Browser redirect


  • This topic is locked
20 replies to this topic

#1 darctiger

darctiger

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:28 AM

Posted 09 April 2011 - 10:09 PM

I'm not sure if anyone can help, but hopefully so, as I see similar topics already and don't want to do anything without guidance in this, but recently my browser has been redirecting my Google links to other search engines and I am even getting some popups. I'm not sure what I'm supposed to do, but hopefully you can help. I'm running Windows XP SP3 and IE8. The following is my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:50:51 AM, on 4/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\downloads\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avatarsbydesign.com/forum/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [Rleyazuyose] rundll32.exe "C:\WINDOWS\adajeboyoradiyub.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://www.forsakenclans.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - https://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows update/v6/V5Controls/en/x86/client/wuweb_site.cab?1268073852359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/fv6/fV5Controls/en/x86/cflient/muweb_site.fcab?f1269385432900
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 13091 bytes

Edited by darctiger, 09 April 2011 - 10:40 PM.



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:28 AM

Posted 10 April 2011 - 09:15 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 darctiger

darctiger
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:28 AM

Posted 10 April 2011 - 06:37 PM

Thanks for the quick reply and post... I tried to post the exact log several times but actually had to adjust where it said DPF windows update and separate it in order to be allowed to post it all.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Timothy Carpenter at 19:08:58.42 on Sun 04/10/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2712 [GMT -4:00]
.
AV: Bitdefender Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Timothy Carpenter\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.avatarsbydesign.com/forum/
uInternet Connection Wizard,ShellNext = hxxp://www.avatarsbydesign.com/forum/
mWinlogon: Userinit=userinit.exe
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBit0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBit0.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: forsakenclans.com\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} - hxxps://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windows
update/v6/V5Controls/en/x86/client/wuweb_site.cab?1268073852359
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269385432900
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-10 14776]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-8 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-8 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-8 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-8 61960]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-3-10 312152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]
S3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys --> c:\windows\system32\drivers\appliand.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-1-29 2074480]
.
=============== Created Last 30 ================
.
2011-04-10 23:04:12 72708 ----a-w- c:\windows\vVX6000.exe
2011-04-10 18:09:49 -------- d-----w- c:\windows\system32\NtmsData
2011-04-10 16:34:02 -------- d-----w- c:\windows\system32\FxsTmp
2011-04-10 16:28:45 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-04-10 16:28:45 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-04-10 16:28:45 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-04-10 16:28:45 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-04-09 23:48:15 -------- d-----w- c:\docume~1\timoth~1\applic~1\PriceGong
2011-04-09 06:20:07 -------- d-sha-r- C:\cmdcons
2011-04-09 06:15:29 98816 ----a-w- c:\windows\sed.exe
2011-04-09 06:15:29 89088 ----a-w- c:\windows\MBR.exe
2011-04-09 06:15:29 256512 ----a-w- c:\windows\PEV.exe
2011-04-09 06:15:29 161792 ----a-w- c:\windows\SWREG.exe
2011-04-07 06:01:48 0 ----a-w- c:\windows\Gzecitizo.bin
2011-04-07 06:01:47 -------- d-----w- c:\docume~1\timoth~1\locals~1\applic~1\{6221EF0C-9F77-451F-9833-410B9524EB0C}
2011-04-07 06:00:15 -------- d-----w- c:\docume~1\timoth~1\applic~1\00D49D5F42C758A61145B0CD1CCF06F0
2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-04-10 23:06:39 81984 ----a-w- c:\windows\system32\bdod.bin
2011-03-09 07:46:41 3192 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-02-04 22:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380819 rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89EAE439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89eb47d0]; MOV EAX, [0x89eb484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A873868]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A86DBA8]
\Driver\iaStor[0x8A85B858] -> IRP_MJ_CREATE -> 0x89EAE439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskST380819AS______________________________8.04____#4&3203b792&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 19:09:53.81 ===============


Edited by darctiger, 10 April 2011 - 06:39 PM.
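The HijackThis log in post #1 and the GMER rootkit section of the DDS log in post #3 carry the indicators the helper acts on in this thread: a DLL loaded by rundll32 straight from the Windows folder under a random-looking name, an orphaned Winlogon Notify entry, two resident antivirus engines, and the "user != kernel MBR" mismatch. The triage script below is an added example written for this page, not a BleepingComputer, HijackThis or GMER tool; the line patterns and the antivirus vendor list it keys on are assumptions, and the sample log is constructed from entries quoted above.

```python
"""Flag the HijackThis / DDS indicators discussed in this thread (added example)."""
import re
from typing import List, Tuple

# Line shapes of the HijackThis sections this triage reads (assumed from the
# log format quoted in the thread; not an official HijackThis grammar).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# rundll32 loading a DLL that sits directly in the Windows folder (no subfolder).
# Legitimate software normally lives under Program Files or system32, so a bare
# C:\WINDOWS\<name>.dll loaded at logon deserves a closer look.
RUNDLL_WINROOT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\WINDOWS\\[^\\"]+\.dll)"?', re.IGNORECASE)

# Substrings of the O23 vendor field that identify resident antivirus engines
# (assumed list for this example; extend it for other products).
AV_VENDORS = {"avira": "Avira", "softwin": "BitDefender"}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs in log order; the multiple-AV finding,
    which needs the whole O23 section, is appended at the end."""
    findings: List[Tuple[str, str]] = []
    av_engines = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            dll = RUNDLL_WINROOT_RE.search(command)
            if dll:
                findings.append(("rundll32-windows-root",
                                 f"{hive} Run [{name}] loads {dll.group(1)}"))
            continue
        m = O20_RE.match(line)
        if m:
            # A Notify package whose DLL no longer exists is a leftover
            # registration that should be cleaned up.
            if "(file missing)" in m.group(2):
                findings.append(("orphaned-winlogon-notify",
                                 f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = O23_RE.match(line)
        if m:
            vendor = m.group(2).lower()
            for key, product in AV_VENDORS.items():
                if key in vendor:
                    av_engines.add(product)
            continue
        # GMER's MBR check (embedded in the DDS log) compares the boot sector as
        # read through the file system with the one read via the disk driver.
        if "user != kernel MBR" in line:
            findings.append(("mbr-mismatch", line))
    if len(av_engines) > 1:
        findings.append(("multiple-av-engines", ", ".join(sorted(av_engines))))
    return findings


# Constructed sample: entries quoted from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [Rleyazuyose] rundll32.exe "C:\WINDOWS\adajeboyoradiyub.dll",Startup
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: itlntfy - itlnfw32.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
user != kernel MBR !!!
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:26} {detail}")
```

Entries that do not match a pattern (the vVX6000.exe helper in the Windows root, the SUPERAntiSpyware Notify DLL that does exist) are left alone, so the output is a short list of things to look at rather than a verdict.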


#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:28 AM

Posted 10 April 2011 - 09:50 PM

darctiger:

You have more than one antivirus (AV) program running. Your logs show both Avira AntiVir and BitDefender running. Running more than one AV program does not offer any more protection and often causes conflicts and slowdowns with your computer. Please uninstall either Avira or BitDefender via Control Panel > Add/Remove Programs. Run the removal tool (links below) for whichever app you uninstall also:

BitDefender Removal Tool
Avira Removal Tool

You have IObit Advanced SystemCare 3 and IObit Security 360 installed. IObit has been accused of stealing and incorporating Malwarebytes AntiMalware's proprietary database and intellectual property into their software. More information is available HERE and HERE. I strongly recommend that you uninstall them.

P2P - I see you have P2P software (BitTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log
  • TDSSKiller log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 darctiger

darctiger
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:28 AM

Posted 11 April 2011 - 09:26 AM

I got rid of the BitDefender and the Avira... mainly because BitDefender was the free edition and I couldn't turn it off, and Avira kept trying to send all my .exe files to the quarantine. I'll probably go back to avast! unless there is one better that you recommend. BitTorrent is gone, as well as Advanced SystemCare. I didn't know that about Advanced SystemCare. Thank you for letting me know. I have attached the logs you requested. Thank you so much for your help thus far.


ComboFix 11-04-10.04 - Timothy Carpenter 04/11/2011 10:10:12.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2900 [GMT -4:00]
Running from: c:\documents and settings\Timothy Carpenter\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\T5704GrE.exe
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Timothy Carpenter\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Timothy Carpenter\Local Settings\Application Data\{6221EF0C-9F77-451F-9833-410B9524EB0C}
c:\documents and settings\Timothy Carpenter\Local Settings\Application Data\{6221EF0C-9F77-451F-9833-410B9524EB0C}\chrome.manifest
c:\documents and settings\Timothy Carpenter\Local Settings\Application Data\{6221EF0C-9F77-451F-9833-410B9524EB0C}\chrome\content\_cfg.js
c:\documents and settings\Timothy Carpenter\Local Settings\Application Data\{6221EF0C-9F77-451F-9833-410B9524EB0C}\chrome\content\overlay.xul
c:\documents and settings\Timothy Carpenter\Local Settings\Application Data\{6221EF0C-9F77-451F-9833-410B9524EB0C}\install.rdf
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-11 04:16 . 2011-04-11 04:16 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BitTorrentBar
2011-04-11 03:01 . 2011-04-11 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-04-11 03:00 . 2011-04-11 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-11 02:18 . 2011-04-11 02:18 -------- d--h--w- c:\windows\msdownld.tmp
2011-04-11 02:06 . 2011-04-11 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-04-10 23:04 . 2011-04-10 23:04 72708 ----a-w- c:\windows\vVX6000.exe
2011-04-10 18:09 . 2011-04-10 18:10 -------- d-----w- c:\windows\system32\NtmsData
2011-04-10 16:34 . 2011-04-10 16:34 -------- d-----w- c:\windows\system32\FxsTmp
2011-04-10 16:28 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-04-10 16:28 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-04-10 16:28 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-04-10 16:28 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-04-09 06:34 . 2011-04-09 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-07 06:01 . 2011-04-07 06:01 0 ----a-w- c:\windows\Gzecitizo.bin
2011-04-07 06:00 . 2011-04-07 06:00 -------- d-----w- c:\documents and settings\Timothy Carpenter\Application Data\00D49D5F42C758A61145B0CD1CCF06F0
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2010-03-06 17:54 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-06 17:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\IObit\Advanced SystemCare 3\AWC .exe
c:\program files\IObit\IObit Security 360\IS360tray .exe
c:\program files\Microsoft ActiveSync\Wcescomm      .exe
c:\program files\Microsoft ActiveSync\Wcescomm     .exe
c:\program files\Microsoft ActiveSync\Wcescomm    .exe
c:\program files\Microsoft ActiveSync\Wcescomm   .exe
c:\program files\Microsoft ActiveSync\Wcescomm  .exe
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\program files\QuickTime\qttask                                    .exe
c:\program files\QuickTime\qttask                                   .exe
c:\program files\QuickTime\qttask                                  .exe
c:\program files\QuickTime\qttask                                 .exe
c:\program files\QuickTime\qttask                                .exe
c:\program files\QuickTime\qttask                               .exe
c:\program files\QuickTime\qttask                              .exe
c:\program files\QuickTime\qttask                             .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                           .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                         .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\windows\vVX6000 .exe
c:\windows\ehome\ehtray .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2010-12-26 23:43 3911776 ----a-w- c:\program files\BitTorrentBar\tbBit0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-10 72712]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2011-04-10 72712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2010-08-04 692317]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-10 72708]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-04-10 72708]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/10/2011 4:09 AM 14776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 12:27 AM 136176]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 2:04 AM 2074480]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.avatarsbydesign.com/forum/
uInternet Connection Wizard,ShellNext = hxxp://www.avatarsbydesign.com/forum/
Trusted Zone: forsakenclans.com\www
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 10:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
.
[HKEY_USERS\S-1-5-21-1547161642-839522115-781633064-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{41494EE4-61D2-80B9-255E-AAECC9B1572D}*]
"mamjgndgkifambmgjkdopmbkee"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,70,
69,6f,68,00,02
"naclaackleeiocclohnmcdachchd"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,
70,69,6f,68,00,77
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2011-04-11 10:19:50
ComboFix-quarantined-files.txt 2011-04-11 14:19
ComboFix2.txt 2011-04-09 07:10
.
Pre-Run: 14,671,417,344 bytes free
Post-Run: 14,671,716,352 bytes free
.
- - End Of File - - FD72FBBB9EBF3C71F9FE590F56C8BA70

Attached Files



#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:09:28 AM

Posted 11 April 2011 - 04:24 PM

darctiger:

You've got (among other things) a vundo file infector that replaced several of your exe's with malware which is why Avira was targeting them. Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\windows\Gzecitizo.bin
DirLook::
c:\documents and settings\Timothy Carpenter\Application Data\00D49D5F42C758A61145B0CD1CCF06F0
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\IObit\Advanced SystemCare 3\AWC .exe
c:\program files\IObit\IObit Security 360\IS360tray .exe
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\windows\vVX6000 .exe
c:\windows\ehome\ehtray .exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • ComboFix log

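The "name .exe" padding RPMcMurphy is undoing above (the list between ComboFix's `<pre>` tags, fed back through `RenV::`) is something a responder can pull out of a log mechanically rather than by eye. The script below is an added example, not ComboFix's or BleepingComputer's own tooling: it reads a ComboFix log, collects every executable listed between the `<pre>` tags whose name carries whitespace before `.exe`, ties those to the Run-key autostart entries (an entry that launches a padded copy, like the `qttask .exe -atboottime` line marked `[X]`, or one whose clean name has a padded twin), and separately groups autostart executables that share a file date and a size within a few bytes, the pattern the first log shows for `jusched.exe`, `AdobeARM.exe`, `SUPERAntiSpyware.exe` and `NMBgMonitor.exe` (all dated 2011-04-10 at 72708 or 72712 bytes) and which largely disappears in the post-fix log once the originals are renamed back. The excerpt in `SAMPLE_LOG` is constructed from lines of the shape this thread shows, the 16-byte `SIZE_TOLERANCE` is an assumption, and the function names are mine.

```python
"""Triage helper for the 'name .exe' file-infector pattern seen in ComboFix logs.
Added example, not ComboFix's own code; SAMPLE_LOG is a constructed excerpt."""
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's layout: the <pre> block of executables whose
# names carry whitespace before '.exe', then the 'Reg Loading Points' Run keys.
SAMPLE_LOG = r"""
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Microsoft ActiveSync\Wcescomm      .exe
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\program files\QuickTime\qttask                                    .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
</pre>
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-10 72712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-10 72708]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-04-10 72708]
"""

PADDED_EXE = re.compile(r'^(?P<stem>\S.*?\S)\s+\.exe$', re.IGNORECASE)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*(?:\[(?P<stamp>[^\]]*)\])?')
EXE_PATH = re.compile(r'^(?P<path>.+?\.exe)(?:\s|$)', re.IGNORECASE)
SIZE_TOLERANCE = 16  # assumption: dropped copies of one infector differ by a few bytes


def padded_executables(log_text):
    """Map each clean path (lower-cased, padding removed) to the padded variants
    ComboFix listed between its <pre> tags."""
    found = defaultdict(list)
    in_pre = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line == '<pre>':
            in_pre = True
        elif line == '</pre>':
            in_pre = False
        elif in_pre:
            m = PADDED_EXE.match(line)
            if m:
                found[(m.group('stem') + '.exe').lower()].append(line)
    return dict(found)


def autostart_entries(log_text):
    """Return (key, value name, exe path, date, size) for every value under a
    ...\\Run key; date and size are None where ComboFix printed [X]."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = RUN_VALUE.match(line)
        if not (key and key.lower().endswith('\\run') and m):
            continue
        exe = EXE_PATH.match(m.group('cmd'))
        if not exe:
            continue
        date = size = None
        parts = (m.group('stamp') or '').split()
        if len(parts) == 2 and parts[1].isdigit():
            date, size = parts[0], int(parts[1])
        entries.append((key, m.group('name'), exe.group('path'), date, size))
    return entries


def triage(log_text):
    """Tie autostart entries to the padded list: an entry that launches a padded
    copy, or whose clean name has a padded twin, is a restore candidate."""
    padded = padded_executables(log_text)
    verdicts = {}
    for _key, name, path, _date, _size in autostart_entries(log_text):
        if PADDED_EXE.match(path):
            verdicts[name] = 'launches a padded copy'
        elif path.lower() in padded:
            verdicts[name] = 'clean name has a padded twin; file likely replaced'
    return verdicts


def same_day_size_clusters(log_text):
    """Group autostart executables sharing a file date and a size within
    SIZE_TOLERANCE bytes.  Returns {date: [value names]} for groups of two or more."""
    by_date = defaultdict(list)
    for _key, name, _path, date, size in autostart_entries(log_text):
        if date and size is not None:
            by_date[date].append((size, name))
    clusters = {}
    for date, items in by_date.items():
        items.sort()
        if len(items) >= 2 and items[-1][0] - items[0][0] <= SIZE_TOLERANCE:
            clusters[date] = [name for _size, name in items]
    return clusters


if __name__ == '__main__':
    for clean, variants in padded_executables(SAMPLE_LOG).items():
        print(f'{clean}: {len(variants)} padded variant(s)')
    for name, why in triage(SAMPLE_LOG).items():
        print(f'{name}: {why}')
    print(same_day_size_clusters(SAMPLE_LOG))
```

To use it on a real case, replace `SAMPLE_LOG` with the contents of the saved ComboFix.txt. The padded-name check is exact; the same-day size cluster is only a heuristic and needs a human to confirm it against the padded list, since a legitimate vendor update can also stamp several files with one build date.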


#7 darctiger

darctiger
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:28 AM

Posted 11 April 2011 - 09:20 PM

OK... did what you asked, and as ComboFix started it asked to update, so I clicked yes and it connected to the server to update... here is the new log.

ComboFix 11-04-11.02 - Timothy Carpenter 04/11/2011 22:06:31.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2876 [GMT -4:00]
Running from: c:\documents and settings\Timothy Carpenter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Timothy Carpenter\Desktop\CFScript.txt
.
FILE ::
"c:\windows\Gzecitizo.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\T5704GrE.exe
c:\documents and settings\NetworkService\Application Data\PriceGong
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\1.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\a.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\b.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\c.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\d.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\e.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\f.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\g.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\h.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\i.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\J.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\k.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\l.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\m.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\n.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\o.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\p.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\q.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\r.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\s.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\t.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\u.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\v.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\w.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\x.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\y.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\z.xml
c:\windows\Gzecitizo.bin
c:\windows\Tasks\At1.job
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-11 04:16 . 2011-04-11 04:16 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BitTorrentBar
2011-04-11 03:01 . 2011-04-11 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-04-11 03:00 . 2011-04-11 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-11 02:18 . 2011-04-11 02:18 -------- d--h--w- c:\windows\msdownld.tmp
2011-04-11 02:06 . 2011-04-11 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-04-10 18:09 . 2011-04-10 18:10 -------- d-----w- c:\windows\system32\NtmsData
2011-04-10 16:34 . 2011-04-10 16:34 -------- d-----w- c:\windows\system32\FxsTmp
2011-04-10 16:28 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-04-10 16:28 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-04-10 16:28 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-04-10 16:28 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-04-09 06:34 . 2011-04-09 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-07 06:00 . 2011-04-07 06:00 -------- d-----w- c:\documents and settings\Timothy Carpenter\Application Data\00D49D5F42C758A61145B0CD1CCF06F0
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2010-03-06 17:54 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-06 17:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Microsoft ActiveSync\Wcescomm      .exe
c:\program files\Microsoft ActiveSync\Wcescomm     .exe
c:\program files\Microsoft ActiveSync\Wcescomm    .exe
c:\program files\Microsoft ActiveSync\Wcescomm   .exe
c:\program files\Microsoft ActiveSync\Wcescomm  .exe
c:\program files\QuickTime\qttask                                    .exe
c:\program files\QuickTime\qttask                                   .exe
c:\program files\QuickTime\qttask                                  .exe
c:\program files\QuickTime\qttask                                 .exe
c:\program files\QuickTime\qttask                                .exe
c:\program files\QuickTime\qttask                               .exe
c:\program files\QuickTime\qttask                              .exe
c:\program files\QuickTime\qttask                             .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                           .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                         .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
</pre>
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Timothy Carpenter\Application Data\00D49D5F42C758A61145B0CD1CCF06F0 ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2010-12-26 23:43 3911776 ----a-w- c:\program files\BitTorrentBar\tbBit0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-17 2424560]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2010-08-04 692317]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-04-10 72708]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/10/2011 4:09 AM 14776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 12:27 AM 136176]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 2:04 AM 2074480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
2011-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.avatarsbydesign.com/forum/
uInternet Connection Wizard,ShellNext = hxxp://www.avatarsbydesign.com/forum/
Trusted Zone: forsakenclans.com\www
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 22:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
.
[HKEY_USERS\S-1-5-21-1547161642-839522115-781633064-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{41494EE4-61D2-80B9-255E-AAECC9B1572D}*]
"mamjgndgkifambmgjkdopmbkee"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,70,
69,6f,68,00,02
"naclaackleeiocclohnmcdachchd"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,
70,69,6f,68,00,77
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(4052)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PSIService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\stsystra.exe
c:\program files\QuickTime\qttask .exe
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2011-04-11 22:18:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-12 02:18
ComboFix2.txt 2011-04-11 14:19
ComboFix3.txt 2011-04-09 07:10
.
Pre-Run: 14,626,041,856 bytes free
Post-Run: 14,657,290,240 bytes free
.
- - End Of File - - 12790AF87B143428823919E567CC9561

#8 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 11 April 2011 - 09:47 PM

darctiger:

Please do this next:

Open Notepad (Go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::

Folder::
c:\documents and settings\Timothy Carpenter\Application Data\00D49D5F42C758A61145B0CD1CCF06F0
RenV::
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Microsoft ActiveSync\Wcescomm      .exe
c:\program files\Microsoft ActiveSync\Wcescomm     .exe
c:\program files\Microsoft ActiveSync\Wcescomm    .exe
c:\program files\Microsoft ActiveSync\Wcescomm   .exe
c:\program files\Microsoft ActiveSync\Wcescomm  .exe
c:\program files\QuickTime\qttask                                    .exe
c:\program files\QuickTime\qttask                                   .exe
c:\program files\QuickTime\qttask                                  .exe
c:\program files\QuickTime\qttask                                 .exe
c:\program files\QuickTime\qttask                                .exe
c:\program files\QuickTime\qttask                               .exe
c:\program files\QuickTime\qttask                              .exe
c:\program files\QuickTime\qttask                             .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                           .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                         .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Edited by RPMcMurphy, 11 April 2011 - 09:48 PM.
Removed old instructions

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 darctiger (Topic Starter, Members, 11 posts)

Posted 11 April 2011 - 11:29 PM

Ok...here is the ComboFix Log


ComboFix 11-04-11.02 - Timothy Carpenter 04/11/2011 23:32:26.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3030 [GMT -4:00]
Running from: c:\documents and settings\Timothy Carpenter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Timothy Carpenter\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Timothy Carpenter\Application Data\00D49D5F42C758A61145B0CD1CCF06F0
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-11 04:16 . 2011-04-11 04:16 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BitTorrentBar
2011-04-11 03:01 . 2011-04-11 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-04-11 03:00 . 2011-04-11 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-11 02:18 . 2011-04-11 02:18 -------- d--h--w- c:\windows\msdownld.tmp
2011-04-11 02:06 . 2011-04-11 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-04-10 18:09 . 2011-04-10 18:10 -------- d-----w- c:\windows\system32\NtmsData
2011-04-10 16:34 . 2011-04-10 16:34 -------- d-----w- c:\windows\system32\FxsTmp
2011-04-10 16:28 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-04-10 16:28 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-04-10 16:28 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-04-10 16:28 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-04-09 06:34 . 2011-04-09 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2010-03-06 17:54 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-06 17:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Microsoft ActiveSync\Wcescomm       .exe
c:\program files\Microsoft ActiveSync\Wcescomm    .exe
c:\program files\Microsoft ActiveSync\Wcescomm   .exe
c:\program files\Microsoft ActiveSync\Wcescomm  .exe
c:\program files\QuickTime\qttask                                     .exe
c:\program files\QuickTime\qttask                                  .exe
c:\program files\QuickTime\qttask                                 .exe
c:\program files\QuickTime\qttask                                .exe
c:\program files\QuickTime\qttask                               .exe
c:\program files\QuickTime\qttask                              .exe
c:\program files\QuickTime\qttask                             .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                           .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                         .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\windows\ehome\ehtray .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2010-12-26 23:43 3911776 ----a-w- c:\program files\BitTorrentBar\tbBit0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-12 72712]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2011-04-12 72712]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2010-08-04 692317]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-12 72712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-04-10 72708]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/10/2011 4:09 AM 14776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 12:27 AM 136176]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 2:04 AM 2074480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
2011-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.avatarsbydesign.com/forum/
uInternet Connection Wizard,ShellNext = hxxp://www.avatarsbydesign.com/forum/
Trusted Zone: forsakenclans.com\www
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 23:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
.
[HKEY_USERS\S-1-5-21-1547161642-839522115-781633064-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{41494EE4-61D2-80B9-255E-AAECC9B1572D}*]
"mamjgndgkifambmgjkdopmbkee"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,70,
69,6f,68,00,02
"naclaackleeiocclohnmcdachchd"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,
70,69,6f,68,00,77
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(572)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PSIService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\stsystra.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2011-04-11 23:46:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-12 03:46
ComboFix2.txt 2011-04-12 02:18
ComboFix3.txt 2011-04-11 14:19
ComboFix4.txt 2011-04-09 07:10
.
Pre-Run: 14,703,796,224 bytes free
Post-Run: 14,678,761,472 bytes free
.
- - End Of File - - 2B486B3DC7696DD4DDB259C6D3CBE9A2



Here is the MBAM log....

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6339

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2011 12:22:53 AM
mbam-log-2011-04-12 (00-22-53).txt

Scan type: Quick scan
Objects scanned: 160458
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\program files\common files\Java\java update\jusched.exe (Malware.Gen) -> 3364 -> Unloaded process successfully.
c:\program files\common files\Adobe\ARM\1.0\AdobeARM.exe (Malware.Gen) -> 3372 -> Unloaded process successfully.
c:\program files\superantispyware\superantispyware.exe (Malware.Gen) -> 3380 -> Unloaded process successfully.
c:\program files\common files\Ahead\Lib\nmbgmonitor.exe (Malware.Gen) -> 3388 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (Malware.Gen) -> Value: SunJavaUpdateSched -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe ARM (Malware.Gen) -> Value: Adobe ARM -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SUPERAntiSpyware (Malware.Gen) -> Value: SUPERAntiSpyware -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} (Malware.Gen) -> Value: BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\common files\Java\java update\jusched.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\program files\common files\Adobe\ARM\1.0\AdobeARM.exe (Malware.Gen) -> Delete on reboot.
c:\program files\superantispyware\superantispyware.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\program files\common files\Ahead\Lib\nmbgmonitor.exe (Malware.Gen) -> Quarantined and deleted successfully.

#10 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 12 April 2011 - 09:10 PM

darctiger:

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    /MD5START
    AdobeARM*.*
    NMBgMonitor*.*
    jusched*.*
    Wcescomm*.*
    qttask*.*
    SUPERAntiSpyware*.*
    /MD5STOP

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of only the OTL.txt report into your next post.

Please include the following in your next post:
  • OTL.txt log

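The space-padded names in the RenV:: list of post #8 (for example `qttask .exe`) and the /MD5START block in post #10 are two views of the same problem: a legitimate program has been renamed aside with spaces before its extension, and a different file of the same size (72712 bytes for each of the four entries in the ComboFix log) sits under the original name, which is what MBAM then flagged as Malware.Gen. The following is an added example, not part of this thread and not code from ComboFix, OTL or MBAM; it shows how a defender could walk a directory tree, list every padded twin next to the file that shadows it, and hash the watch-listed names so that byte-identical drop-ins stand out. The directory layout it builds is constructed sample data, and the watch-list patterns are copied from the OTL custom scan above.

```python
"""Find space-padded executables ("qttask .exe") and hash watch-listed names.

Added example for this thread, not ComboFix/OTL code. Runs offline on a
constructed sample tree built by build_demo_tree().
"""
import fnmatch
import hashlib
import os
import re
import tempfile

# One or more spaces between the base name and ".exe", e.g. "qttask .exe".
PADDED_EXE = re.compile(r"^(?P<stem>\S.*?) +\.exe$", re.IGNORECASE)

# Same name patterns as the OTL /MD5START block in post #10.
WATCHLIST = ["AdobeARM*.*", "NMBgMonitor*.*", "jusched*.*",
             "Wcescomm*.*", "qttask*.*", "SUPERAntiSpyware*.*"]


def padded_twin(name):
    """If `name` is a space-padded .exe, return the unpadded name it was pushed aside from."""
    m = PADDED_EXE.match(name)
    return m.group("stem") + ".exe" if m else None


def md5_of(path):
    """MD5 to match the OTL listing; used for matching files, not for security."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_watchlist(name, patterns=WATCHLIST):
    # Case-insensitive glob match, as Windows file names are case-insensitive.
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in patterns)


def scan_tree(root, patterns=WATCHLIST):
    """Walk `root` and return (padded, hashes).

    padded: list of (padded_path, twin_path_or_None); twin_path is set when the
            unpadded name also exists in the same directory (the drop-in).
    hashes: {relative_path: (size, md5)} for every file matching `patterns`.
    """
    padded, hashes = [], {}
    for dirpath, _, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            twin = padded_twin(name)
            if twin is not None:
                twin_path = os.path.join(dirpath, twin) if twin in present else None
                padded.append((full, twin_path))
            if matches_watchlist(name, patterns):
                rel = os.path.relpath(full, root)
                hashes[rel] = (os.path.getsize(full), md5_of(full))
    return padded, hashes


def shared_hashes(hashes):
    """Group watch-listed files that are byte-identical (same MD5)."""
    groups = {}
    for rel, (_, digest) in hashes.items():
        groups.setdefault(digest, []).append(rel)
    return {d: sorted(p) for d, p in groups.items() if len(p) > 1}


def build_demo_tree():
    """Constructed sample layout (assumption, not the thread's real disk):
    two programs pushed aside to 'name .exe' with one identical small file
    dropped under each real name, plus one untouched program."""
    root = tempfile.mkdtemp(prefix="padded-exe-demo-")
    layout = {
        os.path.join("QuickTime", "qttask .exe"): b"ORIGINAL-QTTASK" * 400,
        os.path.join("QuickTime", "qttask.exe"): b"DROPPED-PAYLOAD" * 50,
        os.path.join("Java Update", "jusched .exe"): b"ORIGINAL-JUSCHED" * 300,
        os.path.join("Java Update", "jusched.exe"): b"DROPPED-PAYLOAD" * 50,
        os.path.join("Opera", "opera.exe"): b"ORIGINAL-OPERA" * 100,
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    padded, hashes = scan_tree(root)
    for path, twin in padded:
        print("padded original:", path, "| shadowed by:", twin)
    for rel, (size, digest) in sorted(hashes.items()):
        print(f"{size:>8} {digest} {rel}")
    for digest, paths in shared_hashes(hashes).items():
        print("byte-identical drop-ins:", digest, paths)
```

Run against a real Program Files tree, `scan_tree` gives the same two signals the helpers above were looking for: a padded name whose twin exists is the renamed original plus the replacement, and several watch-listed files sharing one MD5 are copies of a single dropped file rather than the distinct vendor binaries they claim to be.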


#11 darctiger (Topic Starter, Members, 11 posts)

Posted 12 April 2011 - 11:15 PM

OK, here is the next log...again thank you for all the awesome help.

OTL logfile created on: 4/13/2011 12:05:44 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Timothy Carpenter\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 87.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 13.60 Gb Free Space | 18.26% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive G: | 465.76 Gb Total Space | 7.62 Gb Free Space | 1.64% Space Free | Partition Type: NTFS

Computer Name: TIMOTHY-PC | User Name: Timothy Carpenter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/13 00:04:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Timothy Carpenter\Desktop\OTL.exe
PRC - [2010/08/04 14:55:36 | 000,692,317 | ---- | M] ( ) -- C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2005/03/22 18:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (SafeList) ==========

MOD - [2011/04/13 00:04:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Timothy Carpenter\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/01/04 21:57:26 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/04/16 10:03:12 | 000,386,424 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2007/09/05 22:25:04 | 000,204,800 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - [2010/11/26 19:02:54 | 000,014,776 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010/06/07 21:53:32 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/10 23:36:58 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/03/10 23:36:58 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/03 00:52:08 | 004,605,952 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2010/01/29 02:04:28 | 002,074,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX6000Xp.sys -- (VX6000)
DRV - [2009/03/25 07:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007/07/20 19:40:10 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/04/24 11:51:08 | 000,543,104 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/11/16 16:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.avatarsbydesign.com/forum/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/06/04 23:40:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Timothy Carpenter\Application Data\Mozilla\Extensions
[2010/06/04 23:40:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Timothy Carpenter\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2011/04/11 23:41:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBit0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\tbBit0.dll (Conduit Ltd.)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe ( )
O4 - HKLM..\Run: [QuickTime Task] File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O15 - HKCU\..Trusted Domains: forsakenclans.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: forsakenclans.com ([www] https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} https://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab (HS_live Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268073852359 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269385432900 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Timothy Carpenter\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Timothy Carpenter\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/06 14:01:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/13 00:04:03 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Timothy Carpenter\Desktop\OTL.exe
[2011/04/12 00:36:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/11 23:31:25 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/04/11 09:52:07 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Timothy Carpenter\Desktop\TDSSKiller.exe
[2011/04/11 00:15:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit
[2011/04/11 00:15:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\BitTorrentBar
[2011/04/10 22:06:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Conduit
[2011/04/10 18:36:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/10 14:09:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/04/10 12:34:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\FxsTmp
[2011/04/09 02:34:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/09 02:20:07 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/09 02:15:29 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/09 02:15:29 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/09 02:15:29 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/09 02:15:29 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/09 02:14:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/09 02:10:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/09 00:50:25 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Timothy Carpenter\Desktop\HijackThis.exe
[2011/04/08 23:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/04/07 10:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/07 10:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/07 02:10:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/07 02:10:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/06 01:54:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Timothy Carpenter\Desktop\Crossfit
[2010/06/18 08:07:13 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Timothy Carpenter\Application Data\pcouffin.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/13 00:04:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Timothy Carpenter\Desktop\OTL.exe
[2011/04/12 23:32:00 | 000,000,908 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/12 23:32:00 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/12 03:17:29 | 000,000,449 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\Application Data\SamsungLiveUpdateConfig.ini
[2011/04/12 03:17:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/12 03:01:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/11 23:41:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/11 22:04:38 | 004,318,978 | R--- | M] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\ComboFix.exe
[2011/04/11 20:49:01 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\W3UvT12.dat
[2011/04/11 10:06:12 | 000,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2011/04/11 09:55:17 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/11 09:44:26 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\tdsskiller.zip
[2011/04/11 00:56:50 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/10 22:22:47 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/10 20:50:14 | 000,000,143 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\default.pls
[2011/04/10 20:50:10 | 000,000,229 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/04/10 19:11:25 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\r8ybkio2.exe
[2011/04/10 19:08:57 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\dds.com
[2011/04/10 12:34:06 | 000,448,188 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/10 12:34:06 | 000,073,962 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/10 12:28:51 | 000,000,535 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/04/09 02:20:12 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/04/09 01:56:08 | 000,045,056 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/09 00:50:29 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Timothy Carpenter\Desktop\HijackThis.exe
[2011/04/08 09:01:50 | 000,000,094 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/04/07 23:52:32 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mbidexofipu.dat
[2011/04/06 15:50:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/29 03:17:38 | 003,848,483 | ---- | M] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\Tactical-Life_com » Dave Sevigny’s Head to Toe Gear.mht
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/11 09:44:38 | 004,318,978 | R--- | C] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\ComboFix.exe
[2011/04/11 09:44:26 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\tdsskiller.zip
[2011/04/10 19:10:57 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\r8ybkio2.exe
[2011/04/10 18:59:28 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\dds.com
[2011/04/10 14:01:25 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\W3UvT12.dat
[2011/04/10 12:28:51 | 000,000,535 | ---- | C] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/04/10 12:28:45 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2011/04/10 12:28:45 | 000,001,361 | ---- | C] () -- C:\WINDOWS\System32\fxscount.h
[2011/04/09 02:20:12 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2011/04/09 02:20:08 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/09 02:15:29 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/09 02:15:29 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/09 02:15:29 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/09 02:15:29 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/09 02:15:29 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/08 09:01:50 | 000,000,094 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/04/07 23:44:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/07 02:01:48 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mbidexofipu.dat
[2011/03/29 03:17:34 | 003,848,483 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Desktop\Tactical-Life_com » Dave Sevigny’s Head to Toe Gear.mht
[2011/03/10 04:09:14 | 000,028,496 | ---- | C] () -- C:\WINDOWS\System32\SmartDefragBootTime.exe
[2011/03/10 04:09:14 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2010/06/18 08:07:38 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Application Data\vso_ts_preview.xml
[2010/06/18 08:07:13 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Application Data\pcouffin.cat
[2010/06/18 08:07:13 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Application Data\pcouffin.inf
[2010/05/05 21:45:24 | 000,000,617 | ---- | C] () -- C:\WINDOWS\nvrbm.ini
[2010/04/30 22:47:18 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2010/04/30 22:26:18 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Application Data\$_hpcst$.hpc
[2010/04/14 23:48:03 | 000,000,292 | ---- | C] () -- C:\WINDOWS\vtmb.ini
[2010/04/12 00:31:43 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\tscrip22.dll
[2010/03/22 20:29:13 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS5y.DLL
[2010/03/14 20:10:55 | 000,000,113 | ---- | C] () -- C:\WINDOWS\(null)toolkit.ini
[2010/03/11 01:17:35 | 000,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/11 00:03:22 | 000,003,192 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/03/11 00:03:22 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\78882C803C.sys
[2010/03/10 23:58:12 | 000,045,056 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/10 20:07:56 | 000,081,984 | ---- | C] () -- C:\WINDOWS\System32\bdod.bin
[2010/03/10 19:37:17 | 000,000,080 | RHS- | C] () -- C:\WINDOWS\System32\4FBF377AE0.dll
[2010/03/10 19:29:41 | 000,000,449 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Application Data\SamsungLiveUpdateConfig.ini
[2010/03/10 19:05:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/03/08 18:15:48 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\Timothy Carpenter\Local Settings\Application Data\fusioncache.dat
[2010/03/08 17:43:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2010/03/08 17:42:54 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2010/03/08 17:42:54 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2010/03/08 17:42:54 | 000,198,341 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2010/03/08 17:42:54 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2010/03/08 17:42:54 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2010/03/06 14:03:48 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/03/06 13:57:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/03/05 14:00:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/05 13:59:11 | 002,523,584 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/28 00:44:12 | 000,015,497 | ---- | C] () -- C:\WINDOWS\VX6KStd.ini
[2009/03/03 13:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/07/22 17:39:26 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2007/06/25 20:34:26 | 000,070,400 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll
[2007/06/05 14:20:32 | 000,177,704 | ---- | C] () -- C:\WINDOWS\System32\PSIService.exe
[2005/08/05 15:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/10 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 08:00:00 | 000,448,188 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 08:00:00 | 000,073,962 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/10 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/04/11 10:06:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2011/03/10 04:09:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/01/05 00:26:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2010/07/25 23:09:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/18 23:31:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\Alien Skin
[2011/04/10 21:17:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\BitTorrent
[2010/07/01 21:59:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\CanuckSoftware
[2010/08/05 21:23:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\GrabPro
[2011/03/10 04:09:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\IObit
[2010/12/15 23:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\mjusbsp
[2010/03/10 23:44:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\Opera
[2011/04/09 02:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\Orbit
[2010/08/05 21:23:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\ProgSense
[2010/05/18 20:07:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\Skinux
[2010/08/05 21:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\Sytexis Software
[2010/03/10 20:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\Trillian
[2010/06/19 22:47:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Timothy Carpenter\Application Data\Vso

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ADOBEARM .EXE >
[2010/09/20 23:07:44 | 000,932,288 | R--- | M] (Adobe Systems Incorporated) MD5=BAD6BEA0DE1F69C82BDB74378CE0C20A -- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

< MD5 for: ADOBEARM .EXE-12B22D00.PF >
[2011/04/12 00:18:38 | 000,018,142 | ---- | M] () MD5=457CC3D34F44AC109B25FAB5DFE5F044 -- C:\WINDOWS\Prefetch\ADOBEARM .EXE-12B22D00.pf

< MD5 for: ADOBEARM.EXE-2D1B11BF.PF >
[2011/04/12 00:18:28 | 000,014,280 | ---- | M] () MD5=CC82E2C209155C38F71BF4A0F1F0E83D -- C:\WINDOWS\Prefetch\ADOBEARM.EXE-2D1B11BF.pf

< MD5 for: ADOBEARM.LOG >
[2011/04/12 00:18:38 | 000,000,811 | ---- | M] () MD5=C0CB0CA091FC2E34BBC5E8EC99D3FAB9 -- C:\Documents and Settings\Timothy Carpenter\Local Settings\temp\AdobeARM.log

< MD5 for: JUSCHED .EXE >
[2010/05/14 11:44:46 | 000,248,552 | ---- | M] (Sun Microsystems, Inc.) MD5=93DB1FF92B03D24738A71E6E4992DFD3 -- C:\Program Files\Common Files\Java\Java Update\jusched .exe

< MD5 for: JUSCHED.LOG >
[2011/04/11 23:47:09 | 000,000,403 | ---- | M] () MD5=410188CF64B6341ED20C0AE329A6BB21 -- C:\Documents and Settings\Timothy Carpenter\Local Settings\temp\jusched.log

< MD5 for: NMBGMONITOR .EXE >
[2007/06/27 19:03:40 | 000,152,872 | ---- | M] (Nero AG) MD5=86F0D0B3A07C142C81DAB47E8495A822 -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe

< MD5 for: QTTASK .EXE >
[2010/11/29 18:38:18 | 000,421,888 | ---- | M] (Apple Inc.) MD5=0AEE5668EB59912F32FF245BFA72465F -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 09:49:46 | 000,072,712 | ---- | M] () MD5=1BC127C08A11CF259E825A7D3F7F7540 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 09:44:59 | 000,072,712 | ---- | M] () MD5=38C9E576E4D565547662C130B91D634B -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 09:32:55 | 000,072,712 | ---- | M] () MD5=6FB30409DD5529635151B0DB82BE0512 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:08:54 | 000,072,728 | ---- | M] () MD5=9301342AA731FF609049945C6F2BF98C -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:08:02 | 000,072,724 | ---- | M] () MD5=E9CC5E0F73BCC4F4971A5C9B1CB3A681 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:07:15 | 000,072,724 | ---- | M] () MD5=51E6171B923B2BF82A23D3F6B6F49B08 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:06:26 | 000,072,720 | ---- | M] () MD5=5F7B2349E2F0D35D96432A4302A115A7 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:05:42 | 000,072,724 | ---- | M] () MD5=CA24DCE732BC17F718E5AE0F8E594C0C -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:04:58 | 000,072,720 | ---- | M] () MD5=A1EE593CE7BF1869A5930710E94DAA92 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:04:13 | 000,072,720 | ---- | M] () MD5=BD612E3132F7A2C2C098D1038BAC6292 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:03:29 | 000,072,716 | ---- | M] () MD5=EC7C7F477EBA53263335B21850301BBF -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:02:38 | 000,072,724 | ---- | M] () MD5=5791E6222D732A96F02FE345611E86F7 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:01:49 | 000,072,720 | ---- | M] () MD5=3088F10494DCAB469607D134E11741E3 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:01:07 | 000,072,720 | ---- | M] () MD5=BFC88F46A14DE4D2DD66DCB7D40F0A4A -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 06:00:24 | 000,072,716 | ---- | M] () MD5=D180B26026A247743749037509935038 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 05:59:27 | 000,072,720 | ---- | M] () MD5=173B801671C70A4826C55FE938452EB7 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 05:58:38 | 000,072,716 | ---- | M] () MD5=3F84A877E10EA73875F33E9BC896802F -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 05:57:52 | 000,072,716 | ---- | M] () MD5=2452068018D4933FB6A2B61C54E65BFB -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 05:57:06 | 000,072,712 | ---- | M] () MD5=B01FD2BFD8E961C6722A4D7CD99E48F8 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:21:43 | 000,072,724 | ---- | M] () MD5=EF8E27C840359E28E5F82775B2E81F0C -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:20:43 | 000,072,720 | ---- | M] () MD5=1EEFD65F2F4F8A08014F65F19F72CD38 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:19:57 | 000,072,720 | ---- | M] () MD5=901A78C7889DDF4C9E2281B1CDC3FB06 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:19:11 | 000,072,716 | ---- | M] () MD5=386E41CBF1C09D4B2645F5D14A1CFB1E -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:18:28 | 000,072,720 | ---- | M] () MD5=E968C540199955A16117466B7244F917 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:17:40 | 000,072,716 | ---- | M] () MD5=83AC4CB97B476B7506AECBCA8F6DABEF -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:16:50 | 000,072,716 | ---- | M] () MD5=00C09DB1F75AE02F44C575F088AEC3E9 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 03:16:03 | 000,072,712 | ---- | M] () MD5=3DA62CBDA0F22ABDB8D3E3B34816EA20 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 02:52:15 | 000,072,720 | ---- | M] () MD5=65CFDF69DB866BF909BE41C00D3E5684 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 02:51:24 | 000,072,716 | ---- | M] () MD5=B129761AD6AFED9222ACF894929FEC44 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 02:50:40 | 000,072,716 | ---- | M] () MD5=DD2A758F14D6EBA04527A92DD44EA435 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 02:49:56 | 000,072,712 | ---- | M] () MD5=D1F948D02F372F8F269A8F896C0D1B15 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/11 01:13:37 | 000,072,712 | ---- | M] () MD5=E27F490611477C96F4DA1242455654CD -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK .EXE >
[2011/04/10 20:34:17 | 000,072,712 | ---- | M] () MD5=A0E16187EB8F007009C9CCCD6EF081A0 -- C:\Program Files\QuickTime\qttask .exe

< MD5 for: QTTASK.EXE >
[2011/04/11 10:01:59 | 000,072,712 | ---- | M] () MD5=E389DAC8CB70C0243FE6E20AC3369F09 -- C:\Program Files\QuickTime\qttask.exe

< MD5 for: SUPERANTISPYWARE .EXE >
[2010/10/17 18:55:58 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) MD5=52231A2FFDEAD130D3F89BBC6D64AB7C -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe

< MD5 for: SUPERANTISPYWARE ALTERNATE START.LNK >
[2010/03/10 20:00:20 | 000,000,806 | ---- | M] () MD5=5345C5EBF5349C615C45DAC828164A1B -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware\SUPERAntiSpyware Alternate Start.lnk

< MD5 for: SUPERANTISPYWARE FREE EDITION.ICO >
[2011/04/09 02:05:09 | 000,015,046 | ---- | M] () MD5=E4E47CAAB3A8C78216B8A3AB5678F9A8 -- C:\Documents and Settings\Timothy Carpenter\Application Data\Orbit\icon\SUPERAntiSpyware Free Edition.ico

< MD5 for: SUPERANTISPYWARE FREE EDITION.LNK >
[2010/03/10 20:00:20 | 000,001,736 | ---- | M] () MD5=E0D53D0A1194E49109095A491B61A0FC -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware\SUPERAntiSpyware Free Edition.lnk

< MD5 for: SUPERANTISPYWARE HELP.LNK >
[2010/03/10 20:00:20 | 000,000,836 | ---- | M] () MD5=A07A75A338069622F934C856919FC331 -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware\SUPERAntiSpyware Help.lnk

< MD5 for: SUPERANTISPYWARE REGISTRATION-ACTIVATION.LNK >
[2010/03/10 20:00:20 | 000,001,686 | ---- | M] () MD5=2CF21DD98AD1FBCC424FA69497D673D6 -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware\SUPERAntiSpyware Registration-Activation.lnk

< MD5 for: SUPERANTISPYWARE REPAIR.LNK >
[2010/03/10 20:00:20 | 000,001,882 | ---- | M] () MD5=31FCE02629CA8A9FA02AA4AF85BBB2D8 -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware\SUPERAntiSpyware Repair.lnk

< MD5 for: SUPERANTISPYWARE SCAN LOG - 04-08-2011 - 00-45-46.LOG >
[2011/04/08 00:45:46 | 000,028,984 | ---- | M] () MD5=73443E163BE479FE0A03E08877EBC4D5 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 04-08-2011 - 00-45-46.log

< MD5 for: SUPERANTISPYWARE.CHM >
[2007/11/27 13:12:26 | 001,088,725 | ---- | M] () MD5=B717B479E425D5D58108F95789370E91 -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.chm

< MD5 for: SUPERANTISPYWARE.EXE >
[2010/03/10 20:00:07 | 007,520,288 | ---- | M] () MD5=5EE5A255F3C7AAC7B423F78D2765F316 -- C:\Documents and Settings\Timothy Carpenter\My Documents\Downloaded Program Updates\SUPERAntiSpyware.exe

< MD5 for: SUPERANTISPYWARE-4-10-2011( 13-57-58 ).SDB >
[2011/04/10 18:11:21 | 000,006,510 | ---- | M] () MD5=2E711ACA07C07562F0F518CF0D78AE03 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-10-2011( 13-57-58 ).SDB

< MD5 for: SUPERANTISPYWARE-4-10-2011( 18-17-2 ).SDB >
[2011/04/10 19:05:01 | 000,006,550 | ---- | M] () MD5=FF7DED3C1D1F7A5202AB2EC92AD25ACC -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-10-2011( 18-17-2 ).SDB

< MD5 for: SUPERANTISPYWARE-4-10-2011( 20-32-9 ).SDB >
[2011/04/10 21:26:50 | 000,006,567 | ---- | M] () MD5=85F00FD4B3C9BD11AE6B8FFBB917CB1B -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-10-2011( 20-32-9 ).SDB

< MD5 for: SUPERANTISPYWARE-4-10-2011( 21-32-17 ).SDB >
[2011/04/10 22:19:09 | 000,006,566 | ---- | M] () MD5=6870F5C08C86104BBB4202DAE8973607 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-10-2011( 21-32-17 ).SDB

< MD5 for: SUPERANTISPYWARE-4-10-2011( 22-52-58 ).SDB >
[2011/04/11 09:39:48 | 000,006,567 | ---- | M] () MD5=E2C37A63875AD600491B921CB410A1E4 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-10-2011( 22-52-58 ).SDB

< MD5 for: SUPERANTISPYWARE-4-11-2011( 22-12-52 ).SDB >
[2011/04/11 22:14:33 | 000,006,467 | ---- | M] () MD5=985EB9356D489969EDE3F4DFAD6120C6 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-11-2011( 22-12-52 ).SDB

< MD5 for: SUPERANTISPYWARE-4-11-2011( 22-19-55 ).SDB >
[2011/04/11 23:28:22 | 000,006,584 | ---- | M] () MD5=A24F9A0E3096526B9D3F310771BD1BD1 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-11-2011( 22-19-55 ).SDB

< MD5 for: SUPERANTISPYWARE-4-11-2011( 23-42-26 ).SDB >
[2011/04/11 23:43:11 | 000,006,524 | ---- | M] () MD5=E8E88D708C423A16C8845F9066ED5011 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-11-2011( 23-42-26 ).SDB

< MD5 for: SUPERANTISPYWARE-4-11-2011( 9-43-16 ).SDB >
[2011/04/11 09:45:35 | 000,006,567 | ---- | M] () MD5=67E1AE7890120F967B3CFF96E259C94B -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-11-2011( 9-43-16 ).SDB

< MD5 for: SUPERANTISPYWARE-4-11-2011( 9-48-54 ).SDB >
[2011/04/11 09:49:29 | 000,006,524 | ---- | M] () MD5=1946A0A8C6E4B6A4C2F96B5C14A2E029 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-11-2011( 9-48-54 ).SDB

< MD5 for: SUPERANTISPYWARE-4-11-2011( 9-56-48 ).SDB >
[2011/04/11 10:01:27 | 000,006,524 | ---- | M] () MD5=1C730126D2DAB9D7F6AE5A983FB41C68 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-11-2011( 9-56-48 ).SDB

< MD5 for: SUPERANTISPYWARE-4-5-2011( 21-43-5 ).SDB >
[2011/04/05 21:43:05 | 000,006,273 | ---- | M] () MD5=C8FEB82B2BFAB4F17AAC8D2F5F484E32 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-5-2011( 21-43-5 ).SDB

< MD5 for: SUPERANTISPYWARE-4-6-2011( 17-34-37 ).SDB >
[2011/04/07 08:54:29 | 000,006,362 | ---- | M] () MD5=05E683EC64F2ADADAE225A1C435E240D -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-6-2011( 17-34-37 ).SDB

< MD5 for: SUPERANTISPYWARE-4-7-2011( 21-58-13 ).SDB >
[2011/04/08 09:02:31 | 001,066,163 | ---- | M] () MD5=F27C1A7F95BFEF87385730D97CE094AC -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-7-2011( 21-58-13 ).SDB

< MD5 for: SUPERANTISPYWARE-4-7-2011( 8-58-44 ).SDB >
[2011/04/07 21:54:03 | 000,006,362 | ---- | M] () MD5=61156E956641DDB413323DDC520E9690 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-7-2011( 8-58-44 ).SDB

< MD5 for: SUPERANTISPYWARE-4-9-2011( 0-16-6 ).SDB >
[2011/04/09 00:16:06 | 000,006,422 | ---- | M] () MD5=0C02AB9FC4A51851740A2C1A3A06610D -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2011( 0-16-6 ).SDB

< MD5 for: SUPERANTISPYWARE-4-9-2011( 1-30-48 ).SDB >
[2011/04/09 01:30:48 | 000,006,421 | ---- | M] () MD5=499BB9DDBAD9598EB42CA4B1D6412C53 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2011( 1-30-48 ).SDB

< MD5 for: SUPERANTISPYWARE-4-9-2011( 1-47-53 ).SDB >
[2011/04/09 01:47:53 | 000,006,421 | ---- | M] () MD5=A0060F07D05EB24D0781984754AF998E -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2011( 1-47-53 ).SDB

< MD5 for: SUPERANTISPYWARE-4-9-2011( 1-55-25 ).SDB >
[2011/04/09 01:55:25 | 000,006,421 | ---- | M] () MD5=D3D76F61295D604CC8835F70D4AA65C2 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2011( 1-55-25 ).SDB

< MD5 for: SUPERANTISPYWARE-4-9-2011( 19-54-15 ).SDB >
[2011/04/10 13:53:26 | 000,006,510 | ---- | M] () MD5=237C8301EEFF7EC8103F8ED0FB8ED0DC -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2011( 19-54-15 ).SDB

< MD5 for: SUPERANTISPYWARE-4-9-2011( 2-1-25 ).SDB >
[2011/04/09 02:08:18 | 000,006,468 | ---- | M] () MD5=A83C6714F55353CAB9970D9D7156C419 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2011( 2-1-25 ).SDB

< MD5 for: SUPERANTISPYWARE-4-9-2011( 3-4-8 ).SDB >
[2011/04/09 19:48:55 | 000,006,511 | ---- | M] () MD5=73E28BBB45D8564C2DC785BAC83FDC15 -- C:\Documents and Settings\Timothy Carpenter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-9-2011( 3-4-8 ).SDB

< MD5 for: WCESCOMM .EXE >
[2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) MD5=5515EB5E3A8B073F66CFC697EB0D4B55 -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe

< MD5 for: WCESCOMM .EXE >
[2011/04/11 09:49:46 | 000,072,712 | ---- | M] () MD5=057E91054D7AF239C43190B035244593 -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe

< MD5 for: WCESCOMM .EXE >
[2011/04/11 09:44:59 | 000,072,712 | ---- | M] () MD5=38C9E576E4D565547662C130B91D634B -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe

< MD5 for: WCESCOMM .EXE >
[2011/04/11 01:13:37 | 000,072,712 | ---- | M] () MD5=E27F490611477C96F4DA1242455654CD -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe

< MD5 for: WCESCOMM.EXE >
[2011/04/11 10:01:59 | 000,072,712 | ---- | M] () MD5=2B2111A334B28CFC34525F046BD46ACB -- C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C

< End of report >

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 13 April 2011 - 08:08 PM

darctiger:

How comfortable are you with using Windows Explorer to find and rename some files? Please do this and let me know:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    [2011/04/11 09:49:46 | 000,072,712 | ---- | M] () MD5=1BC127C08A11CF259E825A7D3F7F7540 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 09:44:59 | 000,072,712 | ---- | M] () MD5=38C9E576E4D565547662C130B91D634B -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 09:32:55 | 000,072,712 | ---- | M] () MD5=6FB30409DD5529635151B0DB82BE0512 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:08:54 | 000,072,728 | ---- | M] () MD5=9301342AA731FF609049945C6F2BF98C -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:08:02 | 000,072,724 | ---- | M] () MD5=E9CC5E0F73BCC4F4971A5C9B1CB3A681 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:07:15 | 000,072,724 | ---- | M] () MD5=51E6171B923B2BF82A23D3F6B6F49B08 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:06:26 | 000,072,720 | ---- | M] () MD5=5F7B2349E2F0D35D96432A4302A115A7 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:05:42 | 000,072,724 | ---- | M] () MD5=CA24DCE732BC17F718E5AE0F8E594C0C -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:04:58 | 000,072,720 | ---- | M] () MD5=A1EE593CE7BF1869A5930710E94DAA92 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:04:13 | 000,072,720 | ---- | M] () MD5=BD612E3132F7A2C2C098D1038BAC6292 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:03:29 | 000,072,716 | ---- | M] () MD5=EC7C7F477EBA53263335B21850301BBF -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:02:38 | 000,072,724 | ---- | M] () MD5=5791E6222D732A96F02FE345611E86F7 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:01:49 | 000,072,720 | ---- | M] () MD5=3088F10494DCAB469607D134E11741E3 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:01:07 | 000,072,720 | ---- | M] () MD5=BFC88F46A14DE4D2DD66DCB7D40F0A4A -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 06:00:24 | 000,072,716 | ---- | M] () MD5=D180B26026A247743749037509935038 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 05:59:27 | 000,072,720 | ---- | M] () MD5=173B801671C70A4826C55FE938452EB7 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 05:58:38 | 000,072,716 | ---- | M] () MD5=3F84A877E10EA73875F33E9BC896802F -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 05:57:52 | 000,072,716 | ---- | M] () MD5=2452068018D4933FB6A2B61C54E65BFB -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 05:57:06 | 000,072,712 | ---- | M] () MD5=B01FD2BFD8E961C6722A4D7CD99E48F8 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:21:43 | 000,072,724 | ---- | M] () MD5=EF8E27C840359E28E5F82775B2E81F0C -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:20:43 | 000,072,720 | ---- | M] () MD5=1EEFD65F2F4F8A08014F65F19F72CD38 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:19:57 | 000,072,720 | ---- | M] () MD5=901A78C7889DDF4C9E2281B1CDC3FB06 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:19:11 | 000,072,716 | ---- | M] () MD5=386E41CBF1C09D4B2645F5D14A1CFB1E -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:18:28 | 000,072,720 | ---- | M] () MD5=E968C540199955A16117466B7244F917 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:17:40 | 000,072,716 | ---- | M] () MD5=83AC4CB97B476B7506AECBCA8F6DABEF -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:16:50 | 000,072,716 | ---- | M] () MD5=00C09DB1F75AE02F44C575F088AEC3E9 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 03:16:03 | 000,072,712 | ---- | M] () MD5=3DA62CBDA0F22ABDB8D3E3B34816EA20 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 02:52:15 | 000,072,720 | ---- | M] () MD5=65CFDF69DB866BF909BE41C00D3E5684 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 02:51:24 | 000,072,716 | ---- | M] () MD5=B129761AD6AFED9222ACF894929FEC44 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 02:50:40 | 000,072,716 | ---- | M] () MD5=DD2A758F14D6EBA04527A92DD44EA435 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 02:49:56 | 000,072,712 | ---- | M] () MD5=D1F948D02F372F8F269A8F896C0D1B15 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 01:13:37 | 000,072,712 | ---- | M] () MD5=E27F490611477C96F4DA1242455654CD -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/10 20:34:17 | 000,072,712 | ---- | M] () MD5=A0E16187EB8F007009C9CCCD6EF081A0 -- C:\Program Files\QuickTime\qttask .exe
    [2011/04/11 10:01:59 | 000,072,712 | ---- | M] () MD5=E389DAC8CB70C0243FE6E20AC3369F09 -- C:\Program Files\QuickTime\qttask.exe
    [2010/03/10 20:00:07 | 007,520,288 | ---- | M] () MD5=5EE5A255F3C7AAC7B423F78D2765F316 -- C:\Documents and Settings\Timothy Carpenter\My Documents\Downloaded Program Updates\SUPERAntiSpyware.exe
    [2011/04/11 09:49:46 | 000,072,712 | ---- | M] () MD5=057E91054D7AF239C43190B035244593 -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
    [2011/04/11 09:44:59 | 000,072,712 | ---- | M] () MD5=38C9E576E4D565547662C130B91D634B -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
    [2011/04/11 01:13:37 | 000,072,712 | ---- | M] () MD5=E27F490611477C96F4DA1242455654CD -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
    [2011/04/11 10:01:59 | 000,072,712 | ---- | M] () MD5=2B2111A334B28CFC34525F046BD46ACB -- C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    :Commands
    [EmptyFlash]
    [EmptyTemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; it will reboot when it is done and produce a log
Run ComboFix again

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • OTL Fix log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
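As an added example that is not part of this thread (it is neither the helper's fix script nor OTL's own code), the following Python triage script picks out the two indicators visible in the listing above: file names with whitespace squeezed between the name and the .exe extension, and a single name that appears under many different MD5 values. The sample lines are constructed to mimic OTL's "< MD5 for: >" output format; only the paths follow the thread, and the hash values are placeholders rather than real hashes.

```python
import re
from collections import defaultdict

# Constructed sample input in the format OTL prints in its "< MD5 for: >" listing.
# Paths follow the ones in this thread; the MD5 values are placeholders, not real hashes.
SAMPLE_OTL_LINES = r"""
[2011/04/11 03:20:43 | 000,072,720 | ---- | M] () MD5=00000000000000000000000000000001 -- C:\Program Files\QuickTime\qttask .exe
[2011/04/11 03:19:57 | 000,072,720 | ---- | M] () MD5=00000000000000000000000000000002 -- C:\Program Files\QuickTime\qttask .exe
[2011/04/11 03:19:11 | 000,072,716 | ---- | M] () MD5=00000000000000000000000000000003 -- C:\Program Files\QuickTime\qttask   .exe
[2011/04/11 10:01:59 | 000,072,712 | ---- | M] () MD5=00000000000000000000000000000004 -- C:\Program Files\QuickTime\qttask.exe
[2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000005 -- C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
[2010/10/17 18:55:58 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) MD5=00000000000000000000000000000006 -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# One OTL listing line: [mtime | size | attrs | M] (vendor) MD5=<hex> -- <path>
OTL_LINE_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<vendor>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)

# Whitespace immediately before the final extension, e.g. "qttask .exe".
PADDED_NAME_RE = re.compile(r"\s+\.[^.\s\\]+$")


def parse_otl_md5_lines(text):
    """Turn OTL MD5 listing lines into dicts; lines in any other format are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        m = OTL_LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["basename"] = rec["path"].rsplit("\\", 1)[-1]
        rec["size"] = int(rec["size"].replace(",", ""))
        rec["md5"] = rec["md5"].upper()
        records.append(rec)
    return records


def canonical_name(basename):
    """Collapse all whitespace so 'qttask .exe' and 'qttask.exe' compare equal."""
    return re.sub(r"\s+", "", basename).lower()


def find_padded_names(records):
    """Return records whose file name has whitespace between the name and its extension."""
    return [r for r in records if PADDED_NAME_RE.search(r["basename"])]


def hash_variants(records):
    """Map each canonical name to the set of distinct MD5 values seen under that name."""
    variants = defaultdict(set)
    for r in records:
        variants[canonical_name(r["basename"])].add(r["md5"])
    return dict(variants)


def triage(text):
    """Summarise both indicators: padded names, and one name carrying several hashes."""
    records = parse_otl_md5_lines(text)
    padded = find_padded_names(records)
    variants = hash_variants(records)
    return {
        "parsed": len(records),
        "padded_paths": [r["path"] for r in padded],
        "hash_counts": {name: len(h) for name, h in variants.items()},
        "suspect_names": sorted(n for n, h in variants.items() if len(h) > 1),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_OTL_LINES)
    for path in summary["padded_paths"]:
        print("padded name:", path)
    for name, count in summary["hash_counts"].items():
        print(f"{name}: {count} distinct hash(es)")
    print("suspect:", summary["suspect_names"])
```

Feeding a real OTL "< MD5 for: >" section to `triage()` gives a short list of paths worth a second look; the unpadded original (here `qttask.exe` with one hash) is kept apart from its padded look-alikes, which is exactly the distinction the fix script above relies on.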


#13 darctiger

darctiger
  • Topic Starter

  • Members
  • 11 posts

Posted 14 April 2011 - 01:45 AM

I can find and rename whatever


OTL....


All processes killed
========== OTL ==========
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
File C:\Program Files\QuickTime\qttask .exe not found.
C:\Program Files\QuickTime\qttask.exe moved successfully.
C:\Documents and Settings\Timothy Carpenter\My Documents\Downloaded Program Updates\SUPERAntiSpyware.exe moved successfully.
File C:\Program Files\Microsoft ActiveSync\Wcescomm .exe not found.
File C:\Program Files\Microsoft ActiveSync\Wcescomm .exe not found.
File C:\Program Files\Microsoft ActiveSync\Wcescomm .exe not found.
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe moved successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 42313 bytes

User: All Users

User: Default User
->Flash cache emptied: 41620 bytes

User: LocalService
->Flash cache emptied: 48100 bytes

User: NetworkService
->Flash cache emptied: 48976 bytes

User: Timothy Carpenter
->Flash cache emptied: 894 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4292742 bytes
->Java cache emptied: 1669 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 589020 bytes
->Java cache emptied: 6706 bytes
->Flash cache emptied: 0 bytes

User: Timothy Carpenter
->Temp folder emptied: 42464053 bytes
->Temporary Internet Files folder emptied: 34509495 bytes
->Java cache emptied: 384440 bytes
->Opera cache emptied: 17551615 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1205958 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 208 bytes

Total Files Cleaned = 97.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04132011_221618

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



ComboFix...



ComboFix 11-04-13.04 - Timothy Carpenter 04/14/2011 2:29.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3112 [GMT -4:00]
Running from: c:\documents and settings\Timothy Carpenter\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\program files\Microsoft ActiveSync\Wcescomm .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-14 to 2011-04-14 )))))))))))))))))))))))))))))))
.
.
2011-04-14 02:16 . 2011-04-14 02:16 -------- d-----w- C:\_OTL
2011-04-11 04:16 . 2011-04-11 04:16 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BitTorrentBar
2011-04-11 03:01 . 2011-04-11 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-04-11 03:00 . 2011-04-11 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-11 02:06 . 2011-04-11 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-04-10 18:09 . 2011-04-10 18:10 -------- d-----w- c:\windows\system32\NtmsData
2011-04-10 16:34 . 2011-04-10 16:34 -------- d-----w- c:\windows\system32\FxsTmp
2011-04-10 16:28 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-04-10 16:28 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-04-10 16:28 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-04-10 16:28 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-04-09 06:34 . 2011-04-09 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2010-03-06 17:54 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-06 17:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Microsoft ActiveSync\Wcescomm       .exe
c:\program files\QuickTime\qttask                                     .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\windows\ehome\ehtray .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot@2011-04-11_14.18.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-14 02:18 . 2011-04-14 02:18 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
- 2004-08-10 12:00 . 2009-03-08 08:31 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
- 2009-03-08 08:31 . 2009-03-08 08:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 08:31 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 43520 c:\windows\system32\licmgr10.dll
- 2004-08-10 12:00 . 2009-03-08 08:33 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll
+ 2010-03-11 00:01 . 2010-12-20 22:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-03-11 00:01 . 2010-04-29 19:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-03-11 00:01 . 2010-12-20 22:08 20952 c:\windows\system32\drivers\mbam.sys
- 2010-03-11 00:01 . 2010-04-29 19:39 20952 c:\windows\system32\drivers\mbam.sys
- 2009-03-08 08:31 . 2009-03-08 08:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 08:31 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 08:34 . 2010-12-20 23:59 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-03-08 08:33 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-03-08 08:33 . 2009-03-08 08:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2011-04-12 07:00 . 2009-05-26 11:40 17272 c:\windows\ie8updates\KB981332-IE8\spmsg.dll
+ 2011-04-12 07:00 . 2009-05-26 11:40 26488 c:\windows\ie8updates\KB981332-IE8\spcustom.dll
+ 2011-04-12 07:01 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB976662-IE8\spmsg.dll
+ 2011-04-12 07:01 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB976662-IE8\spcustom.dll
+ 2011-04-12 07:00 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB971961-IE8\spmsg.dll
+ 2011-04-12 07:00 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB971961-IE8\spcustom.dll
+ 2011-04-12 07:00 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll
+ 2011-04-12 07:00 . 2010-07-05 13:15 17272 c:\windows\ie8updates\KB2482017-IE8\spmsg.dll
+ 2011-04-12 07:00 . 2010-07-05 13:15 26488 c:\windows\ie8updates\KB2482017-IE8\spcustom.dll
+ 2011-04-12 07:00 . 2009-03-08 08:31 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
+ 2011-04-12 07:00 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll
+ 2011-04-12 07:00 . 2009-03-08 08:34 43008 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll
+ 2011-04-12 07:00 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll
+ 2010-01-29 06:04 . 2010-01-29 06:04 764784 c:\windows\vVX6000.exe
+ 2004-08-10 12:00 . 2010-12-20 23:59 916480 c:\windows\system32\wininet.dll
- 2004-08-10 12:00 . 2009-03-08 08:33 420352 c:\windows\system32\vbscript.dll
+ 2004-08-10 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 206848 c:\windows\system32\occache.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll
- 2004-08-10 12:00 . 2009-03-08 08:32 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 08:32 . 2010-12-20 23:59 602112 c:\windows\system32\msfeeds.dll
- 2004-08-10 12:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-10 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 184320 c:\windows\system32\iepeers.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 12:00 . 2010-12-20 12:55 173568 c:\windows\system32\ie4uinit.exe
+ 2009-03-08 08:34 . 2010-12-20 23:59 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-03-08 08:33 . 2009-03-08 08:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2009-03-08 08:33 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2009-03-08 08:34 . 2010-12-20 23:59 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-03-08 08:32 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-03-08 08:32 . 2009-03-08 08:32 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-03-08 08:33 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 08:33 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 08:31 . 2010-12-20 23:59 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 18:09 . 2010-12-20 23:59 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 08:32 . 2010-12-20 12:55 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2011-04-12 07:00 . 2009-03-08 08:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2011-04-12 07:00 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\updspapi.dll
+ 2011-04-12 07:00 . 2009-05-26 11:40 755576 c:\windows\ie8updates\KB981332-IE8\update.exe
+ 2011-04-12 07:00 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2011-04-12 07:00 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2011-04-12 07:00 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst.exe
+ 2011-04-12 07:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\updspapi.dll
+ 2011-04-12 07:01 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB976662-IE8\update.exe
+ 2011-04-12 07:01 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2011-04-12 07:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2011-04-12 07:01 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst.exe
+ 2011-04-12 07:01 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2011-04-12 07:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\updspapi.dll
+ 2011-04-12 07:00 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB971961-IE8\update.exe
+ 2011-04-12 07:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2011-04-12 07:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2011-04-12 07:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst.exe
+ 2011-04-12 07:00 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2011-04-12 07:00 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB2482017-IE8\wininet.dll
+ 2011-04-12 07:00 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\updspapi.dll
+ 2011-04-12 07:00 . 2010-07-05 13:15 755576 c:\windows\ie8updates\KB2482017-IE8\update.exe
+ 2011-04-12 07:00 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\spuninst\updspapi.dll
+ 2011-04-12 07:00 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst\spuninst.exe
+ 2011-04-12 07:00 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst.exe
+ 2011-04-12 07:00 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB2482017-IE8\occache.dll
+ 2011-04-12 07:00 . 2009-03-08 08:32 611840 c:\windows\ie8updates\KB2482017-IE8\mstime.dll
+ 2011-04-12 07:00 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB2482017-IE8\msfeeds.dll
+ 2011-04-12 07:00 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB2482017-IE8\ieproxy.dll
+ 2011-04-12 07:00 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB2482017-IE8\iepeers.dll
+ 2011-04-12 07:00 . 2009-03-08 08:35 742912 c:\windows\ie8updates\KB2482017-IE8\iedvtool.dll
+ 2011-04-12 07:00 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB2482017-IE8\iedkcs32.dll
+ 2011-04-12 07:00 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB2482017-IE8\ie4uinit.exe
+ 2004-08-10 12:00 . 2010-12-20 23:59 1210880 c:\windows\system32\urlmon.dll
+ 2004-08-10 12:00 . 2010-12-20 23:59 5961216 c:\windows\system32\mshtml.dll
+ 2009-03-08 08:32 . 2010-12-20 23:59 1991680 c:\windows\system32\iertutil.dll
+ 2009-03-08 08:34 . 2010-12-20 23:59 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2009-03-08 08:41 . 2010-12-20 23:59 5961216 c:\windows\system32\dllcache\mshtml.dll
+ 2011-04-12 07:00 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB2482017-IE8\urlmon.dll
+ 2011-04-12 07:00 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB2482017-IE8\mshtml.dll
+ 2011-04-12 07:00 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB2482017-IE8\iertutil.dll
+ 2009-03-08 08:39 . 2010-12-21 09:29 11080704 c:\windows\system32\ieframe.dll
+ 2011-04-12 07:00 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB2482017-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2010-12-26 23:43 3911776 ----a-w- c:\program files\BitTorrentBar\tbBit0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2010-08-04 692317]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/10/2011 4:09 AM 14776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 12:27 AM 136176]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 2:04 AM 2074480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
2011-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.avatarsbydesign.com/forum/
uInternet Connection Wizard,ShellNext = hxxp://www.avatarsbydesign.com/forum/
Trusted Zone: forsakenclans.com\www
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-14 02:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
.
[HKEY_USERS\S-1-5-21-1547161642-839522115-781633064-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{41494EE4-61D2-80B9-255E-AAECC9B1572D}*]
"mamjgndgkifambmgjkdopmbkee"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,70,
69,6f,68,00,02
"naclaackleeiocclohnmcdachchd"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,
70,69,6f,68,00,77
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2011-04-14 02:39:05
ComboFix-quarantined-files.txt 2011-04-14 06:39
ComboFix2.txt 2011-04-12 03:46
ComboFix3.txt 2011-04-12 02:18
ComboFix4.txt 2011-04-11 14:19
ComboFix5.txt 2011-04-14 06:26
.
Pre-Run: 14,516,420,608 bytes free
Post-Run: 14,552,137,728 bytes free
.
- - End Of File - - 3457F2A9D075C02AB5CB25EE5E34BA56

#14 RPMcMurphy

RPMcMurphy
    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 14 April 2011 - 06:45 PM

darctiger:

Thanks for your patience - we are making progress. Please do this now:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad). Copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above RenV::

RenV::
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Microsoft ActiveSync\Wcescomm       .exe
c:\program files\QuickTime\qttask                                     .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\windows\ehome\ehtray .exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [Donate].
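Detection logic for the pattern the RenV:: list above targets (an executable whose name has whitespace inserted before its extension, which ComboFix lists as e.g. "qttask .exe"), as an added Python example that is not part of the original post or of ComboFix; the sample log lines are constructed in ComboFix's Reg Loading Points format, and the `[X]` marker is reproduced from the log above as it appears there.

```python
import re

# Constructed sample in the style of a ComboFix "Reg Loading Points" section
# (not copied from any single real log). Two Run entries have a space before
# ".exe", the renamed-executable artefact the RenV:: script repairs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched   .exe" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
"""

# A Windows path whose final component is "<name><spaces/tabs>.<ext>".
# The gap is captured separately so the on-disk spelling (however many
# spaces it contains) is preserved verbatim in the RenV:: entry.
_RENAMED_EXE = re.compile(
    r'(?P<path>[a-z]:\\[^"\r\n]*?[^\s\\])'   # drive letter up to the last real char
    r'(?P<gap>[ \t]+)'                       # the injected whitespace
    r'\.(?P<ext>exe|dll|scr|com)\b',         # the extension that follows it
    re.IGNORECASE,
)


def find_renamed_executables(log_text: str) -> list[str]:
    """Return each 'name<whitespace>.ext' path in log_text, in order, without duplicates.

    Healthy entries such as ehtray.exe or EasyShare.exe are not matched because
    nothing but whitespace may sit between the name and the extension.
    """
    found: list[str] = []
    for m in _RENAMED_EXE.finditer(log_text):
        literal = f"{m.group('path')}{m.group('gap')}.{m.group('ext')}"
        if literal not in found:
            found.append(literal)
    return found


def build_renv_script(paths: list[str]) -> str:
    """Build CFScript text: 'RenV::' on the first line, then one literal path per line.

    Returns an empty string when there is nothing to rename, so an empty
    script is never written by mistake.
    """
    if not paths:
        return ""
    return "RenV::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = find_renamed_executables(SAMPLE_LOG)
    for path in hits:
        print("renamed executable:", repr(path))
    print(build_renv_script(hits), end="")
```

The literal whitespace in each returned path must match the file name on disk exactly; the helper's list above shows that the gap can be many spaces, so the entries are never normalised before being written to the script.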


#15 darctiger

darctiger
  • Topic Starter
  • Members
  • 11 posts

Posted 14 April 2011 - 11:54 PM

Here is the next set of logs.


ComboFix 11-04-14.01 - Timothy Carpenter 04/15/2011 0:47.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3015 [GMT -4:00]
Running from: c:\documents and settings\Timothy Carpenter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Timothy Carpenter\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-15 03:33 . 2011-04-15 03:33 -------- d-----w- c:\windows\LastGood
2011-04-14 02:16 . 2011-04-14 02:16 -------- d-----w- C:\_OTL
2011-04-11 04:16 . 2011-04-11 04:16 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2011-04-11 04:15 . 2011-04-11 04:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BitTorrentBar
2011-04-11 03:01 . 2011-04-11 03:01 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-04-11 03:00 . 2011-04-11 03:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-11 02:06 . 2011-04-11 02:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2011-04-10 18:09 . 2011-04-10 18:10 -------- d-----w- c:\windows\system32\NtmsData
2011-04-10 16:34 . 2011-04-10 16:34 -------- d-----w- c:\windows\system32\FxsTmp
2011-04-10 16:28 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-04-10 16:28 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-04-10 16:28 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-04-10 16:28 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-04-09 06:34 . 2011-04-09 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2010-03-06 17:54 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-06 17:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-04-14_06.37.20 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2010-12-26 23:43 3911776 ----a-w- c:\program files\BitTorrentBar\tbBit0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\tbBit0.dll" [2010-12-26 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2010-08-04 692317]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/10/2011 4:09 AM 14776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 12:27 AM 136176]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 2:04 AM 2074480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.avatarsbydesign.com/forum/
uInternet Connection Wizard,ShellNext = hxxp://www.avatarsbydesign.com/forum/
Trusted Zone: forsakenclans.com\www
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 00:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1a,31,61,82,b4,b4,bc,4a,91,06,c0,\
.
[HKEY_USERS\S-1-5-21-1547161642-839522115-781633064-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{41494EE4-61D2-80B9-255E-AAECC9B1572D}*]
"mamjgndgkifambmgjkdopmbkee"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,70,
69,6f,68,00,02
"naclaackleeiocclohnmcdachchd"=hex:69,61,6e,6f,65,67,6b,6a,6f,66,6b,68,68,69,
70,69,6f,68,00,77
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(2236)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-15 00:52:40
ComboFix-quarantined-files.txt 2011-04-15 04:52
ComboFix2.txt 2011-04-14 06:39
ComboFix3.txt 2011-04-12 03:46
ComboFix4.txt 2011-04-12 02:18
ComboFix5.txt 2011-04-15 04:47
.
Pre-Run: 14,366,789,632 bytes free
Post-Run: 14,354,165,760 bytes free
.
- - End Of File - - E1301734D84661DDD254E18B15245080