Jump to content

OK, before I reformat....


Recommended Posts

Infected. Windows Antivirus Pro logo on desktop and initially a large warning on desktop photo (not in a window). The latter was somewhere taken off along the road of multiple antivirus products softwares.

CPU has Malwarebytes already installed, but was disabled and not actively protecting. When red circle with X and desktop icon showed up, attempts to run Malwarebytes started, then 3 seconds into scan shut down. PC tools Spyware Doctor will scan and ID'd threats initially, including Antivirus Pro, but apparently it could not delete, because immediately upon restart and new scan, it finds "RogueAntispyware.HomeAntivirus2010", "RogueAntispyware.XPAntipyware", and "AdwareAgentZO".

I have tried reinstalling Malwarebytes under a different name, and under Safe mode, but will not run or will get message beginning "Windows cannot access specified file....".

I had earlier installed OldTimer program and followed instructions to remove and perform a regedit, but did not help.

I have installed Avira Antivirus and it will scan to completion, and after finding multiple agents, it fails to delete them also. Now it comes up and won't perform scan, although it is actively working because occasional windows popup about a threat.

I have installed and run Process Explorer, no Antivirus Pro or questionable icons show up.

I have installed Rootkit, but it will not run.

I have installed HijackThis, but it to will not run.

I continue to have red circle with X in toolbar and a message intermittently pops up and disappears from it saying "Your computer is infected".

I don't know how to get to or post a logfile.

Thanks for any help before I get someone to reformat drive.

Link to post
Share on other sites

  • Staff

Hi,

Download and run Win32kDiag:

Link to post
Share on other sites

Ok. Thanks, that program actually ran. Here is log:

Log file is located at: C:\Documents and Settings\reblw\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Internet Logs\Internet Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Lycos\Lycos

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4ee3fbebbfecab84fe3a0e44ae24966f\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\ba203fc55df79697d61ee240fe4d59fa\ba203fc55df79697d61ee240fe4d59fa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\S-1-5-21-2804118902-3493737300-3796722626-1005\S-1-5-21-2804118902-3493737300-3796722626-1005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Cinemagic\Cinemagic

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\DVDBuilder\Projects\Projects

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Proxy\Proxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Videos\My Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Audio\Audio

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\DVDBuilder\Images\Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Libraries\Libraries

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Productions\Productions

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Video\Video

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 63488 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2002-08-29 06:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\MpEngineStore\RebootActions\RebootActions

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\__SKIP_0290\__SKIP_0290

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\GOOD\GOOD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\tmp3\tmp3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Web\Wallpaper\inc\inc

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

Link to post
Share on other sites

  • Staff

Hi,

1. Please download The Avenger2 by SwanDog46

2. Unzip avenger.exe to your desktop.

3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

4. Now start The Avenger2 by double clicking avenger.exe on your desktop.

5. Read the prompt that appears, and press OK.

6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

7. Press the "Execute" button.

8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Also,

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

Link to post
Share on other sites

Here is the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

The run command "%userprofile%\desktop\win32kdiag.exe" -f -r is currently running, I will post that logfile if it saves a new on, thanks for your help.

Link to post
Share on other sites

  • Staff

Ok, no problem...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

Ok, this may take 2 posts:

ComboFix 09-08-31.03 - reblw 08/31/2009 16:07.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1051 [GMT -5:00]

Running from: c:\documents and settings\reblw\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\reblw\LOCALS~1\Temp\csrss.exe

c:\docume~1\reblw\LOCALS~1\Temp\lsass.exe

c:\docume~1\reblw\LOCALS~1\Temp\services.exe

c:\docume~1\reblw\LOCALS~1\Temp\svchost.exe

c:\docume~1\reblw\LOCALS~1\Temp\taskmgr.exe

c:\docume~1\reblw\LOCALS~1\Temp\winlogon.exe

c:\documents and settings\All Users\Application Data\amydakaje.lib

c:\documents and settings\All Users\Application Data\xutyzikocy.pif

c:\documents and settings\All Users\Documents\atuhosa.exe

c:\documents and settings\All Users\Documents\fyzun.inf

c:\documents and settings\All Users\Documents\uwuza.bin

c:\documents and settings\reblw\Application Data\fepat.dl

c:\documents and settings\reblw\Application Data\ledinami.inf

c:\documents and settings\reblw\Local Settings\Application Data\woxuq.com

c:\documents and settings\reblw\Local Settings\Temporary Internet Files\cuhulovi.pif

c:\documents and settings\reblw\Local Settings\Temporary Internet Files\homyg.com

c:\documents and settings\reblw\Local Settings\Temporary Internet Files\ojipubah.vbs

c:\documents and settings\reblw\Local Settings\Temporary Internet Files\orabitefuq.com

c:\documents and settings\reblw\My Documents\ZbThumbnail.info

c:\documents and settings\reblw\Start Menu\Programs\PC_Antispyware2010

c:\documents and settings\reblw\Start Menu\Programs\Windows Antivirus Pro

c:\documents and settings\reblw\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

