
Suspected suspicious.mystic infection


20 replies to this topic

#1 mcgowana1974

mcgowana1974

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 22 August 2010 - 05:07 PM

Directed to create a new post here. See http://www.bleepingcomputer.com/forums/topic341682.html

DDS (Ver_10-03-17.01) - NTFSx86
Run by Home at 20:35:04.70 on 22/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mWinlogon: userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office 2007\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Norton Safety Minder: {b8e07826-0971-4f16-b133-047b88034e89} - c:\program files\norton online\addons\norton safety minder\engine\2.0.0.48\coIEPlg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: Autodesk DWF: {f03966d3-8ea0-47b4-bbe0-85bfe6cbc8ac} - c:\program files\autodesk\autodesk dwf writer\dwf addin\DWFIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\home\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [{63382E9C-504F-5DD6-6A85-129D74A4F20B}] "c:\documents and settings\home\application data\fimo\orut.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office 2007\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [ADSL_A2] A2Installed
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-0000003d0002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi69df~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://eu.webapps.halcrow.com/CitrixSessionInit/ICAWEB/icaweb.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://lochwinnoch.viewnetcam.com:8080/bl_camera.cab
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://fivesquare-hiltonglasgow.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} - hxxp://www.envivio.tv/downloads/EnvivioTV/EnvivioTV-AutomaticInstaller.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office 2007\office12\GrooveSystemServices.dll
Handler: skyline - {3a4f9195-65a8-11d5-85c1-0001023952c1} - c:\program files\skyline\terraexplorer\TerraExplorerX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office 2007\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = c:\windows\system32\mepepivu.dll scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\jutx1nni.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\home\application data\mozilla\firefox\profiles\jutx1nni.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - component: c:\documents and settings\home\application data\mozilla\firefox\profiles\jutx1nni.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\home\application data\mozilla\firefox\profiles\jutx1nni.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\home\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.31\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {CECC730D-F96B-4922-8231-3B4C73EFD431} - c:\documents and settings\home\local settings\application data\{CECC730D-F96B-4922-8231-3B4C73EFD431}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============


============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-08-22 19:34:30 525824 ----a-w- C:\dds.scr
2010-08-22 19:27:48 0 ----a-w- c:\documents and settings\home\defogger_reenable
2010-08-22 12:01:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-22 12:00:57 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-22 12:00:55 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-22 08:30:44 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-08-21 22:44:00 50176 ----a-w- c:\windows\system32\SET116F.tmp
2010-08-21 22:44:00 438784 ----a-w- c:\windows\system32\SET116E.tmp
2010-08-21 22:44:00 121856 ----a-w- c:\windows\system32\SET1171.tmp
2010-08-21 21:55:16 0 d-----w- c:\program files\ESET
2010-08-21 17:05:27 0 d-----w- c:\windows\ERUNT
2010-08-21 17:01:37 0 d-----w- C:\SDFix
2010-08-21 08:09:27 0 d-----w- c:\windows\system32\CatRoot_bak
2010-08-20 06:35:23 0 d-----w- C:\ComboFix
2010-08-20 02:04:35 0 d-----w- c:\program files\MSXML 6.0
2010-08-19 21:56:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 21:56:25 0 d-----w- c:\program files\Lavasoft
2010-08-19 06:56:13 2422 ----a-w- c:\windows\system32\wpa.bak
2010-08-19 06:47:32 0 d-----w- c:\program files\msn gaming zone
2010-08-18 21:18:58 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-08-18 21:17:53 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2010-08-18 21:16:55 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-08-18 21:15:59 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-08-18 21:14:53 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-08-18 21:14:53 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-08-18 21:14:53 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-08-18 21:14:52 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-08-18 21:14:52 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-08-18 21:14:52 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-08-18 21:14:46 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2010-08-18 21:13:33 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-08-18 21:11:59 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-08-18 21:11:47 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-08-18 21:11:47 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-08-18 21:11:47 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-08-18 21:11:47 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-08-18 21:11:47 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-08-18 21:11:38 0 d--h--w- c:\program files\WindowsUpdate
2010-08-18 21:11:36 0 d-----w- c:\program files\Online Services
2010-08-18 21:11:23 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-08-18 21:11:19 226816 ----a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-08-18 21:11:19 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-08-18 21:11:18 4639 ----a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-08-18 21:11:18 364544 ----a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-08-18 21:11:18 10240 ----a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-08-18 21:06:32 55296 ----a-w- c:\windows\system32\SET12D.tmp
2010-08-18 21:06:32 23552 ----a-w- c:\windows\system32\SET130.tmp
2010-08-18 20:55:25 22339 ----a-r- c:\windows\SETF0.tmp
2010-08-18 20:55:25 10559 ----a-r- c:\windows\SETF1.tmp
2010-08-18 20:55:19 13753 ----a-r- c:\windows\SETB5.tmp
2010-08-18 20:55:16 1086058 ----a-r- c:\windows\SETA6.tmp
2010-08-18 20:55:13 1042903 ----a-r- c:\windows\SETA3.tmp
2010-08-18 20:49:05 0 d-----w- c:\windows\NV10441888.TMP
2010-08-18 20:43:35 22339 ----a-r- c:\windows\SETEB.tmp
2010-08-18 20:43:35 10559 ----a-r- c:\windows\SETEC.tmp
2010-08-18 20:43:29 13753 ----a-r- c:\windows\SETAE.tmp
2010-08-18 20:43:24 1086058 ----a-r- c:\windows\SETA2.tmp
2010-08-18 20:43:20 1042903 ----a-r- c:\windows\SET9F.tmp
2010-08-18 20:39:03 0 d-----w- c:\windows\NV12641644.TMP
2010-08-18 20:33:26 10559 ----a-r- c:\windows\SETEA.tmp
2010-08-18 20:33:25 22339 ----a-r- c:\windows\SETE9.tmp
2010-08-18 20:33:20 13753 ----a-r- c:\windows\SETAD.tmp
2010-08-18 20:33:14 1086058 ----a-r- c:\windows\SETA1.tmp
2010-08-18 20:33:10 1042903 ----a-r- c:\windows\SET9E.tmp
2010-08-18 20:30:19 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
2010-08-18 20:30:19 1080 ----a-w- c:\windows\system32\settings.sfm
2010-08-18 20:23:12 0 d-----w- c:\windows\NV12321900.TMP
2010-08-18 20:18:33 0 d-----w- c:\windows\dell
2010-08-18 20:15:24 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-08-18 20:15:24 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-08-18 20:15:24 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-08-18 20:15:24 13312 ----a-w- c:\windows\system32\irclass.dll
2010-08-18 20:15:19 10559 ----a-r- c:\windows\SETE8.tmp
2010-08-18 20:15:18 22339 ----a-r- c:\windows\SETE7.tmp
2010-08-18 20:15:12 13753 ----a-r- c:\windows\SETAC.tmp
2010-08-18 20:15:06 1086058 ----a-r- c:\windows\SETA0.tmp
2010-08-18 20:15:02 1042903 ----a-r- c:\windows\SET9D.tmp
2010-08-18 20:14:34 1114765 ----a-w- c:\windows\setupapi.log.3.old
2010-08-18 19:33:12 240761 ----a-w- c:\windows\setupapi.old
2010-08-16 20:37:02 0 d-----w- c:\docume~1\home\applic~1\Tific
2010-08-16 20:34:45 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-14 20:49:50 2838 ----a-w- c:\windows\Cduwofesed.dat
2010-08-14 20:49:50 0 ----a-w- c:\windows\Gruxoq.bin
2010-08-14 20:48:38 782848 ----a-w- c:\windows\system32\drivers\krhzkf.sys
2010-08-10 22:07:31 0 d-----w- C:\e5aacdbcb9ad7c698c24a3ef4346
2010-08-10 21:20:21 0 d-----w- c:\program files\common files\Akamai
2010-08-03 15:32:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-08-03 15:32:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2010-08-03 15:32:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggflt_01007.Wdf
2010-08-03 15:32:21 14640 ----a-w- c:\windows\system32\spmsgXP_2k3.dll
2010-08-01 18:00:27 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2010-08-01 18:00:12 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2010-08-01 18:00:12 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2010-08-01 18:00:12 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-08-01 17:59:44 0 d-----w- c:\program files\Sony Ericsson
2010-07-25 10:27:16 0 d-----w- c:\program files\common files\DivX Shared
2010-07-25 10:24:40 0 d-----w- c:\program files\DivX
2010-07-24 17:33:56 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX

==================== Find3M ====================

2010-08-12 12:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-12 12:15:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-10 18:29:00 31384 ----a-w- c:\windows\fonts\GLASB___.ttf
2010-07-25 15:46:20 89912 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-23 17:31:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-14 14:30:28 743936 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-09 23:01:10 133616 ----a-w- c:\windows\system32\pxafs.dll
2010-06-09 23:01:10 126448 ----a-w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01:10 123888 ----a-w- c:\windows\system32\pxcpyi64.exe
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2007-01-03 21:30:39 3120 --sha-w- c:\program files\UIQTBUIVIOMZ.ini
2006-11-11 12:13:44 560 ----a-w- c:\program files\Global.sw
2006-04-28 17:33:30 251 ----a-w- c:\program files\wt3d.ini
2006-04-29 11:42:36 8 --sha-r- c:\windows\system32\BA1A00BFC9.sys
2006-05-21 20:22:36 56 --sha-r- c:\windows\system32\C9BF001ABA.sys
2006-06-26 19:26:43 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-15 17:14:14 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-10-18 12:23:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101820081019\index.dat
2009-05-15 17:14:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051520090516\index.dat
2010-02-24 20:05:19 32768 --sha-w- c:\windows\temp\cookies\index.dat
2010-02-24 20:05:19 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-02-24 20:05:19 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:35:59.42 ===============

Edited by mcgowana1974, 23 August 2010 - 01:26 AM.



#2 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:51 AM

Posted 23 August 2010 - 11:14 AM

Hello mcgowana1974,

I see you also attempted to run ComboFix. Before we begin, what happened when you tried to run ComboFix?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 mcgowana1974

mcgowana1974
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 23 August 2010 - 12:30 PM

I downloaded Combofix and ran the exe file thinking it was an installer. From memory, nothing happened when I ran the exe file other than it created a new folder with a load of files in it.

#4 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:51 AM

Posted 23 August 2010 - 04:58 PM

Thank you. Open notepad and copy/paste the text in the code box below into it:

QUOTE

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522



Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



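The CFScript in the reply above strips the two "Internet Settings" lines from the DDS log: a ProxyServer pointing at 127.0.0.1:6522 means every browser request is being funnelled through a local process, which is how this family injects into and monitors traffic. The same DDS log also shows two other indicators worth recognising on sight: a uRun entry whose name is a bare GUID and whose target sits under the user's Application Data folder (fimo\orut.exe), and an LSA Notification Packages value listing an unknown DLL next to the stock scecli. As an added example, not code from this thread and not part of DDS or ComboFix, the following Python script scans a Pseudo HJT section for those three indicators. The sample lines are constructed from the log posted in this thread; the allowlist of LSA packages, the list of profile directories and the heuristics themselves are assumptions of this example.

```python
import re

# Constructed sample in the layout of a DDS "Pseudo HJT Report" section. The
# lines are copied or shortened from the log posted in this thread; a raw string
# keeps the Windows backslashes intact.
SAMPLE_DDS = r"""uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mWinlogon: userinit=c:\windows\system32\userinit.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{63382E9C-504F-5DD6-6A85-129D74A4F20B}] "c:\documents and settings\home\application data\fimo\orut.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
LSA: Notification Packages = c:\windows\system32\mepepivu.dll scecli
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LSA_RE = re.compile(r"^LSA: Notification Packages\s*=\s*(?P<value>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumption: on a stock Windows XP client only scecli is registered here.
# Extend this allowlist with any password filter your organisation deploys.
KNOWN_LSA_PACKAGES = {"scecli"}

# Per-user locations that ordinary installers rarely use for autostart binaries
# (assumed list; legitimate updaters such as Google Update do live here, so
# this reason is low-signal on its own).
PROFILE_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\")


def proxy_host(entry):
    """Return the host part of one proxy entry such as 'http=127.0.0.1:6522'."""
    target = entry.split("=", 1)[-1].strip()
    if target.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        return target[1:target.find("]")].lower()
    return target.rsplit(":", 1)[0].lower()


def is_loopback_proxy(value):
    """True when any protocol entry in the ProxyServer value points at this machine."""
    hosts = (proxy_host(e) for e in value.split(";") if e.strip())
    return any(h == "localhost" or h == "::1" or h.startswith("127.") for h in hosts)


def run_entry_reasons(name, cmd):
    """Heuristic reasons why an autostart entry deserves a closer look."""
    reasons = []
    if GUID_RE.match(name.strip()):
        reasons.append("run entry named with a bare GUID")
    if any(d in cmd.lower() for d in PROFILE_DATA_DIRS):
        reasons.append("run target under a user profile data directory")
    return reasons


def unknown_lsa_packages(value):
    """LSA notification packages not on the allowlist (a full path is itself odd)."""
    return [p for p in value.split() if p.lower() not in KNOWN_LSA_PACKAGES]


def triage(report_text):
    """Scan Pseudo HJT lines and return (line_no, reason, detail) tuples."""
    findings = []
    for line_no, raw in enumerate(report_text.splitlines(), 1):
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m and is_loopback_proxy(m.group("value")):
            findings.append((line_no, "loopback proxy", m.group("value")))
            continue
        m = RUN_RE.match(line)
        if m:
            for reason in run_entry_reasons(m.group("name"), m.group("cmd")):
                findings.append((line_no, reason, m.group("cmd")))
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in unknown_lsa_packages(m.group("value")):
                findings.append((line_no, "unrecognised LSA notification package", pkg))
    return findings


if __name__ == "__main__":
    for line_no, reason, detail in triage(SAMPLE_DDS):
        print(f"line {line_no}: {reason}: {detail}")
```

Run it against the Pseudo HJT section of any DDS log (paste the section into SAMPLE_DDS or read it from a file). On the constructed sample it reports the loopback proxy, both reasons for the GUID-named uRun entry, and the unlisted mepepivu.dll, while ctfmon.exe and the Java updater pass untouched. The profile-directory heuristic is deliberately a hint rather than a verdict; the combination of a GUID name and a profile path is the strong signal, as it is in this thread's log.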


#5 mcgowana1974

mcgowana1974
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 23 August 2010 - 05:33 PM

Combofix log below:

ComboFix 10-08-23.01 - Home 23/08/2010 23:12:38.1.2 - x86
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Home\Application Data\Fimo\orut.exe
c:\documents and settings\Home\Application Data\Luop
c:\documents and settings\Home\Application Data\Luop\etsoo.ydu
c:\documents and settings\Home\Local Settings\Application Data\{CECC730D-F96B-4922-8231-3B4C73EFD431}
c:\documents and settings\Home\Local Settings\Application Data\{CECC730D-F96B-4922-8231-3B4C73EFD431}\chrome.manifest
c:\documents and settings\Home\Local Settings\Application Data\{CECC730D-F96B-4922-8231-3B4C73EFD431}\chrome\content\_cfg.js
c:\documents and settings\Home\Local Settings\Application Data\{CECC730D-F96B-4922-8231-3B4C73EFD431}\chrome\content\overlay.xul
c:\documents and settings\Home\Local Settings\Application Data\{CECC730D-F96B-4922-8231-3B4C73EFD431}\install.rdf
c:\documents and settings\Home\Local Settings\Application Data\Windows Server
c:\documents and settings\Home\Recent\Thumbs.db
c:\windows\system32\_005123_.tmp.dll
c:\windows\system32\_005124_.tmp.dll
c:\windows\system32\_005125_.tmp.dll
c:\windows\system32\_005126_.tmp.dll
c:\windows\system32\_005133_.tmp.dll
c:\windows\system32\_005134_.tmp.dll
c:\windows\system32\_005135_.tmp.dll
c:\windows\system32\_005136_.tmp.dll
c:\windows\system32\_005138_.tmp.dll
c:\windows\system32\_005139_.tmp.dll
c:\windows\system32\_005142_.tmp.dll
c:\windows\system32\_005143_.tmp.dll
c:\windows\system32\_005145_.tmp.dll
c:\windows\system32\_005146_.tmp.dll
c:\windows\system32\_005147_.tmp.dll
c:\windows\system32\_005149_.tmp.dll
c:\windows\system32\_005152_.tmp.dll
c:\windows\system32\_005153_.tmp.dll
c:\windows\system32\_005157_.tmp.dll
c:\windows\system32\_005158_.tmp.dll
c:\windows\system32\_005160_.tmp.dll
c:\windows\system32\_005163_.tmp.dll
c:\windows\system32\_005165_.tmp.dll
c:\windows\system32\_005166_.tmp.dll
c:\windows\system32\_005167_.tmp.dll
c:\windows\system32\_005168_.tmp.dll
c:\windows\system32\_005169_.tmp.dll
c:\windows\system32\_005172_.tmp.dll
c:\windows\system32\_005173_.tmp.dll
c:\windows\system32\_005174_.tmp.dll
c:\windows\system32\_005175_.tmp.dll
c:\windows\system32\_005176_.tmp.dll
c:\windows\system32\_005181_.tmp.dll
c:\windows\system32\_005183_.tmp.dll
c:\windows\system32\_005184_.tmp.dll
c:\windows\system32\driVERs\krhzkf.sys
c:\windows\system32\SET198.tmp
c:\windows\system32\Thumbs.db
c:\windows\system32\win.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_krhzkf
-------\Service_krhzkf


((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-22 23:14 . 2010-08-22 23:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-22 19:34 . 2010-08-22 19:28 525824 ----a-w- C:\dds.scr
2010-08-22 12:01 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-22 12:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-22 12:00 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-22 08:30 . 2010-08-22 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-08-21 21:55 . 2010-08-21 21:55 -------- d-----w- c:\program files\ESET
2010-08-21 19:51 . 2010-08-22 12:42 63488 ----a-w- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-21 17:05 . 2010-08-21 17:05 -------- d-----w- c:\windows\ERUNT
2010-08-21 17:01 . 2010-08-21 17:40 -------- d-----w- C:\SDFix
2010-08-21 08:09 . 2010-08-22 11:03 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-08-20 02:04 . 2010-08-20 02:04 -------- d-----w- c:\program files\MSXML 6.0
2010-08-19 21:57 . 2010-08-19 21:57 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Sunbelt Software
2010-08-19 21:56 . 2010-08-19 21:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 21:56 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-19 21:56 . 2010-08-19 21:56 -------- d-----w- c:\program files\Lavasoft
2010-08-18 21:18 . 2001-08-17 21:36 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-08-18 21:17 . 2004-08-04 10:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-08-18 21:16 . 2004-08-04 10:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-08-18 21:15 . 2004-08-04 10:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-08-18 21:14 . 2004-08-04 10:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-08-18 21:14 . 2004-08-04 10:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-08-18 21:14 . 2004-08-04 10:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-08-18 21:14 . 2004-08-04 10:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-08-18 21:14 . 2004-08-04 10:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-08-18 21:14 . 2004-08-04 10:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-08-18 21:13 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-08-18 21:11 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-08-18 21:11 . 2004-08-04 10:00 226816 ----a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-08-18 21:11 . 2004-08-04 10:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-08-18 21:11 . 2004-08-04 10:00 4639 ----a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-08-18 21:11 . 2004-08-04 10:00 364544 ----a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-08-18 21:11 . 2004-08-04 10:00 10240 ----a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-08-18 20:49 . 2010-08-18 20:49 -------- d-----w- c:\windows\NV10441888.TMP
2010-08-18 20:39 . 2010-08-18 20:39 -------- d-----w- c:\windows\NV12641644.TMP
2010-08-18 20:23 . 2010-08-18 20:23 -------- d-----w- c:\windows\NV12321900.TMP
2010-08-18 20:18 . 2010-08-18 20:18 -------- d-----w- c:\windows\dell
2010-08-18 20:15 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-08-18 20:15 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-08-18 20:15 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-08-18 20:15 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-08-16 20:37 . 2010-08-16 20:37 -------- d-----w- c:\documents and settings\Home\Application Data\Tific
2010-08-16 20:36 . 2010-08-16 20:36 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Symantec
2010-08-16 20:34 . 2010-08-16 20:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-14 20:49 . 2010-08-15 15:35 2838 ----a-w- c:\windows\Cduwofesed.dat
2010-08-14 20:49 . 2010-08-14 20:49 0 ----a-w- c:\windows\Gruxoq.bin
2010-08-14 20:48 . 2010-08-15 17:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\tfkfxqkna
2010-08-14 20:48 . 2010-08-15 17:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\vspfxywvl
2010-08-14 20:48 . 2010-08-15 17:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\orcgxovlg
2010-08-10 22:07 . 2010-08-10 22:08 -------- d-----w- C:\e5aacdbcb9ad7c698c24a3ef4346
2010-08-10 21:20 . 2010-08-23 22:20 -------- d-----w- c:\program files\Common Files\Akamai
2010-08-03 15:32 . 2008-03-21 12:57 14640 ----a-w- c:\windows\system32\spmsgXP_2k3.dll
2010-08-01 18:00 . 2010-08-01 18:00 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2010-08-01 18:00 . 2010-08-01 18:00 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2010-08-01 18:00 . 2010-08-01 18:00 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2010-08-01 18:00 . 2010-08-01 18:00 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-08-01 17:59 . 2010-08-15 06:07 -------- d-----w- c:\program files\Sony Ericsson
2010-07-25 10:28 . 2010-07-25 10:24 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-07-25 10:28 . 2010-07-25 10:24 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-07-25 10:28 . 2010-07-25 10:28 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-25 10:28 . 2010-07-25 10:28 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-07-25 10:28 . 2010-07-25 10:28 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-07-25 10:28 . 2010-07-25 10:28 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-07-25 10:24 . 2010-07-25 10:28 -------- d-----w- c:\program files\DivX
2010-07-25 10:24 . 2010-07-25 10:24 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 14:46 . 2006-04-28 17:33 123296 ----a-w- c:\documents and settings\Home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-22 12:42 . 2010-01-15 18:17 117760 ----a-w- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-22 12:21 . 2009-09-14 19:59 -------- d-----w- c:\program files\Visual LightBox
2010-08-22 12:21 . 2009-04-21 07:36 -------- d-----w- c:\documents and settings\Home\Application Data\Fimo
2010-08-22 06:02 . 2005-08-16 03:41 89779 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-08-21 22:04 . 2010-04-15 07:23 -------- d-----w- c:\documents and settings\Home\Application Data\Elech
2010-08-21 19:51 . 2010-01-15 18:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-21 08:29 . 2010-06-27 22:03 530208 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-19 23:51 . 2006-05-18 22:32 -------- d-----w- c:\program files\Passware
2010-08-19 07:10 . 2007-12-01 09:57 -------- d-----w- c:\program files\SAproxy
2010-08-18 21:59 . 2009-08-13 22:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-16 18:26 . 2007-04-22 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-16 18:18 . 2006-04-29 07:06 -------- d-----w- c:\program files\Sand
2010-08-14 22:50 . 2008-10-19 13:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 20:38 . 2007-04-22 19:26 -------- d-----w- c:\program files\PeerGuardian2
2010-08-12 12:15 . 2010-01-10 22:34 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-12 12:15 . 2010-01-10 20:36 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-10 22:17 . 2006-04-28 21:07 -------- d-----w- c:\documents and settings\Home\Application Data\Autodesk
2010-08-10 22:15 . 2006-04-28 19:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-08-10 21:42 . 2006-04-28 19:47 -------- d-----w- c:\program files\Autodesk
2010-08-03 15:32 . 2010-08-03 15:32 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-08-03 15:32 . 2010-08-03 15:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2010-08-03 15:32 . 2010-08-03 15:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggflt_01007.Wdf
2010-07-25 15:46 . 2006-10-13 21:27 89912 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-25 10:29 . 2007-10-29 19:47 -------- d-----w- c:\documents and settings\Home\Application Data\DivX
2010-07-25 10:28 . 2010-07-24 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-25 10:28 . 2010-07-24 17:39 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-24 19:23 . 2010-01-16 21:39 -------- d-----w- c:\documents and settings\Home\Application Data\KRKsoft
2010-07-24 19:21 . 2006-04-25 13:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-24 19:21 . 2006-04-25 13:58 -------- d-----w- c:\program files\McAfee
2010-07-24 19:20 . 2010-06-26 19:37 -------- d-----w- c:\program files\Swift To-Do List
2010-07-24 19:17 . 2008-03-29 16:12 -------- d-----w- c:\program files\Microsoft Money 2007
2010-07-24 19:14 . 2008-12-26 10:41 -------- d-----w- c:\program files\CD to MP3 Freeware
2010-07-24 19:12 . 2010-03-06 12:27 -------- d-----w- c:\program files\GlobalMapper11
2010-07-24 19:11 . 2010-02-02 20:39 -------- d-----w- c:\program files\Dewpoint
2010-07-19 17:17 . 2010-07-01 12:48 -------- d-----w- c:\documents and settings\Home\Application Data\Yheds
2010-07-17 09:44 . 2006-04-28 19:58 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-07-03 19:47 . 2009-05-23 08:49 -------- d-----w- c:\documents and settings\Home\Application Data\Apple Computer
2010-07-03 19:39 . 2010-07-03 19:38 -------- d-----w- c:\program files\iTunes
2010-07-03 19:39 . 2010-07-03 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-03 19:38 . 2010-07-03 19:38 -------- d-----w- c:\program files\iPod
2010-07-03 19:38 . 2009-11-09 20:35 -------- d-----w- c:\program files\Common Files\Apple
2010-07-03 19:35 . 2006-04-25 13:56 -------- d-----w- c:\program files\QuickTime
2010-07-03 19:29 . 2010-07-03 19:29 -------- d-----w- c:\program files\Bonjour
2010-07-03 18:59 . 2010-07-03 18:59 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-28 19:32 . 2010-03-06 12:34 -------- d-----w- c:\documents and settings\Home\Application Data\GlobalMapper
2010-06-23 17:31 . 2010-05-15 08:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-23 17:31 . 2010-05-15 08:14 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-14 14:30 . 2005-08-16 03:40 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2007-10-29 19:46 133616 ----a-w- c:\windows\system32\pxafs.dll
2010-06-09 23:01 . 2007-10-29 19:46 126448 ----a-w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2007-10-29 19:46 123888 ----a-w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2006-12-29 09:21 9200 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2010-06-09 23:01 . 2006-12-29 09:21 9072 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-25 23:38 . 2010-06-24 04:07 813936 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_1.2.2.2\coFFFw\components\coFFFw.dll
2007-01-03 21:30 . 2007-01-03 21:30 3120 --sha-w- c:\program files\UIQTBUIVIOMZ.ini
2006-11-11 12:13 . 2006-11-11 12:13 560 ----a-w- c:\program files\Global.sw
2006-04-28 17:33 . 2006-04-28 17:33 251 ----a-w- c:\program files\wt3d.ini
2006-04-29 11:42 . 2006-04-29 11:42 8 --sha-r- c:\windows\system32\BA1A00BFC9.sys
2006-05-21 20:22 . 2006-04-28 17:39 56 --sha-r- c:\windows\system32\C9BF001ABA.sys
2006-06-26 19:26 . 2006-04-28 20:43 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADSL_A2"="A2Installed" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 136600]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
ADSL Diagnostic Tools.LNK - c:\windows\system32\mapiicon.exe [2001-3-23 343552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-0000003D0002}\SC_Acrobat.exe [2006-7-19 25214]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-15 23:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 04:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mi-raysat_3dsmax8"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=
"c:\\Program Files\\Google\\Google SketchUp 6\\LayOut\\LayOut.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\system32\\CTXFISPI.EXE"=
"c:\\WINDOWS\\PixArt\\PAC207\\Monitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\SAproxy\\dccproc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1729:TCP"= 1729:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\Drivers\eusk2par.sys [2004-11-18 24786]
R1 gbsbsxas;gbsbsxas;c:\windows\system32\drivers\gbsbsxas.sys [x]
R2 gupdate1c9404a13891b51;Google Update Service (gupdate1c9404a13891b51);c:\program files\Google\Update\GoogleUpdate.exe [2008-11-07 133104]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-01-08 36608]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2010-08-01 13224]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-08-12 15008]
R3 PAC207;Trust Webcam Live;c:\windows\system32\DRIVERS\PFC027.SYS [2007-04-12 507264]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-25 12872]
R3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\System32\Drivers\NSM\0200000.030\SymRdr.SYS [2010-05-11 180912]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [2010-08-10 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-25 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-08-10 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2004-08-04 14336]
S2 AMGM;ADSL Management and Monitor Interface;c:\windows\system32\DRIVERS\amgmwan.sys [2001-03-23 6272]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-12 1355416]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe [2010-05-23 126904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100820.001\IDSxpx86.sys [2010-05-28 331640]
S3 itexadsla2;ITeX ADSL PCI NIC Service;c:\windows\system32\DRIVERS\ITeXwana.sys [2001-03-23 466160]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-08-01 27632]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\229B350D-034F-4c01-BAF2-3EA03DCAE0B9.job
- c:\program files\Norton Online\AddOns\Norton Safety Minder\Engine\2.0.0.48\tampmon.exe [2010-07-06 00:40]

2010-08-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]

2010-08-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-06 07:13]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-06 07:13]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2700957803-3763328643-430907694-1005Core.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-25 11:03]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2700957803-3763328643-430907694-1005UA.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-25 11:03]

2010-08-23 c:\windows\Tasks\User_Feed_Synchronization-{5476E38C-6A4F-4D05-9753-50B34519FF0A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://fivesquare-hiltonglasgow.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} - hxxp://www.envivio.tv/downloads/EnvivioTV/EnvivioTV-AutomaticInstaller.exe
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\jutx1nni.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\jutx1nni.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\jutx1nni.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\jutx1nni.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Home\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-klmdb.sys
SafeBoot-Wdf01000.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-brastk - brastk.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 23:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
--

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NOF]
"ImagePath"="\"c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.0.0.71\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2700957803-3763328643-430907694-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BCC83DA4-E991-F826-5381-2243CD0622B4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gahiaechhnlpke"=hex:62,61,6c,70,00,17
"hajiaebmljbdkfmf"=hex:62,61,6c,70,00,f9
"iabiehapfphcghjkeo"=hex:6b,61,6e,70,69,69,6a,6a,66,62,70,65,67,66,69,61,63,62,
64,63,63,6a,00,c0
"hahikfkomlgmdfmi"=hex:6b,61,6e,70,69,69,6a,6a,66,62,70,65,67,66,69,61,63,62,
64,63,63,6a,00,00

[HKEY_LOCAL_MACHINE\software\Classes\htafile\CLSID]
@DACL=(02 0000)
@="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_LOCAL_MACHINE\software\Classes\mapi\Shell]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5380)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Windows Live\Family Safety\fsssvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-08-23 23:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 22:30

Pre-Run: 242,322,804,736 bytes free
Post-Run: 243,639,099,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1D2EAB737B53B02A4386DE3E624B6E03
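A triage pass over the log above, added here as an example: it is not code from this thread, from ComboFix or from the BleepingComputer helper. It parses the "Files Created" lines in the layout ComboFix prints (creation time, modification time, size or "--------" for a directory, attribute flags, path) and then flags what a responder reads first in a log like this one: random-looking lowercase folder names dropped under a user's Application Data, loose files written straight into the Windows root, and bursts of such folders created in the same minute. The regular expression, the vowel-ratio heuristic and its thresholds are the example's own assumptions, not a published detection rule; the sample lines are copied from the log above.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log.

Added example for this thread, not part of ComboFix. The parsing regex and
the name heuristic are assumptions made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines copied from the log above, enough to
# exercise every rule (two vendor folders and a driver serve as negatives).
SAMPLE_LOG = r"""
2010-08-16 20:37 . 2010-08-16 20:37 -------- d-----w- c:\documents and settings\Home\Application Data\Tific
2010-08-16 20:36 . 2010-08-16 20:36 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Symantec
2010-08-14 20:49 . 2010-08-15 15:35 2838 ----a-w- c:\windows\Cduwofesed.dat
2010-08-14 20:49 . 2010-08-14 20:49 0 ----a-w- c:\windows\Gruxoq.bin
2010-08-14 20:48 . 2010-08-15 17:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\tfkfxqkna
2010-08-14 20:48 . 2010-08-15 17:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\vspfxywvl
2010-08-14 20:48 . 2010-08-15 17:02 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\orcgxovlg
2010-08-10 21:20 . 2010-08-23 22:20 -------- d-----w- c:\program files\Common Files\Akamai
2010-08-01 18:00 . 2010-08-01 18:00 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
"""

# One ComboFix line: created . modified size attrs path  (size is "--------" for a directory)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

RANDOM_DIR = "random-named directory under Application Data"
WINDOWS_ROOT_FILE = "loose file written into the Windows directory root"


@dataclass(frozen=True)
class Entry:
    created: datetime
    size: Optional[int]   # None for directories
    is_dir: bool
    path: PureWindowsPath


def parse_files_created(text: str) -> List[Entry]:
    """Parse ComboFix 'Files Created' lines; lines in any other layout are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            size=None if m["size"].startswith("-") else int(m["size"]),
            is_dir=m["attrs"].startswith("d"),
            path=PureWindowsPath(m["path"]),
        ))
    return entries


def looks_random(name: str, min_len: int = 8, max_vowel_ratio: float = 0.25) -> bool:
    """Assumed heuristic: all-lowercase, letters-only, vowel-poor names such as
    'tfkfxqkna' read as generated; vendor folders ('Symantec', 'Tific') are
    capitalised or vowel-rich and do not."""
    if len(name) < min_len or not name.isalpha() or not name.islower():
        return False
    vowels = sum(1 for c in name if c in "aeiou")
    return vowels / len(name) <= max_vowel_ratio


def under_app_data(path: PureWindowsPath) -> bool:
    """True for a direct child of an 'Application Data' folder inside a user profile."""
    parts = [p.lower() for p in path.parts]
    return "documents and settings" in parts and path.parent.name.lower() == "application data"


def in_windows_root(directory: PureWindowsPath) -> bool:
    """True for c:\\windows itself, not for any of its subdirectories."""
    parts = [p.lower() for p in directory.parts]
    return len(parts) == 2 and parts[1] == "windows"


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries worth reading first."""
    findings: List[Tuple[str, str]] = []
    for e in parse_files_created(text):
        if e.is_dir and under_app_data(e.path) and looks_random(e.path.name):
            findings.append((RANDOM_DIR, str(e.path)))
        elif not e.is_dir and in_windows_root(e.path.parent):
            findings.append((WINDOWS_ROOT_FILE, str(e.path)))
    return findings


def sibling_bursts(text: str, min_size: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group random-named directories by (parent, creation minute): several
    appearing together is a stronger signal than any one of them alone."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in parse_files_created(text):
        if e.is_dir and under_app_data(e.path) and looks_random(e.path.name):
            key = (str(e.path.parent), e.created.strftime("%Y-%m-%d %H:%M"))
            groups[key].append(e.path.name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
    for (parent, when), names in sibling_bursts(SAMPLE_LOG).items():
        print(f"{len(names)} random-named folders created {when} in {parent}: {', '.join(names)}")
```

Run as a script it prints the findings for the embedded sample; to use it on another log, pass the pasted "Files Created" text to triage() and sibling_bursts(). The rules are deliberately narrow: they order what to read, they are not a verdict, and a vendor folder with an odd name still has to be checked by hand.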


#6 Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 23 August 2010 - 05:47 PM

Hi,

It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/topic342022.html

Collect::
c:\WINDOWS\Cduwofesed.dat

File::
c:\WINDOWS\Gruxoq.bin

Folder::
c:\documents and settings\Home\Local Settings\Application Data\tfkfxqkna
c:\documents and settings\Home\Local Settings\Application Data\vspfxywvl
c:\documents and settings\Home\Local Settings\Application Data\orcgxovlg


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior



Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#7 mcgowana1974
  • Topic Starter

  • Members
  • 27 posts

Posted 24 August 2010 - 12:57 AM

Latest ComboFix log:

ComboFix 10-08-23.01 - Home 23/08/2010 23:51:49.2.2 - x86
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\Gruxoq.bin"

file zipped: c:\windows\Cduwofesed.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Home\Local Settings\Application Data\orcgxovlg
c:\documents and settings\Home\Local Settings\Application Data\tfkfxqkna
c:\documents and settings\Home\Local Settings\Application Data\vspfxywvl
c:\windows\Cduwofesed.dat
c:\windows\Gruxoq.bin

.
((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-22 23:14 . 2010-08-22 23:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-22 19:34 . 2010-08-22 19:28 525824 ----a-w- C:\dds.scr
2010-08-22 12:01 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-22 12:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-22 12:00 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-22 08:30 . 2010-08-22 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-08-21 21:55 . 2010-08-21 21:55 -------- d-----w- c:\program files\ESET
2010-08-21 19:51 . 2010-08-22 12:42 63488 ----a-w- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-21 17:05 . 2010-08-21 17:05 -------- d-----w- c:\windows\ERUNT
2010-08-21 17:01 . 2010-08-21 17:40 -------- d-----w- C:\SDFix
2010-08-21 08:09 . 2010-08-22 11:03 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-08-20 02:04 . 2010-08-20 02:04 -------- d-----w- c:\program files\MSXML 6.0
2010-08-19 21:57 . 2010-08-19 21:57 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Sunbelt Software
2010-08-19 21:56 . 2010-08-19 21:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 21:56 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-19 21:56 . 2010-08-19 21:56 -------- d-----w- c:\program files\Lavasoft
2010-08-18 21:18 . 2001-08-17 21:36 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-08-18 21:17 . 2004-08-04 10:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-08-18 21:16 . 2004-08-04 10:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-08-18 21:15 . 2004-08-04 10:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-08-18 21:14 . 2004-08-04 10:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-08-18 21:14 . 2004-08-04 10:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-08-18 21:14 . 2004-08-04 10:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-08-18 21:14 . 2004-08-04 10:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-08-18 21:14 . 2004-08-04 10:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-08-18 21:14 . 2004-08-04 10:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-08-18 21:13 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-08-18 21:11 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-08-18 21:11 . 2004-08-04 10:00 226816 ----a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-08-18 21:11 . 2004-08-04 10:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-08-18 21:11 . 2004-08-04 10:00 4639 ----a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-08-18 21:11 . 2004-08-04 10:00 364544 ----a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-08-18 21:11 . 2004-08-04 10:00 10240 ----a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-08-18 20:49 . 2010-08-18 20:49 -------- d-----w- c:\windows\NV10441888.TMP
2010-08-18 20:39 . 2010-08-18 20:39 -------- d-----w- c:\windows\NV12641644.TMP
2010-08-18 20:23 . 2010-08-18 20:23 -------- d-----w- c:\windows\NV12321900.TMP
2010-08-18 20:18 . 2010-08-18 20:18 -------- d-----w- c:\windows\dell
2010-08-18 20:15 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-08-18 20:15 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-08-18 20:15 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-08-18 20:15 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-08-16 20:37 . 2010-08-16 20:37 -------- d-----w- c:\documents and settings\Home\Application Data\Tific
2010-08-16 20:36 . 2010-08-16 20:36 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Symantec
2010-08-16 20:34 . 2010-08-16 20:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-10 22:07 . 2010-08-10 22:08 -------- d-----w- C:\e5aacdbcb9ad7c698c24a3ef4346
2010-08-10 21:20 . 2010-08-23 22:20 -------- d-----w- c:\program files\Common Files\Akamai
2010-08-03 15:32 . 2008-03-21 12:57 14640 ----a-w- c:\windows\system32\spmsgXP_2k3.dll
2010-08-01 18:00 . 2010-08-01 18:00 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2010-08-01 18:00 . 2010-08-01 18:00 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2010-08-01 18:00 . 2010-08-01 18:00 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2010-08-01 18:00 . 2010-08-01 18:00 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-08-01 17:59 . 2010-08-15 06:07 -------- d-----w- c:\program files\Sony Ericsson
2010-07-25 10:28 . 2010-07-25 10:24 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-07-25 10:28 . 2010-07-25 10:24 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-07-25 10:28 . 2010-07-25 10:28 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-25 10:28 . 2010-07-25 10:28 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-07-25 10:28 . 2010-07-25 10:28 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-07-25 10:28 . 2010-07-25 10:28 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-07-25 10:24 . 2010-07-25 10:28 -------- d-----w- c:\program files\DivX
2010-07-25 10:24 . 2010-07-25 10:24 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 14:46 . 2006-04-28 17:33 123296 ----a-w- c:\documents and settings\Home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-22 12:42 . 2010-01-15 18:17 117760 ----a-w- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-22 12:21 . 2009-09-14 19:59 -------- d-----w- c:\program files\Visual LightBox
2010-08-22 12:21 . 2009-04-21 07:36 -------- d-----w- c:\documents and settings\Home\Application Data\Fimo
2010-08-22 06:02 . 2005-08-16 03:41 89779 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-08-21 22:04 . 2010-04-15 07:23 -------- d-----w- c:\documents and settings\Home\Application Data\Elech
2010-08-21 19:51 . 2010-01-15 18:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-21 08:29 . 2010-06-27 22:03 530208 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-19 23:51 . 2006-05-18 22:32 -------- d-----w- c:\program files\Passware
2010-08-19 07:10 . 2007-12-01 09:57 -------- d-----w- c:\program files\SAproxy
2010-08-18 21:59 . 2009-08-13 22:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-16 18:26 . 2007-04-22 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-16 18:18 . 2006-04-29 07:06 -------- d-----w- c:\program files\Sand
2010-08-14 22:50 . 2008-10-19 13:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 20:38 . 2007-04-22 19:26 -------- d-----w- c:\program files\PeerGuardian2
2010-08-12 12:15 . 2010-01-10 22:34 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-12 12:15 . 2010-01-10 20:36 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-10 22:17 . 2006-04-28 21:07 -------- d-----w- c:\documents and settings\Home\Application Data\Autodesk
2010-08-10 22:15 . 2006-04-28 19:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-08-10 21:42 . 2006-04-28 19:47 -------- d-----w- c:\program files\Autodesk
2010-08-03 15:32 . 2010-08-03 15:32 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-08-03 15:32 . 2010-08-03 15:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2010-08-03 15:32 . 2010-08-03 15:32 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggflt_01007.Wdf
2010-07-25 15:46 . 2006-10-13 21:27 89912 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-25 10:29 . 2007-10-29 19:47 -------- d-----w- c:\documents and settings\Home\Application Data\DivX
2010-07-25 10:28 . 2010-07-24 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-25 10:28 . 2010-07-24 17:39 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-24 19:23 . 2010-01-16 21:39 -------- d-----w- c:\documents and settings\Home\Application Data\KRKsoft
2010-07-24 19:21 . 2006-04-25 13:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-24 19:21 . 2006-04-25 13:58 -------- d-----w- c:\program files\McAfee
2010-07-24 19:20 . 2010-06-26 19:37 -------- d-----w- c:\program files\Swift To-Do List
2010-07-24 19:17 . 2008-03-29 16:12 -------- d-----w- c:\program files\Microsoft Money 2007
2010-07-24 19:14 . 2008-12-26 10:41 -------- d-----w- c:\program files\CD to MP3 Freeware
2010-07-24 19:12 . 2010-03-06 12:27 -------- d-----w- c:\program files\GlobalMapper11
2010-07-24 19:11 . 2010-02-02 20:39 -------- d-----w- c:\program files\Dewpoint
2010-07-19 17:17 . 2010-07-01 12:48 -------- d-----w- c:\documents and settings\Home\Application Data\Yheds
2010-07-17 09:44 . 2006-04-28 19:58 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-07-03 19:47 . 2009-05-23 08:49 -------- d-----w- c:\documents and settings\Home\Application Data\Apple Computer
2010-07-03 19:39 . 2010-07-03 19:38 -------- d-----w- c:\program files\iTunes
2010-07-03 19:39 . 2010-07-03 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-03 19:38 . 2010-07-03 19:38 -------- d-----w- c:\program files\iPod
2010-07-03 19:38 . 2009-11-09 20:35 -------- d-----w- c:\program files\Common Files\Apple
2010-07-03 19:35 . 2006-04-25 13:56 -------- d-----w- c:\program files\QuickTime
2010-07-03 19:29 . 2010-07-03 19:29 -------- d-----w- c:\program files\Bonjour
2010-07-03 18:59 . 2010-07-03 18:59 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-28 19:32 . 2010-03-06 12:34 -------- d-----w- c:\documents and settings\Home\Application Data\GlobalMapper
2010-06-23 17:31 . 2010-05-15 08:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-23 17:31 . 2010-05-15 08:14 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-14 14:30 . 2005-08-16 03:40 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2007-10-29 19:46 133616 ----a-w- c:\windows\system32\pxafs.dll
2010-06-09 23:01 . 2007-10-29 19:46 126448 ----a-w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2007-10-29 19:46 123888 ----a-w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2006-12-29 09:21 9200 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2010-06-09 23:01 . 2006-12-29 09:21 9072 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-25 23:38 . 2010-06-24 04:07 813936 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_1.2.2.2\coFFFw\components\coFFFw.dll
2007-01-03 21:30 . 2007-01-03 21:30 3120 --sha-w- c:\program files\UIQTBUIVIOMZ.ini
2006-11-11 12:13 . 2006-11-11 12:13 560 ----a-w- c:\program files\Global.sw
2006-04-28 17:33 . 2006-04-28 17:33 251 ----a-w- c:\program files\wt3d.ini
2006-04-29 11:42 . 2006-04-29 11:42 8 --sha-r- c:\windows\system32\BA1A00BFC9.sys
2006-05-21 20:22 . 2006-04-28 17:39 56 --sha-r- c:\windows\system32\C9BF001ABA.sys
2006-06-26 19:26 . 2006-04-28 20:43 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_22.23.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-23 22:40 . 2010-08-23 22:40 16384 c:\windows\Temp\Perflib_Perfdata_5cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADSL_A2"="A2Installed" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 136600]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
ADSL Diagnostic Tools.LNK - c:\windows\system32\mapiicon.exe [2001-3-23 343552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-0000003D0002}\SC_Acrobat.exe [2006-7-19 25214]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-15 23:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 04:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mi-raysat_3dsmax8"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=
"c:\\Program Files\\Google\\Google SketchUp 6\\LayOut\\LayOut.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\system32\\CTXFISPI.EXE"=
"c:\\WINDOWS\\PixArt\\PAC207\\Monitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\SAproxy\\dccproc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1729:TCP"= 1729:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\Drivers\eusk2par.sys [2004-11-18 24786]
R1 gbsbsxas;gbsbsxas;c:\windows\system32\drivers\gbsbsxas.sys [x]
R2 gupdate1c9404a13891b51;Google Update Service (gupdate1c9404a13891b51);c:\program files\Google\Update\GoogleUpdate.exe [2008-11-07 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-12 1355416]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-01-08 36608]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2010-08-01 13224]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-08-12 15008]
R3 PAC207;Trust Webcam Live;c:\windows\system32\DRIVERS\PFC027.SYS [2007-04-12 507264]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-25 12872]
R3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\System32\Drivers\NSM\0200000.030\SymRdr.SYS [2010-05-11 180912]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [2010-08-10 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-25 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-08-10 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2004-08-04 14336]
S2 AMGM;ADSL Management and Monitor Interface;c:\windows\system32\DRIVERS\amgmwan.sys [2001-03-23 6272]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe [2010-05-23 126904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100820.001\IDSxpx86.sys [2010-05-28 331640]
S3 itexadsla2;ITeX ADSL PCI NIC Service;c:\windows\system32\DRIVERS\ITeXwana.sys [2001-03-23 466160]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-08-01 27632]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\229B350D-034F-4c01-BAF2-3EA03DCAE0B9.job
- c:\program files\Norton Online\AddOns\Norton Safety Minder\Engine\2.0.0.48\tampmon.exe [2010-07-06 00:40]

2010-08-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]

2010-08-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-06 07:13]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-06 07:13]

2010-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2700957803-3763328643-430907694-1005Core.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-25 11:03]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2700957803-3763328643-430907694-1005UA.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-25 11:03]

2010-08-23 c:\windows\Tasks\User_Feed_Synchronization-{5476E38C-6A4F-4D05-9753-50B34519FF0A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://fivesquare-hiltonglasgow.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} - hxxp://www.envivio.tv/downloads/EnvivioTV/EnvivioTV-AutomaticInstaller.exe
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\jutx1nni.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\jutx1nni.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\jutx1nni.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 23:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
--

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NOF]
"ImagePath"="\"c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.0.0.71\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2700957803-3763328643-430907694-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BCC83DA4-E991-F826-5381-2243CD0622B4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gahiaechhnlpke"=hex:62,61,6c,70,00,17
"hajiaebmljbdkfmf"=hex:62,61,6c,70,00,f9
"iabiehapfphcghjkeo"=hex:6b,61,6e,70,69,69,6a,6a,66,62,70,65,67,66,69,61,63,62,
64,63,63,6a,00,c0
"hahikfkomlgmdfmi"=hex:6b,61,6e,70,69,69,6a,6a,66,62,70,65,67,66,69,61,63,62,
64,63,63,6a,00,00

[HKEY_LOCAL_MACHINE\software\Classes\htafile\CLSID]
@DACL=(02 0000)
@="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"

[HKEY_LOCAL_MACHINE\software\Classes\mapi\Shell]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-23 23:59:36
ComboFix-quarantined-files.txt 2010-08-23 22:59
ComboFix2.txt 2010-08-23 22:30

Pre-Run: 243,681,660,928 bytes free
Post-Run: 243,655,909,376 bytes free

- - End Of File - - F613EA3DBCF98169B1C7479041D4FFC0
Upload was successful



KASPERSKY report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 24, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 23, 2010 14:43:11
Records in database: 4138022
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 189166
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:48:43

No threats found. Scanned area is clean.

Selected area has been scanned.

#8 mcgowana1974 (Topic Starter, Members, 27 posts)

Posted 25 August 2010 - 04:11 PM

Do I need to do anything further?

#9 Ried (Malware Response Team, 1,009 posts)

Posted 25 August 2010 - 08:48 PM

Pardon the delay, I was waiting for you to advise on system behavior.

QUOTE
Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior



The logs are clean. If there aren't any more problems, we have some final housekeeping to tend to now. Please do not skip this step as it will implement some important cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point for you.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

As 'Googling' is such an integral part of internet life, I recommend that you get the following free program if you do not already have it:

WOT - Web of Trust. This is a free browser add on that warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of Erunt http://www.winhelponline.com/blog/backup-w...ly-using-erunt/


    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

Kindly respond one more time and let us know if we may consider this thread resolved.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#10 mcgowana1974 (Topic Starter, Members, 27 posts)

Posted 26 August 2010 - 11:25 AM

My system seemed to be working fine but I can now no longer get into Windows.

When I switch on the PC the text is messed up with white dots all over the screen. It then gets to the Windows loading screen and then all I get is a black screen and the monitor goes into standby. I suspect my graphics card has failed.

#11 mcgowana1974 (Topic Starter, Members, 27 posts)

Posted 26 August 2010 - 03:36 PM

I downloaded the latest video card drivers in safe mode and now everything seems to be back up and running.

I ran Combofix / uninstall which certainly removed Combofix but it didn't seem to flush previous restore points.

#12 mcgowana1974 (Topic Starter, Members, 27 posts)

Posted 26 August 2010 - 04:18 PM

I spoke too soon. Working away on the PC when the screen went blank and the PC rebooted, and the white dots are back when it first starts to boot. Can only get safe mode to work.

#13 Ried (Malware Response Team, 1,009 posts)

Posted 26 August 2010 - 10:51 PM

Did you install ERUNT and NTREGOPT? If so, what restore points do you have available?


#14 mcgowana1974 (Topic Starter, Members, 27 posts)

Posted 27 August 2010 - 01:50 AM

I didn't get as far as installing ERUNT and NTREGOPT before the PC shut itself down. I currently have a restore point each day from 23 August to the 26th August.

#15 mcgowana1974 (Topic Starter, Members, 27 posts)

Posted 27 August 2010 - 02:07 AM

Just installed and ran ERUNT and NTREGOPT. PC then started up normally after a re-boot; will see how it performs today.

Now have another restore point on 27 August, i.e. today.

Should I re-enable CD Emulation?

Edited by mcgowana1974, 27 August 2010 - 02:07 AM.