Computer Hope
Software => Computer viruses and spyware => Topic started by: GrimAbbott on June 26, 2009, 11:49:09 PM
-
Looks like I'll get to spend some time on this forum, I've got two home PC's that have both turned into semi-paperweights due to spy or malware that came as a result of an expired Panda Internet Security 2008 subscription. Here's the first one.
Step 1: Malware applications
I'm seeing the following that are on the list: iMesh, Viewpoint Media Player. I'm also seeing two suspects: Last.fm.1.5.4.24567 and XplDbClientPatch.
Step 2: House Cleaning
I pulled down CCleaner 2.21.940 slim and have followed the directions.
Step 3: SUPERAntiSpyware
System would not allow software to download. Tried copying from flash drive, application does not run.
Step 4: Malwarebytes' Anti-Malware
System would not allow software to download. Installed from flash drive but application does not run.
Step 5: Update Your Java
Ran JavaRa and updated to JRE 6.14
Step 6: HijackThis
Completed
LOGS: Only HijackThis log is available since SAS and MBAM would not run.
My HijackThis report (http://www.computerhope.com/cgi-bin/process.pl?o=26225550)
[attachment deleted by admin]
-
Try running Steps 3 and 4 in safe mode...you may have to rename them....
-
OK, got the MBAM to run (report attached) in Safe Mode but the SAS still will not run, even when the .exe is renamed to ComputerHope.exe! Uninstalled and reinstalled SAS, still no luck.
[attachment deleted by admin]
-
Ok, all these infections indicate no action taken...you will have to remove and quarantine them when asked.
-
The successful MBAM scan/cleaning allowed SAS to run; log attached. Further suggestions?
[attachment deleted by admin]
-
While you wait for a specialist to review the logs you can try self help and use the process tool here...
http://www.computerhope.com/forum/index.php/topic,81761.msg540346.html#msg540346
-
Download DDS from |HERE| (http://www.techsupportforum.com/sectools/sUBs/dds) or |HERE| (http://download.bleepingcomputer.com/sUBs/dds.scr) or |HERE| (http://www.forospyware.com/sUBs/dds) and save it to your desktop.
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
-
Nice to see you back.....evil
-
Shhh! I'm not back.... :P
-
*censored*...sorry... :-X
-
As requested from DDS:
DDS (Ver_09-06-26.01) - NTFSx86
Run by Dad at 15:19:42.03 on Sat 06/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.602 [GMT -7:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\QuickTime\QTTask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\dds.pif
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.gbcph.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.omnitechcorp.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common
files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program
files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program
files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program
files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sony Ericsson PC Suite] "e:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [MBM 5] "c:\program files\motherboard monitor 5\MBM5.EXE"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.28.9/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\b9k9d87q.default\
FF - prefs.js: browser.startup.homepage - www.gbcph.org
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: e:\program files\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - plugin: e:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: e:\program files\netscape6\nppl3260.dll
FF - plugin: e:\program files\netscape6\nprjplug.dll
FF - plugin: e:\program files\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla
firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla
firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla
firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla
firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla
firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-8-27 566616]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-26 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-26 55640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-10
24652]
S1 Multicam;MultiCam for Picolo;c:\windows\system32\drivers\multicam.sys --> c:\windows\system32\drivers\multicam.sys [?]
S1 SASKUTIL;SASKUTIL;\??\e:\program files\superantispyware\saskutil.sys --> e:\program files\superantispyware\SASKUTIL.sys
[?]
S3 AtomSync;AtomSync;e:\program files\atomsync\service.exe [2008-9-23 159744]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-20 13224]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S3 SASENUM;SASENUM;\??\e:\program files\superantispyware\sasenum.sys --> e:\program files\superantispyware\SASENUM.SYS [?]