C:\kvhwftjn.exe

C:\lcbckjms.exe

C:\p2hhr.bat

c:\program files\Common Files\etofaxu.dll

c:\program files\Common Files\giqo.sys

c:\program files\Common Files\okyneko.bin

c:\program files\PC_Antispyware2010

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest

c:\program files\PC_Antispyware2010\Uninstall.exe

c:\program files\Shared\_lib.sig

c:\program files\Shared\lib.dll

c:\program files\Shared\lib.sig

c:\program files\Windows Antivirus Pro

c:\program files\Windows Antivirus Pro\msvcm80.dll

c:\program files\Windows Antivirus Pro\msvcp80.dll

c:\program files\Windows Antivirus Pro\msvcr80.dll

c:\program files\Windows Antivirus Pro\tmp\images\i1.gif

c:\program files\Windows Antivirus Pro\tmp\images\i2.gif

c:\program files\Windows Antivirus Pro\tmp\images\i3.gif

c:\program files\Windows Antivirus Pro\tmp\images\j1.gif

c:\program files\Windows Antivirus Pro\tmp\images\j2.gif

c:\program files\Windows Antivirus Pro\tmp\images\j3.gif

c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif

c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif

c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif

c:\program files\Windows Antivirus Pro\tmp\images\l1.gif

c:\program files\Windows Antivirus Pro\tmp\images\l2.gif

c:\program files\Windows Antivirus Pro\tmp\images\l3.gif

c:\program files\Windows Antivirus Pro\tmp\images\pix.gif

c:\program files\Windows Antivirus Pro\tmp\images\t1.gif

c:\program files\Windows Antivirus Pro\tmp\images\t2.gif

c:\program files\Windows Antivirus Pro\tmp\images\up1.gif

c:\program files\Windows Antivirus Pro\tmp\images\up2.gif

c:\program files\Windows Antivirus Pro\tmp\images\w1.gif

c:\program files\Windows Antivirus Pro\tmp\images\w11.gif

c:\program files\Windows Antivirus Pro\tmp\images\w2.gif

c:\program files\Windows Antivirus Pro\tmp\images\w3.gif

c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg

c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif

c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif

c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif

c:\program files\Windows Antivirus Pro\tmp\wispex.html

c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe

C:\sdlb.exe

c:\windows\AUTOLNCH.REG

c:\windows\braviax.exe

c:\windows\command

c:\windows\command\EXTRACT.PIF

c:\windows\cru629.dat

c:\windows\Downloaded Program Files\Temp

c:\windows\ifoh._dl

c:\windows\Installer\3f82c.msp

c:\windows\kiqe.pif

c:\windows\lakany.bin

c:\windows\mixu.pif

c:\windows\oguh.bin

c:\windows\ppp3.dat

c:\windows\ppp4.dat

c:\windows\Readme.txt

c:\windows\system32\_scui.cpl

c:\windows\system32\bennuar.old

c:\windows\system32\braviax.exe

c:\windows\system32\cru629.dat

c:\windows\system32\Data

c:\windows\system32\dllcache\beep.sys

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\pypaxaj.bin

c:\windows\system32\sonhelp.htm

c:\windows\system32\sysnet.dat

c:\windows\system32\tajf83ikdmf.dll

c:\windows\system32\tywerycul.sys

c:\windows\system32\wisdstr.exe

c:\windows\system32\wispex.html

c:\windows\system32\xwreg32.dll

c:\windows\Tasks\vopgcjeg.job

c:\windows\uvokoruguh.bin

c:\windows\yduno.sys

C:\yihw.exe

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected

Restored copy from - c:\i386\BEEP.SYS

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPPRO2009_100

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))

.

2009-08-31 21:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-26 20:15 . 2009-08-26 20:15 -------- d-----w- c:\program files\Trend Micro

2009-08-26 17:18 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-26 17:18 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-26 17:18 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-26 17:18 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\program files\Avira

2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-26 17:10 . 2009-08-26 17:10 190697 ----a-w- c:\windows\system32\wisdstr.VIR

2009-08-26 05:27 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 05:27 . 2009-08-26 17:02 -------- d-----w- c:\program files\22Malwarebytes' Anti-Malware

2009-08-26 05:27 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 04:56 . 2009-08-26 05:00 -------- d-----w- c:\program files\SpyZooka

2009-08-26 03:28 . 2009-08-26 03:29 -------- d-----w- c:\program files\Ask.com

2009-08-26 03:27 . 2009-08-26 03:27 -------- d-----w- c:\program files\MSSOAP

2009-08-26 03:26 . 2009-08-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\program files\Webroot

2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\documents and settings\reblw\Application Data\Webroot

2009-08-26 03:26 . 2009-05-13 20:39 1563008 ----a-w- c:\windows\WRSetup.dll

2009-08-26 03:22 . 2009-08-26 04:48 164 ----a-w- c:\windows\install.dat

2009-08-25 16:51 . 2009-08-26 17:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-25 03:55 . 2009-08-25 03:55 -------- d-----w- C:\_OTM

2009-08-25 03:29 . 2009-08-25 03:29 -------- d-----w- c:\documents and settings\reblw\Application Data\U3

2009-08-25 03:10 . 2009-08-25 03:10 13633 ----a-w- c:\documents and settings\reblw\Local Settings\Application Data\ogivaryh.dat

2009-08-25 03:10 . 2009-08-25 03:10 13093 ----a-w- c:\windows\fuqoduh.dat

2009-08-25 02:08 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2009-08-23 17:58 . 2009-08-23 17:58 135736 ---ha-w- c:\windows\system32\mlfcache.dat

2009-08-13 01:06 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-01 21:59 . 2009-08-01 21:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-08-01 21:53 . 2009-08-01 21:53 -------- d-sh--w- c:\documents and settings\reblw\PrivacIE

