
Unknown infection


23 replies to this topic

#1 elysse
  • Members
  • 23 posts

Posted 07 January 2011 - 06:00 AM

Hi there, I would really appreciate any help.

The computer belongs to my Dad and is a Windows XP Professional, SP3. It has had a number of problems lately, including issues with display when using firefox with strange formatting on websites, blanks where sentences should be, blacked out pictures, disappearing lines while typing (while I am typing this the sentence above has disappeared), spontaneous reboots, freezes, unresponsive mouse pointer. Just a few minutes ago the blue screen of death appeared and made the computer restart. It was only there for a split second so I couldn't catch what the error message was.

Also, my Dad ran Avast! Antivirus a few days ago and according to him there were a large number of infected files found but the computer froze and rebooted when he clicked on Move to Chest. Repeat scans came up clean. I also ran MBAM and SuperAntiSpyware and those were clean. Really don't know what the problem is, but I am concerned about security as my Dad uses this computer for internet banking among other things. Would be really grateful for any help!

I have attached the DDS and Attach logs mentioned in the Preparation Guide, but could not attach ark.txt because the computer freezes in the middle of running GMER and crashes every time I try :mellow:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Lawrence at 21:46:34.25 on Thu 01/06/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1072 [GMT 8:00]

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS.0\system32\NLSSRV32.EXE
C:\WINDOWS.0\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe
C:\WINDOWS.0\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Lawrence\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS.0\system32\dwwin.exe
C:\Documents and Settings\Lawrence\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [VoipBuster] "c:\program files\voipbuster.com\voipbuster\VoipBuster.exe" -nosplash -minimized
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [FreeCall] "c:\program files\freecall.com\freecall\FreeCall.exe" -nosplash -minimized
uRun: [Google Update] "c:\documents and settings\lawrence\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows.0\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Ulead AutoDetector] c:\program files\ulead systems\ulead photo explorer 8.0 se basic\Monitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
IE: Add to Google Photos Screensa&ver - c:\windows.0\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {2CE5ABBC-EFD3-482A-8CCC-550B45E3A770} = 218.102.62.71 203.198.23.208
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lawrence\applic~1\mozilla\firefox\profiles\kv6mwuqq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\lawrence\application data\mozilla\firefox\profiles\kv6mwuqq.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\lawrence\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\lawrence\application data\mozilla\firefox\profiles\kv6mwuqq.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\lawrence\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\lawrence\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\lawrence\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2166.3772\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows.0\system32\drivers\PCTCore.sys [2010-12-29 239168]
R0 pctDS;PC Tools Data Store;c:\windows.0\system32\drivers\pctDS.sys [2010-12-29 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows.0\system32\drivers\pctEFA.sys [2010-12-29 656320]
R1 aswSP;aswSP;c:\windows.0\system32\drivers\aswSP.sys [2009-10-27 293968]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2009-10-27 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-12-16 188736]
R2 nlsX86cc;NLS Service;c:\windows.0\system32\NLSSRV32.EXE [2009-12-16 65856]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-12-29 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-12-29 1150936]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows.0\system32\drivers\RTL8187.sys [2000-1-1 194304]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-2 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-7-13 30192]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== Created Last 30 ================

2010-12-28 21:39:33 656320 ----a-w- c:\windows.0\system32\drivers\pctEFA.sys
2010-12-28 21:39:33 338880 ----a-w- c:\windows.0\system32\drivers\pctDS.sys
2010-12-28 21:39:32 249616 ----a-w- c:\windows.0\system32\drivers\pctgntdi.sys
2010-12-28 21:39:27 239168 ----a-w- c:\windows.0\system32\drivers\PCTCore.sys
2010-12-28 21:39:27 160448 ----a-w- c:\windows.0\system32\drivers\PCTAppEvent.sys
2010-12-28 21:39:12 70536 ----a-w- c:\windows.0\system32\drivers\pctplsg.sys
2010-12-28 21:38:59 -------- d-----w- c:\program files\PC Tools Security
2010-12-28 21:38:59 -------- d-----w- c:\program files\common files\PC Tools
2010-12-28 21:38:59 -------- d-----w- c:\docume~1\lawrence\applic~1\PC Tools
2010-12-28 21:38:59 -------- d-----w- c:\docume~1\alluse~1.0\applic~1\PC Tools
2010-12-28 21:37:38 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2010-12-28 21:37:20 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-12-28 21:37:14 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-12-28 21:32:43 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- c:\windows.0\avastSS.scr
2010-10-14 23:44:02 4280320 ----a-w- c:\windows.0\system32\GPhotos.scr
2006-05-03 09:06:54 163328 --sh--r- c:\windows.0\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows.0\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows.0\system32\nbDX.dll

============= FINISH: 21:48:48.93 ===============

Edited by Budapest, 07 January 2011 - 06:18 AM.
Moved from XP ~BP
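Added example (not part of the thread and not code from the DDS tool): a small Python triage that parses the section banners of a DDS log like the one above and lists the entries a helper normally reviews first, namely orphaned BHO/toolbar entries ("No File"), files carrying both hidden and system attributes under system32, the AppInit_DLLs value, the Winlogon SfcDisable value and the configured DNS servers. The embedded sample is an excerpt copied from the log above; the category names and the flagging rules are my own and only mark items for review, not as malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt: a handful of lines copied from the DDS log posted in this
# thread, embedded so the triage runs offline. A real run reads the whole DDS.txt.
SAMPLE_DDS = r"""
DDS (Ver_10-12-12.02) - NTFSx86
Run by Lawrence at 21:46:34.25 on Thu 01/06/2011

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TCP: {2CE5ABBC-EFD3-482A-8CCC-550B45E3A770} = 218.102.62.71 203.198.23.208
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

=============== Created Last 30 ================

2010-12-28 21:39:33 656320 ----a-w- c:\windows.0\system32\drivers\pctEFA.sys
2010-12-28 21:38:59 -------- d-----w- c:\program files\PC Tools Security

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- c:\windows.0\avastSS.scr
2006-05-03 09:06:54 163328 --sh--r- c:\windows.0\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows.0\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows.0\system32\nbDX.dll

============= FINISH: 21:48:48.93 ===============
"""

# Section banners look like "===== Name =====".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# File lines: "<date> <time> <size or dashes> <8-char attrs> <path>".
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+)$")


def parse_sections(text: str) -> dict:
    """Split a DDS log into {section name: [non-empty lines]} using its banners."""
    sections = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


@dataclass
class FileEntry:
    timestamp: str
    size: Optional[int]   # None for directory rows, which show dashes instead
    attrs: str            # e.g. "----a-w-" or "--sh--r-"
    path: str

    @property
    def hidden_system(self) -> bool:
        # 'h' and 's' in the attribute string mean hidden and system respectively.
        return "h" in self.attrs and "s" in self.attrs


def parse_file_entry(line: str) -> Optional[FileEntry]:
    m = FILE_RE.match(line)
    if not m:
        return None
    ts, size, attrs, path = m.groups()
    return FileEntry(ts, int(size) if size.isdigit() else None, attrs, path)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs worth a closer look; hypothetical categories."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):
            findings.append(("orphan-entry", line))        # registry points at a missing file
        elif line.startswith("AppInit_DLLs:"):
            findings.append(("appinit-dll", line))         # DLL loaded into every GUI process
        elif line.startswith("mWinlogon:") and "SfcDisable" in line:
            findings.append(("sfc-disable", line))         # Windows File Protection setting
        elif line.startswith("TCP:"):
            findings.append(("dns-servers", line.split("=", 1)[1].strip()))
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            entry = parse_file_entry(line)
            if entry and entry.hidden_system and "\\system32\\" in entry.path.lower():
                findings.append(("hidden-system-file", entry.path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"{category:20s} {detail}")
```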



#2 Casey_boy (Bleeping physicist)
  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 12 January 2011 - 03:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#3 elysse (Topic Starter)
  • Members
  • 23 posts

Posted 13 January 2011 - 03:56 AM

Hello Casey,

Thanks for the reply. The computer is still freezing occasionally and lines disappear while I'm typing (right now I can't see what I've been typing so far). Another pattern I've noticed is that it blue-screens and restarts every time Firefox is clicked on more than once.

Here is the DDS log:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Lawrence at 16:28:28.03 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1056 [GMT 8:00]

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\WINDOWS.0\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe
C:\WINDOWS.0\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS.0\system32\NLSSRV32.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\WINDOWS.0\system32\svchost.exe -k imgsvc
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Lawrence\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Lawrence\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [VoipBuster] "c:\program files\voipbuster.com\voipbuster\VoipBuster.exe" -nosplash -minimized
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [FreeCall] "c:\program files\freecall.com\freecall\FreeCall.exe" -nosplash -minimized
uRun: [Google Update] "c:\documents and settings\lawrence\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows.0\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Ulead AutoDetector] c:\program files\ulead systems\ulead photo explorer 8.0 se basic\Monitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
IE: Add to Google Photos Screensa&ver - c:\windows.0\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {2CE5ABBC-EFD3-482A-8CCC-550B45E3A770} = 218.102.62.71 203.198.23.208
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lawrence\applic~1\mozilla\firefox\profiles\kv6mwuqq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\lawrence\application data\mozilla\firefox\profiles\kv6mwuqq.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\lawrence\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\lawrence\application data\mozilla\firefox\profiles\kv6mwuqq.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\lawrence\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\lawrence\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\lawrence\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2166.3772\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users.windows.0\application data\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows.0\system32\drivers\PCTCore.sys [2010-12-29 239168]
R0 pctDS;PC Tools Data Store;c:\windows.0\system32\drivers\pctDS.sys [2010-12-29 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows.0\system32\drivers\pctEFA.sys [2010-12-29 656320]
R1 aswSP;aswSP;c:\windows.0\system32\drivers\aswSP.sys [2009-10-27 293968]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2009-10-27 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-12-16 188736]
R2 nlsX86cc;NLS Service;c:\windows.0\system32\NLSSRV32.EXE [2009-12-16 65856]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-12-29 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-12-29 1150936]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows.0\system32\drivers\RTL8187.sys [2000-1-1 194304]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-2 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-7-13 30192]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== Created Last 30 ================

2010-12-28 21:39:33 656320 ----a-w- c:\windows.0\system32\drivers\pctEFA.sys
2010-12-28 21:39:33 338880 ----a-w- c:\windows.0\system32\drivers\pctDS.sys
2010-12-28 21:39:32 249616 ----a-w- c:\windows.0\system32\drivers\pctgntdi.sys
2010-12-28 21:39:27 239168 ----a-w- c:\windows.0\system32\drivers\PCTCore.sys
2010-12-28 21:39:27 160448 ----a-w- c:\windows.0\system32\drivers\PCTAppEvent.sys
2010-12-28 21:39:12 70536 ----a-w- c:\windows.0\system32\drivers\pctplsg.sys
2010-12-28 21:38:59 -------- d-----w- c:\program files\PC Tools Security
2010-12-28 21:38:59 -------- d-----w- c:\program files\common files\PC Tools
2010-12-28 21:38:59 -------- d-----w- c:\docume~1\lawrence\applic~1\PC Tools
2010-12-28 21:38:59 -------- d-----w- c:\docume~1\alluse~1.0\applic~1\PC Tools
2010-12-28 21:37:38 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2010-12-28 21:37:20 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-12-28 21:37:14 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-12-28 21:32:43 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- c:\windows.0\avastSS.scr
2006-05-03 09:06:54 163328 --sh--r- c:\windows.0\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows.0\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows.0\system32\nbDX.dll

============= FINISH: 16:30:41.42 ===============

Attach.txt attached, but I could not run GMER.exe. Several times the computer froze in the middle of running it and once it displayed a message "GMER.exe has encountered a problem and needs to close". :huh:
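
The DDS log above lists loaded services and drivers in the shape `R2 name;display;path [date size]` and recently changed files as `date time size attrs path`. As an added example (not something posted in this thread and not part of DDS itself), the following Python script parses those two line shapes and flags the entries a responder would look at first: hidden+system files inside system32, services or drivers loaded from outside the Windows and Program Files trees, and drivers whose file timestamp predates the operating system. The regexes, the attribute-column reading, the trusted-path list and the 2001 date threshold are my own assumptions rather than documented DDS rules; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Line shapes as they appear in a DDS log (regexes are my own; DDS publishes no grammar).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}:\d{2}\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Triage assumptions (mine, not DDS rules): code loaded from outside these trees is worth
# a look, and a driver timestamped before 2001 on a Windows XP box has an implausible date.
TRUSTED_PREFIXES = ("c:\\windows", "c:\\program files")
OLDEST_PLAUSIBLE = date(2001, 1, 1)


@dataclass
class ServiceEntry:
    state: str        # R = running, S = stopped
    start: int        # 0 boot, 1 system, 2 auto, 3 manual
    name: str
    display: str
    path: str
    file_date: date
    size: int


@dataclass
class FileEntry:
    file_date: date
    size: Optional[int]   # None for directories (DDS prints "--------")
    attrs: str            # 8-column flag string, e.g. "--sh--r-"
    path: str

    # Column reading assumed from the log: d=directory, s=system, h=hidden, a=archive, w/r=writable/read-only
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"


@dataclass
class Finding:
    path: str
    reason: str


def _to_date(text: str) -> date:
    y, m, d = (int(part) for part in text.split("-"))
    return date(y, m, d)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], int(m["start"]), m["name"], m["display"],
                        m["path"], _to_date(m["date"]), int(m["size"]))


def parse_file_line(line: str) -> Optional[FileEntry]:
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    size = int(m["size"]) if m["size"].isdigit() else None
    return FileEntry(_to_date(m["date"]), size, m["attrs"], m["path"])


def triage(lines: List[str]) -> List[Finding]:
    """Return the entries worth a second look; nothing here is a verdict, only a review queue."""
    findings: List[Finding] = []
    for line in lines:
        svc = parse_service_line(line)
        if svc:
            if not svc.path.lower().startswith(TRUSTED_PREFIXES):
                findings.append(Finding(svc.path, "service/driver loaded from outside Windows or Program Files"))
            if svc.file_date < OLDEST_PLAUSIBLE:
                findings.append(Finding(svc.path, "implausible file date %s" % svc.file_date))
            continue
        entry = parse_file_line(line)
        if entry and not entry.is_dir and entry.is_system and entry.is_hidden \
                and "\\system32\\" in entry.path.lower():
            findings.append(Finding(entry.path, "hidden+system file in system32: verify publisher and hash"))
    return findings


# Sample input: lines copied from the DDS log posted above.
SAMPLE_LINES = [
    r"R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2009-10-27 17744]",
    r"R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-27 40384]",
    r"R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows.0\system32\drivers\RTL8187.sys [2000-1-1 194304]",
    r"S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]",
    r"2010-12-28 21:39:33 656320 ----a-w- c:\windows.0\system32\drivers\pctEFA.sys",
    r"2010-12-28 21:38:59 -------- d-----w- c:\program files\PC Tools Security",
    r"2010-12-31 20:06:36 38848 ----a-w- c:\windows.0\avastSS.scr",
    r"2006-05-03 09:06:54 163328 --sh--r- c:\windows.0\system32\flvDX.dll",
    r"2007-02-21 10:47:16 31232 --sh--r- c:\windows.0\system32\msfDX.dll",
    r"2008-03-16 12:30:52 216064 --sh--r- c:\windows.0\system32\nbDX.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("%-55s %s" % (f.path, f.reason))
```

Run against the sample, the script queues the three hidden+system DLLs from the Find3M section and the RTL8187.sys driver whose file date is 2000-1-1; a responder would then check those files' publishers and hashes rather than act on the flag alone.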

#4 elysse

elysse
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:11 AM

Posted 13 January 2011 - 03:58 AM

Sorry here is Attach.txt

Not sure why it didn't attach!!

Attached Files



#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:11 PM

Posted 13 January 2011 - 09:08 AM

Hello

My name is gringo and I will be helping you from this point forward

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes unless I tell you so.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

If you have not done so please Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Here is the first thing I would like you to do.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 elysse

Posted 15 January 2011 - 04:28 AM

Hello Gringo,

Thanks for your message.

When I disabled Avast real time protection in order to run Combofix, it came up with this message:
"A suspicious hidden object (rootkit) has been detected on your system. This may be a sign of a malware infection. It is recommended to remove the object immediately."

Rootkit information
File name
C:\32788R22RWJFW\pev.exe

Should I delete it or ignore it? Haven't run Combofix yet...
Also I am not sure if I should completely exit Avast to run Combofix or if it is ok to just disable real time protection.

#7 gringo_pr

Posted 15 January 2011 - 04:56 AM

hello

that is part of combofix

please disable avast as much as possible to run combofix


Gringo

#8 elysse

Posted 15 January 2011 - 09:55 AM

Hi there

Ok, I ignored the message about the rootkit and disabled Avast.

Before disabling, PC Tools Spyware Doctor also came up with a message saying that there was a threat and 2 infections in the computer.
"Trackware.Tracking Cookies!rem" When I attempted to exit PC Tools Spyware Doctor, I got a blue screen and the computer shut down and beeped a couple of times when I tried to start it up again.

Finally got it started and ran Combofix, then it said that there was an error saving a file C:\Windows.0\erdnt\Hiv=backup\software. [RegSaveKeyEx: 1016 - An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry ]. I just clicked on Yes to continue with the next file.

Middle of running ComboFix, computer froze again. After restart, managed to run ComboFix, close to finishing there was an error saying "dumphive.cfxxe has encountered a problem and needs to close".

Not sure if that meant anything.

The computer still freezes occasionally and restarts by itself. It also has issues with display where lines of text become missing, darker or distorted. I took a screenshot of this and can attach it if needed.

My dad has done a backup of the files he needs from the computer to an external hard drive.

ComboFix log attached, thanks!

Attached Files

  • Attached File  log.txt   18.21KB   6 downloads


#9 gringo_pr

Posted 15 January 2011 - 01:01 PM

Hello

something doesn't sound right and I don't think it has to do with an infection

run chkdsk
  • Go to Start, Run and type cmd and hit Enter
  • When the command window comes up, type: chkdsk c:
  • hit Enter again.
  • Maximize the command window, and wait for the scan to finish.
  • Read the results carefully to see if it says that it found problems with your file system.
IF it has found any problems with your file system,
  • Go To Start, Run and type cmd
  • hit Enter
  • Type this into the command window at the prompt:
    • chkdsk c: /F <==notice the /F, with one space between c: and /F
  • hit Enter
  • You will get a message that the volume is locked, and a request to do the repair on Reboot.
  • Answer Y
  • Then type exit to close the Command window.
  • Go to Start, Turn Off Computer and choose Reboot
  • It will scan again and make the repairs as the first part of the reboot process.

After it reboots, run the first sequence again (without the /F parameter), and see if it still shows an error.
Tell me what it found originally, and if there was a problem, whether the final sequence showed no errors.
It's possible that the chkdsk c: /F sequence may have to be run on reboot twice to pick up everything.
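
As an added example, not something gringo posted, here is a Python script that automates the sequence above on a Windows machine: run the read-only check, use chkdsk's documented exit code together with its "Run CHKDSK with the /F option" message to decide whether a repair pass is needed, schedule the /F pass for the next reboot, and collect the "Correcting errors" / "recovering lost files" lines a helper asks you to report back. The exit-code meanings come from Microsoft's chkdsk command reference; the phrase list is my own. The sample outputs are constructed from chkdsk messages quoted in this thread so the decision logic can be exercised on a non-Windows machine.

```python
import re
import subprocess
from typing import List, Tuple

# Documented chkdsk.exe exit codes (Microsoft command-line reference for chkdsk).
EXIT_NO_ERRORS = 0            # no errors found
EXIT_ERRORS_FIXED = 1         # errors found and fixed (a /F run)
EXIT_CLEANUP_OR_NO_F = 2      # cleanup done, or skipped because /F was not given
EXIT_ERRORS_NOT_FIXED = 3     # errors found but not fixed, e.g. a read-only run

NEEDS_F_RE = re.compile(r"Run CHKDSK with the /F option", re.IGNORECASE)
# Phrases a helper asks to see reported back (my own list, matched case-insensitively).
NOTEWORTHY = ("found problems with the file system", "errors found",
              "correcting errors", "recovering lost files", "recovering orphaned file")


def needs_repair(output: str, exit_code: int) -> bool:
    """True when a read-only pass says the volume needs a /F pass."""
    return exit_code in (EXIT_CLEANUP_OR_NO_F, EXIT_ERRORS_NOT_FIXED) \
        or NEEDS_F_RE.search(output) is not None


def noteworthy_lines(output: str) -> List[str]:
    """The lines worth pasting into a reply: what chkdsk found and what it corrected."""
    return [ln.strip() for ln in output.splitlines()
            if any(p in ln.lower() for p in NOTEWORTHY)]


def run_chkdsk(drive: str = "c:", fix: bool = False) -> Tuple[str, int]:
    """Run chkdsk (Windows only). With fix=True the system volume is locked, so chkdsk
    asks whether to schedule the check at next boot; 'Y' on stdin answers that prompt."""
    cmd = ["chkdsk", drive] + (["/F"] if fix else [])
    proc = subprocess.run(cmd, input="Y\n", stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, universal_newlines=True)
    return proc.stdout, proc.returncode


def check_and_schedule(drive: str = "c:") -> Tuple[bool, List[str]]:
    """One iteration of the sequence: read-only check, then schedule /F if needed.
    Returns (repair_scheduled, noteworthy lines). Re-run after each reboot until it
    returns False; a /F pass that never comes up clean is a reason to test the disk itself."""
    output, code = run_chkdsk(drive)
    notes = noteworthy_lines(output)
    if needs_repair(output, code):
        run_chkdsk(drive, fix=True)
        return True, notes
    return False, notes


# Constructed sample outputs, assembled from chkdsk messages quoted in this thread.
SAMPLE_READONLY_OUTPUT = """\
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
Index verification completed.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F option to correct these.
"""
SAMPLE_CLEAN_OUTPUT = """\
CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
Windows has checked the file system and found no problems.
"""

if __name__ == "__main__":
    scheduled, notes = check_and_schedule("c:")
    print("repair scheduled for next boot" if scheduled else "no file system errors reported")
    for note in notes:
        print("  " + note)
```

The read-only run is the one whose findings are reported; the /F run only schedules work for the next boot, so the script does not try to interpret its output.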

#10 elysse

Posted 16 January 2011 - 02:03 AM

Hi Gringo,

Thanks for the instructions.

Here's what chkdsk found the first time:

- (after verifying indexes): CHKDSK is recovering lost files.
- (after Usn Journal verification): CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap. Correcting errors in the Volume Bitmap. Windows found problems with the file system. Run CHKDSK with the /F option to correct these.

After first reboot:

- (after Usn Journal verification): Correcting errors in the Volume Bitmap. Windows found problems with the file system. Run CHKDSK with the /F option to correct these.

After second reboot:

- (after verifying indexes): CHKDSK is recovering lost files. Recovering orphaned file ETILQS~1 (49169) into directory file 26084. Recovering orphaned file etilqs_zLoe9P0F9Hkv9ZyWhkxH (49169) into directory file 26084.
- (after Usn Journal verification): Correcting errors in the master file table's (MFT) BITMAP attribute. Correcting errors in the Volume Bitmap. Windows found problems with the file system. Run CHKDSK with the /F option to correct these.

Rebooted a third time and chkdsk had the same findings as the second reboot.

Rebooted a fourth time, same findings as the first reboot.

After fifth reboot:

- (after verifying indexes): CHKDSK is recovering lost files. Recovering orphaned file FP0000.SPL (58758) into directory file 130980. Recovering orphaned file FP00000.SHD (58904) into directory file 130980.
- (after Usn Journal verification): Correcting errors in the master file table's (MFT) BITMAP attribute. Correcting errors in the Volume Bitmap. Windows found problems with the file system. Run CHKDSK with the /F option to correct these.

Should I keep on rebooting?

#11 gringo_pr

Posted 16 January 2011 - 02:17 AM

try a few more times and then go to this page and download seatools and check the harddrive

http://www.seagate.com/www/en-us/support/downloads/seatools


Gringo

Edited by gringo_pr, 16 January 2011 - 02:21 AM.


#12 elysse

Posted 16 January 2011 - 09:13 AM

Hello,

Here's what happened after sixth reboot:
Correcting errors in the Volume Bitmap. Windows found problems with the file system. Run CHKDSK with the /F option to correct these.

After seventh and eighth reboots:
CHKDSK is verifying indexes (stage 2 of 3)...
Deleting index entry background_gradient[1] in index $130 of file 14709.
(there were several other similar entries)
Index verification completed.
Errors found. CHKDSK cannot continue in read-only mode.

I then ran SeaTools.
PATA-SATA passed SMART test, short DST, long DST, short Generic and long Generic.

Thanks!

#13 elysse

Posted 19 January 2011 - 07:41 AM

Hi there
Is this new post equivalent to a "bump"?
Not to rush but since it says to bump in your tag, here I am :)

#14 gringo_pr

Posted 19 January 2011 - 12:54 PM

Hello

sorry for the delay - I have been going over the reports and I still don't think it is malware but I am going to give it a good check-up anyway

I want to start by doing an updated combofix run - remember to shut down the AV

update combofix

I would like you to download an updated version of combofix.

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Gringo

#15 elysse

Posted 21 January 2011 - 01:39 AM

Hello Gringo,

Thanks for your reply.

This popup came up when I tried to run ComboFix:

NirCmd.cfxxe - Entry Point Not Found

The procedure entry point_except_handler4_common could not be located in the dynamic link library msvcrt.dll.

I just clicked OK and let ComboFix run.

Log file attached, thanks!


ComboFix 11-01-19.03 - Lawrence 01/20/2011 20:19:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1314 [GMT 8:00]
Running from: c:\documents and settings\Lawrence\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))
.

2011-01-16 08:51 . 2011-01-16 08:51 -------- d-----w- c:\program files\Seagate
2011-01-15 14:26 . 2011-01-15 14:26 -------- d-----w- c:\windows.0\system32\xircom
2011-01-15 14:26 . 2011-01-15 14:26 -------- d-----w- c:\windows.0\system32\wbem\snmp
2011-01-15 14:26 . 2011-01-15 14:26 -------- d-----w- c:\program files\microsoft frontpage
2010-12-28 21:39 . 2010-07-16 06:59 656320 ----a-w- c:\windows.0\system32\drivers\pctEFA.sys
2010-12-28 21:39 . 2010-07-16 06:59 338880 ----a-w- c:\windows.0\system32\drivers\pctDS.sys
2010-12-28 21:39 . 2010-11-17 02:19 249616 ----a-w- c:\windows.0\system32\drivers\pctgntdi.sys
2010-12-28 21:39 . 2010-11-25 02:53 160448 ----a-w- c:\windows.0\system32\drivers\PCTAppEvent.sys
2010-12-28 21:39 . 2010-11-25 02:43 239168 ----a-w- c:\windows.0\system32\drivers\PCTCore.sys
2010-12-28 21:39 . 2010-11-25 02:42 70536 ----a-w- c:\windows.0\system32\drivers\pctplsg.sys
2010-12-28 21:38 . 2011-01-15 13:32 -------- d-----w- c:\program files\PC Tools Security
2010-12-28 21:38 . 2010-12-28 21:39 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-28 21:38 . 2010-12-28 21:38 -------- d-----w- c:\documents and settings\Lawrence\Application Data\PC Tools
2010-12-28 21:38 . 2010-12-28 21:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\PC Tools
2010-12-28 21:37 . 2010-12-28 21:37 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-12-28 21:37 . 2010-12-28 21:37 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2010-12-28 21:37 . 2010-12-28 21:37 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-28 21:32 . 2010-12-28 21:32 119808 ----a-w- c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
2010-12-28 21:32 . 2010-12-28 21:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-31 20:06 . 2010-11-27 07:54 38848 ----a-w- c:\windows.0\avastSS.scr
2010-12-31 20:06 . 2009-10-27 13:59 188216 ----a-w- c:\windows.0\system32\aswBoot.exe
2010-12-31 20:00 . 2009-10-27 13:59 293968 ----a-w- c:\windows.0\system32\drivers\aswSP.sys
2010-12-31 19:59 . 2009-10-27 13:59 47440 ----a-w- c:\windows.0\system32\drivers\aswTdi.sys
2010-12-31 19:59 . 2009-10-27 13:59 100176 ----a-w- c:\windows.0\system32\drivers\aswmon2.sys
2010-12-31 19:59 . 2009-10-27 13:59 94544 ----a-w- c:\windows.0\system32\drivers\aswmon.sys
2010-12-31 19:56 . 2009-10-27 14:00 23632 ----a-w- c:\windows.0\system32\drivers\aswRdr.sys
2010-12-31 19:56 . 2009-10-27 13:59 29264 ----a-w- c:\windows.0\system32\drivers\aavmker4.sys
2010-12-31 19:56 . 2009-10-27 13:59 17744 ----a-w- c:\windows.0\system32\drivers\aswFsBlk.sys
2010-12-20 10:09 . 2009-10-28 00:43 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2010-12-20 10:08 . 2009-10-28 00:43 20952 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2010-12-28 21:32 . 2010-12-28 21:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-05-03 09:06 163328 --sh--r- c:\windows.0\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows.0\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows.0\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2008-11-18 . 4C51D5275AE8A16999EDFE7E647D00DE . 576384 . . [5.1.2600.5712] . . c:\windows.0\system32\drivers\ntfs.sys

[-] 2009-05-20 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows.0\system32\drivers\tcpip.sys

[-] 2009-05-20 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows.0\system32\rpcss.dll

[-] 2009-05-20 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows.0\system32\services.exe

[-] 2009-05-20 08:28 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows.0\system32\es.dll

[-] 2009-05-20 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows.0\system32\kernel32.dll

[-] 2009-05-20 . 06B8485FB1DA9A552B10AB978CD1AC85 . 343040 . . [7.0.2600.5701] . . c:\windows.0\system32\msvcrt.dll
[-] 2008-10-29 . A4C4A54FD7E31179CB5BDF7896DF3DF7 . 343040 . . [7.0.2600.5701] . . c:\windows.0\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5701_x-ww_40d12c25\msvcrt.dll
[7] 2004-08-04 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows.0\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll

[-] 2009-05-20 . 290C1A30DEFC723BBE10910AC2D6F6D0 . 245248 . . [5.1.2600.5649] . . c:\windows.0\system32\mswsock.dll

[-] 2009-05-20 . 06CF9EEDB7E827205C6948C9DAF56974 . 407040 . . [5.1.2600.5582] . . c:\windows.0\system32\netlogon.dll

[-] 2009-05-20 . E2B32B10ACC5D97623275AAFB67E5F03 . 249856 . . [5.1.2600.5654] . . c:\windows.0\system32\tapisrv.dll

[-] 2009-05-20 . 2BB75B7F548D82A099125D0C5971DE7D . 1033728 . . [6.00.2900.5634] . . c:\windows.0\explorer.exe

[-] 2009-05-20 . 0A80305BFB7346ACB49FD5611B675EC5 . 1288192 . . [5.1.2600.5685] . . c:\windows.0\system32\ole32.dll

[-] 2009-05-20 . 37981A741AD7B04258E87129FFE79AB9 . 296448 . . [5.1.2600.5733] . . c:\windows.0\system32\termsrv.dll

[-] 2009-05-20 . 0A878AA66E4DD3E2608192A1ECCD9F8F . 344064 . . [5.1.2600.5589] . . c:\windows.0\system32\hnetcfg.dll

[-] 2009-05-20 08:29 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows.0\system32\mspmsnsv.dll

[-] 2009-05-20 . D2CF91B2C710E9F666E60AFBF87643EE . 1689088 . . [5.03.2600.5601] . . c:\windows.0\system32\d3d9.dll

[-] 2009-05-20 . 9F8A0D0CBB2FA265A754516128C00E22 . 175616 . . [5.1.2600.5635] . . c:\windows.0\system32\w32time.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-01-15_14.27.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 12:54 . 2009-07-11 12:54 65536 c:\windows.0\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 49152 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 49152 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 61440 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 61440 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 61440 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 57344 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 65536 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 45056 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-11 12:32 . 2009-07-11 12:32 40960 c:\windows.0\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-11 11:41 . 2009-07-11 11:41 97280 c:\windows.0\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2011-01-16 23:22 . 2011-01-16 23:22 16384 c:\windows.0\Temp\Perflib_Perfdata_958.dat
+ 2011-01-16 08:51 . 2011-01-16 08:51 11264 c:\windows.0\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
+ 2011-01-17 23:09 . 2011-01-17 23:09 628224 c:\windows.0\Installer\1a7f4.msi
+ 2011-01-16 08:51 . 2011-01-16 08:51 454656 c:\windows.0\Installer\11a609.msi
+ 2011-01-16 08:50 . 2011-01-16 08:50 424960 c:\windows.0\Installer\11a605.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 68856]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"FreeCall"="c:\program files\FreeCall.com\FreeCall\FreeCall.exe" [2011-01-17 13124912]
"Google Update"="c:\documents and settings\Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2007-03-22 8425472]
"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2007-03-22 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-31 148888]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-20 377232]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-12-31 3395600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-12-28 30192]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-28 274608]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 06:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows.0\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-23 10:05 143360 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-05-04 02:59 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-03-22 02:50 8425472 ----a-w- c:\windows.0\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-03-22 02:50 81920 ----a-w- c:\windows.0\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-07-08 16:03 1657376 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\SmartVoip.com\\SmartVoip\\SmartVoip.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\pfingoTALK\\pfingoTALK\\pfingoTALK.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Users\\Lawrence\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 PCTCore;PCTools KDS;c:\windows.0\system32\drivers\PCTCore.sys [12/29/2010 5:39 AM 239168]
R0 pctDS;PC Tools Data Store;c:\windows.0\system32\drivers\pctDS.sys [12/29/2010 5:39 AM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows.0\system32\drivers\pctEFA.sys [12/29/2010 5:39 AM 656320]
R1 aswSP;aswSP;c:\windows.0\system32\drivers\aswSP.sys [10/27/2009 9:59 PM 293968]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [10/27/2009 9:59 PM 17744]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 10:09 AM 188736]
R2 nlsX86cc;NLS Service;c:\windows.0\system32\NLSSRV32.EXE [12/16/2009 10:11 AM 65856]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows.0\system32\drivers\RTL8187.sys [1/1/2000 7:51 PM 194304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/2/2009 5:38 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/13/2007 3:00 PM 30192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [12/29/2010 5:39 AM 366840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-11 c:\windows.0\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2011-01-20 c:\windows.0\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-13 21:32]

2011-01-20 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 09:38]

2011-01-20 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 09:38]

2011-01-16 c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1303643608-1801674531-1003Core.job
- c:\documents and settings\Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 01:48]

2011-01-20 c:\windows.0\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-1303643608-1801674531-1003UA.job
- c:\documents and settings\Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-25 01:48]

2011-01-20 c:\windows.0\Tasks\RealUpgradeLogonTaskS-1-5-21-2052111302-1303643608-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33]

2011-01-20 c:\windows.0\Tasks\RealUpgradeScheduledTaskS-1-5-21-2052111302-1303643608-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 03:33]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows.0\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {2CE5ABBC-EFD3-482A-8CCC-550B45E3A770} = 218.102.62.71 203.198.23.208
FF - ProfilePath - c:\documents and settings\Lawrence\Application Data\Mozilla\Firefox\Profiles\kv6mwuqq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users.WINDOWS.0\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-20 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows.0\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1924)
c:\windows.0\system32\WININET.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\msi.dll
c:\windows.0\system32\webcheck.dll
c:\windows.0\system32\WPDShServiceObj.dll
c:\windows.0\system32\PortableDeviceTypes.dll
c:\windows.0\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-20 20:47:23
ComboFix-quarantined-files.txt 2011-01-20 12:47
ComboFix2.txt 2011-01-15 14:44

Pre-Run: 242,594,521,088 bytes free
Post-Run: 242,584,395,776 bytes free

- - End Of File - - 04A772B758173A35C146601675175EE0

Attached Files

  • Attached File  log.txt   19.24KB   1 downloads

Edited by gringo_pr, 21 January 2011 - 01:52 AM.