=============== Created Last 30 ================
2009-06-27 14:03 <DIR> --d-h--- c:\windows\PIF
2009-06-26 23:55 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2009-06-26 23:50 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-26 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-26 23:20 <DIR> --d----- c:\docume~1\dad\applic~1\SUPERAntiSpyware.com
2009-06-26 22:46 <DIR> --d----- c:\program files\Trend Micro
2009-06-26 22:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-26 00:45 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 00:44 <DIR> --d----- c:\program files\Avira
2009-06-26 00:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-26 00:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 00:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-26 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-25 22:57 47 a----r-- c:\windows\amunres.lsl
2009-06-21 20:24 0 a------- c:\windows\system32\commonpriv.log.lock
2009-06-21 20:22 <DIR> --d----- c:\program files\AVG
2009-06-21 20:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-21 17:48 <DIR> --d----- c:\program files\iPod
2009-06-21 17:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 17:46 <DIR> --d----- c:\program files\Bonjour
==================== Find3M ====================
2008-01-15 11:50 1,004 a--sh--- c:\windows\system32\KGyGaAvL.sys
============= FINISH: 15:20:30.64 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-06-26.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/21/2003 6:30:08 AM
System Uptime: 6/27/2009 12:30:37 PM (3 hours ago)
Motherboard: Intel Corporation | | D865GLC
Processor: Intel(R) Celeron(R) CPU 2.00GHz | J2E1 | 1994/100mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 100.291 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 112 GiB total, 110.138 GiB free.
Y: is NetworkDisk (NTFS) - 372 GiB total, 220.977 GiB free.
Z: is NetworkDisk (NTFS) - 372 GiB total, 220.977 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP771: 3/29/2009 5:45:41 PM - System Checkpoint
RP772: 4/4/2009 6:02:04 PM - System Checkpoint
RP773: 4/6/2009 10:51:30 AM - System Checkpoint
RP774: 4/8/2009 5:20:42 PM - System Checkpoint
RP775: 4/11/2009 5:40:09 PM - System Checkpoint
RP776: 4/13/2009 10:46:03 AM - System Checkpoint
RP777: 4/18/2009 2:45:05 PM - System Checkpoint
RP778: 4/21/2009 5:03:36 PM - System Checkpoint
RP779: 5/8/2009 12:27:10 PM - System Checkpoint
RP780: 5/8/2009 10:18:06 PM - Installed DirectX
RP781: 5/18/2009 6:23:01 PM - System Checkpoint
RP782: 5/21/2009 2:02:35 PM - System Checkpoint
RP783: 6/8/2009 5:47:54 PM - System Checkpoint
RP784: 6/21/2009 3:36:29 PM - System Checkpoint
RP785: 6/21/2009 5:47:36 PM - Installed iTunes
RP786: 6/21/2009 8:24:20 PM - Installed AVG Free 8.5
RP787: 6/25/2009 10:16:57 PM - Removed Panda Internet Security 2007
RP788: 6/25/2009 11:02:16 PM - Removed OpenOffice.org 2.2
RP789: 6/25/2009 11:25:49 PM - Installed AVG Free 8.5
==== Installed Programs ======================
3D Virtual Reality Architect
Ad-Aware 2007
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.4
Adobe Shockwave Player 11
AiO_Scan
Apple Mobile Device Support
Apple Software Update
AtomSync
Avira AntiVir Personal - Free Antivirus
Belkin 54g USB Network Adapter
Big Fish Games Client
Bonjour
CCleaner (remove only)
CutePDF Writer 2.7
Disc2Phone
Easy CD Creator 5 Basic
Freecorder Toolbar
Freecorder Toolbar 3.0 Application
Freecorder Toolbar 3.02 Application
GameShark SP
Google Talk (remove only)
Google Talk Plugin
Google Updater
HijackThis 2.0.2
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
iMesh
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
Java(TM) 6 Update 14
Juniper Networks Cache Cleaner 6.0.0
Juniper Networks Host Checker
Last.fm 1.5.4.24567
Logitech Gaming Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Motherboard Monitor 5
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Pando Media Booster
QFolder
QuickTime
RealPlayer
Rhapsody Player Engine
Rosetta Stone 2.1.3.0A
Sansa Media Converter
Scan
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923789)
Sibelius Scorch Plugin 5.2.5.30
SigmaTel MSCN Audio Player
Sony Ericsson PC Suite 4.010.00
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
SUPERAntiSpyware Free Edition
teenSMART®
TimeLeft
Unity Web Player
Update Service
URGE
Viewpoint Media Player
WebFldrs XP
Where in the World is Carmen Sandiego?