2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\reblw\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-31 21:18 . 2009-07-18 05:15 -------- d-----w- c:\program files\Shared

2009-08-30 18:53 . 2009-05-24 01:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-28 11:50 . 2009-05-24 01:16 -------- d-----w- c:\program files\Spyware Doctor

2009-08-26 03:02 . 2008-09-21 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-25 03:10 . 2009-08-25 03:10 11308 ----a-w- c:\documents and settings\All Users\Application Data\okivo.dat

2009-08-23 17:57 . 2004-12-17 21:53 -------- d-----w- c:\documents and settings\reblw\Application Data\Apple Computer

2009-08-16 17:46 . 2003-02-09 17:50 -------- d-----w- c:\program files\QUICKENW

2009-08-15 04:42 . 2009-07-28 16:40 -------- d-----w- c:\program files\Safari

2009-08-05 09:01 . 2004-03-28 03:05 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-28 16:42 . 2008-05-20 21:23 -------- d-----w- c:\program files\Apple Software Update

2009-07-28 16:37 . 2009-07-28 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-28 16:37 . 2004-12-17 21:52 -------- d-----w- c:\program files\iTunes

2009-07-28 16:37 . 2004-12-17 21:51 -------- d-----w- c:\program files\iPod

2009-07-28 16:37 . 2007-12-25 18:17 -------- d-----w- c:\program files\Common Files\Apple

2009-07-28 16:35 . 2009-07-28 16:35 -------- d-----w- c:\program files\Bonjour

2009-07-28 16:35 . 2007-12-25 18:18 -------- d-----w- c:\program files\QuickTime

2009-07-28 16:29 . 2009-07-28 16:29 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-07-18 05:02 . 2003-02-09 22:51 -------- d-----w- c:\program files\Kazaa

2009-07-17 19:01 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-28 16:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-12-25 18:18 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-03 17:09 . 2004-08-24 01:32 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2002-08-29 11:00 81920 ------w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2002-08-29 11:00 119808 ------w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2002-08-29 11:00 80896 ------w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2002-08-29 11:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:19 . 2002-08-29 11:00 2066432 ------w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2002-08-29 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2002-08-29 11:00 132096 ------w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-03-28 03:05 1291264 ------w- c:\windows\system32\quartz.dll

1999-11-13 00:32 . 1999-12-22 05:36 16873 ------w- c:\program files\WHATSNEW.TXT

1999-10-19 02:24 . 1999-12-22 05:36 2816 ------w- c:\program files\ORDER.TXT

1999-07-09 01:38 . 1999-07-09 01:38 8362 ------w- c:\program files\SETUP.LST

1999-07-09 01:38 . 1999-07-09 01:38 2164 ------w- c:\program files\Readme.txt

2005-07-16 10:41 . 2005-06-14 03:47 41573 ------w- c:\program files\mozilla firefox\components\jar50.dll

2005-07-16 10:41 . 2005-06-14 03:47 48223 ------w- c:\program files\mozilla firefox\components\jsd3250.dll

2005-07-16 10:41 . 2005-06-14 03:47 160871 ------w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2003-01-20 19:39 . 2005-08-31 02:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2002-08-22 19:11 . 2004-05-28 01:05 323584 c:\program files\Common Files\Dell\EUSW\bak\Support.exe

2003-01-20 19:42 . 2002-04-03 07:01 135264 c:\program files\Creative\SBLive\Diagnostics\bak\diagent.exe

2003-02-16 20:52 . 1998-11-24 08:00 42496 c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\bak\HPLamp.exe

2007-12-11 18:10 . 2007-12-11 18:10 267048 c:\program files\iTunes\bak\iTunesHelper.exe

2009-07-13 19:03 . 2009-07-13 19:03 292128 c:\program files\iTunes\iTunesHelper.exe

2008-01-06 06:54 . 2007-09-25 07:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2003-01-20 19:39 . 2001-10-09 07:59 200704 c:\program files\Logitech\iTouch\bak\iTouch.exe

2004-06-01 16:09 . 2004-06-01 16:09 458752 c:\program files\Logitech\Video\bak\ISStart.exe

2004-06-01 16:09 . 2004-06-01 16:09 458752 c:\program files\Logitech\Video\ISStart.exe

2004-06-01 16:03 . 2004-06-01 16:03 217088 c:\program files\Logitech\Video\bak\LogiTray.exe

2004-06-01 16:03 . 2004-06-01 16:03 217088 c:\program files\Logitech\Video\LogiTray.exe

2004-09-03 03:34 . 2004-06-01 15:46 196608 c:\program files\Logitech\Video\bak\ManifestEngine.exe

2003-01-20 19:39 . 2001-10-09 15:41 35328 c:\program files\MouseWare\system\bak\EM_EXEC.EXE

2005-06-02 01:02 . 2005-05-10 21:04 11776 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe

2005-10-06 03:07 . 2005-06-13 07:30 192512 c:\program files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe

2007-12-11 16:56 . 2007-12-11 16:56 286720 c:\program files\QuickTime\bak\qttask.exe

2009-05-26 22:18 . 2009-05-26 22:18 413696 c:\program files\QuickTime\QTTask.exe

2002-04-10 22:44 . 2002-04-10 22:44 679936 c:\program files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

2003-01-20 19:43 . 2000-05-11 07:00 90112 c:\windows\bak\UpdReg.EXE

2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe

2002-08-29 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2002-08-15 00:22 . 2002-08-15 00:22 28672 c:\windows\SYSTEM32\bak\DSentry.exe

