Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: RueSauvage on August 16, 2010, 07:02:49 PM
-
Hi! I ran into this problem on Saturday, ran Malware Bytes' Anti-Malware and the issue returned Sunday. Sunday, my computer went to a blank screen after the initial Dell splash page (Inspiron Mini 1010). Some how, some way I managed to get my Windows loading screen back and login. At this time, I can use the computer okay, however, I'm afraid this thing is lurking somewhere. Unfortunately for me, I'm a freelance writer. I'm sure that explains it.
Anyhoo, I ran and installed the suggested tools in the "Computer Hope Virus and Spyware section Guidelines" post. Following are the requested logs:
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4438
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/16/2010 8:44:59 PM
mbam-log-2010-08-16 (20-44-59).txt
Scan type: Full scan (C:\|)
Objects scanned: 243050
Time elapsed: 1 hour(s), 41 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5801e436-4e3f-4cb4-b1c0-0d06c213d118} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5801e436-4e3f-4cb4-b1c0-0d06c213d118} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lmhohjyu (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/16/2010 at 05:42 PM
Application Version : 4.41.1000
Core Rules Database Version : 5364
Trace Rules Database Version: 3176
Scan type : Quick Scan
Total Scan Time : 01:03:19
Memory items scanned : 596
Memory threats detected : 0
Registry items scanned : 1795
Registry threats detected : 0
File items scanned : 42549
File threats detected : 36
Adware.Tracking Cookie
.dmtracker.com [ C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
cdn4.specificclick.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\TEV4ZLMF ]
media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\TEV4ZLMF ]
media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\TEV4ZLMF ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\TEV4ZLMF ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\TEV4ZLMF ]
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstnet[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[3].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
HiJackThis Log File
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:04:41 PM, on 8/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Dell\PlayMovie\PMVService.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\Program Files\Dell\Media Experience\PCMAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Cricket Broadband Connect\AvqAutoRun.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\Cricket Broadband Connect\mPhonetools.exe
C:\Program Files\Cricket Broadband Connect\Bytemobile\bmctl.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\sniper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {465E08E7-F005-4389-980F-1D8764B3486C} - (no file)
O2 - BHO: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWin.dll
O4 - HKLM\..\Run: [WSED] C:\Program Files\WSED\WSED.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Dell\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe
O4 - HKLM\..\Run: [PCMAgent] "C:\Program Files\Dell\Media Experience\PCMAgent.exe"
O4 - HKLM\..\Run: [LoJackForLaptops] C:\Program Files\LFLInstall\InstallManager.exe /d60 /dd1 /bd0
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [{F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99}] "C:\Program Files\Cricket Broadband Connect\AvqAutoRun.exe" "C:\Program Files\Cricket Broadband Connect\mPhonetools.exe" /OnPlug=%s
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Google Chrome.lnk = C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Aleta Sanders\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20Lost%20in%20Los%20Angeles/Images/stg_drm.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Women's Murder Club - A Darker Shade of Grey\Images\armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D0DA0B3-63C2-48C1-A339-6180107E969E}: NameServer = 172.28.221.53 172.28.221.54
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 12104 bytes
Any help would be greatly appreciated.
-
Hello, and welcome to Computer Hope.
Please note the following information about the malware forum:
- Only the Malware Specialist Team is allowed to give advice on removing malware from your computer.
- From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
- Please do not attach logs or post them in Quote/Code boxes unless requested.
- Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
- If you have already asked for help somewhere, please post the link to the topic you were helped.
- We try our best to reply quickly, but for any reason we do not reply in two days, reply to this topic with the word BUMP
- Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Please visit this webpage for a tutorial on downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
See the area: Using ComboFix, and when done, post the log back here.
-
I'm really sorry for the late reply and thank you for your assistance. Using ComboFix has taken two days for various reasons. Anyhoo, here's the log file:
ComboFix 10-08-17.02 - Aleta Sanders 08/17/2010 23:12:53.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.325 [GMT -4:00]
Running from: c:\documents and settings\Aleta Sanders\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Aleta Sanders\Application Data\install.dat
c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}
c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome.manifest
c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome\content\_cfg.js
c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome\content\overlay.xul
c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\install.rdf
c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Windows Server
c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\All Users\Application Data\hpe3A.dll
c:\documents and settings\Ezana\Application Data\install.dat
c:\documents and settings\Sabah\Application Data\install.dat
C:\install.exe
c:\program files\iWin\tbiWi1.dll
c:\windows\system32\config\system~1\applic~1\install.dat
c:\windows\system32\drivers\edparwo.sys
c:\windows\system32\Thumbs.db
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OSPPSVC
-------\Service_osppsvc
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.