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 2
WordPerfect Office 12
XML Paper Specification Shared Components Pack 1.0
XplDbClientPatch
==== Event Viewer Messages From Past Week ========
6/27/2009 12:32:20 AM, error: Service Control Manager [7026] - The following boot-start or
system-start driver(s) failed to load: SASKUTIL
6/27/2009 12:31:25 PM, error: sr [1] - The System Restore filter encountered the unexpected
error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has
stopped monitoring the volume.
6/27/2009 11:05:26 AM, error: Service Control Manager [7000] - The SASENUM service failed
to start due to the following error: The system cannot find the path specified.
6/27/2009 11:05:22 AM, error: Service Control Manager [7000] - The SASKUTIL service failed
to start due to the following error: The system cannot find the path specified.
6/26/2009 12:38:58 AM, error: SideBySide [59] - Resolve Partial Assembly failed for
Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on
your system. .
6/26/2009 12:38:58 AM, error: SideBySide [59] - Generate Activation Context failed for
C:\DOCUME~1\Dad\LOCALS~1\Temp\RarSFX0\basic\setup.exe. Reference error message: The
operation completed successfully. .
6/26/2009 12:38:58 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could
not be found and Last Error was The referenced assembly is not installed on your system.
6/26/2009 12:38:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
service MSIServer with arguments "" in order to run the server:
{000C101C-0000-0000-C000-000000000046}
6/26/2009 12:35:35 AM, error: Service Control Manager [7026] - The following boot-start or
system-start driver(s) failed to load: cdudf_xp Fips intelppm mbmiodrvr sf
6/26/2009 12:34:59 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/26/2009 12:34:37 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
6/26/2009 11:54:26 PM, error: Service Control Manager [7026] - The following boot-start or
system-start driver(s) failed to load: avgio avipbb cdudf_xp Fips intelppm mbmiodrvr
SASKUTIL sf ssmdrv
6/26/2009 11:40:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the
service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/26/2009 11:27:47 PM, error: Service Control Manager [7026] - The following boot-start or
system-start driver(s) failed to load: avgio avipbb cdudf_xp Fips intelppm mbmiodrvr sf
ssmdrv
6/21/2009 7:51:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds)
waiting for the Application Layer Gateway Service service to connect.
6/21/2009 7:51:43 PM, error: Service Control Manager [7000] - The Application Layer Gateway
Service service failed to start due to the following error: The service did not respond to
the start or control request in a timely fashion.
6/21/2009 7:51:12 PM, error: Service Control Manager [7022] - The Panda anti-virus service
service hung on starting.
6/21/2009 7:48:39 PM, error: sr [1] - The System Restore filter encountered the unexpected
error '0xC0000243' while processing the file 'NetPcap.cfg' on the volume 'HarddiskVolume1'.
It has stopped monitoring the volume.
==== End Of File ===========================
-
You have Viewpoint installed.
Viewpoint Media Player/Manager/Toolbar is considered as Foistware (http://en.wikipedia.org/wiki/Foistware) instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
More information:
- ViewMgr.exe - Useless (http://www.greatis.com/appdata/u/v/viewmgr.exe.htm)
- Viewpoint to Plunge Into Adware (http://www.clickz.com/news/article.php/3561546/)
.
It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.
- Viewpoint
- Viewpoint Manager
- Viewpoint Media Player
- Viewpoint Toolbar
- Viewpoint Experience Technology
.
----------
Go to Start > Run > type Notepad.exe and click OK to open Notepad.
In the top of Notepad go to Format and click Word Wrap then close Notepad.
----------
Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
DO NOT run it yet!