2004-05-22 00:11 . 2004-05-22 00:11 221184 c:\windows\SYSTEM32\bak\LVCOMSX.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]

@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"

[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]

2009-05-13 20:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpyZooka"="c:\program files\SpyZooka\SpyZookaLdr.exe" [2009-08-09 60424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"RegistryMechanic"="" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-3 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-20 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\windows\system32\onhelp.htm

FriendlyName= tets

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= "c:\progra~1\SpyZooka\spyguard.dll" [2005-05-08 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2002-02-15 16:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\UT2004\\System\\UT2004.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [5/23/2009 8:16 PM 130936]

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]

R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [2/12/2003 8:08 PM 4064]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2009 12:18 PM 108289]

R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 6:00 AM 14336]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [8/25/2009 10:30 PM 1205760]

R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\SYSTEM32\DRIVERS\hpusbfd.sys [2/8/2004 2:31 PM 7552]

R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys [12/24/2007 12:58 PM 72576]

S0 epstwnt;epstwnt;c:\windows\system32\Drivers\epstwnt.mpd --> c:\windows\system32\Drivers\epstwnt.mpd [?]

S2 portD;ABS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [8/5/2004 11:57 PM 7296]

S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\Drivers\sharshtl.sys --> c:\windows\system32\Drivers\sharshtl.sys [?]

S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\SYSTEM32\DRIVERS\epstw2k.sys [2/16/2003 3:09 PM 114944]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 8:16 PM 348752]

S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [2/9/2003 1:45 PM 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-08-31 c:\windows\Tasks\At1.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At10.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At11.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At12.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At13.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At14.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At15.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At16.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At17.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-30 c:\windows\Tasks\At18.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-30 c:\windows\Tasks\At19.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At2.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At20.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At21.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At22.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At23.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At24.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At3.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At4.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At5.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At6.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At7.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At8.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At9.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 20:06]

.

- - - - ORPHANS REMOVED - - - -

Notify-cbXqqQih - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html

IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html

IE: Translate Page - c:\program files\Google\googletoolbar.dll/cmtrans.html

IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}

Trusted Zone: aol.com\free

Trusted Zone: musicmatch.com\online

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe

FF - ProfilePath - c:\documents and settings\reblw\Application Data\Mozilla\Firefox\Profiles\p6fokhh9.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://mb26.scout.com/fmississippi74787frm14

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-31 16:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]

"ImagePath"="System32\Drivers\epstwnt.mpd"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,29,b0,42,2b,97,

33,5e,f5,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,29,c7,2e,0c,45,

72,79,01,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,59,e5,8b,ca,2d,

e4,05,8f,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f7,c8,95,0d,6b,

68,b7,64,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,8f,1d,91,38,67,

99,cd,52,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,8f,aa,a8,2e,19,

77,52,a3,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,de,4f,7c,89,1a,

17,f6,ca,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,52,4b,f4,3a,4e,

16,e7,ca,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d9,76,2a,8e,75,

17,0d,08,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,5f,ea,ff,30,bd,

1b,bd,04,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,86,0c,00,31,30,

59,cc,b9,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,df,d6,2a,38,ef,

cb,92,0b,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3256)

c:\windows\system32\WININET.dll

c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\program files\Citrix\ICA Client\ssonsvr.exe

c:\windows\SYSTEM32\ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\SYSTEM32\CTsvcCDA.EXE

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\SYSTEM32\MsPMSPSv.exe

c:\windows\SYSTEM32\fxssvc.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-08-31 16:34 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-31 21:34

Pre-Run: 36,283,715,584 bytes free

Post-Run: 36,520,198,144 bytes free

568 --- E O F --- 2009-08-27 08:00

Link to post
Share on other sites

  • Staff

Hi,

What a mess. Not sure why you have waited so long, because I see infections present from last year as well.

Please let Combofix install the Recovery Console. I can't stress how important this is.

Then also uninstall Spyzooka since this one is not recommended. Also please uninstall the Ask Toolbar, this for the same reason.

Reboot afterwards.

Then, * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab

Select "tets" you find in there (except for "My current home page") and press the delete button on the right.

Hit ok below > apply in previous window.

Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

c:\windows\system32\AbwkK38u.exe

c:\windows\system32\onhelp.htm

c:\documents and settings\reblw\Local Settings\Application Data\ogivaryh.dat

c:\windows\fuqoduh.dat

c:\documents and settings\All Users\Application Data\okivo.dat

Folder::

c:\program files\QuickTime\bak

c:\program files\iTunes\bak

AWF::

c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

c:\program files\Common Files\Dell\EUSW\bak\Support.exe

c:\program files\Creative\SBLive\Diagnostics\bak\diagent.exe

c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\bak\HPLamp.exe

c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

c:\program files\Logitech\iTouch\bak\iTouch.exe

c:\program files\Logitech\Video\bak\ISStart.exe

c:\program files\Logitech\Video\bak\LogiTray.exe

c:\program files\Logitech\Video\bak\ManifestEngine.exe

c:\program files\MouseWare\system\bak\EM_EXEC.EXE

c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe

c:\program files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe

c:\program files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

c:\windows\bak\UpdReg.EXE

c:\windows\SYSTEM32\bak\ctfmon.exe

c:\windows\SYSTEM32\bak\DSentry.exe

c:\windows\SYSTEM32\bak\LVCOMSX.EXE

AtJob::

DDS::

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

Registry::

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpyZooka"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RegistryMechanic"=-

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Link to post
Share on other sites

When I ran Combo-Fix I clicked yes to install the Recovery Console, but it self aborted and continued on, should I rerun it and see if it will install?