2010-08-18 07:20 . 2010-08-18 07:21 -------- d-----w- c:\documents and settings\Sabah\Application Data\PCToolsFirewallPlus
2010-08-17 01:01 . 2010-08-17 01:01 388096 ----a-r- c:\documents and settings\Aleta Sanders\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-17 01:01 . 2010-08-17 01:01 -------- d-----w- c:\program files\Trend Micro
2010-08-17 00:52 . 2010-08-17 00:53 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\PCToolsFirewallPlus
2010-08-17 00:46 . 2010-01-12 13:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-08-17 00:46 . 2010-01-07 15:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-08-17 00:46 . 2010-01-07 15:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-08-17 00:45 . 2010-01-13 12:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-08-17 00:45 . 2010-08-17 00:55 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-08-16 22:55 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-16 22:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 22:55 . 2010-08-16 22:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 20:29 . 2010-08-16 20:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-16 20:23 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-16 20:00 . 2010-08-16 20:00 -------- d-----w- c:\program files\CCleaner
2010-08-16 19:28 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-08-16 19:28 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-08-16 19:28 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-08-16 19:28 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-08-16 19:27 . 2010-08-17 00:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-16 19:27 . 2010-08-16 19:28 -------- d-----w- c:\program files\Spyware Doctor
2010-08-16 19:27 . 2010-08-16 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-16 19:27 . 2010-08-16 19:27 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\PC Tools
2010-08-16 15:49 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-16 15:49 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-16 15:49 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-16 15:49 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-16 15:48 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-16 15:48 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-16 15:48 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-16 15:48 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-16 15:47 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-16 15:47 . 2010-08-16 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-16 15:47 . 2010-08-16 15:47 -------- d-----w- c:\program files\Alwil Software
2010-08-15 19:13 . 2010-08-16 06:13 -------- d-----w- c:\documents and settings\Aleta Sanders\Local Settings\Application Data\ckgyknepn
2010-08-15 19:12 . 2010-08-15 19:12 0 ----a-w- c:\windows\Rcoyoheyevalana.bin
2010-08-15 19:12 . 2010-08-15 19:12 120 ----a-w- c:\windows\Mkiga.dat
2010-08-15 19:09 . 2010-08-16 04:22 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\6139FD3F43EFFA39E0446AA163992656
2010-08-15 08:47 . 2010-08-15 08:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-15 08:09 . 2010-08-15 08:33 2928402903 ----a-w- c:\documents and settings\Aleta Sanders\My Documents.zip
2010-08-14 15:35 . 2010-08-16 20:32 63488 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-14 15:35 . 2010-08-14 15:35 52224 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-14 15:35 . 2010-08-16 20:32 117760 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-14 15:31 . 2010-08-14 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-14 15:31 . 2010-08-14 15:31 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com
2010-08-13 16:27 . 2010-08-14 18:03 -------- d-----w- c:\documents and settings\Aleta Sanders\Local Settings\Application Data\duivsjuhj
2010-08-06 03:49 . 2010-08-06 03:49 503808 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5becc8b2-n\msvcp71.dll
2010-08-06 03:49 . 2010-08-06 03:49 348160 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5becc8b2-n\msvcr71.dll
2010-08-06 03:49 . 2010-08-06 03:49 499712 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5becc8b2-n\jmc.dll
2010-08-06 03:49 . 2010-08-06 03:49 61440 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-36e18519-n\decora-sse.dll
2010-08-06 03:49 . 2010-08-06 03:49 12800 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-36e18519-n\decora-d3d.dll
2010-08-05 03:04 . 2010-08-05 11:54 -------- d-----w- c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Deployment
2010-08-04 19:02 . 2010-07-23 21:22 1496064 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-04 19:02 . 2010-07-23 21:22 43008 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-04 19:02 . 2010-07-23 21:22 338944 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-04 19:02 . 2010-07-23 21:22 346112 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-31 03:27 . 2010-07-31 03:27 -------- d-sh--w- c:\documents and settings\Sabah\PrivacIE
2010-07-31 03:27 . 2010-07-31 03:27 -------- d-----w- c:\documents and settings\Sabah\Application Data\StumbleUpon
2010-07-31 03:27 . 2010-07-31 03:27 -------- d-----w- c:\documents and settings\Sabah\Local Settings\Application Data\Conduit