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
Driver::
Viewpoint Manager Service
PavSRK.sys
PavTPK.sys
DDS::
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Firefox::
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
Folder::
c:\program files\viewpoint
c:\program files\AVG
c:\docume~1\alluse~1\applic~1\avg8
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
Quick check...CF got an error message: AntiVir Desktop is running. It requires me to kill that before continuing. I assume this is OK but await confirmation.
-
Yes you can shut down Avira while running CF.
-
Thanks. Along the way, CFx prompted a download of MS Recovery Console which installed successfully. Here is the ComboFix log:
ComboFix 09-06-26.02 - Dad 06/27/2009 18:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.696 [GMT -7:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\alluse~1\applic~1\avg8
c:\docume~1\alluse~1\applic~1\avg8\Log\avgcfg.log.install_backup
c:\docume~1\alluse~1\applic~1\avg8\Log\avgcfg.log.lock
c:\docume~1\alluse~1\applic~1\avg8\Log\avgcore.log.1
c:\docume~1\alluse~1\applic~1\avg8\Log\avgcore.log.lock
c:\docume~1\alluse~1\applic~1\avg8\Log\avglng.log.lock
c:\docume~1\alluse~1\applic~1\avg8\Log\avgsrm.log.lock
c:\docume~1\alluse~1\applic~1\avg8\Log\avgwd.log.install_backup
c:\docume~1\alluse~1\applic~1\avg8\Log\avgwd.log.lock
c:\docume~1\alluse~1\applic~1\avg8\Log\avgwdsvc.log.lock
c:\docume~1\alluse~1\applic~1\avg8\Log\commonpriv.log.lock
c:\documents and settings\Samuel.OAKTREE3\Application Data\WeatherDPA
c:\program files\AVG
c:\program files\AVG\AVG8\cfg\mail.cfg
c:\program files\AVG\AVG8\Emc\Log\emc.log
c:\program files\AVG\AVG8\log\history.xml
c:\program files\messenger\msmsgs.exe
c:\windows\system32\drivers\gxvxckrocqmjyidltpxtbimjcbiqmupvaqjgp.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcrqpaaxmkamxeyrvwwmfrfcjalcsbxrtq.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
-------\Legacy_PAVSRK.SYS
-------\Legacy_PAVTPK.SYS
-------\Service_PavSRK.sys
-------\Service_PavTPK.sys
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.
2009-06-27 21:03 . 2009-06-27 21:03 -------- d--h--w- c:\windows\PIF
2009-06-27 06:55 . 2009-06-27 06:55 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-06-27 06:50 . 2009-06-27 06:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 06:27 . 2009-06-27 18:06 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 06:27 . 2009-06-27 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 06:20 . 2009-06-27 06:20 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-06-27 05:46 . 2009-06-27 05:46 -------- d-----w- c:\program files\Trend Micro
2009-06-27 05:40 . 2009-06-27 05:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-26 07:45 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-26 07:45 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 07:45 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-26 07:45 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-----w- c:\program files\Avira
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-26 07:36 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 07:36 . 2009-06-26 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 07:36 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 00:48 . 2009-06-22 00:48 -------- d-----w- c:\program files\iPod
2009-06-22 00:48 . 2009-06-22 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-22 00:46 . 2009-06-22 00:46 -------- d-----w- c:\program files\Bonjour
2009-06-22 00:45 . 2009-06-22 00:45 -------- d-----w- c:\program files\QuickTime
2009-06-22 00:43 . 2009-06-22 00:43 -------- d-----w- c:\program files\Apple Software Update
2009-06-21 22:50 . 2009-06-21 22:50 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\AOL
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 23:55 . 2009-04-10 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-27 06:49 . 2002-01-04 09:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 05:39 . 2002-01-02 07:20 -------- d-----w- c:\program files\Java
2009-06-27 04:41 . 2007-07-22 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-26 06:04 . 2007-03-25 15:49 51936 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 06:02 . 2002-01-02 07:21 -------- d-----w- c:\program files\OpenOffice.org 2.2
2009-06-26 05:56 . 2003-07-31 11:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 05:52 . 2002-01-02 08:35 -------- d-----w- c:\documents and settings\Dad\Application Data\OpenOffice.org2
2009-06-26 05:52 . 2008-10-08 06:27 -------- d-----w- c:\documents and settings\Dad\Application Data\stickies
