ComboFix restarted. Does that mean that the script was used correctly? Perhaps it wasn't because ComboFix restarted? From the looks of the log file it says it used the script and I noticed it deleted the script, just as it did with the previous one, so my guess is yes. Below is the log file, which I assume you want to see.

I will let you know about the BSOD tomorrow. I will leave the machine on in an idle state tonight and see what happens in the morning.

ComboFix 10-06-16.02 - Ryan Turcotte 06/16/2010 20:21:53.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2379 [GMT -4:00]
Running from: c:\documents and settings\Ryan Turcotte\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan Turcotte\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-16 13:00 . 2010-06-16 13:00 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-06-16 04:43 . 2010-06-16 04:43 -------- d-----w- c:\program files\Sophos
2010-06-15 04:40 . 2010-06-15 04:41 -------- d-----w- c:\program files\Spectro
2010-06-15 04:40 . 1998-06-18 04:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-06-15 04:37 . 2010-06-15 06:37 -------- d-----w- C:\lame3.98.4
2010-06-10 04:55 . 2010-06-10 04:55 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 04:55 . 2010-06-10 04:55 61440 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-155070a7-n\decora-sse.dll
2010-06-10 04:55 . 2010-06-10 04:55 503808 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\msvcp71.dll
2010-06-10 04:55 . 2010-06-10 04:55 499712 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\jmc.dll
2010-06-10 04:55 . 2010-06-10 04:55 348160 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-40d85e8e-n\msvcr71.dll
2010-06-10 04:55 . 2010-06-10 04:55 12800 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-155070a7-n\decora-d3d.dll
2010-06-10 04:55 . 2010-06-10 04:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 04:54 . 2010-06-10 04:54 79488 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-10 04:54 . 2010-06-10 04:54 152576 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-09 06:44 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 01:59 . 2010-06-07 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-06-07 01:26 . 2010-06-07 01:26 -------- d-----w- c:\program files\COMODO
2010-06-07 01:15 . 2010-06-07 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-06 17:03 . 2010-06-07 01:47 63488 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-06 17:03 . 2010-06-06 17:03 52224 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-06 17:03 . 2010-06-07 01:47 117760 ----a-w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\SUPERAntiSpyware.com
2010-06-06 17:03 . 2010-06-06 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-06 17:02 . 2010-06-06 17:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-05 17:46 . 2010-06-05 17:46 -------- d-----w- C:\HelpAsst_backup
2010-06-05 17:11 . 2010-06-05 17:11 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-05 17:11 . 2010-06-05 17:11 -------- d-----w- c:\documents and settings\Ryan Turcotte\log
2010-06-04 05:38 . 2010-06-04 05:38 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Malwarebytes
2010-06-04 05:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 05:37 . 2010-06-04 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 05:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 05:37 . 2010-06-04 05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 23:00 . 2010-06-01 23:00 278288 ----a-w- c:\windows\system32\guard32.dll
2010-06-01 23:00 . 2010-06-01 23:00 87824 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-06-01 23:00 . 2010-06-10 04:08 229312 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-06-01 23:00 . 2010-06-01 23:00 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-06-01 23:00 . 2010-06-01 23:00 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 00:15 . 2010-02-18 03:24 -------- d-----w- c:\program files\PeerBlock
2010-06-16 05:12 . 2009-05-18 04:47 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\uTorrent
2010-06-16 00:45 . 2009-05-18 04:47 -------- d-----w- c:\program files\uTorrent
2010-06-15 07:25 . 2009-11-12 16:55 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\vlc
2010-06-15 05:10 . 2010-02-07 23:00 -------- d-----w- c:\program files\FLAC
2010-06-15 04:40 . 2009-05-18 04:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-15 03:26 . 2009-05-19 03:18 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\NewsBin
2010-06-11 07:01 . 2009-05-18 13:36 -------- d-----w- c:\program files\Winamp Remote
2010-06-10 04:28 . 2009-05-18 04:39 50752 ----a-w- c:\documents and settings\Ryan Turcotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-06 16:39 . 2009-08-04 23:12 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Orbit
2010-06-06 16:36 . 2009-08-04 23:12 -------- d-----w- c:\program files\Orbit Downloader
2010-05-12 06:11 . 2010-05-12 03:27 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Creative
2010-05-12 03:30 . 2010-05-12 03:13 -------- d--h--w- c:\program files\Creative Installation Information
2010-05-12 03:30 . 2010-05-12 02:27 -------- d-----w- c:\program files\Creative
2010-05-12 03:22 . 2010-05-12 03:22 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\Locktime
2010-05-12 03:13 . 2010-05-12 03:13 -------- d-----w- c:\program files\Common Files\Creative
2010-05-11 05:30 . 2010-05-11 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Locktime
2010-05-11 05:30 . 2010-05-11 05:30 -------- d-----w- c:\program files\NetLimiter 2 Pro
2010-05-11 00:05 . 2009-06-06 16:27 -------- d-----w- c:\documents and settings\Ryan Turcotte\Application Data\dvdcss
2010-05-10 23:24 . 2010-05-10 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-10 23:24 . 2010-05-10 23:23 -------- d-----w- c:\program files\AIM
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 01:47 . 2009-06-17 04:00 -------- d-----w- c:\program files\Steam
2010-03-12 03:38 . 2010-03-12 14:02 653312 ----a-w- c:\program files\Common Files\SetupDLL.dll
2009-11-27 17:52 . 2009-11-27 17:51 24 --sh--w- c:\windows\SBEA5C0C4.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-06-14_23.43.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-17 00:13 . 2010-06-17 00:13 16384 c:\windows\Temp\Perflib_Perfdata_e78.dat
+ 2010-06-17 00:13 . 2010-06-17 00:13 16384 c:\windows\Temp\Perflib_Perfdata_c2c.dat
+ 2003-02-21 12:42 . 2008-09-22 02:31 348160 c:\windows\system32\msvcr71.dll
- 2003-02-21 12:42 . 2003-02-21 12:42 348160 c:\windows\system32\msvcr71.dll
+ 2003-03-19 04:14 . 2008-09-22 02:31 505128 c:\windows\system32\msvcp71.dll
+ 2007-06-26 02:11 . 2008-09-22 02:31 1060864 c:\windows\system32\MFC71.dll
- 2007-06-26 02:11 . 2007-06-26 02:11 1060864 c:\windows\system32\MFC71.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-04-11 110592]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-09 17021440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-04-11 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-04-03 20:44 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-04-04 02:32 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-04-19 20:54 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2006-09-28 19:21 57344 ----a-w- c:\program files\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMPro8Agent]
2008-04-16 12:55 189056 ----a-w- c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NodEnabler]
2009-12-09 08:05 394295 ----a-w- c:\program files\ESET\NodEnabler\NodEnabler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-06-13 12:16 528384 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-03-04 14:25 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\jiggly45\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Orbit Downloader\\orbitdm.exe"=
"c:\\Program Files\\Orbit Downloader\\orbitnet.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"8993:TCP"= 8993:TCP:Services
"8994:TCP"= 8994:TCP:Services

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [5/18/2009 12:07 AM 59776]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 8:32 AM 15328]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/1/2010 7:00 PM 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 25240]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 8:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 8:26 AM 96408]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [4/23/2007 7:03 AM 82200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 8:24 AM 735960]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 11:34 AM 216032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 7:31 PM 24652]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\D1.tmp --> c:\windows\system32\D1.tmp [?]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [7/10/2008 1:15 AM 31256]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\RYANTU~1\LOCALS~1\Temp\5199e003.nmc\nse\bin\ndiskio.sys --> c:\docume~1\RYANTU~1\LOCALS~1\Temp\5199e003.nmc\nse\bin\ndiskio.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/17/2010 11:24 PM 14424]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [7/10/2008 2:22 AM 1106968]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 5:49 AM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2009 8:56 PM 691696]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbit Downloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Ryan Turcotte\Application Data\Mozilla\Firefox\Profiles\p8p9nm8a.Ryan2\
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Mega Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Mega Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Picasa 3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:a2,1a,44,81,97,06,ec,69,a2,72,cf,96,8a,c3,da,0c,74,ec,38,b0,f0,
d5,ec,fd,e3,c9,ad,2c,79,f0,ef,f2,22,66,f5,84,7c,26,d5,bc,30,fe,ee,89,70,e4,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:a2,1a,44,81,97,06,ec,69,a2,72,cf,96,8a,c3,da,0c,74,ec,38,b0,f0,
d5,ec,fd,e3,c9,ad,2c,79,f0,ef,f2,22,66,f5,84,7c,26,d5,bc,30,fe,ee,89,70,e4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(992)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-16 20:34:52
ComboFix-quarantined-files.txt 2010-06-17 00:34
ComboFix2.txt 2010-06-16 13:19
ComboFix3.txt 2010-06-14 23:47

Pre-Run: 37,325,926,400 bytes free
Post-Run: 37,312,311,296 bytes free

- - End Of File - - 1CB246087F8C7F5C82B0A4F71327FD42
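
Elise's CFScript above deletes the "3389:TCP" value from the Windows Firewall GloballyOpenPorts list, and the firewall-policy section of the log that followed still shows "EnableFirewall"= 0 plus four more globally open ports whose only label is "Services". The following Python audit is an added example written for this page; it is not code from the thread, from ComboFix or from BleepingComputer. It parses that section of a ComboFix log, flags the exceptions a responder would want to look at, and renders the flagged ones in the same Registry:: CFScript form Elise used. The sample text is constructed from the log lines above, with one extra line for the 3389:TCP value the script removed; its label "Remote Desktop" is a placeholder because the page never shows the original data. The remote-access port list and the "generic label" heuristic are the editor's own choices, and a flagged entry is a review candidate, not proof of compromise: the log header reports COMODO as the active firewall, so a disabled Windows Firewall profile is expected on this machine and is reported only so the reader can decide.

```python
import re

# Constructed sample input: the firewall-policy section of the ComboFix log
# posted above, with one extra line for the "3389:TCP" value that Elise's
# CFScript deleted. Its label ("Remote Desktop") is a placeholder; the page
# never shows the original value data.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"8993:TCP"= 8993:TCP:Services
"8994:TCP"= 8994:TCP:Services
"""

# Abbreviated key path exactly as ComboFix prints it ("~" stands for CurrentControlSet).
OPEN_PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List")

# Ports that should not be opened to every network on a workstation.
# Editor's picks for this example, not a list taken from the thread.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 23: "telnet"}
# Labels that name no application; the log above uses "Services" for four ports.
GENERIC_LABELS = {"", "services", "service"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_policy(text):
    """Map each [registry key] in a ComboFix-style dump to its {name: data} values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("data").strip()
    return sections


def _section(sections, suffix):
    """Return the values of the first key ending in suffix (case-insensitive)."""
    suffix = suffix.lower()
    for key, values in sections.items():
        if key.endswith(suffix):
            return values
    return {}


def audit_policy(text):
    """Return (kind, name, reason) tuples for entries worth a second look."""
    sections = parse_policy(text)
    findings = []
    profile = _section(sections, r"firewallpolicy\standardprofile")
    if profile.get("EnableFirewall", "").startswith("0"):
        findings.append(("profile", "EnableFirewall",
                         "Windows Firewall standard profile is disabled"))
    for name, data in _section(sections, r"GloballyOpenPorts\List").items():
        if ":" not in name:
            continue                           # not a port:proto value name
        port = int(name.split(":", 1)[0])
        parts = data.split(":", 2)             # port:proto:label as ComboFix prints it
        label = parts[2].strip() if len(parts) == 3 else ""
        if port in REMOTE_ACCESS_PORTS:
            findings.append(("port", name,
                             f"{REMOTE_ACCESS_PORTS[port]} exception open to all networks"))
        elif label.lower() in GENERIC_LABELS:
            findings.append(("port", name,
                             f"generic label {label!r}; no application claims this exception"))
    return findings


def cfscript_for(findings):
    """Render flagged port exceptions in the Registry:: form of the thread's CFScript.

    "name"=- deletes a value, exactly as Elise's script did for 3389:TCP.
    """
    lines = ["Registry::", f"[{OPEN_PORTS_KEY}]"]
    lines += [f'"{name}"=-' for kind, name, _ in findings if kind == "port"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_policy(SAMPLE_LOG)
    for kind, name, reason in found:
        print(f"{kind:8} {name:12} {reason}")
    print()
    print(cfscript_for(found))
```

Run against the sample, the audit reports the disabled profile, the 3389:TCP exception, and the four "Services" ports, and leaves the Adobe entry alone; the generated Registry:: block is meant to be read and trimmed by whoever is guiding the cleanup before it is handed to ComboFix, since a generic label alone does not establish that an exception is hostile.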


#15 turc1656

turc1656
  • Topic Starter

  • Members
  • 28 posts

Posted 16 June 2010 - 07:47 PM

Something else just caught my eye. The XP version suddenly changed and went DOWN, like I somehow have an earlier version from when I last gave you the ComboFix log. In the 2nd to last it says:

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2432 [GMT -4:00]

In the latest one I just posted it says:

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2379 [GMT -4:00]

I wonder if that is significant in any way - as in perhaps this thing is deliberately setting me back somehow so it can exist because of some exploit/loophole? Just a thought.