2010-07-31 03:27 . 2010-07-31 03:27 -------- d-----w- c:\documents and settings\Sabah\Local Settings\Application Data\iWin
2010-07-31 03:27 . 2010-07-31 03:27 -------- d-----w- c:\documents and settings\Sabah\Local Settings\Application Data\Google
2010-07-30 14:22 . 2010-07-30 14:22 -------- d-----w- c:\documents and settings\Ezana\Local Settings\Application Data\BVRP Software
2010-07-23 11:56 . 2010-07-23 11:56 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\com.focusboosterapp.focusbooster.8E5F79C899747AD22E21DB62AA496926DA6BBC64.1
2010-07-23 11:56 . 2010-07-23 11:56 -------- d-----w- c:\program files\Focus Booster
2010-07-23 11:29 . 2010-07-23 11:29 61440 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ad18a6e-n\decora-sse.dll
2010-07-23 11:29 . 2010-07-23 11:29 503808 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c063074-n\msvcp71.dll
2010-07-23 11:29 . 2010-07-23 11:29 348160 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c063074-n\msvcr71.dll
2010-07-23 11:29 . 2010-07-23 11:29 12800 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ad18a6e-n\decora-d3d.dll
2010-07-23 11:29 . 2010-07-23 11:29 499712 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c063074-n\jmc.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 07:31 . 2009-03-03 22:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-08-18 07:28 . 2009-04-30 10:48 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-08-18 07:28 . 2009-04-10 03:40 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-08-18 03:31 . 2009-05-04 03:29 -------- d-----w- c:\program files\iWin
2010-08-17 11:05 . 2010-04-09 15:49 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\SoftGrid Client
2010-08-16 20:23 . 2009-03-03 22:27 -------- d-----w- c:\program files\Java
2010-08-16 18:50 . 2009-10-14 21:29 126008 ----a-w- c:\documents and settings\Aleta Sanders\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-16 18:48 . 2009-11-27 21:27 -------- d-----w- c:\program files\Common Files\TXText
2010-08-16 18:48 . 2009-11-27 21:26 -------- d-----w- c:\program files\Broderbund
2010-08-16 18:42 . 2009-03-03 22:42 -------- d-----w- c:\program files\Dell Webcam
2010-08-16 18:42 . 2009-03-03 22:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-16 18:41 . 2009-03-03 22:43 -------- d-----w- c:\program files\Creative
2010-08-16 18:37 . 2009-11-04 00:06 -------- d-----w- c:\program files\Brother
2010-08-16 18:34 . 2009-05-04 03:34 -------- d-----w- c:\program files\iWin.com
2010-08-16 05:05 . 2009-04-30 10:48 17408 -c--a-w- c:\windows\system32\rpcnetp.dll
2010-08-14 18:21 . 2010-07-11 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Speedbit
2010-08-14 18:03 . 2010-07-10 13:27 -------- d-----w- c:\program files\iWin Games
2010-08-13 14:23 . 2010-08-16 02:32 183886 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-08-12 05:23 . 2009-10-26 21:58 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\PrimoPDF
2010-08-11 07:33 . 2009-03-03 22:40 -------- d-----w- c:\program files\Microsoft Works
2010-08-09 11:30 . 2009-10-29 00:57 -------- d-----w- c:\program files\RingCentral
2010-08-09 11:30 . 2009-10-29 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\RingCentral
2010-08-08 21:16 . 2009-10-14 21:27 55620 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\wklnhst.dat
2010-08-05 12:15 . 2010-02-07 01:17 -------- d-----w- c:\program files\Google
2010-08-05 12:12 . 2010-02-15 18:21 -------- d-----w- c:\documents and settings\Sabah\Application Data\Teleca
2010-08-05 12:12 . 2010-02-15 17:19 -------- d-----w- c:\documents and settings\Ezana\Application Data\Teleca
2010-08-05 12:12 . 2010-06-26 23:17 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-08-05 12:09 . 2009-12-24 17:42 -------- d-----w- c:\program files\HTC
2010-08-05 12:06 . 2009-11-26 05:27 -------- d-----w- c:\program files\Encore
2010-08-05 11:49 . 2010-06-22 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-07-03 14:59 . 2009-10-14 21:01 664 ----a-w- c:\documents and settings\Aleta Sanders\Local Settings\Application Data\d3d9caps.dat
2010-07-03 01:11 . 2010-03-03 21:16 439816 ----a-w- c:\documents and settings\Aleta Sanders\Application Data\Real\Update\setup3.10\setup.exe
2010-06-30 12:31 . 2008-04-25 20:33 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 23:20 . 2009-12-24 17:46 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\Teleca
2010-06-24 12:22 . 2008-04-25 20:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:18 . 2010-06-22 16:18 -------- d-----w- c:\program files\Cricket Broadband Connect
2010-06-23 13:44 . 2008-04-25 20:33 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 02:48 . 2010-06-23 02:48 -------- d-----w- c:\documents and settings\Aleta Sanders\Application Data\Alawar
2010-06-22 16:19 . 2010-06-22 16:19 -------- d-----w- c:\program files\PANTECH
2010-06-22 16:18 . 2010-06-22 16:18 -------- d-----w- c:\program files\Common Files\Avanquest software Shared
2010-06-21 15:27 . 2008-04-25 20:33 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-25 20:33 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-26 01:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 20:33 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-12-29 23:22 . 2009-12-17 19:16 119312 ----a-w- c:\program files\mozilla firefox\components\affdfcbadbfead.dll
.