2009-06-26 05:20 . 2002-01-04 09:37 -------- d-----w- c:\program files\Common Files\Panda Software
2009-06-26 05:12 . 2008-11-25 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-22 00:48 . 2008-09-15 04:37 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 22:51 . 2009-04-10 18:24 -------- d-----w- c:\program files\Common Files\AOL
2009-06-09 17:09 . 2007-09-17 05:02 -------- d-----w- c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
2009-05-11 22:48 . 2009-05-11 22:20 34 ----a-w- c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
2009-04-10 18:29 . 2009-04-10 18:29 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
2008-01-15 18:50 . 2007-10-21 07:10 1004 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-04-21 00:18 1883672 ----a-w- c:\program files\Freecorder\tbFre1.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Stickies\\stickies.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57086:TCP"= 57086:TCP:Pando Media Booster
"57086:UDP"= 57086:UDP:Pando Media Booster
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]
2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
- c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
.
- - - - ORPHANS REMOVED - - - -
Notify-avgrsstarter - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gbcph.org/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
FF - prefs.js: browser.startup.homepage - www.gbcph.org
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 18:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\TypeLib]
@DACL=(02 0000)
@="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\TypeLib]
@DACL=(02 0000)
@="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\TypeLib]
@DACL=(02 0000)
@="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\TypeLib]
@DACL=(02 0000)
@="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\TypeLib]
@DACL=(02 0000)
@="{C62A9E79-2B52-439B-AF57-2E60BB06E86C}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib]
@DACL=(02 0000)
@="{0729F461-8054-47DC-8D39-A31B61CC0119}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0]
@DACL=(02 0000)
@="HbCoreSrv 1.0 Type Library"
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0]
@DACL=(02 0000)
@="HbToolbar 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(856)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3396)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-28 19:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 02:04
Pre-Run: 107,632,934,912 bytes free
Post-Run: 108,974,166,016 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
358
-
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"57086:TCP"=-
"57086:UDP"=-
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0]
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
As requested:
ComboFix 09-06-26.02 - Dad 06/27/2009 19:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.572 [GMT -7:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.
2009-06-28 02:02 . 2009-06-28 02:02 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-27 21:03 . 2009-06-27 21:03 -------- d--h--w- c:\windows\PIF
2009-06-27 06:55 . 2009-06-27 06:55 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-06-27 06:50 . 2009-06-27 06:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 06:27 . 2009-06-27 18:06 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 06:27 . 2009-06-27 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 06:20 . 2009-06-27 06:20 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-06-27 05:46 . 2009-06-27 05:46 -------- d-----w- c:\program files\Trend Micro
2009-06-27 05:40 . 2009-06-27 05:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-26 07:45 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-26 07:45 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 07:45 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-26 07:45 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-----w- c:\program files\Avira
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-26 07:36 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 07:36 . 2009-06-26 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 07:36 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 00:48 . 2009-06-22 00:48 -------- d-----w- c:\program files\iPod
2009-06-22 00:48 . 2009-06-22 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-22 00:46 . 2009-06-22 00:46 -------- d-----w- c:\program files\Bonjour
2009-06-22 00:45 . 2009-06-22 00:45 -------- d-----w- c:\program files\QuickTime