I will try to unistall those programs, but last time I tried, the unistall programs would not run. I am not at that computer at present, but I will try again...or should I just go to add/remove in control panel?

Thanks for your help, this cpu has been used by the kids so it is not well protected - yet.

Link to post
Share on other sites

OK, I reran ComboFix to see if it would install the recovery console-it did and this is the logfile it generated:

ComboFix 09-09-01.07 - reblw 09/02/2009 16:23.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1100 [GMT -5:00]

Running from: c:\documents and settings\reblw\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Shared

c:\windows\system32\onhelp.htm

.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-08-26 20:15 . 2009-08-26 20:15 -------- d-----w- c:\program files\Trend Micro

2009-08-26 17:18 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-26 17:18 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-26 17:18 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-26 17:18 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\program files\Avira

2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-26 17:10 . 2009-08-26 17:10 190697 ----a-w- c:\windows\system32\wisdstr.VIR

2009-08-26 05:27 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 05:27 . 2009-08-26 17:02 -------- d-----w- c:\program files\22Malwarebytes' Anti-Malware

2009-08-26 05:27 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 04:56 . 2009-09-02 21:09 -------- d-----w- c:\program files\SpyZooka

2009-08-26 03:27 . 2009-08-26 03:27 -------- d-----w- c:\program files\MSSOAP

2009-08-26 03:26 . 2009-08-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\program files\Webroot

2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\documents and settings\reblw\Application Data\Webroot

2009-08-26 03:26 . 2009-05-13 20:39 1563008 ----a-w- c:\windows\WRSetup.dll

2009-08-26 03:22 . 2009-08-26 04:48 164 ----a-w- c:\windows\install.dat

2009-08-25 16:51 . 2009-08-26 17:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-25 03:55 . 2009-08-25 03:55 -------- d-----w- C:\_OTM

2009-08-25 03:29 . 2009-08-25 03:29 -------- d-----w- c:\documents and settings\reblw\Application Data\U3

2009-08-25 03:10 . 2009-08-25 03:10 13633 ----a-w- c:\documents and settings\reblw\Local Settings\Application Data\ogivaryh.dat

2009-08-25 03:10 . 2009-08-25 03:10 13093 ----a-w- c:\windows\fuqoduh.dat

2009-08-25 02:08 . 2002-08-29 11:00 4224 ------w- c:\windows\system32\drivers\beep.sys

2009-08-23 17:58 . 2009-08-23 17:58 135736 ---ha-w- c:\windows\system32\mlfcache.dat

2009-08-13 01:06 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-30 18:53 . 2009-05-24 01:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-28 11:50 . 2009-05-24 01:16 -------- d-----w- c:\program files\Spyware Doctor

2009-08-26 03:02 . 2008-09-21 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-25 03:10 . 2009-08-25 03:10 11308 ----a-w- c:\documents and settings\All Users\Application Data\okivo.dat

2009-08-23 17:57 . 2004-12-17 21:53 -------- d-----w- c:\documents and settings\reblw\Application Data\Apple Computer

2009-08-16 17:46 . 2003-02-09 17:50 -------- d-----w- c:\program files\QUICKENW

2009-08-15 04:42 . 2009-07-28 16:40 -------- d-----w- c:\program files\Safari

2009-08-05 09:01 . 2004-03-28 03:05 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-28 16:42 . 2008-05-20 21:23 -------- d-----w- c:\program files\Apple Software Update

2009-07-28 16:37 . 2009-07-28 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-28 16:37 . 2004-12-17 21:52 -------- d-----w- c:\program files\iTunes

2009-07-28 16:37 . 2004-12-17 21:51 -------- d-----w- c:\program files\iPod

2009-07-28 16:37 . 2007-12-25 18:17 -------- d-----w- c:\program files\Common Files\Apple

2009-07-28 16:35 . 2009-07-28 16:35 -------- d-----w- c:\program files\Bonjour

2009-07-28 16:35 . 2007-12-25 18:18 -------- d-----w- c:\program files\QuickTime

2009-07-18 05:02 . 2003-02-09 22:51 -------- d-----w- c:\program files\Kazaa

2009-07-17 19:01 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-28 16:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-12-25 18:18 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-03 17:09 . 2004-08-24 01:32 915456 ------w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2002-08-29 11:00 81920 ------w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2002-08-29 11:00 119808 ------w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2002-08-29 11:00 80896 ------w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2002-08-29 11:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:19 . 2002-08-29 11:00 2066432 ------w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2002-08-29 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2002-08-29 11:00 132096 ------w- c:\windows\system32\wkssvc.dll

1999-11-13 00:32 . 1999-12-22 05:36 16873 ------w- c:\program files\WHATSNEW.TXT

1999-10-19 02:24 . 1999-12-22 05:36 2816 ------w- c:\program files\ORDER.TXT

1999-07-09 01:38 . 1999-07-09 01:38 8362 ------w- c:\program files\SETUP.LST

1999-07-09 01:38 . 1999-07-09 01:38 2164 ------w- c:\program files\Readme.txt

2005-07-16 10:41 . 2005-06-14 03:47 41573 ------w- c:\program files\mozilla firefox\components\jar50.dll