------- Sigcheck -------
[-] 2008-04-14 . CEE3922616FB3E862B28965473E241CF . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 142E50036F14068A750CD493AA679F99 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-15 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSED"="c:\program files\WSED\WSED.exe" [2008-12-12 238888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-13 198160]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18063872]
"PlayMovie"="c:\program files\Dell\PlayMovie\PMVService.exe" [2008-12-11 177384]
"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2008-12-24 92696]
"PCMAgent"="c:\program files\Dell\Media Experience\PCMAgent.exe" [2008-12-11 148776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-24 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-24 354840]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"CLMLServer"="c:\program files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe" [2008-12-11 202024]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"{F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99}"="c:\program files\Cricket Broadband Connect\AvqAutoRun.exe" [2009-10-19 73728]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
c:\documents and settings\Aleta Sanders\Start Menu\Programs\Startup\
Google Chrome.lnk - c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [2009-12-14 945720]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [3/3/2009 6:32 PM 14248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/16/2010 3:28 PM 218592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/16/2010 11:49 AM 165456]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/16/2010 3:28 PM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/16/2010 11:49 AM 17744]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [9/26/2009 7:35 AM 819600]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [7/7/2010 4:50 PM 176408]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [8/16/2010 3:28 PM 88040]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [9/23/2009 3:04 PM 447832]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [3/3/2009 6:42 PM 135936]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [3/3/2009 8:08 PM 5088416]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/3/2009 8:08 PM 110080]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [3/3/2009 8:08 PM 148056]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [3/3/2009 8:08 PM 133472]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [3/3/2009 8:08 PM 271328]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [8/16/2010 8:46 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [8/16/2010 8:46 PM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/16/2010 8:45 PM 115216]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [6/22/2010 12:19 PM 54544]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [6/22/2010 12:19 PM 12048]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [6/22/2010 12:19 PM 160400]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [6/22/2010 12:19 PM 115216]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [6/22/2010 12:19 PM 160400]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [3/3/2009 8:07 PM 157696]
R3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\SftFSXP.sys [9/23/2009 3:04 PM 543064]
R3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplayxp.sys [9/23/2009 3:04 PM 190312]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [9/23/2009 3:05 PM 21864]
R3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\SftVolXP.sys [9/23/2009 3:04 PM 14680]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [9/23/2009 3:04 PM 203608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 9:18 PM 135664]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [3/3/2009 8:07 PM 129024]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [12/12/2009 1:39 AM 9472]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\PTUMWCDF.sys [6/22/2010 12:19 PM 22032]
--- Other Services/Drivers In Memory ---
*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder
2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6ae8e7a4a8e.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 01:18]
2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2870019680-4263584670-1697931001-1006Core1cac6ae3f9a9f2c.job
- c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-15 03:23]
2010-08-18 c:\windows\Tasks\User_Feed_Synchronization-{5E178C74-6EBA-4B70-B8B0-E5C851430BA7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
2010-08-18 c:\windows\Tasks\User_Feed_Synchronization-{A2BDE66F-77B2-46CD-8BCA-B62726FEA3A6}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Aleta Sanders\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {7D0DA0B3-63C2-48C1-A339-6180107E969E} = 172.28.221.53 172.28.221.54
FF - ProfilePath - c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\affdfcbadbfead.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-LoJackForLaptops - c:\program files\LFLInstall\InstallManager.exe
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 03:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1564)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-08-18 03:38:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 07:38
Pre-Run: 138,039,341,056 bytes free
Post-Run: 138,057,777,152 bytes free
- - End Of File - - D27714A33D38F688E0CB7DFC4B4AEE85
Thanks!
-
Please go to: VirusTotal (http://www.virustotal.com/en/indexf.html)(http://img199.imageshack.us/img199/9734/79566475.png)
- Click the Browse button and search for the following file: c:\windows\system32\winlogon.exe
- Click Open
- Then click Send File
- Please be patient while the file is scanned.
- Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Do it for this file as well:
c:\windows\explorer.exe
-
Hi,
I went to VirusTotal; however, I could not get the system to scan the winlogon.exe file. I tried several times with no luck. Attached is the log for the explorer.exe file.
Please advise.
[recovering disk space - old attachment deleted by admin]
-
None of that worked.
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the codebox below into it:
SysRst::- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i35.tinypic.com/2v3rg44.jpg)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.