2009-06-22 00:43 . 2009-06-22 00:43 -------- d-----w- c:\program files\Apple Software Update
2009-06-21 22:50 . 2009-06-21 22:50 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\AOL
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 23:55 . 2009-04-10 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-27 06:49 . 2002-01-04 09:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 05:39 . 2002-01-02 07:20 -------- d-----w- c:\program files\Java
2009-06-27 04:41 . 2007-07-22 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-26 06:04 . 2007-03-25 15:49 51936 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 06:02 . 2002-01-02 07:21 -------- d-----w- c:\program files\OpenOffice.org 2.2
2009-06-26 05:56 . 2003-07-31 11:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 05:52 . 2002-01-02 08:35 -------- d-----w- c:\documents and settings\Dad\Application Data\OpenOffice.org2
2009-06-26 05:52 . 2008-10-08 06:27 -------- d-----w- c:\documents and settings\Dad\Application Data\stickies
2009-06-26 05:20 . 2002-01-04 09:37 -------- d-----w- c:\program files\Common Files\Panda Software
2009-06-26 05:12 . 2008-11-25 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-22 00:48 . 2008-09-15 04:37 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 22:51 . 2009-04-10 18:24 -------- d-----w- c:\program files\Common Files\AOL
2009-06-09 17:09 . 2007-09-17 05:02 -------- d-----w- c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
2009-05-11 22:48 . 2009-05-11 22:20 34 ----a-w- c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
2009-04-10 18:29 . 2009-04-10 18:29 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
2008-01-15 18:50 . 2007-10-21 07:10 1004 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-28_01.59.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-28 03:02 . 2009-06-28 03:02 16384 c:\windows\temp\Perflib_Perfdata_294.dat
+ 2009-06-28 02:02 . 2008-10-16 22:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 82944 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 24576 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-28 02:02 . 2005-06-10 23:53 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-28 02:02 . 2004-08-04 05:58 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-28 02:02 . 2004-08-04 06:00 29056 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-28 02:02 . 2004-08-04 07:56 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 502272 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-28 02:02 . 2008-10-16 10:37 659456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-28 02:02 . 2007-03-08 15:36 577536 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-28 02:02 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-28 02:02 . 2004-08-04 07:56 108032 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-28 02:02 . 2004-08-04 06:14 182912 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-28 02:02 . 2007-04-16 15:52 984576 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 1580544 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-28 02:02 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-28 02:02 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-28 02:02 . 2007-06-13 10:23 1033216 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-04-21 00:18 1883672 ----a-w- c:\program files\Freecorder\tbFre1.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Stickies\\stickies.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]
2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
- c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gbcph.org/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
FF - prefs.js: browser.startup.homepage - www.gbcph.org
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 20:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Zango\\bin\\10.3.75.0\\CoreSrv.dll"
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Zango\\bin\\10.3.75.0\\Toolbar.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(856)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(1440)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-28 20:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 03:08
ComboFix2.txt 2009-06-28 02:04
Pre-Run: 108,959,559,680 bytes free
Post-Run: 108,944,457,728 bytes free
214
-
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
Folder::
c:\Program Files\Zango
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
ComboFix 09-06-26.02 - Dad 06/27/2009 22:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.579 [GMT -7:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.