2005-07-16 10:41 . 2005-06-14 03:47 48223 ------w- c:\program files\mozilla firefox\components\jsd3250.dll

2005-07-16 10:41 . 2005-06-14 03:47 160871 ------w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_21.23.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2002-09-03 19:45 . 2009-08-31 21:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT

- 2002-09-03 19:45 . 2009-08-30 23:55 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT

+ 2002-09-03 19:45 . 2009-08-31 21:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

- 2002-09-03 19:45 . 2009-08-30 23:55 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

+ 2002-09-03 19:45 . 2009-08-31 21:21 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT

- 2002-09-03 19:45 . 2009-08-30 23:55 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2003-01-20 19:39 . 2005-08-31 02:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2002-08-22 19:11 . 2004-05-28 01:05 323584 c:\program files\Common Files\Dell\EUSW\bak\Support.exe

2003-01-20 19:42 . 2002-04-03 07:01 135264 c:\program files\Creative\SBLive\Diagnostics\bak\diagent.exe

2003-02-16 20:52 . 1998-11-24 08:00 42496 c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\bak\HPLamp.exe

2007-12-11 18:10 . 2007-12-11 18:10 267048 c:\program files\iTunes\bak\iTunesHelper.exe

2009-07-13 19:03 . 2009-07-13 19:03 292128 c:\program files\iTunes\iTunesHelper.exe

2008-01-06 06:54 . 2007-09-25 07:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2003-01-20 19:39 . 2001-10-09 07:59 200704 c:\program files\Logitech\iTouch\bak\iTouch.exe

2004-06-01 16:09 . 2004-06-01 16:09 458752 c:\program files\Logitech\Video\bak\ISStart.exe

2004-06-01 16:09 . 2004-06-01 16:09 458752 c:\program files\Logitech\Video\ISStart.exe

2004-06-01 16:03 . 2004-06-01 16:03 217088 c:\program files\Logitech\Video\bak\LogiTray.exe

2004-06-01 16:03 . 2004-06-01 16:03 217088 c:\program files\Logitech\Video\LogiTray.exe

2004-09-03 03:34 . 2004-06-01 15:46 196608 c:\program files\Logitech\Video\bak\ManifestEngine.exe

2003-01-20 19:39 . 2001-10-09 15:41 35328 c:\program files\MouseWare\system\bak\EM_EXEC.EXE

2005-06-02 01:02 . 2005-05-10 21:04 11776 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe

2005-10-06 03:07 . 2005-06-13 07:30 192512 c:\program files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe

2007-12-11 16:56 . 2007-12-11 16:56 286720 c:\program files\QuickTime\bak\qttask.exe

2009-05-26 22:18 . 2009-05-26 22:18 413696 c:\program files\QuickTime\QTTask.exe

2002-04-10 22:44 . 2002-04-10 22:44 679936 c:\program files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

2003-01-20 19:43 . 2000-05-11 07:00 90112 c:\windows\bak\UpdReg.EXE

2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe

2002-08-29 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2002-08-15 00:22 . 2002-08-15 00:22 28672 c:\windows\SYSTEM32\bak\DSentry.exe

2004-05-22 00:11 . 2004-05-22 00:11 221184 c:\windows\SYSTEM32\bak\LVCOMSX.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]

@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"

[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]

2009-05-13 20:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"RegistryMechanic"="" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-3 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-20 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\windows\system32\onhelp.htm

FriendlyName= tets

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2002-02-15 16:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\UT2004\\System\\UT2004.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [5/23/2009 8:16 PM 130936]

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]

R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [2/12/2003 8:08 PM 4064]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2009 12:18 PM 108289]

R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 6:00 AM 14336]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [8/25/2009 10:30 PM 1205760]

R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\SYSTEM32\DRIVERS\hpusbfd.sys [2/8/2004 2:31 PM 7552]

R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys [12/24/2007 12:58 PM 72576]

S0 epstwnt;epstwnt;c:\windows\system32\Drivers\epstwnt.mpd --> c:\windows\system32\Drivers\epstwnt.mpd [?]

S2 portD;ABS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [8/5/2004 11:57 PM 7296]

S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\Drivers\sharshtl.sys --> c:\windows\system32\Drivers\sharshtl.sys [?]

S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\SYSTEM32\DRIVERS\epstw2k.sys [2/16/2003 3:09 PM 114944]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 8:16 PM 348752]

S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [2/9/2003 1:45 PM 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-09-02 c:\windows\Tasks\At1.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At10.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At11.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At12.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At13.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At14.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At15.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At16.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At17.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-01 c:\windows\Tasks\At18.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-01 c:\windows\Tasks\At19.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At2.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At20.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At21.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At22.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At23.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At24.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At3.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At4.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At5.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At6.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At7.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At8.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-09-02 c:\windows\Tasks\At9.job

- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html

IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html

IE: Translate Page - c:\program files\Google\googletoolbar.dll/cmtrans.html

IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}

Trusted Zone: aol.com\free

Trusted Zone: musicmatch.com\online

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe

FF - ProfilePath - c:\documents and settings\reblw\Application Data\Mozilla\Firefox\Profiles\p6fokhh9.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://mb26.scout.com/fmississippi74787frm14

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 16:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]

"ImagePath"="System32\Drivers\epstwnt.mpd"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,29,b0,42,2b,97,

33,5e,f5,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,29,c7,2e,0c,45,

72,79,01,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,59,e5,8b,ca,2d,

e4,05,8f,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f7,c8,95,0d,6b,

68,b7,64,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,8f,1d,91,38,67,

99,cd,52,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,8f,aa,a8,2e,19,

77,52,a3,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,de,4f,7c,89,1a,

17,f6,ca,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,52,4b,f4,3a,4e,

16,e7,ca,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d9,76,2a,8e,75,

17,0d,08,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,5f,ea,ff,30,bd,

1b,bd,04,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,86,0c,00,31,30,

59,cc,b9,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,df,d6,2a,38,ef,

cb,92,0b,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\wbem\wbemcomn.dll

.

