
Alureon.A... is it gone?


  • This topic is locked
31 replies to this topic

#1 ministe2003

  • Members
  • 22 posts

Posted 03 February 2011 - 03:48 PM

Hi Everyone at Bleeping Computer.
My cousin has passed her netbook to me asking me to fix it. Her son has been using it (he's 10) and their antivirus expired, was never updated and the netbook ground to a halt.

I've built computers, fixed loads of family and friends' computers which have had malware problems, and would consider myself pretty good at it. I'll also point out I'm a programmer, so I'm pretty experienced with all things computery!

However, I'm struggling with this. I've run Microsoft Security Essentials and Super Anti Spyware, removed some obvious anomalies using HijackThis with some help from hijackthis.de, and I thought I had everything clean, but at this point I went to do some cleaning and upgrading and found I couldn't open this website or Microsoft Updates. I did some googling on my own PC and found a thread on this forum where someone was having the same problem (couldn't open this site or MS Updates) and was advised to run ComboFix. I'd never heard of it before (and have since read on here not to use it unless told to, sorry!!) but I ran it and, RESULT! I could get on all websites :D

Once again I thought I'd sorted everything, but still I'm having a couple of strange issues. Some programs don't open properly, for example Add/Remove Programs, and I've had to uninstall things using CCleaner. The window opens but never loads. If I close it and reopen it once or twice, it does eventually work, but I'm suspicious as to why it's not working. Plus, ComboFix is telling me that winlogon and explorer are both infected but I can't find any other scanners that will detect or remove whatever infection it is supposedly finding.

So here I am, posting this thread on the supposedly infected laptop. I don't know whether it has an infection or not anymore and my expertise is exhausted, so I turn to you for help! Here are my logs as instructed.

Thanks in advance.
Steven

FYI Microsoft Security Essentials has found and supposedly removed the following over the last few days:
Alureon.A ---> it told me it couldn't fix it, yet the history page tells me it was removed, so I don't know what to believe!!
Bamital.H
Ramnit.B
FakeCog
Obfuscator.AG
PornPop.A

DDS (Ver_10-12-12.02) - NTFSx86
Run by Callum Dowd at 20:00:32.64 on 03/02/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.366 [GMT 0:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\WINDOWS\RTHDCPL.EXE
svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Callum Dowd\Local Settings\Temporary Internet Files\Content.IE5\HLUN0J71\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PersistenceThread] c:\windows\system32\PersistenceThread.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-system: rnlwupsylbfqwuwpubevTaskMgr = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296427235859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsla07387b6;MpKsla07387b6;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{71f509af-8bbd-4579-9b9f-3402ae4cfc79}\MpKsla07387b6.sys [2011-2-3 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-4-15 237568]
R2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2010-7-17 56352]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-4-15 5095360]
S1 eezzjrqu;eezzjrqu;\??\c:\windows\system32\drivers\eezzjrqu.sys --> c:\windows\system32\drivers\eezzjrqu.sys [?]
S1 ejukydqc;ejukydqc;\??\c:\windows\system32\drivers\ejukydqc.sys --> c:\windows\system32\drivers\ejukydqc.sys [?]
S1 feolxqft;feolxqft;\??\c:\windows\system32\drivers\feolxqft.sys --> c:\windows\system32\drivers\feolxqft.sys [?]
S1 jqkmalpr;jqkmalpr;\??\c:\windows\system32\drivers\jqkmalpr.sys --> c:\windows\system32\drivers\jqkmalpr.sys [?]
S1 pdhxkaci;pdhxkaci;\??\c:\windows\system32\drivers\pdhxkaci.sys --> c:\windows\system32\drivers\pdhxkaci.sys [?]
S1 tpwfyykn;tpwfyykn;\??\c:\windows\system32\drivers\tpwfyykn.sys --> c:\windows\system32\drivers\tpwfyykn.sys [?]
S1 wiaoprul;wiaoprul;\??\c:\windows\system32\drivers\wiaoprul.sys --> c:\windows\system32\drivers\wiaoprul.sys [?]
S2 0170281261755827mcinstcleanup;McAfee Application Installer Cleanup (0170281261755827);c:\windows\temp\017028~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017028~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-15 1684736]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2009-4-15 62592]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2009-4-15 105984]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2009-4-15 8064]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-02-03 19:28:12 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{71f509af-8bbd-4579-9b9f-3402ae4cfc79}\MpKsla07387b6.sys
2011-02-02 19:55:06 98816 ----a-w- c:\windows\sed.exe
2011-02-02 19:55:06 89088 ----a-w- c:\windows\MBR.exe
2011-02-02 19:55:06 256512 ----a-w- c:\windows\PEV.exe
2011-02-02 19:55:06 161792 ----a-w- c:\windows\SWREG.exe
2011-02-02 19:54:56 -------- d-----w- C:\commy
2011-02-02 18:43:09 5890896 ------w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{71f509af-8bbd-4579-9b9f-3402ae4cfc79}\mpengine.dll
2011-02-01 23:24:46 -------- d-----w- c:\docume~1\callum~1\applic~1\Malwarebytes
2011-02-01 23:24:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 23:24:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-01 23:24:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 23:24:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-01 20:14:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-01 19:38:31 -------- d-----w- c:\docume~1\callum~1\applic~1\GlarySoft
2011-02-01 19:21:20 -------- d-----w- c:\program files\Glary Utilities
2011-01-31 23:12:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-31 23:12:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 22:28:57 -------- d-sh--w- c:\documents and settings\callum dowd\PrivacIE
2011-01-31 22:27:45 -------- d-----w- c:\docume~1\callum~1\applic~1\SUPERAntiSpyware.com
2011-01-31 19:30:22 -------- d-----w- c:\windows\system32\XPSViewer
2011-01-31 19:29:04 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-01-31 19:28:45 117760 ------w- c:\windows\system32\prntvpt.dll
2011-01-31 19:28:44 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-01-31 19:28:44 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-01-31 19:28:44 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-01-31 19:28:44 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-01-31 19:28:44 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-01-31 19:28:43 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-01-31 19:28:43 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-01-31 19:28:41 -------- d-----w- C:\36b77ed5c5b4dd9234b71688886c61
2011-01-31 19:19:58 -------- d-----w- c:\windows\system32\URTTEMP
2011-01-31 18:51:36 -------- d-----w- c:\program files\Windows Media Connect 2
2011-01-31 18:46:03 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-31 18:20:23 -------- d-----w- c:\windows\SxsCaPendDel
2011-01-31 07:44:37 -------- d-----w- C:\eb6959bc9b3cf6e3eff24e66
2011-01-31 07:44:32 -------- d-----w- C:\95a4fc25495908687ecbc22eb1c7
2011-01-31 03:50:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-01-31 03:50:23 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-01-31 00:40:41 -------- d-----w- c:\windows\ie8updates
2011-01-31 00:25:54 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-01-31 00:24:37 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-31 00:24:36 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-31 00:24:36 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-31 00:24:36 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-31 00:24:33 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-31 00:24:32 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-31 00:24:28 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-30 23:52:54 -------- d-----w- c:\windows\system32\PreInstall
2011-01-30 23:20:26 -------- d-sha-r- C:\cmdcons
2011-01-30 22:12:11 -------- d-sh--w- c:\documents and settings\callum dowd\IECompatCache
2011-01-30 22:10:38 -------- d-sh--w- c:\documents and settings\callum dowd\IETldCache
2011-01-30 21:44:35 -------- d-----w- c:\windows\Downloaded Installations
2011-01-30 21:00:29 -------- dc-h--w- c:\windows\ie8
2011-01-30 15:59:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-30 15:58:04 5890896 ------w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-01-30 15:49:31 -------- d--h--w- c:\windows\PIF
2011-01-29 20:16:39 507904 ----a-w- c:\windows\system32\winlogon.exe
2011-01-29 20:04:26 790 ----a-w- c:\windows\system32\drivers\knkaeaak.dat
2011-01-29 20:04:25 790 ----a-w- c:\windows\system32\drivers\jahjritc.dat
2011-01-29 20:03:51 790 ----a-w- c:\windows\system32\drivers\xvbdfhsq.dat
2011-01-29 19:52:45 790 ----a-w- c:\windows\system32\drivers\dytzdyrk.dat
2011-01-29 19:33:09 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-29 19:28:45 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-29 17:00:11 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-01-29 16:57:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-01-27 16:53:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2011-01-29 20:03:48 1033728 ----a-w- c:\windows\explorer.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

============= FINISH: 20:07:20.37 ===============
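The DDS report above lists several S1 (system-start) drivers with random eight-letter names whose image files were not found ("--> ... [?]"), and a policies\system value with a junk prefix ending in TaskMgr. As an added example that is not part of this thread or of the DDS tool, the Python script below parses those two line formats and flags such entries; the state/start-type reading of the "R1"/"S1" prefix, the scoring rules and the sample lines are assumptions constructed from the report.

```python
"""Triage DDS-style 'SERVICES / DRIVERS' and 'uPolicies-system' lines.

Added example for this thread; not part of the DDS tool or the forum post.
Assumption (matches how DDS prints the SCM data): the leading letter is the
service state (R = running, S = stopped) and the digit is the start type
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled); a trailing '[?]' means DDS
could not find the image file on disk.  The scoring rules are heuristics.
"""
import re
from typing import Dict, List, Optional

# One 'R1 name;display;path [date size]' or '... --> path [?]' line.
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# One 'uPolicies-system: ValueName = data' line.
POLICY_RE = re.compile(r"^uPolicies-system:\s*(\S+)\s*=\s*(\S+)")

# Constructed sample: lines copied from the report above plus known-good
# entries for contrast.  Raw string so the backslashes stay as printed.
SAMPLE_LOG = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 eezzjrqu;eezzjrqu;\??\c:\windows\system32\drivers\eezzjrqu.sys --> c:\windows\system32\drivers\eezzjrqu.sys [?]
S1 ejukydqc;ejukydqc;\??\c:\windows\system32\drivers\ejukydqc.sys --> c:\windows\system32\drivers\ejukydqc.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-15 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
uPolicies-system: rnlwupsylbfqwuwpubevTaskMgr = 0 (0x0)
"""


def looks_random(name: str) -> bool:
    """Shape heuristic only: eight lowercase letters, like the S1 drivers above."""
    return len(name) == 8 and name.isalpha() and name.islower()


def triage_line(line: str) -> Optional[Dict]:
    """Return a finding dict for one log line, or None if nothing stands out."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        _state, start, name, display, rest = m.groups()
        start_type = int(start)
        missing = rest.endswith("[?]")
        reasons: List[str] = []
        if missing and start_type <= 1:
            # A boot/system-start kernel driver with no file on disk is the
            # entry to chase first; legitimate drivers are rarely listed this way.
            reasons.append("boot/system-start driver whose file was not found")
        elif missing:
            reasons.append("file not found at scan time (often a path-case or leftover entry)")
        if looks_random(name) and name == display:
            reasons.append("random-looking 8-letter name reused as display name")
        if not reasons:
            return None
        severity = "high" if (missing and start_type <= 1) else "low"
        return {"kind": "service", "name": name, "start_type": start_type,
                "severity": severity, "reasons": reasons}
    m = POLICY_RE.match(line)
    if m:
        value, _data = m.groups()
        # Windows defines DisableTaskMgr under policies\system; a value that
        # merely ends in 'TaskMgr' behind an unrelated prefix is not one Windows uses.
        if value.endswith("TaskMgr") and value != "DisableTaskMgr":
            return {"kind": "policy", "name": value, "severity": "high",
                    "reasons": ["unrecognised policies\\system value shaped like DisableTaskMgr"]}
    return None


def triage(log_text: str) -> List[Dict]:
    """Run triage_line over a whole report and keep only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['severity']:4}] {finding['kind']:7} {finding['name']}: "
              + "; ".join(finding["reasons"]))
```

Run against the sample, the two S1 drivers and the TaskMgr policy come out high, the Realtek card-reader entry (missing only because of a path-case mismatch) comes out low, and the Microsoft and SUPERAntiSpyware drivers are not reported.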

#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 05 February 2011 - 08:06 PM

Please post the ComboFix Log(s)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 ministe2003

  • Topic Starter
  • Members
  • 22 posts

Posted 06 February 2011 - 11:36 AM

ComboFix 11-01-31.02 - Callum Dowd 02/02/2011 20:23:55.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.485 [GMT 0:00]
Running from: c:\documents and settings\Callum Dowd\My Documents\commy.exe
Command switches used :: c:\documents and settings\Callum Dowd\My Documents\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-01-02 to 2011-02-02 )))))))))))))))))))))))))))))))
.

2011-02-02 20:32 . 2011-02-02 20:32 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71F509AF-8BBD-4579-9B9F-3402AE4CFC79}\MpKsl8a473fd1.sys
2011-02-02 19:54 . 2011-02-02 20:07 -------- d-----w- C:\commy
2011-02-02 18:43 . 2011-01-20 10:39 5890896 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71F509AF-8BBD-4579-9B9F-3402AE4CFC79}\mpengine.dll
2011-02-01 23:24 . 2011-02-01 23:24 -------- d-----w- c:\documents and settings\Callum Dowd\Application Data\Malwarebytes
2011-02-01 23:24 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 23:24 . 2011-02-01 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-01 23:24 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 23:24 . 2011-02-01 23:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-01 20:14 . 2011-02-01 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-01 19:38 . 2011-02-01 19:38 -------- d-----w- c:\documents and settings\Callum Dowd\Application Data\GlarySoft
2011-02-01 19:21 . 2011-02-01 19:21 -------- d-----w- c:\program files\Glary Utilities
2011-01-31 23:12 . 2011-01-31 23:12 -------- d-----w- c:\windows\Sun
2011-01-31 23:12 . 2011-01-31 23:12 -------- d-----w- c:\program files\Common Files\Java
2011-01-31 23:12 . 2011-01-31 23:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-31 23:12 . 2011-01-31 23:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 23:11 . 2011-01-31 23:11 -------- d-----w- c:\program files\Java
2011-01-31 22:28 . 2011-01-31 22:28 -------- d-sh--w- c:\documents and settings\Callum Dowd\PrivacIE
2011-01-31 22:27 . 2011-01-31 22:27 -------- d-----w- c:\documents and settings\Callum Dowd\Application Data\SUPERAntiSpyware.com
2011-01-31 22:19 . 2011-01-31 22:19 -------- d-----w- c:\documents and settings\Jake.CALLUM\Application Data\SUPERAntiSpyware.com
2011-01-31 22:12 . 2011-01-31 22:12 -------- d-----w- c:\documents and settings\Paul.CALLUM\Application Data\SUPERAntiSpyware.com
2011-01-31 21:22 . 2011-01-31 21:54 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\ApplicationHistory
2011-01-31 19:30 . 2011-01-31 19:30 -------- d-----w- c:\windows\system32\XPSViewer
2011-01-31 19:30 . 2011-01-31 19:30 -------- d-----w- c:\program files\MSBuild
2011-01-31 19:29 . 2011-01-31 19:29 -------- d-----w- c:\program files\Reference Assemblies
2011-01-31 19:29 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-01-31 19:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-01-31 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-01-31 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-01-31 19:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-01-31 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-01-31 19:28 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-01-31 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-01-31 19:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-01-31 19:28 . 2011-01-31 19:29 -------- d-----w- C:\36b77ed5c5b4dd9234b71688886c61
2011-01-31 19:19 . 2011-01-31 19:19 -------- d-----w- c:\windows\system32\URTTEMP
2011-01-31 19:02 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-01-31 18:55 . 2011-01-31 20:54 -------- d-----w- c:\program files\Microsoft Silverlight
2011-01-31 18:51 . 2011-01-31 18:51 -------- d-----w- c:\program files\Windows Media Connect 2
2011-01-31 18:47 . 2011-01-31 18:48 -------- d-----w- c:\windows\system32\drivers\UMDF
2011-01-31 18:46 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-31 18:20 . 2011-01-31 18:22 -------- d-----w- c:\windows\SxsCaPendDel
2011-01-31 07:44 . 2011-01-31 07:44 -------- d-----w- C:\eb6959bc9b3cf6e3eff24e66
2011-01-31 07:44 . 2011-01-31 07:50 -------- d-----w- C:\95a4fc25495908687ecbc22eb1c7
2011-01-31 03:50 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-01-31 00:25 . 2011-01-31 00:25 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-01-31 00:24 . 2010-11-06 00:26 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-31 00:24 . 2010-11-06 00:26 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-31 00:24 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-31 00:24 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-31 00:24 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-31 00:24 . 2010-11-06 00:26 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-31 00:24 . 2010-11-06 00:26 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-30 23:02 . 2011-01-30 23:02 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\ElevatedDiagnostics
2011-01-30 22:12 . 2011-01-30 22:12 -------- d-sh--w- c:\documents and settings\Callum Dowd\IECompatCache
2011-01-30 22:10 . 2011-01-30 22:10 -------- d-sh--w- c:\documents and settings\Callum Dowd\IETldCache
2011-01-30 22:07 . 2011-01-30 22:07 -------- d-sh--w- c:\documents and settings\Jake.CALLUM\IECompatCache
2011-01-30 22:07 . 2011-01-30 22:07 -------- d-sh--w- c:\documents and settings\Jake.CALLUM\PrivacIE
2011-01-30 22:06 . 2011-01-30 22:06 -------- d-sh--w- c:\documents and settings\Jake.CALLUM\IETldCache
2011-01-30 22:03 . 2011-01-30 22:03 -------- d-sh--w- c:\documents and settings\Paul.CALLUM\IECompatCache
2011-01-30 22:03 . 2011-01-30 22:03 -------- d-sh--w- c:\documents and settings\Paul.CALLUM\PrivacIE
2011-01-30 22:02 . 2011-01-30 22:02 -------- d-sh--w- c:\documents and settings\Paul.CALLUM\IETldCache
2011-01-30 21:44 . 2011-01-30 21:44 -------- d-----w- c:\windows\Downloaded Installations
2011-01-30 21:22 . 2011-01-30 21:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-01-30 21:17 . 2011-01-30 21:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-01-30 21:16 . 2011-01-30 21:17 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\Deployment
2011-01-30 21:06 . 2011-01-30 21:06 -------- d-sh--w- c:\documents and settings\Suzanne Dowd.CALLUM\IECompatCache
2011-01-30 21:06 . 2011-01-30 21:06 -------- d-sh--w- c:\documents and settings\Suzanne Dowd.CALLUM\PrivacIE
2011-01-30 21:00 . 2011-01-30 21:02 -------- dc-h--w- c:\windows\ie8
2011-01-30 20:44 . 2011-01-30 20:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-30 20:41 . 2011-01-30 20:41 -------- d-sh--w- c:\documents and settings\Suzanne Dowd.CALLUM\IETldCache
2011-01-30 20:24 . 2011-01-30 20:24 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\GlarySoft
2011-01-30 15:59 . 2011-01-30 15:59 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\SUPERAntiSpyware.com
2011-01-30 15:59 . 2011-02-01 20:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-30 15:58 . 2011-01-20 10:39 5890896 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-30 15:49 . 2011-01-30 15:49 -------- d--h--w- c:\windows\PIF
2011-01-30 15:39 . 2011-01-30 15:39 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\PCHealth
2011-01-30 15:38 . 2011-01-30 15:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-01-30 15:07 . 2011-01-30 21:19 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\Temp
2011-01-30 14:23 . 2011-02-02 00:01 -------- d-----w- c:\documents and settings\Administrator
2011-01-29 20:16 . 2011-01-29 20:03 507904 ----a-w- c:\windows\system32\winlogon.exe
2011-01-29 20:04 . 2011-01-29 20:04 790 ----a-w- c:\windows\system32\drivers\knkaeaak.dat
2011-01-29 20:04 . 2011-01-29 20:04 790 ----a-w- c:\windows\system32\drivers\jahjritc.dat
2011-01-29 20:03 . 2011-01-29 20:03 790 ----a-w- c:\windows\system32\drivers\xvbdfhsq.dat
2011-01-29 19:52 . 2011-01-29 19:52 790 ----a-w- c:\windows\system32\drivers\dytzdyrk.dat
2011-01-29 19:33 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-29 19:28 . 2011-01-29 19:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-29 17:15 . 2011-01-29 17:15 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\AVG10
2011-01-29 17:00 . 2011-01-29 17:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-01-29 16:57 . 2011-01-30 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-27 16:59 . 2011-01-27 17:00 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\myfreezetoolbar
2011-01-27 16:53 . 2011-01-29 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-29 20:03 . 2009-04-15 23:32 1033728 ----a-w- c:\windows\explorer.exe
2010-11-18 18:12 . 2009-04-15 14:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2009-04-15 23:32 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2009-04-15 23:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2009-04-15 23:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2009-04-15 23:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
.

------- Sigcheck -------

[-] 2011-01-29 . 3127006A8E2D6CFEACBAB38D2ADD2449 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2011-01-29 . B4F4369FD47354807F2F83CA54D6F335 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-02-02_20.04.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-02 20:31 . 2011-02-02 20:31 16384 c:\windows\temp\Perflib_Perfdata_628.dat
- 2011-02-02 18:31 . 2011-02-02 18:31 16384 c:\windows\temp\Perflib_Perfdata_628.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-28 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-28 348160]
"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2009-03-28 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-24 17567744]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-27 1434920]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2008-11-03 196608]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-20 817672]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-4-15 565248]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"rnlwupsylbfqwuwpubevTaskMgr"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 MpKsl8a473fd1;MpKsl8a473fd1;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{71F509AF-8BBD-4579-9B9F-3402AE4CFC79}\MpKsl8a473fd1.sys [02/02/2011 20:32 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [15/04/2009 17:02 237568]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [17/07/2010 14:47 56352]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [15/04/2009 15:53 5095360]
S1 eezzjrqu;eezzjrqu;\??\c:\windows\system32\drivers\eezzjrqu.sys --> c:\windows\system32\drivers\eezzjrqu.sys [?]
S1 ejukydqc;ejukydqc;\??\c:\windows\system32\drivers\ejukydqc.sys --> c:\windows\system32\drivers\ejukydqc.sys [?]
S1 feolxqft;feolxqft;\??\c:\windows\system32\drivers\feolxqft.sys --> c:\windows\system32\drivers\feolxqft.sys [?]
S1 jqkmalpr;jqkmalpr;\??\c:\windows\system32\drivers\jqkmalpr.sys --> c:\windows\system32\drivers\jqkmalpr.sys [?]
S1 pdhxkaci;pdhxkaci;\??\c:\windows\system32\drivers\pdhxkaci.sys --> c:\windows\system32\drivers\pdhxkaci.sys [?]
S1 tpwfyykn;tpwfyykn;\??\c:\windows\system32\drivers\tpwfyykn.sys --> c:\windows\system32\drivers\tpwfyykn.sys [?]
S1 wiaoprul;wiaoprul;\??\c:\windows\system32\drivers\wiaoprul.sys --> c:\windows\system32\drivers\wiaoprul.sys [?]
S2 0170281261755827mcinstcleanup;McAfee Application Installer Cleanup (0170281261755827);c:\windows\TEMP\017028~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\017028~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/04/2009 15:56 1684736]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [15/04/2009 23:33 62592]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [15/04/2009 23:33 105984]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [15/04/2009 23:33 8064]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPKSL8A473FD1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-02 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-01 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2060)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2011-02-02 20:37:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-02 20:37
ComboFix2.txt 2011-02-02 20:07

Pre-Run: 135,102,836,736 bytes free
Post-Run: 135,084,331,008 bytes free

- - End Of File - - F96FCA366FD1529E3CEC408FE516C297


There are some very suspicious file names in the Drivers folder if you ask me!

Edited by ministe2003, 06 February 2011 - 11:38 AM.
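
As an added example (my own code, not from the thread, from ComboFix or from any tool named in it), the Python script below applies the heuristics a malware responder would use on the driver and policy lines of a ComboFix log such as the one above: an eight-letter lowercase service name reused as the display name, a boot/system start type, and an image file ComboFix could not read (the trailing "[?]"), plus a policies\system value that ends like a real policy name (DisableTaskMgr) but is not one. The sample lines are copied from the log above; the set of known policy value names and the scoring rules are my assumptions, and the eight-letter pattern is a heuristic, not a definition of this malware family.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input: service/driver lines and one policy value copied
# from the ComboFix log posted above, plus one made-up legitimate policy value.
SAMPLE_SERVICE_LINES = [
    r"R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]",
    r"S1 eezzjrqu;eezzjrqu;\??\c:\windows\system32\drivers\eezzjrqu.sys --> c:\windows\system32\drivers\eezzjrqu.sys [?]",
    r"S1 wiaoprul;wiaoprul;\??\c:\windows\system32\drivers\wiaoprul.sys --> c:\windows\system32\drivers\wiaoprul.sys [?]",
    r"S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/04/2009 15:56 1684736]",
    r"S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]",
]
SAMPLE_POLICY_LINES = [
    r'"rnlwupsylbfqwuwpubevTaskMgr"= 0 (0x0)',
    r'"DisableTaskMgr"= 1 (0x1)',  # constructed: what a genuine policy value looks like
]

# ComboFix service line: <R|S><start type> <name>;<display name>;<image> [date size]
# or "...;<image> --> <image> [?]" when the file could not be read.
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# Eight lowercase letters and nothing else (heuristic; assumption of this example).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
POLICY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Value names that legitimately live under ...\Policies\System (assumed list).
KNOWN_POLICY_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}


def parse_service_line(line: str) -> Optional[Dict]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start_type, name, display, image = m.groups()
    return {
        "running": state == "R",
        "start_type": int(start_type),  # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        "name": name,
        "display": display,
        "image": image.strip(),
        "unresolved": image.rstrip().endswith("[?]"),  # ComboFix could not stat the file
    }


def assess_driver(line: str) -> Optional[Dict]:
    rec = parse_service_line(line)
    if rec is None:
        return None
    reasons: List[str] = []
    random_name = bool(RANDOM_NAME_RE.match(rec["name"])) and rec["display"] == rec["name"]
    if random_name:
        reasons.append("eight-letter lowercase name reused as display name")
    if rec["start_type"] <= 1:
        reasons.append("boot/system start type (loads before user-mode security tools)")
    if rec["unresolved"]:
        reasons.append("image file could not be read ([?])")
    # An unreadable file or early start alone has benign hits (the Realtek
    # drivers in the same log); the naming pattern is what makes the
    # combination worth a closer look.
    rec["suspicious"] = random_name and (rec["unresolved"] or rec["start_type"] <= 1)
    rec["reasons"] = reasons
    return rec


def assess_policy_value(line: str) -> Optional[Dict]:
    m = POLICY_RE.match(line.strip())
    if not m:
        return None
    name, value = m.groups()
    # Flag a value that ends like a known policy name but is not one of them.
    known_suffixes = {k[len("Disable"):] for k in KNOWN_POLICY_VALUES}
    looks_like_policy = any(name.endswith(s) for s in known_suffixes)
    return {
        "name": name,
        "value": value.strip(),
        "suspicious": looks_like_policy and name not in KNOWN_POLICY_VALUES,
    }


def scan(service_lines: Iterable[str], policy_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return the names of driver entries and policy values that need review."""
    drivers = [r["name"] for r in map(assess_driver, service_lines) if r and r["suspicious"]]
    policies = [r["name"] for r in map(assess_policy_value, policy_lines) if r and r["suspicious"]]
    return {"drivers": drivers, "policy_values": policies}


if __name__ == "__main__":
    for section, names in scan(SAMPLE_SERVICE_LINES, SAMPLE_POLICY_LINES).items():
        print(section, names)
```

Run against the lines above it reports the two random-named S1 drivers and the odd TaskMgr value, and leaves the Realtek entry alone even though its file could not be read either; the point of the scoring is that "file missing" on its own is not evidence of anything.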


#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 06 February 2011 - 01:10 PM

Hi

Do you have access to an installation CD?

winlogon.exe and explorer.exe will need to be replaced in the recovery console, but there are no suitable replacements on the machine.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 ministe2003
  • Topic Starter
  • Members
  • 22 posts

Posted 06 February 2011 - 01:48 PM

I have my own XP disc but it's only SP2, so I'll have hundreds of updates to do. Oh well, needs must.
So what shall I do, just do a repair install?

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 06 February 2011 - 02:38 PM

No,

we just need copies of explorer.exe and winlogon.exe


Please do the following:

Insert your XP Installation disk

then you will need to do the following:

Go to Start > Run type cmd into the open run box and hit enter.

This will open the command prompt window.

Now type the following text exactly as shown at the command prompt (if your CD drive is not D:, change it to the appropriate letter):

expand D:\i386\explorer.ex_ C:\explorer.exe
expand D:\i386\winlogon.ex_ C:\winlogon.exe


(take note of the spaces, especially the space between .ex_ and C:\ - it needs to be there)

Please let me know that the command executed properly - you should see something like "expanded to {xxxxxx} bytes, {xx}% increase"

(if you did not get this message do not continue but report back with the error message)

If you received verification the files expanded successfully please do the following:



Now we need to boot into the recovery console -

Restart your computer

Before Windows loads, you will be prompted to choose which Operating System to start (be fast you only have a couple of seconds)

Use the up and down arrow key to select Microsoft Windows Recovery Console

You must now enter which Windows installation to log onto. (usually 1) Type 1 and press enter.

When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER

A command prompt will open:

At the C:\Windows prompt, type the following, and press Enter:

ren C:\windows\explorer.exe explorer.bad
ren C:\windows\system32\winlogon.exe winlogon.bad
copy C:\explorer.exe C:\windows\explorer.exe
copy C:\winlogon.exe C:\windows\system32\winlogon.exe

take note of the spaces

make sure you get the message that the file(s) were copied successfully.


If you did not get a message that the files were copied successfully you will have to rename explorer.bad & winlogon.bad back to .exe or the computer will not boot.

Once you are done type exit to leave the recovery console and reboot.

Re-run ComboFix - allow it to update if it requests to do so.

Print out these instructions before you start > if you have any questions about this procedure, please ask.


#7 ministe2003
  • Topic Starter
  • Members
  • 22 posts

Posted 06 February 2011 - 02:58 PM

Cheers for that. One thing I've just noticed!! This netbook doesn't have a CD-ROM drive and I don't have (or know anyone who has) a USB one. If I make a bootable flash drive with XP on, will that work?

Thanks for all your help!

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 06 February 2011 - 03:02 PM

Well, that should work, but I'm not certain.

One other thing you might try is to download Service Pack 3 and then extract the files from the service pack - that might be easier:

You'll need to download the Windows XP Service Pack 3 and save it directly to your C:\ drive

Double click the installer and it will begin extracting its files. (Note the folder it extracts to - it will be an alpha-numeric named folder.)

Once fully extracted, leave the setup screen as it is, then browse to the folder the package extracted to.

The files will be in the i386 subfolder of the alpha-numeric folder, and they are compressed.


NEXT

Locate explorer.ex_ > right click the file > copy > then paste it into your C:\ drive.

Now locate winlogon.ex_ and copy it to your C:\ drive as well.

Next, please do the following:

Go to Start > Run, type cmd, click OK.

this will open a command window:

please copy/paste the following into the command window:

expand -r c:\explorer.ex_ c:\
expand -r c:\winlogon.ex_ c:\


now follow the instructions for replacing the files in the recovery console as above

then run ComboFix one more time.


#9 ministe2003
  • Topic Starter
  • Members
  • 22 posts

Posted 06 February 2011 - 03:29 PM

Good idea with the SP3 thing. When I choose Microsoft Windows Recovery Console, though, I just get a black screen with a message saying

A disc read error occurred
Press Ctrl+Alt+Del to restart.

So how can I get into a position where I can replace the two exe files?

Thanks!

FOLLOW UP:

I just booted into Safe Mode with Command Prompt and ran the instructions above, got no errors, so I'm running ComboFix now (just updated); will let you know the results.

Ta

Edited by ministe2003, 06 February 2011 - 03:44 PM.


#10 ministe2003
  • Topic Starter
  • Members
  • 22 posts

Posted 06 February 2011 - 04:03 PM

Looks good:

ComboFix 11-02-05.01 - Callum Dowd 06/02/2011 20:47:14.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.507 [GMT 0:00]
Running from: c:\documents and settings\Callum Dowd\Desktop\commy.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe
C:\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-06 20:37 . 2008-04-14 05:42 507904 ----a-w- c:\windows\system32\winlogon.exe
2011-02-06 20:37 . 2008-04-14 05:42 1033728 ----a-w- c:\windows\explorer.exe
2011-02-06 20:19 . 2011-02-06 20:20 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-02-06 20:17 . 2011-02-06 20:19 -------- d-----w- C:\35a3533f5316693423c7abf99643
2011-02-06 20:00 . 2011-02-06 20:00 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{30650081-27D8-444F-AB00-61747F6E2BF2}\MpKsl20fe588d.sys
2011-02-06 16:56 . 2011-02-06 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-06 16:56 . 2011-02-06 16:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-06 16:42 . 2011-01-20 10:39 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{30650081-27D8-444F-AB00-61747F6E2BF2}\mpengine.dll
2011-02-02 19:54 . 2011-02-02 20:07 -------- d-----w- C:\commy
2011-02-01 23:24 . 2011-02-01 23:24 -------- d-----w- c:\documents and settings\Callum Dowd\Application Data\Malwarebytes
2011-02-01 23:24 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 23:24 . 2011-02-01 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-01 23:24 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 23:24 . 2011-02-01 23:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-01 20:14 . 2011-02-01 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-01 19:38 . 2011-02-01 19:38 -------- d-----w- c:\documents and settings\Callum Dowd\Application Data\GlarySoft
2011-02-01 19:21 . 2011-02-01 19:21 -------- d-----w- c:\program files\Glary Utilities
2011-01-31 23:12 . 2011-01-31 23:12 -------- d-----w- c:\windows\Sun
2011-01-31 23:12 . 2011-01-31 23:12 -------- d-----w- c:\program files\Common Files\Java
2011-01-31 23:12 . 2011-01-31 23:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-31 23:12 . 2011-01-31 23:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 23:11 . 2011-01-31 23:11 -------- d-----w- c:\program files\Java
2011-01-31 22:28 . 2011-01-31 22:28 -------- d-sh--w- c:\documents and settings\Callum Dowd\PrivacIE
2011-01-31 22:27 . 2011-01-31 22:27 -------- d-----w- c:\documents and settings\Callum Dowd\Application Data\SUPERAntiSpyware.com
2011-01-31 22:19 . 2011-01-31 22:19 -------- d-----w- c:\documents and settings\Jake.CALLUM\Application Data\SUPERAntiSpyware.com
2011-01-31 22:12 . 2011-01-31 22:12 -------- d-----w- c:\documents and settings\Paul.CALLUM\Application Data\SUPERAntiSpyware.com
2011-01-31 21:22 . 2011-01-31 21:54 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\ApplicationHistory
2011-01-31 19:30 . 2011-01-31 19:30 -------- d-----w- c:\windows\system32\XPSViewer
2011-01-31 19:30 . 2011-01-31 19:30 -------- d-----w- c:\program files\MSBuild
2011-01-31 19:29 . 2011-01-31 19:29 -------- d-----w- c:\program files\Reference Assemblies
2011-01-31 19:29 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-01-31 19:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-01-31 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-01-31 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-01-31 19:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-01-31 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-01-31 19:28 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-01-31 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-01-31 19:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-01-31 19:28 . 2011-01-31 19:29 -------- d-----w- C:\36b77ed5c5b4dd9234b71688886c61
2011-01-31 19:19 . 2011-01-31 19:19 -------- d-----w- c:\windows\system32\URTTEMP
2011-01-31 19:02 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-01-31 18:55 . 2011-01-31 20:54 -------- d-----w- c:\program files\Microsoft Silverlight
2011-01-31 18:51 . 2011-01-31 18:51 -------- d-----w- c:\program files\Windows Media Connect 2
2011-01-31 18:47 . 2011-01-31 18:48 -------- d-----w- c:\windows\system32\drivers\UMDF
2011-01-31 18:46 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-31 18:20 . 2011-01-31 18:22 -------- d-----w- c:\windows\SxsCaPendDel
2011-01-31 07:44 . 2011-01-31 07:44 -------- d-----w- C:\eb6959bc9b3cf6e3eff24e66
2011-01-31 07:44 . 2011-01-31 07:50 -------- d-----w- C:\95a4fc25495908687ecbc22eb1c7
2011-01-31 03:50 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-01-31 00:25 . 2011-01-31 00:25 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-01-31 00:24 . 2010-11-06 00:26 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-31 00:24 . 2010-11-06 00:26 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-31 00:24 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-31 00:24 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-31 00:24 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-31 00:24 . 2010-11-06 00:26 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-31 00:24 . 2010-11-06 00:26 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-30 23:02 . 2011-01-30 23:02 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\ElevatedDiagnostics
2011-01-30 22:12 . 2011-01-30 22:12 -------- d-sh--w- c:\documents and settings\Callum Dowd\IECompatCache
2011-01-30 22:10 . 2011-01-30 22:10 -------- d-sh--w- c:\documents and settings\Callum Dowd\IETldCache
2011-01-30 22:07 . 2011-01-30 22:07 -------- d-sh--w- c:\documents and settings\Jake.CALLUM\IECompatCache
2011-01-30 22:07 . 2011-01-30 22:07 -------- d-sh--w- c:\documents and settings\Jake.CALLUM\PrivacIE
2011-01-30 22:06 . 2011-01-30 22:06 -------- d-sh--w- c:\documents and settings\Jake.CALLUM\IETldCache
2011-01-30 22:03 . 2011-01-30 22:03 -------- d-sh--w- c:\documents and settings\Paul.CALLUM\IECompatCache
2011-01-30 22:03 . 2011-01-30 22:03 -------- d-sh--w- c:\documents and settings\Paul.CALLUM\PrivacIE
2011-01-30 22:02 . 2011-01-30 22:02 -------- d-sh--w- c:\documents and settings\Paul.CALLUM\IETldCache
2011-01-30 21:44 . 2011-01-30 21:44 -------- d-----w- c:\windows\Downloaded Installations
2011-01-30 21:22 . 2011-01-30 21:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-01-30 21:17 . 2011-01-30 21:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-01-30 21:16 . 2011-01-30 21:17 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\Deployment
2011-01-30 21:06 . 2011-01-30 21:06 -------- d-sh--w- c:\documents and settings\Suzanne Dowd.CALLUM\IECompatCache
2011-01-30 21:06 . 2011-01-30 21:06 -------- d-sh--w- c:\documents and settings\Suzanne Dowd.CALLUM\PrivacIE
2011-01-30 21:00 . 2011-01-30 21:02 -------- dc-h--w- c:\windows\ie8
2011-01-30 20:44 . 2011-01-30 20:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-30 20:41 . 2011-01-30 20:41 -------- d-sh--w- c:\documents and settings\Suzanne Dowd.CALLUM\IETldCache
2011-01-30 20:24 . 2011-01-30 20:24 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\GlarySoft
2011-01-30 15:59 . 2011-01-30 15:59 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\SUPERAntiSpyware.com
2011-01-30 15:59 . 2011-02-06 16:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-30 15:58 . 2011-01-20 10:39 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-30 15:49 . 2011-01-30 15:49 -------- d--h--w- c:\windows\PIF
2011-01-30 15:39 . 2011-01-30 15:39 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\PCHealth
2011-01-30 15:38 . 2011-01-30 15:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-01-30 15:07 . 2011-01-30 21:19 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Local Settings\Application Data\Temp
2011-01-30 14:23 . 2011-02-02 00:01 -------- d-----w- c:\documents and settings\Administrator
2011-01-29 20:16 . 2011-01-29 20:03 507904 ----a-w- c:\windows\system32\winlogon.bad
2011-01-29 20:04 . 2011-01-29 20:04 790 ----a-w- c:\windows\system32\drivers\knkaeaak.dat
2011-01-29 20:04 . 2011-01-29 20:04 790 ----a-w- c:\windows\system32\drivers\jahjritc.dat
2011-01-29 20:03 . 2011-01-29 20:03 790 ----a-w- c:\windows\system32\drivers\xvbdfhsq.dat
2011-01-29 19:52 . 2011-01-29 19:52 790 ----a-w- c:\windows\system32\drivers\dytzdyrk.dat
2011-01-29 19:33 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-29 19:28 . 2011-01-29 19:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-29 17:15 . 2011-01-29 17:15 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\AVG10
2011-01-29 17:00 . 2011-01-29 17:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-01-29 16:57 . 2011-01-30 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-27 16:59 . 2011-01-27 17:00 -------- d-----w- c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\myfreezetoolbar
2011-01-27 16:53 . 2011-01-29 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-29 20:03 . 2009-04-15 23:32 1033728 ----a-w- c:\windows\explorer.bad
2010-11-18 18:12 . 2009-04-15 14:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2009-04-15 23:32 249856 ----a-w- c:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-02_20.04.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-06 20:39 . 2011-02-06 20:39 16384 c:\windows\temp\Perflib_Perfdata_630.dat
+ 2009-04-15 23:32 . 2011-02-06 20:43 82664 c:\windows\system32\perfc009.dat
- 2009-04-15 23:32 . 2011-02-02 18:36 82664 c:\windows\system32\perfc009.dat
+ 2009-04-15 23:32 . 2011-02-06 20:43 486938 c:\windows\system32\perfh009.dat
- 2009-04-15 23:32 . 2011-02-02 18:36 486938 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-28 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-28 348160]
"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2009-03-28 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-24 17567744]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-27 1434920]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2008-11-03 196608]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-20 817672]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Callum Dowd\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-4-15 565248]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"rnlwupsylbfqwuwpubevTaskMgr"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 MpKsl20fe588d;MpKsl20fe588d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{30650081-27D8-444F-AB00-61747F6E2BF2}\MpKsl20fe588d.sys [06/02/2011 20:00 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [15/04/2009 17:02 237568]
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [17/07/2010 14:47 56352]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [15/04/2009 15:53 5095360]
S1 eezzjrqu;eezzjrqu;\??\c:\windows\system32\drivers\eezzjrqu.sys --> c:\windows\system32\drivers\eezzjrqu.sys [?]
S1 ejukydqc;ejukydqc;\??\c:\windows\system32\drivers\ejukydqc.sys --> c:\windows\system32\drivers\ejukydqc.sys [?]
S1 feolxqft;feolxqft;\??\c:\windows\system32\drivers\feolxqft.sys --> c:\windows\system32\drivers\feolxqft.sys [?]
S1 jqkmalpr;jqkmalpr;\??\c:\windows\system32\drivers\jqkmalpr.sys --> c:\windows\system32\drivers\jqkmalpr.sys [?]
S1 pdhxkaci;pdhxkaci;\??\c:\windows\system32\drivers\pdhxkaci.sys --> c:\windows\system32\drivers\pdhxkaci.sys [?]
S1 tpwfyykn;tpwfyykn;\??\c:\windows\system32\drivers\tpwfyykn.sys --> c:\windows\system32\drivers\tpwfyykn.sys [?]
S1 wiaoprul;wiaoprul;\??\c:\windows\system32\drivers\wiaoprul.sys --> c:\windows\system32\drivers\wiaoprul.sys [?]
S2 0170281261755827mcinstcleanup;McAfee Application Installer Cleanup (0170281261755827);c:\windows\TEMP\017028~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\017028~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/04/2009 15:56 1684736]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [15/04/2009 23:33 62592]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [15/04/2009 23:33 105984]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [15/04/2009 23:33 8064]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-06 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-01 14:13]

2011-02-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-06 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-02-06 20:58:20
ComboFix-quarantined-files.txt 2011-02-06 20:58
ComboFix2.txt 2011-02-02 20:37
ComboFix3.txt 2011-02-02 20:07

Pre-Run: 134,108,848,128 bytes free
Post-Run: 134,240,280,576 bytes free

- - End Of File - - 62B53E5C9046B98E159E81BB512F1ACB


I've deleted the two .bad files now.

What do you make of the weirdly named files in the Drivers folder?
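
Also an added example, and not something posted in the thread or shipped with ComboFix: once winlogon.exe and explorer.exe have been replaced on the live path, Windows File Protection on XP still holds its own copies under system32\dllcache and silently restores protected files from there, so a quick defender's check is to hash both copies of each protected file and report any disagreement. The Python below does exactly that over a constructed temporary directory tree standing in for C:\WINDOWS; the file names and byte contents are made up for the demo, and a "mismatch" says only that the two copies differ, not which one is the clean one.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

BUFSIZE = 1 << 16


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BUFSIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_live_to_dllcache(windows_root: str, relative_paths: Iterable[str]) -> Dict[str, Dict]:
    """Hash each protected file's live copy and its copy in system32/dllcache.

    relative_paths are given with '/' separators relative to the Windows
    directory, e.g. "system32/winlogon.exe" or "explorer.exe".  The dllcache
    copy is looked up by base name, which is how WFP stores it.
    """
    dllcache = os.path.join(windows_root, "system32", "dllcache")
    report: Dict[str, Dict] = {}
    for rel in relative_paths:
        live = os.path.join(windows_root, *rel.split("/"))
        cached = os.path.join(dllcache, os.path.basename(live))
        live_hash = sha256_of(live) if os.path.isfile(live) else None
        cache_hash = sha256_of(cached) if os.path.isfile(cached) else None
        if live_hash is None or cache_hash is None:
            status = "missing"      # one side absent: cannot compare, still worth a look
        elif live_hash == cache_hash:
            status = "match"
        else:
            status = "mismatch"     # the two copies differ; inspect both
        report[rel] = {"live": live_hash, "dllcache": cache_hash, "status": status}
    return report


def _write(root: str, parts: List[str], data: bytes) -> None:
    path = os.path.join(root, *parts)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_demo_tree() -> str:
    """Constructed stand-in for C:\\WINDOWS (assumption of this example, not real binaries)."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    # winlogon: live copy and cache copy agree
    _write(root, ["system32", "winlogon.exe"], b"winlogon: freshly expanded copy")
    _write(root, ["system32", "dllcache", "winlogon.exe"], b"winlogon: freshly expanded copy")
    # explorer: live copy was replaced but the cache still holds a different file
    _write(root, ["explorer.exe"], b"explorer: freshly expanded copy")
    _write(root, ["system32", "dllcache", "explorer.exe"], b"explorer: older copy left in dllcache")
    return root


PROTECTED = ["system32/winlogon.exe", "explorer.exe"]


def demo_statuses() -> Dict[str, str]:
    """Run the comparison over the demo tree and return just the status per file."""
    report = compare_live_to_dllcache(build_demo_tree(), PROTECTED)
    return {rel: entry["status"] for rel, entry in report.items()}


if __name__ == "__main__":
    for rel, status in demo_statuses().items():
        print(f"{rel}: {status}")
```

On a real XP system you would point `compare_live_to_dllcache` at the actual Windows directory and extend `PROTECTED` with the other files the thread touched; comparing hashes against the freshly expanded copies from the SP3 package, rather than only live versus cache, tells you which side is clean.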

#11 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 06 February 2011 - 04:23 PM

Hi

Good, that appears to have worked. I'm usually overcautious in replacing them in the RC.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".


Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic377380.html/page__view__findpost__p__2123750
Collect::
c:\windows\system32\drivers\knkaeaak.dat
c:\windows\system32\drivers\jahjritc.dat
c:\windows\system32\drivers\xvbdfhsq.dat
c:\windows\system32\drivers\dytzdyrk.dat
c:\windows\system32\drivers\eezzjrqu.sys 
c:\windows\system32\drivers\ejukydqc.sys 
c:\windows\system32\drivers\feolxqft.sys
c:\windows\system32\drivers\jqkmalpr.sys 
c:\windows\system32\drivers\pdhxkaci.sys
c:\windows\system32\drivers\tpwfyykn.sys 
c:\windows\system32\drivers\wiaoprul.sys 

FCopy::
c:\windows\system32\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe
c:\windows\explorer.exe | c:\windows\system32\dllcache\explorer.exe

Driver::
eezzjrqu
ejukydqc
feolxqft
jqkmalpr
pdhxkaci
tpwfyykn
wiaoprul

DirLook::
C:\commy

File::
c:\windows\system32\winlogon.bad
c:\windows\explorer.bad

Folder::
c:\documents and settings\Suzanne Dowd.CALLUM\Application Data\myfreezetoolbar

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"rnlwupsylbfqwuwpubevTaskMgr"=-


Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
Posted Image


  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".


  • If for some reason Combofix fails to upload the file please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[4]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

Let me know how it goes and if the upload went successfully or not in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 ministe2003

ministe2003
  • Topic Starter

  • Members
  • 22 posts

Posted 06 February 2011 - 04:49 PM

said the server was unavailable so I just uploaded it now at 21.48.
Apologies though, as I said in my previous post I had deleted the explorer.bad and winlogon.bad files before your last post - wanted to get them off the PC asap!!

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 February 2011 - 05:16 PM

Great, thanks.

If you could post the new ComboFix log too.

Please run MBAM and an ESET scan.

I'll be away from the PC for about 5 hours, I'll be back later tonight.

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#14 ministe2003

ministe2003
  • Topic Starter

  • Members
  • 22 posts

Posted 06 February 2011 - 07:40 PM

This is the quarantine log from the ComboFix run:

2011-02-06 21:33:05 . 2011-02-06 21:33:05 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_wiaoprul.reg.dat
2011-02-06 21:33:05 . 2011-02-06 21:33:05 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_tpwfyykn.reg.dat
2011-02-06 21:33:05 . 2011-02-06 21:33:05 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_pdhxkaci.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_jqkmalpr.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_feolxqft.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_ejukydqc.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_eezzjrqu.reg.dat
2011-02-06 21:28:53 . 2011-02-06 21:28:53 4,246 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2011-02-06_21.28.47.zip
2011-02-06 20:22:56 . 2008-04-14 05:42:40 507,904 ----a-w- C:\Qoobox\Quarantine\C\winlogon.exe.vir
2011-02-06 20:22:21 . 2008-04-14 05:42:20 1,033,728 ----a-w- C:\Qoobox\Quarantine\C\explorer.exe.vir
2011-02-02 20:01:14 . 2011-02-06 21:32:53 7,511 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-02-02 19:54:58 . 2011-02-06 21:26:43 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-01-27 17:00:03 . 2011-01-27 17:03:32 977 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Suzanne Dowd.CALLUM\Application Data\myfreezetoolbar\preferences.dat.vir
2010-11-02 17:44:39 . 2011-01-29 17:22:07 16 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dmlconf.dat.vir
2010-10-04 18:59:14 . 2010-12-15 20:40:55 288 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\complete.dat.vir
2010-10-04 18:58:48 . 2011-01-29 17:22:10 16 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\dmlconf.dat.vir
2009-04-15 23:32:59 . 2008-04-14 12:00:00 95,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\scardsvr.exe.vir
2009-04-15 23:32:39 . 2008-04-14 12:00:00 19,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\arp.exe.vir


The scanners didn't find anything, but here's the log for MBAM anyway:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5661

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/02/2011 22:18:33
mbam-log-2011-02-06 (22-18-33).txt

Scan type: Quick scan
Objects scanned: 206454
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
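
A responder reading the two posts above (CatByte's CFScript in #11 and the quarantine listing in #14) is really doing one reconciliation by eye: each name under Driver:: should have produced a Service_<name>.reg.dat registry backup in C:\Qoobox\Quarantine, every collected .sys should have a matching Driver:: entry so its service is removed rather than left orphaned, and a [4]-Submit_*.zip should exist to show the samples were packaged. The script below does that check mechanically. It is an added example, written for this thread; it is not part of either post, of BleepingComputer's instructions, or of ComboFix itself. The two embedded inputs are excerpts copied from the thread (the Collect:: and Driver:: sections, and nine lines of the quarantine log); the section and log layouts the parsers assume are exactly those shown in the posts, and the function names are my own.

```python
"""Reconcile a ComboFix CFScript against the quarantine log it produced.

Added example for this thread, not the posts' own text nor ComboFix's code.
Inputs are excerpts of CatByte's script (post #11) and ministe2003's
quarantine listing (post #14); the parsers assume those plain-text layouts.
"""
import re
from pathlib import PureWindowsPath

# Excerpt of the CFScript (Collect:: and Driver:: sections), copied from the thread.
CFSCRIPT = r"""
http://www.bleepingcomputer.com/forums/topic377380.html/page__view__findpost__p__2123750
Collect::
c:\windows\system32\drivers\knkaeaak.dat
c:\windows\system32\drivers\jahjritc.dat
c:\windows\system32\drivers\eezzjrqu.sys
c:\windows\system32\drivers\ejukydqc.sys
c:\windows\system32\drivers\feolxqft.sys
c:\windows\system32\drivers\jqkmalpr.sys
c:\windows\system32\drivers\pdhxkaci.sys
c:\windows\system32\drivers\tpwfyykn.sys
c:\windows\system32\drivers\wiaoprul.sys

Driver::
eezzjrqu
ejukydqc
feolxqft
jqkmalpr
pdhxkaci
tpwfyykn
wiaoprul
"""

# Excerpt of the quarantine log ComboFix wrote after the script ran (post #14).
QUARANTINE_LOG = r"""
2011-02-06 21:33:05 . 2011-02-06 21:33:05 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_wiaoprul.reg.dat
2011-02-06 21:33:05 . 2011-02-06 21:33:05 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_tpwfyykn.reg.dat
2011-02-06 21:33:05 . 2011-02-06 21:33:05 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_pdhxkaci.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,394 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_jqkmalpr.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_feolxqft.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_ejukydqc.reg.dat
2011-02-06 21:33:04 . 2011-02-06 21:33:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_eezzjrqu.reg.dat
2011-02-06 21:28:53 . 2011-02-06 21:28:53 4,246 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2011-02-06_21.28.47.zip
2011-02-06 20:22:56 . 2008-04-14 05:42:40 507,904 ----a-w- C:\Qoobox\Quarantine\C\winlogon.exe.vir
"""

SECTION_RE = re.compile(r"^(\w+)::$")
# quarantine time " . " original mtime, size with thousands separators, attribute flags, path
LOG_RE = re.compile(
    r"^(?P<quarantined>\S+ \S+) \. (?P<modified>\S+ \S+) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


def parse_cfscript(text):
    """Map each 'Name::' header to its entries; lines before the first header are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return sections


def parse_quarantine_log(text):
    """One dict per log line: quarantine time, original mtime, size in bytes, attrs, path."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            entries.append(d)
    return entries


def reconcile(script, entries):
    """Cross-check Driver:: names against Service_<name>.reg.dat backups, collected .sys
    files against Driver:: entries, and confirm a submit archive was produced."""
    names = {PureWindowsPath(e["path"]).name for e in entries}
    drivers = script.get("Driver", [])
    backed_up = [d for d in drivers if f"Service_{d}.reg.dat" in names]
    collected_sys = [PureWindowsPath(p).stem for p in script.get("Collect", [])
                     if p.lower().endswith(".sys")]
    return {
        "drivers_backed_up": backed_up,
        "drivers_missing_backup": [d for d in drivers if d not in backed_up],
        "sys_without_driver_entry": [s for s in collected_sys if s not in drivers],
        "submit_archives": sorted(n for n in names if n.startswith("[4]-Submit_")),
    }


if __name__ == "__main__":
    report = reconcile(parse_cfscript(CFSCRIPT), parse_quarantine_log(QUARANTINE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the excerpts above every Driver:: name is backed up, no collected .sys lacks a Driver:: entry, and the one submit archive is found; a non-empty drivers_missing_backup list is the signal that a service listed in the script was not actually touched and the reply deserves a closer look.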



#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 February 2011 - 05:34 AM

Hi

Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.

(you can close and delete that SP3 installer package if you haven't already done so, we won't be needing it any more)