2009-06-28 02:02 . 2009-06-28 02:02 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-27 21:03 . 2009-06-27 21:03 -------- d--h--w- c:\windows\PIF
2009-06-27 06:55 . 2009-06-27 06:55 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-06-27 06:50 . 2009-06-27 06:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-27 06:27 . 2009-06-27 18:06 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-27 06:27 . 2009-06-27 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-27 06:20 . 2009-06-27 06:20 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-06-27 05:46 . 2009-06-27 05:46 -------- d-----w- c:\program files\Trend Micro
2009-06-27 05:40 . 2009-06-27 05:39 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-26 07:45 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-26 07:45 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 07:45 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-26 07:45 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-----w- c:\program files\Avira
2009-06-26 07:44 . 2009-06-26 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-26 07:36 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 07:36 . 2009-06-26 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 07:36 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 00:48 . 2009-06-22 00:48 -------- d-----w- c:\program files\iPod
2009-06-22 00:48 . 2009-06-22 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-22 00:46 . 2009-06-22 00:46 -------- d-----w- c:\program files\Bonjour
2009-06-22 00:45 . 2009-06-22 00:45 -------- d-----w- c:\program files\QuickTime
2009-06-22 00:43 . 2009-06-22 00:43 -------- d-----w- c:\program files\Apple Software Update
2009-06-21 22:50 . 2009-06-21 22:50 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\AOL
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 23:55 . 2009-04-10 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-27 06:49 . 2002-01-04 09:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 05:39 . 2002-01-02 07:20 -------- d-----w- c:\program files\Java
2009-06-27 04:41 . 2007-07-22 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-26 06:04 . 2007-03-25 15:49 51936 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 06:02 . 2002-01-02 07:21 -------- d-----w- c:\program files\OpenOffice.org 2.2
2009-06-26 05:56 . 2003-07-31 11:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 05:52 . 2002-01-02 08:35 -------- d-----w- c:\documents and settings\Dad\Application Data\OpenOffice.org2
2009-06-26 05:52 . 2008-10-08 06:27 -------- d-----w- c:\documents and settings\Dad\Application Data\stickies
2009-06-26 05:20 . 2002-01-04 09:37 -------- d-----w- c:\program files\Common Files\Panda Software
2009-06-26 05:12 . 2008-11-25 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-22 00:48 . 2008-09-15 04:37 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 22:51 . 2009-04-10 18:24 -------- d-----w- c:\program files\Common Files\AOL
2009-06-09 17:09 . 2007-09-17 05:02 -------- d-----w- c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
2009-05-11 22:48 . 2009-05-11 22:20 34 ----a-w- c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
2009-04-10 18:29 . 2009-04-10 18:29 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
2008-01-15 18:50 . 2007-10-21 07:10 1004 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-28_01.59.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-28 05:48 . 2009-06-28 05:48 16384 c:\windows\temp\Perflib_Perfdata_244.dat
+ 2009-06-28 02:02 . 2008-10-16 22:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 82944 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 24576 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-28 02:02 . 2005-06-10 23:53 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-28 02:02 . 2004-08-04 05:58 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-28 02:02 . 2004-08-04 06:00 29056 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-28 02:02 . 2004-08-04 07:56 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-28 02:02 . 2004-08-04 07:56 502272 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-28 02:02 . 2008-10-16 10:37 659456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-28 02:02 . 2007-03-08 15:36 577536 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-28 02:02 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-28 02:02 . 2004-08-04 07:56 108032 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-28 02:02 . 2004-08-04 06:14 182912 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-28 02:02 . 2007-04-16 15:52 984576 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-28 02:02 . 2004-08-04 07:56 1580544 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-28 02:02 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-28 02:02 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-28 02:02 . 2007-06-13 10:23 1033216 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-04-21 00:18 1883672 ----a-w- c:\program files\Freecorder\tbFre1.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Stickies\\stickies.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]
2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
- c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gbcph.org/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
FF - prefs.js: browser.startup.homepage - www.gbcph.org
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 22:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(860)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(1456)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-28 22:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 05:56
ComboFix2.txt 2009-06-28 03:08
ComboFix3.txt 2009-06-28 02:04
Pre-Run: 108,956,647,424 bytes free
Post-Run: 108,939,886,592 bytes free
207
-
OK I think we finally got all of that.
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
.
----------
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
----------
Use the ESET Online Antivirus Scanner (http://www.eset.com/onlinescan/index.php)
This scanner requires Internet Explorer
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.
-
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - delete file error:The process cannot access the file because it is being used by another process.
OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=f8635a3504fa9c4583e41c03195de3f1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-29 09:53:45
# local_time=2009-06-29 02:53:45 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1797 21 100 100 76642968750
# scanned=46189
# found=0
# cleaned=0
# scan_time=1490
-
Looks good. Is the computer running OK now?
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
-
Ahhh...much better!
My thanks to all of the CH players who invested time in helping me resolve this problem. This has been a long but rewarding and educational process. Thanks also for the final "tools" recommendations to help safeguard my future computing experiences.
Kudos to the team!
(Now it's time to run off to the XP thread and see how my other machine is doing!)