Completion time: 2009-09-02 16:35

ComboFix-quarantined-files.txt 2009-09-02 21:34

ComboFix2.txt 2009-08-31 21:34

Pre-Run: 36,191,248,384 bytes free

Post-Run: 36,138,754,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

409 --- E O F --- 2009-08-27 08:00

Link to post
Share on other sites

I then uninstalled the Spyzilla and Ask toolbar, then ran the combofix script, and here is the logfile that generated:

ComboFix 09-09-01.08 - reblw 09/02/2009 16:55.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1078 [GMT -5:00]

Running from: c:\documents and settings\reblw\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\reblw\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FILE ::

"c:\documents and settings\All Users\Application Data\okivo.dat"

"c:\documents and settings\reblw\Local Settings\Application Data\ogivaryh.dat"

"c:\windows\fuqoduh.dat"

"c:\windows\system32\AbwkK38u.exe"

"c:\windows\system32\onhelp.htm"

"c:\windows\Tasks\Scheduled Update for Ask Toolbar.job"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\okivo.dat

c:\documents and settings\reblw\Local Settings\Application Data\ogivaryh.dat

c:\program files\iTunes\bak

c:\program files\iTunes\bak\iTunesHelper.exe

c:\program files\QuickTime\bak

c:\program files\QuickTime\bak\qttask.exe

c:\windows\fuqoduh.dat

c:\windows\system32\AbwkK38u.exe

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-08-31 21:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-26 20:15 . 2009-08-26 20:15 -------- d-----w- c:\program files\Trend Micro

2009-08-26 17:18 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-26 17:18 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-26 17:18 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-26 17:18 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\program files\Avira

2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-26 17:10 . 2009-08-26 17:10 190697 ----a-w- c:\windows\system32\wisdstr.VIR

2009-08-26 05:27 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 05:27 . 2009-08-26 17:02 -------- d-----w- c:\program files\22Malwarebytes' Anti-Malware

2009-08-26 05:27 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 04:56 . 2009-09-02 21:09 -------- d-----w- c:\program files\SpyZooka

2009-08-26 03:27 . 2009-08-26 03:27 -------- d-----w- c:\program files\MSSOAP

2009-08-26 03:26 . 2009-08-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\program files\Webroot

2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\documents and settings\reblw\Application Data\Webroot

2009-08-26 03:26 . 2009-05-13 20:39 1563008 ----a-w- c:\windows\WRSetup.dll

2009-08-26 03:22 . 2009-08-26 04:48 164 ----a-w- c:\windows\install.dat

2009-08-25 16:51 . 2009-08-26 17:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-25 03:55 . 2009-08-25 03:55 -------- d-----w- C:\_OTM

2009-08-25 03:29 . 2009-08-25 03:29 -------- d-----w- c:\documents and settings\reblw\Application Data\U3

2009-08-25 02:08 . 2002-08-29 11:00 4224 ------w- c:\windows\system32\drivers\beep.sys

2009-08-23 17:58 . 2009-08-23 17:58 135736 ---ha-w- c:\windows\system32\mlfcache.dat

2009-08-13 01:06 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-02 21:58 . 2007-12-25 18:18 -------- d-----w- c:\program files\QuickTime

2009-09-02 21:58 . 2004-12-17 21:52 -------- d-----w- c:\program files\iTunes

2009-08-30 18:53 . 2009-05-24 01:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-28 11:50 . 2009-05-24 01:16 -------- d-----w- c:\program files\Spyware Doctor

2009-08-26 03:02 . 2008-09-21 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-23 17:57 . 2004-12-17 21:53 -------- d-----w- c:\documents and settings\reblw\Application Data\Apple Computer

2009-08-16 17:46 . 2003-02-09 17:50 -------- d-----w- c:\program files\QUICKENW

2009-08-15 04:42 . 2009-07-28 16:40 -------- d-----w- c:\program files\Safari

2009-08-05 09:01 . 2004-03-28 03:05 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-07-28 16:42 . 2008-05-20 21:23 -------- d-----w- c:\program files\Apple Software Update

2009-07-28 16:37 . 2009-07-28 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-28 16:37 . 2004-12-17 21:51 -------- d-----w- c:\program files\iPod

2009-07-28 16:37 . 2007-12-25 18:17 -------- d-----w- c:\program files\Common Files\Apple

2009-07-28 16:35 . 2009-07-28 16:35 -------- d-----w- c:\program files\Bonjour

2009-07-18 05:02 . 2003-02-09 22:51 -------- d-----w- c:\program files\Kazaa

2009-07-17 19:01 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 17:16 . 2009-07-28 16:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2007-12-25 18:18 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-03 17:09 . 2004-08-24 01:32 915456 ------w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2002-08-29 11:00 81920 ------w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2002-08-29 11:00 119808 ------w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2002-08-29 11:00 80896 ------w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2002-08-29 11:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:19 . 2002-08-29 11:00 2066432 ------w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2002-08-29 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2002-08-29 11:00 132096 ------w- c:\windows\system32\wkssvc.dll

1999-11-13 00:32 . 1999-12-22 05:36 16873 ------w- c:\program files\WHATSNEW.TXT

1999-10-19 02:24 . 1999-12-22 05:36 2816 ------w- c:\program files\ORDER.TXT

1999-07-09 01:38 . 1999-07-09 01:38 8362 ------w- c:\program files\SETUP.LST

1999-07-09 01:38 . 1999-07-09 01:38 2164 ------w- c:\program files\Readme.txt

2005-07-16 10:41 . 2005-06-14 03:47 41573 ------w- c:\program files\mozilla firefox\components\jar50.dll

2005-07-16 10:41 . 2005-06-14 03:47 48223 ------w- c:\program files\mozilla firefox\components\jsd3250.dll

2005-07-16 10:41 . 2005-06-14 03:47 160871 ------w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_21.23.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2003-01-20 19:43 . 2000-05-11 07:00 90112 c:\windows\UpdReg.EXE

+ 2002-08-15 00:22 . 2002-08-15 00:22 28672 c:\windows\SYSTEM32\DSentry.exe

+ 2002-09-03 19:45 . 2009-08-31 21:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT

- 2002-09-03 19:45 . 2009-08-30 23:55 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT

+ 2002-09-03 19:45 . 2009-08-31 21:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

- 2002-09-03 19:45 . 2009-08-30 23:55 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT

+ 2002-09-03 19:45 . 2009-08-31 21:21 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT

- 2002-09-03 19:45 . 2009-08-30 23:55 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT

+ 2004-05-22 00:11 . 2004-05-22 00:11 221184 c:\windows\SYSTEM32\LVCOMSX.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]

@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"

[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]

2009-05-13 20:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-3 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2002-02-15 16:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\UT2004\\System\\UT2004.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [5/23/2009 8:16 PM 130936]

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]

R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [2/12/2003 8:08 PM 4064]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2009 12:18 PM 108289]

R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 6:00 AM 14336]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [8/25/2009 10:30 PM 1205760]

R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\SYSTEM32\DRIVERS\hpusbfd.sys [2/8/2004 2:31 PM 7552]

R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys [12/24/2007 12:58 PM 72576]

S0 epstwnt;epstwnt;c:\windows\system32\Drivers\epstwnt.mpd --> c:\windows\system32\Drivers\epstwnt.mpd [?]

S2 portD;ABS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [8/5/2004 11:57 PM 7296]

S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\Drivers\sharshtl.sys --> c:\windows\system32\Drivers\sharshtl.sys [?]

S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\SYSTEM32\DRIVERS\epstw2k.sys [2/16/2003 3:09 PM 114944]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 8:16 PM 348752]

S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [2/9/2003 1:45 PM 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html

IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html

IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html

IE: Translate Page - c:\program files\Google\googletoolbar.dll/cmtrans.html

IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe

FF - ProfilePath - c:\documents and settings\reblw\Application Data\Mozilla\Firefox\Profiles\p6fokhh9.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://mb26.scout.com/fmississippi74787frm14

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 17:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]

"ImagePath"="System32\Drivers\epstwnt.mpd"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,29,b0,42,2b,97,

33,5e,f5,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,29,c7,2e,0c,45,

72,79,01,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,59,e5,8b,ca,2d,

e4,05,8f,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f7,c8,95,0d,6b,

68,b7,64,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,8f,1d,91,38,67,

99,cd,52,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,8f,aa,a8,2e,19,

77,52,a3,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,de,4f,7c,89,1a,

17,f6,ca,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,52,4b,f4,3a,4e,

16,e7,ca,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d9,76,2a,8e,75,

17,0d,08,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,5f,ea,ff,30,bd,

1b,bd,04,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,86,0c,00,31,30,

59,cc,b9,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,df,d6,2a,38,ef,

cb,92,0b,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(828)

c:\windows\system32\WININET.dll

c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\program files\Citrix\ICA Client\ssonsvr.exe

c:\windows\SYSTEM32\ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\SYSTEM32\CTsvcCDA.EXE

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\SYSTEM32\MsPMSPSv.exe

c:\windows\SYSTEM32\fxssvc.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-09-02 17:10 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-02 22:10

ComboFix2.txt 2009-09-02 21:35

ComboFix3.txt 2009-08-31 21:34

Pre-Run: 36,165,726,208 bytes free

Post-Run: 36,144,660,480 bytes free

379 --- E O F --- 2009-08-27 08:00

Link to post
Share on other sites

  • Staff

Hi,

Navigate to and delete the following folder:

c:\program files\SpyZooka

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

Link to post
Share on other sites

Ok, malwarebytes runs fine.

Thanks so much for your help/expertise.

I have installed the full version of malwarebytes and told the kids to not stop it from running. It seems like this

has been a more aggressive antivirus pro, do you think malwarebytes alone will prevent recurrence, or is there some other program that can run along side it? Antivir had too many spyware type properties to me, so I delted it.

Link to post
Share on other sites

  • Staff

Hi,

You always need an Antivirus as well (In your case Avira). The combination Avira+mbam is ideal to prevent most malware. :P

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.