Please help with virus/malware/registry problems [Solved], Had Tanatos.M, win32/heur and trojan downloader
jwang01
post Sep 9 2009, 02:50 PM
Post #16
GeekU Senior
Posts: 1,148
From: Minnesota
OS: Windows Vista 32-bit
Hi,


Ok, sounds good.
RCguy
post Sep 9 2009, 02:58 PM
Post #17
Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3
Attached File  SAFEBOOT_REPAIR.TXT ( 14.29K ) Number of downloads: 145
Attached File  virusinfo_cure.zip ( 310.31K ) Number of downloads: 7
Attached File  virusinfo_syscure.zip ( 32.3K ) Number of downloads: 7
Ok, I ran safeboot repair, seemed like it was happy, dunno tho. Here is the report that it generated after finishing, and the two AVZ reports also.


... I hope this is how you wanted the files attached...
Attached File(s)
Attached File  virusinfo_syscheck.zip ( 31.46K ) Number of downloads: 5
 
jwang01
post Sep 9 2009, 04:01 PM
Post #18
GeekU Senior
Posts: 1,148
From: Minnesota
OS: Windows Vista 32-bit
Hello,


Everything was attached correctly and they were the right logs.



  • Close all windows then double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program

    CODE
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    StopService('vouioeniqurbml');
    DeleteService('vouioeniqurbml');
    SetServiceStart('vouioeniqurbml', 4);
    StopService('TSP');
    DeleteService('TSP');
    SetServiceStart('TSP', 4);
    StopService('kyceusb');
    DeleteService('kyceusb');
    SetServiceStart('kyceusb', 4);
    StopService('dcamx');
    DeleteService('dcamx');
    SetServiceStart('dcamx', 4);
    StopService('abp470n5');
    DeleteService('abp470n5');
    SetServiceStart('abp470n5', 4);
    TerminateProcessByName('c:\docume~1\owner\locals~1\temp\winonslk.exe');
    DeleteFile('c:\docume~1\owner\locals~1\temp\winonslk.exe');
    BC_DeleteFile('c:\docume~1\owner\locals~1\temp\winonslk.exe');
    DeleteFile('C:\WINDOWS\system32\drivers\olnmoq.sys');
    BC_DeleteFile('C:\WINDOWS\system32\drivers\olnmoq.sys');
    DeleteFile('C:\WINDOWS\system32\drivers\wfugoqm.sys');
    BC_DeleteFile('C:\WINDOWS\system32\drivers\wfugoqm.sys');
    DeleteFile('C:\WINDOWS\system32\DRIVERS\kyceusb.sys');
    BC_DeleteFile('C:\WINDOWS\system32\DRIVERS\kyceusb.sys');
    DeleteFile('C:\WINDOWS\system32\drivers\klif.sys');
    BC_DeleteFile('C:\WINDOWS\system32\drivers\klif.sys');
    DeleteFile('C:\WINDOWS\system32\drivers\pdshtuskhzmg.sys');
    BC_DeleteFile('C:\WINDOWS\system32\drivers\pdshtuskhzmg.sys');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically, then start OTL, run a Scan and post that back in your next reply.




Also, can you tell me how your computer is running after running this fix?

This post has been edited by jwang01: Sep 9 2009, 04:01 PM
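The post above asks for an OTL scan after the AVZ script has run, so the helper can check what the script left behind. As an added example (not the thread's own tooling, and not part of OTL or AVZ), the script below shows one way a helper could triage an OTL log automatically: it flags services and drivers that are still registered but whose image file is gone (the pattern the thread's own log shows for abp470n5, which the AVZ script deleted), entries carrying no company/version information, and Explorer policies that disable Task Manager or Registry Editor (also present under HKCU in the log below). The sample lines are constructed to follow the OTL line format quoted in this thread and are not the real scan output; the regular expressions, category names and severity ratings are the author's assumptions, not anything OTL itself defines.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the OTL log format quoted in this thread.
# They are NOT the thread's actual scan output; names and paths are sample values.
SAMPLE_LOG = r"""========== Win32 Services (SafeList) ==========

SRV - [2008/09/10 14:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
SRV - File not found -- -- (AresChatServer [On_Demand | Stopped])
SRV - [2008/10/16 18:22:20 | 00,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/08/19 12:11:27 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - File not found -- -- (abp470n5 [On_Demand | Running])

========== Standard Registry (SafeList) ==========

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
"""

# Assumed line shapes (an approximation of the OTL format, not OTL's own grammar).
# A service/driver whose file exists: "[stamp] (Company) -- path -- (name [Start | State])"
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\) -- "
    r"(?P<path>.*?) -- \((?P<name>[^\s\]]+) \[(?P<start>\w+) \| (?P<state>\w+)\]\)$"
)
# A service/driver still registered in the registry but whose image file is gone.
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found -- -- "
    r"\((?P<name>[^\s\]]+) \[(?P<start>\w+) \| (?P<state>\w+)\]\)$"
)
# O6/O7 policy lines under ...\policies\System.
POLICY_RE = re.compile(
    r"^O[67] - (?P<hive>HK[A-Z]+)\\.*\\policies\\System: (?P<key>\w+) = (?P<value>\d+)$"
)

# Policies that lock the user out of built-in admin tools; a non-zero value is suspicious.
RESTRICTION_KEYS = {"DisableTaskMgr", "DisableRegistryTools"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (assumed rating scheme)
    category: str
    detail: str


def review_otl_log(text: str) -> list[Finding]:
    """Scan OTL-style log lines and return the indicators a helper would look at first."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.rstrip()

        m = MISSING_RE.match(line)
        if m:
            # A dangling registration that is still 'Running' means the image was
            # loaded before it was deleted; a stopped one is a leftover to clean up.
            severity = "high" if m["state"] == "Running" else "medium"
            findings.append(Finding(severity, "dangling-service",
                f"{m['kind']} {m['name']}: registered but image file missing "
                f"({m['start']} | {m['state']})"))
            continue

        m = ENTRY_RE.match(line)
        if m:
            # Empty company field = no version info; weak signal on its own,
            # worth a look only together with other indicators.
            if m["company"].strip() == "":
                findings.append(Finding("low", "no-company-info",
                    f"{m['kind']} {m['name']}: {m['path']} carries no company/version info"))
            continue

        m = POLICY_RE.match(line)
        if m and m["key"] in RESTRICTION_KEYS and m["value"] != "0":
            findings.append(Finding("high", "tool-restriction",
                f"{m['hive']} policy {m['key']} = {m['value']} blocks a built-in admin tool"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a long log can be skimmed quickly."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_otl_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
    print(summarize(results))
```

On the constructed sample this reports two dangling registrations (abp470n5 rated high because it is still marked Running), two entries without company information, and the two HKCU restriction policies; the HKLM DisableTaskMgr = 0 line is correctly ignored. The empty-company check is deliberately rated low: legitimate drivers such as sptd.sys in the thread's log also lack version info, so it is a prompt to look closer, not a verdict.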
RCguy
post Sep 10 2009, 05:59 AM
Post #19
Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3
Ok, I ran the script with no problems. Here are the OTL scan results.

OTL logfile created on: 9/9/2009 6:45:43 PM - Run 4
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Owner\Desktop\Geeks
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

478.42 Mb Total Physical Memory | 128.85 Mb Available Physical Memory | 26.93% Memory free
1.10 Gb Paging File | 0.85 Gb Available in Paging File | 77.66% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 20.33 Gb Free Space | 27.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROGERLAPTOP
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2003/12/16 19:42:32 | 00,311,363 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\System32\S24EvMon.exe
PRC - [2008/09/10 14:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/10/16 18:22:20 | 00,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe
PRC - [2005/11/29 12:57:34 | 00,054,784 | ---- | M] (Macrovision) -- C:\WINDOWS\System32\drivers\CDAC11BA.EXE
PRC - [2009/08/24 16:37:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/20 11:51:52 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2003/12/16 19:41:40 | 00,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\RegSrvc.exe
PRC - [2003/03/31 08:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe
PRC - [2008/04/13 20:12:36 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2003/11/20 18:18:50 | 00,499,712 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2009/08/24 16:37:11 | 00,227,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/04/13 20:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\taskmgr.exe
PRC - [2009/08/27 07:45:19 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Geeks\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/04/13 20:11:48 | 00,100,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\6to4svc.dll -- (6to4 [Auto | Running])
SRV - [2008/09/10 14:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
SRV - [2006/02/21 09:26:42 | 00,147,456 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - File not found -- -- (AresChatServer [On_Demand | Stopped])
SRV - [2008/10/16 18:22:20 | 00,464,264 | ---- | M] () -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/08/06 10:30:21 | 00,158,824 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
SRV - [2005/11/29 12:57:34 | 00,054,784 | ---- | M] (Macrovision) -- C:\WINDOWS\System32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2005/01/18 10:17:56 | 00,036,864 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\cusrvc.exe -- (cusrvc [On_Demand | Stopped])
SRV - [2002/04/29 07:51:00 | 00,147,456 | ---- | M] () -- C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe -- (dnWhoDisp [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/25 15:34:31 | 00,257,008 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2003/05/06 15:13:32 | 00,188,416 | ---- | M] (Rockwell Software Inc.) -- C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE -- (Harmony [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,143,360 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/08/24 16:37:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/07/20 11:51:52 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0 [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2004/12/02 08:28:32 | 00,098,304 | ---- | M] (OPC Foundation) -- C:\WINDOWS\System32\OpcEnum.exe -- (OpcEnum [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,105,472 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\p2pgasvc.dll -- (p2pgasvc [On_Demand | Stopped])
SRV - [2003/12/16 19:41:40 | 00,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2005/07/29 15:45:46 | 01,978,640 | ---- | M] (Rockwell Software, Inc.) -- C:\Program Files\Rockwell Software\RSLINX\RSLINX.EXE -- (RSLinx [On_Demand | Stopped])
SRV - [2003/12/16 19:42:32 | 00,311,363 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\System32\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2003/03/31 08:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe -- (SimpTcp [Auto | Running])
SRV - [2008/04/13 20:12:36 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe -- (SNMP [Auto | Running])
SRV - [2007/10/18 12:31:54 | 00,180,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2007/10/25 16:27:54 | 00,335,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2006/10/18 21:05:24 | 00,983,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2004/06/03 04:08:02 | 00,071,448 | ---- | M] (Rockwell Software Inc.) -- C:\WINDOWS\System32\Drivers\ABKTCX.sys -- (ABKTCX [On_Demand | Stopped])
DRV - [2002/04/01 16:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2006/04/10 11:10:34 | 00,044,224 | ---- | M] (BVRP Software) -- C:\WINDOWS\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5 [On_Demand | Running])
DRV - [2005/11/29 12:57:36 | 00,012,464 | ---- | M] (Macrovision Europe Ltd) -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS -- (CdaC15BA [Auto | Running])
DRV - [2003/02/19 15:14:12 | 00,019,153 | ---- | M] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftdibus.sys -- (FTDIBUS [On_Demand | Stopped])
DRV - [2002/12/20 11:59:20 | 00,050,396 | ---- | M] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftser2k.sys -- (FTSER2K [On_Demand | Stopped])
DRV - [2002/11/18 20:20:44 | 00,030,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gv3.sys -- (gv3 [On_Demand | Stopped])
DRV - [2008/07/21 09:26:56 | 00,453,632 | ---- | M] (Aladdin Knowledge Systems) -- C:\WINDOWS\System32\drivers\hardlock.sys -- (hardlock [Auto | Running])
DRV - [2003/10/14 22:08:22 | 00,197,120 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys -- (HSFHWICH [On_Demand | Running])
DRV - [2003/10/14 22:04:16 | 01,043,072 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
DRV - [2006/02/07 10:04:34 | 01,399,615 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2004/06/23 14:39:15 | 00,014,037 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\mdc8021x.sys -- (MDC8021X [Auto | Running])
DRV - [2003/04/09 19:48:08 | 00,011,043 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2009/08/19 12:21:12 | 00,027,136 | ---- | M] (NCH Swift Sound) -- C:\WINDOWS\System32\drivers\nchssvad.sys -- (NCHSSVAD [On_Demand | Running])
DRV - [2005/02/16 18:49:28 | 00,494,347 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\NetWare\nwfs.sys -- (NetwareWorkstation [Auto | Running])
DRV - [2004/08/19 13:34:06 | 00,038,848 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\drivers\nicm.sys -- (NICM [Boot | Running])
DRV - [2008/04/13 14:53:09 | 00,040,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\NMnt.sys -- (nm [On_Demand | Stopped])
DRV - [2004/08/16 16:52:02 | 00,017,101 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\NetWare\nwdhcp.sys -- (NWDHCP [Auto | Running])
DRV - [2005/01/13 10:43:26 | 00,037,196 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\NetWare\nwdns.sys -- (NWDNS [On_Demand | Stopped])
DRV - [2005/01/14 09:46:38 | 00,015,919 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\system32\NetWare\nwfilter.sys -- (NWFILTER [Boot | Running])
DRV - [2004/02/17 16:16:58 | 00,011,856 | ---- | M] () -- C:\WINDOWS\System32\NetWare\NWHOST.sys -- (NWHOST [On_Demand | Stopped])
DRV - [2008/04/13 14:56:06 | 00,088,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
DRV - [2003/03/31 08:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\nwlnknb.sys -- (NwlnkNb [Auto | Running])
DRV - [2003/03/31 08:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
DRV - [2003/02/26 15:51:18 | 00,023,232 | ---- | M] () -- C:\WINDOWS\System32\NetWare\NWSAP.sys -- (NWSAP [On_Demand | Running])
DRV - [2004/07/12 17:52:20 | 00,041,888 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\NetWare\nwsipx32.sys -- (NWSIPX32 [Auto | Running])
DRV - [2005/01/03 15:51:38 | 00,020,332 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\NetWare\nwslp.sys -- (NWSLP [On_Demand | Stopped])
DRV - [2003/02/13 08:27:38 | 00,005,808 | ---- | M] () -- C:\WINDOWS\System32\NetWare\NWSNS.sys -- (NWSNS [On_Demand | Stopped])
DRV - [2003/03/31 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/08/22 15:44:03 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/06/01 19:19:34 | 00,027,249 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\NetWare\resmgr.sys -- (RESMGR [Auto | Running])
DRV - [2003/10/20 22:09:26 | 00,065,664 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rmedia.sys -- (rmedia [Boot | Running])
DRV - [2004/06/03 04:08:34 | 00,030,166 | ---- | M] (Rockwell Software, Inc.) -- C:\WINDOWS\system32\RSIKT.SYS -- (RsiKtControl [On_Demand | Stopped])
DRV - [2004/06/03 04:08:36 | 00,155,440 | ---- | M] (Rockwell Software Inc.) -- C:\WINDOWS\SYSTEM32\RSSERIAL.SYS -- (RSSERIAL [On_Demand | Stopped])
DRV - [2004/06/03 04:08:38 | 00,142,592 | ---- | M] (Rockwell Software, Inc.) -- C:\WINDOWS\SYSTEM32\RS_SS_NT.SYS -- (RS_SS_NT [On_Demand | Stopped])
DRV - [2003/08/13 18:27:22 | 00,065,280 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtlnic51.sys -- (RTL8023 [On_Demand | Running])
DRV - [2003/09/15 13:20:18 | 00,011,258 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
DRV - [2009/08/05 16:06:28 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/08/05 16:06:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/08/05 16:06:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2007/09/05 04:03:00 | 00,049,664 | ---- | M] (Prolific Technology Inc.) -- C:\WINDOWS\System32\DRIVERS\ser2pl.sys -- (Ser2pl [On_Demand | Stopped])
DRV - [2005/03/03 13:53:57 | 00,048,640 | ---- | M] (Protection Technology) -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01 [Boot | Running])
DRV - [2005/02/23 11:59:54 | 00,006,656 | ---- | M] (Protection Technology) -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02 [Boot | Running])
DRV - [2004/01/13 19:40:28 | 00,612,032 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2009/08/19 12:11:27 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2008/11/17 02:24:00 | 00,051,688 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2005/01/03 15:55:34 | 00,155,405 | ---- | M] (Novell, Inc.) -- C:\WINDOWS\System32\NetWare\srvloc.sys -- (SRVLOC [Auto | Running])
DRV - [2003/11/20 18:15:16 | 00,178,528 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2008/06/20 07:08:27 | 00,225,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\tcpip6.sys -- (Tcpip6 [System | Running])
DRV - [2009/02/16 00:10:26 | 00,353,672 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2004/01/02 05:52:34 | 01,646,720 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w22n51.sys -- (w22n51 [On_Demand | Stopped])
DRV - [2008/01/07 13:36:16 | 02,216,064 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Running])
DRV - [2003/10/14 22:05:48 | 00,679,808 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - File not found -- -- (abp470n5 [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/defaulta.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 DD 17 B2 8C 22 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/03/26 15:33:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/24 17:00:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/24 16:37:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/13 14:32:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/24 09:18:56 | 00,000,000 | ---D | M]

[2009/08/24 15:41:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\e6m6iza8.default\extensions
[2009/08/14 09:55:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\e6m6iza8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/23 12:00:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\e6m6iza8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/08/24 15:41:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\e6m6iza8.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009/09/05 07:46:11 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/13 14:32:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/13 14:34:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/08/24 16:37:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2007/06/19 20:22:53 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\realplayer@partners.mozilla.com
[2009/08/13 14:32:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla.org
[2009/03/05 18:08:04 | 00,061,440 | ---- | M] () -- C:\Program Files\mozilla firefox\components\FFComm.dll
[2009/08/13 14:32:28 | 00,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2009/08/13 14:32:28 | 00,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2009/08/13 14:32:28 | 00,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2009/08/13 14:32:30 | 00,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2009/08/13 14:32:30 | 00,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2008/06/17 16:12:42 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/08/24 16:37:11 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/08/13 14:32:42 | 00,022,664 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/12/18 05:18:30 | 00,077,824 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/08/13 14:32:51 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/08/13 14:32:51 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/24 00:12:00 | 00,001,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/08/13 14:32:51 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/13 14:32:51 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/08/13 14:32:51 | 00,002,351 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0 Pro\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0 Pro\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [NWTRAY] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: CompatibleRUPSecurity = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\netware\NWWS2NDS.DLL (Novell, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\System32\netware\NWWS2SAP.DLL (Novell, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\WINDOWS\System32\netware\NWWS2SLP.DLL (Novell, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxacm.CAB (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1124832226067 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1133885287693 (MUWebControl Class)
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} http://cid-5b2448a5e5555cbf.spaces.live.co...ad/MsnPUpld.cab (Windows Live Photo Upload Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gateway.com/support/serialharvest/gwCID.CAB (compid Class)
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} http://raiseinstall.rockwellautomation.com...emand/setup.exe (InstallShield Setup Player 2K2)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 64.255.96.2 64.255.96.3
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (NWGINA.DLL) - C:\WINDOWS\System32\NWGINA.DLL (Novell, Inc.)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\Sebring: DllName - C:\WINDOWS\System32\LgNotify.dll - C:\WINDOWS\System32\LgNotify.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (nwv1_0) - C:\WINDOWS\System32\nwv1_0.dll (Novell, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/06/23 13:39:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/09/09 16:46:47 | 00,288,654 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\SafeBootKeyRepair.exe
[2009/09/09 07:58:10 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2009/09/07 10:34:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\AVZ3
[2009/09/07 10:12:58 | 05,125,238 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avz4.zip
[2009/09/07 09:11:26 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/07 09:11:07 | 00,076,800 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\GeeksFix_9_07_09.doc
[2009/09/05 08:18:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\sysprot
[2009/09/05 08:05:36 | 00,000,000 | ---D | C] -- C:\_OTS
[2009/09/05 08:02:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Geeks2
[2009/09/01 08:37:52 | 00,025,658 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Challenger_Door_Plt2_Laminator.pdf
[2009/08/31 14:59:35 | 00,036,352 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Challenger_Door_Plt2_Laminator.doc
[2009/08/28 17:00:58 | 00,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/08/27 07:56:14 | 00,000,617 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2009/08/27 07:56:14 | 00,000,598 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2009/08/27 07:56:13 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/27 07:48:06 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/08/27 07:42:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Geeks
[2009/08/26 08:58:33 | 00,000,385 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Welcome to your control panel.url
[2009/08/25 15:18:24 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\linkinfo.dll
[2009/08/25 14:50:26 | 03,254,000 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2009/08/25 08:07:25 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/08/25 08:07:25 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/24 16:37:31 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/08/24 16:37:31 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/08/24 16:37:31 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/08/24 16:37:31 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/08/24 16:37:04 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/08/24 16:03:32 | 00,000,253 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\UPDATED 8-step Viruses-Spyware-Malware Preliminary Removal Instructions - TechSpot OpenBoards.url
[2009/08/24 15:55:13 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/08/24 15:53:34 | 00,796,448 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Owner\Desktop\JavaSetup6u15.exe
[2009/08/24 15:53:18 | 00,881,976 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
[2009/08/24 15:49:02 | 00,466,305 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\UPDATED 8-step Viruses-Spyware-Malware Preliminary Removal Instructions - TechSpot OpenBoards.mht
[2009/08/24 15:41:25 | 00,000,000 | ---D | C] -- C:\Program Files\AskBarDis
[2009/08/24 15:39:11 | 00,058,248 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2009/08/24 15:39:09 | 00,103,816 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2009/08/24 15:39:09 | 00,069,000 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2009/08/24 15:39:01 | 00,035,208 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2009/08/24 15:38:59 | 01,221,512 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2009/08/24 15:38:59 | 00,309,128 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2009/08/24 15:38:59 | 00,109,960 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2009/08/24 15:38:59 | 00,107,912 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2009/08/24 15:38:59 | 00,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2009/08/24 15:38:53 | 00,353,672 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2009/08/24 15:38:53 | 00,350,130 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/08/24 15:38:04 | 00,482,184 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2009/08/24 15:38:04 | 00,229,256 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2009/08/24 15:38:04 | 00,110,472 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2009/08/24 15:37:19 | 34,055,048 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\zaSetup_80_298_000_en.exe
[2009/08/24 11:21:32 | 02,628,096 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rmtanat.exe
[2009/08/21 16:39:17 | 33,961,728 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avira_antivir_personal_en.exe
[2009/08/21 14:23:10 | 00,001,731 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2009/08/21 13:13:26 | 01,614,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfcfiles.dll
[2009/08/21 13:13:26 | 00,574,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntfs.sys
[2009/08/21 13:13:26 | 00,435,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntmssvc.dll
[2009/08/21 13:13:26 | 00,409,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\qmgr.dll
[2009/08/21 13:13:26 | 00,253,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\es.dll
[2009/08/21 13:13:26 | 00,249,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tapisrv.dll
[2009/08/21 13:13:26 | 00,245,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mswsock.dll
[2009/08/21 13:13:26 | 00,198,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netman.dll
[2009/08/21 13:13:26 | 00,192,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\schedsvc.dll
[2009/08/21 13:13:26 | 00,185,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\upnphost.dll
[2009/08/21 13:13:26 | 00,181,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\scecli.dll
[2009/08/21 13:13:26 | 00,171,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\srsvc.dll
[2009/08/21 13:13:26 | 00,135,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\shsvcs.dll
[2009/08/21 13:13:26 | 00,129,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\xmlprov.dll
[2009/08/21 13:13:26 | 00,088,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rasauto.dll
[2009/08/21 13:13:26 | 00,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\browser.dll
[2009/08/21 13:13:26 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ssdpsrv.dll
[2009/08/21 13:13:26 | 00,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\cryptsvc.dll
[2009/08/21 13:13:26 | 00,059,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\regsvc.dll
[2009/08/21 13:13:26 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\eventlog.dll
[2009/08/21 13:13:26 | 00,027,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mspmsnsv.dll
[2009/08/21 13:13:26 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\asyncmac.sys
[2009/08/21 13:13:26 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wscntfy.exe
[2009/08/21 13:13:25 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comctl32.dll
[2009/08/21 13:13:25 | 00,407,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\netlogon.dll
[2009/08/21 13:13:25 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\msgsvc.dll
[2009/08/21 13:13:25 | 00,011,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\acpiec.sys
[2009/08/21 13:13:25 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\sfc.dll
[2009/08/21 13:13:24 | 05,937,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mshtml.dll
[2009/08/21 13:13:24 | 00,927,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\mfc40u.dll
[2009/08/21 13:13:24 | 00,792,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\comres.dll
[2009/08/21 13:13:24 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\rpcss.dll
[2009/08/21 13:13:24 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\aec.sys
[2009/08/21 13:13:24 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kbdclass.sys
[2009/08/21 13:13:24 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lpk.dll
[2009/08/21 13:13:24 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\beep.sys
[2009/08/21 13:13:24 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\null.sys
[2009/08/21 13:13:23 | 02,189,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntoskrnl.exe
[2009/08/21 13:13:23 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ntkrnlpa.exe
[2009/08/21 13:13:23 | 01,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\explorer.exe
[2009/08/21 13:13:23 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\kernel32.dll
[2009/08/21 13:13:23 | 00,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\winlogon.exe
[2009/08/21 13:13:23 | 00,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\tcpip.sys
[2009/08/21 13:13:23 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\termsrv.dll
[2009/08/21 13:13:23 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ndis.sys
[2009/08/21 13:13:23 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\services.exe
[2009/08/21 13:13:23 | 00,110,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\imm32.dll
[2009/08/21 13:13:23 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\spoolsv.exe
[2009/08/21 13:13:23 | 00,051,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wuauclt.exe
[2009/08/21 13:13:23 | 00,036,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ip6fw.sys
[2009/08/21 13:13:23 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\userinit.exe
[2009/08/21 13:13:23 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\powrprof.dll
[2009/08/21 13:13:23 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ctfmon.exe
[2009/08/21 13:13:23 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\lsass.exe
[2009/08/21 13:13:22 | 00,915,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\wininet.dll
[2009/08/21 13:13:22 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\user32.dll
[2009/08/21 13:13:22 | 00,082,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\ws2_32.dll
[2009/08/21 13:13:22 | 00,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cache\svchost.exe
[2009/08/21 13:13:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/08/21 12:43:33 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/08/21 12:43:26 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/08/21 12:43:16 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/08/21 12:28:19 | 00,299,008 | ---- | C] () -- C:\WINDOWS\System32\regxplor.dll
[2009/08/21 08:36:57 | 00,229,376 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/08/20 13:06:30 | 01,294,368 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/08/20 13:06:30 | 00,057,120 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/08/20 13:06:30 | 00,014,612 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/08/20 13:06:30 | 00,005,924 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/08/20 12:45:16 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ParetoLogic
[2009/08/20 12:45:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/08/20 12:43:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
[2009/08/20 12:32:13 | 00,000,000 | ---D | C] -- C:\Program Files\avg1
[2009/08/20 09:38:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/08/20 08:52:58 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2009/08/20 08:42:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\CD_DVD Burners
[2009/08/19 14:00:12 | 00,022,183 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Stephanie.pdf
[2009/08/19 13:56:05 | 00,023,040 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Stephanie.doc
[2009/08/19 12:57:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/08/19 12:57:33 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/19 12:57:29 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/08/19 12:57:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2009/08/19 12:21:12 | 00,000,844 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SoundTap Streaming Audio Recorder.lnk
[2009/08/19 12:20:16 | 00,000,000 | ---D | C] -- C:\Program Files\NCH Swift Sound
[2009/08/19 12:11:27 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/08/19 12:11:04 | 00,000,000 | ---D | C] -- C:\Program Files\LSoft Technologies
[2009/08/19 11:54:24 | 00,200,704 | ---- | C] (vbAccelerator) -- C:\WINDOWS\System32\vbalExpBar6.ocx
[2009/08/19 11:54:24 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\GIF89.DLL
[2009/08/19 11:54:23 | 01,986,560 | ---- | C] (NCT Company Ltd.) -- C:\WINDOWS\System32\AudFile.dll
[2009/08/19 11:54:23 | 01,212,416 | ---- | C] (NCT Company Ltd.) -- C:\WINDOWS\System32\AudioInfos.dll
[2009/08/19 11:54:23 | 00,348,160 | ---- | C] (NCT Company Ltd.) -- C:\WINDOWS\System32\WMAFile.dll
[2009/08/19 11:54:23 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetfr.DLL
[2009/08/19 11:54:22 | 00,141,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCMCFR.DLL
[2009/08/19 11:54:22 | 00,119,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB6FR.DLL
[2009/08/19 11:54:22 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CMDLGFR.DLL
[2009/08/19 11:54:21 | 00,044,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml4a.dll
[2009/08/19 11:54:21 | 00,000,000 | ---D | C] -- C:\Program Files\Free Easy Burner
[2009/08/19 11:43:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Nero
[2009/08/19 11:40:02 | 00,000,000 | ---D | C] -- C:\Program Files\Nero
[2009/08/19 11:39:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2009/08/19 11:39:42 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2009/08/19 07:59:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Recovery
[2009/08/18 09:15:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/08/18 09:15:14 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/18 09:15:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/18 09:15:11 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/18 09:15:11 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/14 15:31:21 | 00,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/08/14 08:47:08 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/08/14 08:47:08 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/08/13 18:56:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\New Folder
[2009/08/13 18:16:34 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/13 18:15:50 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/08/11 13:52:53 | 00,021,410 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\ADM Redundant Dump Pit Shutdown Controller.pdf
[2009/02/27 01:08:24 | 00,075,576 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/03/04 18:52:34 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2007/11/27 17:50:15 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/10/31 09:39:54 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/07/19 21:51:59 | 00,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2007/07/19 20:42:21 | 00,000,026 | ---- | C] () -- C:\WINDOWS\System32\satsukidecodersettings.ini
[2007/06/19 20:29:29 | 00,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/06/03 08:31:28 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/05/17 13:58:10 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2006/12/10 17:32:16 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2006/07/26 07:55:49 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2006/03/24 17:53:36 | 00,001,635 | ---- | C] () -- C:\WINDOWS\System32\MRCVersion.ini
[2006/02/23 14:40:20 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\vrcomp.dll
[2006/02/23 14:40:19 | 00,245,760 | ---- | C] () -- C:\WINDOWS\System32\vrupcfg.dll
[2006/02/23 14:40:19 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\VrCAB.dll
[2006/02/23 14:40:18 | 00,299,008 | ---- | C] () -- C:\WINDOWS\VrEncDec.dll
[2006/02/23 14:40:18 | 00,299,008 | ---- | C] () -- C:\WINDOWS\System32\VrEncDec.dll
[2006/02/23 14:40:18 | 00,157,184 | ---- | C] () -- C:\WINDOWS\System32\Vrazrar.dll
[2006/02/23 14:40:16 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\VMSLog.dll
[2006/02/23 14:40:16 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\Vrazace.dll
[2006/02/23 14:40:15 | 00,425,984 | ---- | C] () -- C:\WINDOWS\System32\VrExpJpn.dll
[2006/02/21 12:42:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\mtstack16.INI
[2006/02/08 12:12:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Unsetup.INI
[2006/02/06 11:34:03 | 00,251,420 | ---- | C] () -- C:\WINDOWS\System32\FarLsp.dll
[2006/02/06 11:34:03 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\WipeAllCom.dll
[2006/02/06 11:34:03 | 00,057,344 | ---- | C] () -- C:\WINDOWS\FWWipeALL.dll
[2005/11/30 17:50:02 | 00,000,062 | ---- | C] () -- C:\WINDOWS\abecad.ini
[2005/11/30 17:49:27 | 00,000,490 | ---- | C] () -- C:\WINDOWS\fw.ini
[2005/11/14 18:28:36 | 00,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2005/11/14 10:22:45 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2005/11/14 10:22:45 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2005/11/14 10:22:45 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2005/11/04 09:03:41 | 00,000,146 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2005/11/04 09:03:41 | 00,000,040 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2005/11/04 09:03:41 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2005/11/04 09:03:33 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2005/11/04 09:03:33 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2005/11/04 09:03:33 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2005/11/04 09:03:32 | 00,009,015 | ---- | C] () -- C:\WINDOWS\HL-2070N.INI
[2005/11/04 09:03:06 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2005/10/16 15:16:07 | 00,000,035 | ---- | C] () -- C:\WINDOWS\worldbuilder.INI
[2005/09/19 10:15:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\esmain.INI
[2005/09/03 21:25:21 | 00,000,515 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/09/03 09:19:56 | 00,000,632 | ---- | C] () -- C:\WINDOWS\Edofma.INI
[2005/08/25 12:29:53 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/08/24 17:43:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\csmain.INI
[2005/08/24 17:43:10 | 00,005,597 | ---- | C] () -- C:\WINDOWS\HEIDB.INI
[2005/08/24 17:42:31 | 00,004,257 | ---- | C] () -- C:\WINDOWS\DS400.INI
[2005/08/24 13:19:57 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/24 11:09:30 | 00,299,454 | ---- | C] () -- C:\WINDOWS\ALLSIM.INI
[2005/08/24 11:09:30 | 00,061,268 | ---- | C] () -- C:\WINDOWS\BIUTILSM.INI
[2005/08/24 11:09:30 | 00,057,969 | ---- | C] () -- C:\WINDOWS\SIMSIM.INI
[2005/08/24 11:09:30 | 00,000,580 | ---- | C] () -- C:\WINDOWS\Common.ini
[2005/08/24 11:09:29 | 00,051,712 | ---- | C] () -- C:\WINDOWS\System32\ngprtserv.dll
[2005/08/24 11:09:28 | 00,000,645 | ---- | C] () -- C:\WINDOWS\Setupwizard.ini
[2005/08/24 11:09:15 | 00,000,011 | ---- | C] () -- C:\WINDOWS\NetWare.INI
[2005/08/23 12:39:20 | 00,005,030 | ---- | C] () -- C:\WINDOWS\Constructor2003.ini
[2005/08/23 12:35:46 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/23 12:14:36 | 00,001,467 | ---- | C] () -- C:\WINDOWS\EDS.ini
[2005/08/23 12:14:36 | 00,000,260 | ---- | C] () -- C:\WINDOWS\Rocksoft.ini
[2005/08/23 08:03:25 | 00,000,032 | ---- | C] () -- C:\WINDOWS\EvMoveW.INI
[2005/08/22 16:33:40 | 00,000,032 | ---- | C] () -- C:\WINDOWS\EVMOVE.INI
[2005/08/22 16:22:10 | 00,032,256 | ---- | C] () -- C:\WINDOWS\System32\_UNODBC.dll
[2005/02/25 18:20:30 | 00,000,092 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2005/02/10 17:44:40 | 00,245,839 | ---- | C] () -- C:\WINDOWS\System32\nwshlxnt.dll
[2005/01/14 10:01:40 | 00,226,304 | ---- | C] () -- C:\WINDOWS\System32\lgnwnt32.dll
[2004/10/05 18:37:20 | 00,258,048 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2004/06/26 05:21:18 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2004/06/23 15:45:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/06/23 13:51:17 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/06/22 18:19:37 | 00,000,878 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/06/22 18:19:37 | 00,000,500 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/06/22 18:19:10 | 00,000,929 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/06/22 18:19:05 | 00,000,306 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/08/07 15:01:50 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/07/28 19:04:22 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\setupw2k.dll
[2003/03/27 15:18:54 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\akrip.dll
[2003/02/05 17:31:42 | 00,045,119 | ---- | C] () -- C:\WINDOWS\System32\dprpcw32.dll
[2002/03/18 13:37:42 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\mwmp3enc.dll
[2001/10/04 15:40:54 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\nwslog32.dll
[2000/01/20 10:15:14 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\lgncon32.dll
[1999/06/30 05:48:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\dplgnw32.dll
[1999/01/22 14:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1999/01/11 05:37:36 | 00,002,757 | ---- | C] () -- C:\WINDOWS\System32\rdrstats.ini
[1996/05/14 10:50:22 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\prtwin32.dll
[1995/08/22 09:36:12 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\nwpsrv32.dll

========== Files - Modified Within 30 Days ==========

[1 C:\Documents and Settings\Owner\My Documents\*.tmp files]
[2009/09/09 18:41:26 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/09 18:40:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/09 18:39:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/09 18:37:24 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{BD3D44B5-EE7C-46BA-BADE-4B5FC39C0C79}.job
[2009/09/09 16:46:48 | 00,288,654 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\SafeBootKeyRepair.exe
[2009/09/09 08:15:28 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/07 10:29:36 | 05,125,238 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avz4.zip
[2009/09/07 09:11:08 | 00,076,800 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\GeeksFix_9_07_09.doc
[2009/09/03 23:00:00 | 00,000,328 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2009/09/01 08:39:49 | 00,025,658 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Challenger_Door_Plt2_Laminator.pdf
[2009/09/01 08:36:28 | 00,036,352 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Challenger_Door_Plt2_Laminator.doc
[2009/08/27 07:56:14 | 00,000,617 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk
[2009/08/27 07:56:14 | 00,000,598 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk
[2009/08/26 08:58:33 | 00,000,385 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Welcome to your control panel.url
[2009/08/25 15:16:16 | 00,000,306 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/25 14:50:35 | 03,254,000 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2009/08/25 14:39:07 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/08/24 16:44:53 | 00,000,253 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\UPDATED 8-step Viruses-Spyware-Malware Preliminary Removal Instructions - TechSpot OpenBoards.url
[2009/08/24 16:37:10 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/08/24 16:37:10 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/08/24 16:37:10 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/08/24 16:37:10 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/08/24 16:37:10 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/08/24 16:23:30 | 00,796,448 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Owner\Desktop\JavaSetup6u15.exe
[2009/08/24 15:53:22 | 00,881,976 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
[2009/08/24 15:49:06 | 00,466,305 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\UPDATED 8-step Viruses-Spyware-Malware Preliminary Removal Instructions - TechSpot OpenBoards.mht
[2009/08/24 15:41:23 | 00,350,130 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/08/24 15:39:19 | 00,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2009/08/24 15:37:39 | 34,055,048 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\zaSetup_80_298_000_en.exe
[2009/08/24 15:36:19 | 33,961,728 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avira_antivir_personal_en.exe
[2009/08/24 11:21:59 | 02,628,096 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rmtanat.exe
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/08/21 14:23:12 | 00,000,929 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/21 14:23:12 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/08/21 13:06:32 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/21 11:51:34 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/08/20 17:13:55 | 01,294,368 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/08/20 17:12:05 | 00,057,120 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/08/20 15:09:48 | 00,230,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/20 15:08:35 | 00,005,924 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/08/20 15:08:34 | 00,014,612 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/08/20 13:19:36 | 00,155,648 | ---- | M] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe
[2009/08/19 14:06:10 | 00,022,183 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Stephanie.pdf
[2009/08/19 13:58:01 | 00,023,040 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Stephanie.doc
[2009/08/19 12:57:33 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/19 12:21:12 | 00,027,136 | ---- | M] (NCH Swift Sound) -- C:\WINDOWS\System32\drivers\nchssvad.sys
[2009/08/19 12:21:12 | 00,000,844 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SoundTap Streaming Audio Recorder.lnk
[2009/08/19 12:11:27 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/08/14 16:16:36 | 00,230,912 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/14 16:16:36 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/14 15:31:21 | 00,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/08/14 15:03:12 | 00,005,030 | ---- | M] () -- C:\WINDOWS\Constructor2003.ini
[2009/08/14 08:47:08 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/08/14 08:47:08 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/08/11 13:52:53 | 00,021,410 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ADM Redundant Dump Pit Shutdown Controller.pdf
< End of report >

I don't see much change ... My desktop program icon now shows the program icon instead of the MS-DOS icon, as does the icon for Outlook in the Quick Launch bar. The Registry is still blocked, and Task Manager is still blocked. However, when I tried to change the Task Manager registry value back to 0, as I've been doing after each reboot, I had to be pretty quick about doing a Ctrl-Alt-Delete and selecting Task Manager before the registry value was changed back to 1. Normally it's about 3-5 seconds; now it seems more like 1 second, so it seems like something is working quicker. As far as the misc. programs starting whenever there is an internet connection, I don't see any yet, but I will leave the internet connected for a while and see what happens.

Thanks for your help once again. smile.gif
RCguy
post Sep 10 2009, 06:12 AM
Post #20


Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3



Yeah, programs are still being spawned with an active internet connection. winxaambg.exe and yoehoe.exe just started, and w2e68ae0.exe...
RCguy
post Sep 10 2009, 06:22 AM
Post #21


Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3



Just tried to boot into Safe Mode, no go. After Mup loads, I get a message about ... "Press ... to stop loading sptd.sys" or something like that. But after that message sits at the bottom of the startup list during boot for 2 or 3 seconds, the machine auto-reboots again to the boot menu (boot into WinXP or Recovery Console). So it doesn't look like we've accomplished too terribly much. beer.gif is easier wink.gif

This post has been edited by RCguy: Sep 10 2009, 10:43 AM
RCguy
post Sep 10 2009, 07:35 AM
Post #22


Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3



Also, if it matters, I am getting a 'netsch.exe failed to initiate properly' error when I shut down Windows. Most of the time I see it, sometimes not.
jwang01
post Sep 10 2009, 03:54 PM
Post #23


GeekU Senior
Posts: 1,148
From: Minnesota
OS: Windows Vista 32-bit



Hello,

Ok, thanks for the info. I need to find the re-spawner. So let's do this.

Please delete the version of Combofix you have and do the following:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double-click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Next

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Please post the contents of the ComboFix and GMER logs in your next reply.
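The "Reg Loading Points" section of a ComboFix log is where a helper reads whether the user's own defences have been switched off: the policy values that block Task Manager and the registry editor, the Security Center override values, and the Windows Firewall profile setting. The script below is an added example, not part of this thread, of ComboFix, or of any helper's fix; it parses a constructed dump in the same REGEDIT4-style layout and flags those values. The sample text, the rule table and the function names are all constructed for the illustration.

```python
"""Flag defence-tampering values in a ComboFix-style 'Reg Loading Points' dump.

Added example, not part of the forum thread or of ComboFix. The sample text,
rule table and function names below are constructed for this illustration.
"""
import re
from typing import Dict, List, Tuple, Union

# Constructed sample in the REGEDIT4-style layout ComboFix prints (not a real log).
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 499712]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")      # "dword:00000001"
DECIMAL_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # "1 (0x1)"

RegValue = Union[int, str]

# (substring of the key path, value name, value that means the control is tampered)
# Key paths are compared lower-cased; "security center" also matches "...\Svc".
TAMPER_RULES: List[Tuple[str, str, int]] = [
    (r"policies\system", "DisableTaskMgr", 1),
    (r"policies\system", "DisableRegistryTools", 1),
    ("security center", "AntiVirusOverride", 1),
    ("security center", "FirewallOverride", 1),
    ("security center", "AntiVirusDisableNotify", 1),
    ("security center", "FirewallDisableNotify", 1),
    ("security center", "UpdatesDisableNotify", 1),
    (r"firewallpolicy\standardprofile", "EnableFirewall", 0),
]


def _coerce(raw: str) -> RegValue:
    """Turn the two numeric spellings into ints; leave paths and strings as-is."""
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = DECIMAL_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_dump(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse [key] sections and "name"=value lines into {key_path: {name: value}}.

    Key paths are lower-cased so one rule matches either the HKLM\\SOFTWARE or
    the hkey_local_machine\\software spelling; value names keep their case.
    """
    sections: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = _coerce(m.group(2))
    return sections


def find_tamper_indicators(text: str) -> List[Tuple[str, str, int]]:
    """Return (key_path, value_name, value) for every rule hit, in dump order."""
    hits: List[Tuple[str, str, int]] = []
    for key_path, values in parse_reg_dump(text).items():
        for path_part, name, bad_value in TAMPER_RULES:
            if path_part in key_path and values.get(name) == bad_value:
                hits.append((key_path, name, bad_value))
    return hits


if __name__ == "__main__":
    for key_path, name, value in find_tamper_indicators(SAMPLE_DUMP):
        print(f"{name}={value}  under [{key_path}]")
```

Run against a real ComboFix log, the same five kinds of entry would surface here; a hit only says the value is set, so whether it was set by malware, by a domain policy or by a tool the user installed is still a judgement for whoever reads the log.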
RCguy
post Sep 11 2009, 09:03 AM
Post #24


Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3



Ok, got that done. ComboFix produced the log in Notepad, but the screen was left with just the wallpaper showing: no taskbar, buttons, icons, nuthin. Other than that, no problems. Lost a couple of icons again, argh.

ComboFix 09-09-10.03 - owner 09/11/2009 8:30.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.207 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: The Shield Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://media.townhallstore.com
.
((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-09 11:58 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 13:11 . 2009-09-07 13:11 -------- dc----w- C:\_OTL
2009-09-05 12:05 . 2009-09-05 12:05 -------- dc----w- C:\_OTS
2009-08-27 11:56 . 2009-08-27 11:56 -------- d-----w- c:\program files\ERUNT
2009-08-25 12:07 . 2009-08-25 12:07 -------- d-----w- c:\program files\Trend Micro
2009-08-24 20:37 . 2009-08-24 20:37 -------- d-----w- c:\program files\Java
2009-08-24 19:55 . 2009-08-24 19:55 -------- d-----w- c:\program files\CCleaner
2009-08-24 19:41 . 2009-08-24 19:41 -------- d-----w- c:\program files\AskBarDis
2009-08-24 19:39 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-24 19:39 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-24 19:38 . 2009-08-24 19:38 -------- d-----w- c:\program files\Zone Labs
2009-08-24 19:38 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-21 16:28 . 2002-07-02 13:15 299008 ----a-w- c:\windows\system32\regxplor.dll
2009-08-21 12:49 . 2009-08-21 12:49 -------- d-----w- c:\documents and settings\Rog\Application Data\Malwarebytes
2009-08-20 19:13 . 2009-08-20 19:13 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-20 17:06 . 2009-08-20 21:13 1294368 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-20 17:06 . 2009-08-20 21:12 57120 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-20 16:45 . 2009-08-20 20:25 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-20 16:45 . 2009-08-20 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-08-20 16:43 . 2009-08-20 16:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-08-20 16:32 . 2009-08-21 16:36 -------- d-----w- c:\program files\avg1
2009-08-20 15:17 . 2009-08-20 15:17 -------- d-sh--w- c:\documents and settings\Rog\PrivacIE
2009-08-20 15:16 . 2009-08-20 15:17 -------- d-----w- c:\documents and settings\Rog\Local Settings\Application Data\Google
2009-08-20 15:09 . 2009-08-20 15:09 -------- d-----w- c:\documents and settings\Rog\Local Settings\Application Data\Adobe
2009-08-20 12:52 . 2008-04-14 09:41 81920 ------w- c:\windows\system32\ieencode.dll
2009-08-19 16:57 . 2009-08-19 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-19 16:57 . 2009-08-21 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-19 16:57 . 2009-08-19 16:57 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-19 16:20 . 2009-08-19 16:21 -------- d-----w- c:\program files\NCH Swift Sound
2009-08-19 16:11 . 2009-08-19 16:11 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-19 16:11 . 2009-08-19 16:11 -------- d-----w- c:\program files\LSoft Technologies
2009-08-19 15:54 . 1998-07-13 21:53 44544 ----a-w- c:\windows\system32\GIF89.DLL
2009-08-19 15:54 . 2005-03-11 22:37 1986560 ----a-w- c:\windows\system32\AudFile.dll
2009-08-19 15:54 . 2005-02-24 17:11 1212416 ----a-w- c:\windows\system32\AudioInfos.dll
2009-08-19 15:54 . 2005-02-24 16:51 348160 ----a-w- c:\windows\system32\WMAFile.dll
2009-08-19 15:54 . 1998-07-13 02:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2009-08-19 15:54 . 2000-10-01 22:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-08-19 15:54 . 1998-07-13 02:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-08-19 15:54 . 1998-07-12 22:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-08-19 15:54 . 2009-08-20 12:24 -------- d-----w- c:\program files\Free Easy Burner
2009-08-19 15:54 . 2003-04-18 19:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-08-19 15:43 . 2009-08-19 15:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-08-19 15:40 . 2009-08-19 15:41 -------- d-----w- c:\program files\Nero
2009-08-19 15:39 . 2009-08-19 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-19 15:39 . 2009-08-19 15:42 -------- d-----w- c:\program files\Common Files\Nero
2009-08-18 13:15 . 2009-08-18 13:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-18 13:15 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 13:15 . 2009-08-18 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-18 13:15 . 2009-08-18 13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 13:15 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-13 22:15 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 20:53 . 2009-08-13 20:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 12:18 . 2009-04-27 19:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-25 14:28 . 2006-02-06 15:31 -------- d-----w- c:\program files\PCSecurityShield
2009-08-24 20:41 . 2008-02-15 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\comodo
2009-08-24 20:37 . 2008-12-19 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-24 19:58 . 2005-08-23 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 19:39 . 2005-08-22 21:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-24 13:13 . 2005-08-22 21:56 -------- d-----w- c:\program files\Google
2009-08-21 21:06 . 2008-09-18 21:50 -------- d-----w- c:\documents and settings\Owner\Application Data\IGN_DLM
2009-08-21 20:52 . 2004-06-23 18:11 -------- d-----w- c:\program files\QuickTime
2009-08-21 20:51 . 2008-11-12 13:34 -------- d-----w- c:\program files\MP3 Workshop
2009-08-20 19:08 . 2009-08-20 17:06 5924 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-20 19:08 . 2009-08-20 17:06 14612 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-20 19:05 . 2009-08-06 14:20 -------- d-----w- c:\program files\AutoCAD 2009
2009-08-20 18:39 . 2005-11-04 12:44 -------- d-----w- c:\program files\AutoCAD 2004
2009-08-20 18:33 . 2008-11-14 12:35 -------- d-----w- c:\program files\Acoustica Shared Effects
2009-08-20 18:33 . 2008-11-14 12:26 -------- d-----w- c:\program files\Acoustica Mixcraft 4
2009-08-20 17:19 . 2004-06-23 18:21 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-08-20 15:07 . 2009-08-20 15:07 62792 ----a-w- c:\documents and settings\Rog\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 16:57 . 2008-12-17 13:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 16:21 . 2007-11-20 20:24 27136 ----a-w- c:\windows\system32\drivers\nchssvad.sys
2009-08-19 16:11 . 2004-06-23 17:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 20:02 . 2005-08-23 16:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 18:28 . 2008-01-04 19:06 -------- d-----w- c:\program files\Support Tools
2009-08-07 21:03 . 2009-08-07 21:03 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-06 14:45 . 2005-11-04 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-08-06 14:42 . 2005-08-22 21:42 62728 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 14:30 . 2005-11-29 16:55 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-08-06 14:20 . 2005-11-04 12:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Autodesk
2009-08-05 09:01 . 2002-12-12 07:14 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-06-22 22:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-06-23 17:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-06-18 04:49 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2009-04-16 21:03 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-06-22 22:19 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-06-22 22:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-06-22 22:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-06-22 22:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-06-22 22:18 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-06-22 22:19 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-06-22 22:18 81920 ------w- c:\windows\system32\fontsub.dll
2009-03-05 22:08 . 2009-04-27 13:22 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-08-13 18:32 . 2007-06-20 00:22 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-13 18:32 . 2007-06-20 00:22 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-13 18:32 . 2007-08-10 13:18 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-13 18:32 . 2007-08-10 13:18 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-13 18:32 . 2007-06-20 00:22 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-25_19.16.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-10 12:15 . 2009-09-10 12:15 16384 c:\windows\Temp\Perflib_Perfdata_e0.dat
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
- 2003-01-13 21:57 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2003-01-13 21:57 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-09 12:14 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-09 12:14 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-09 12:14 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2009-08-27 11:57 . 2009-08-27 11:57 438272 c:\windows\ERDNT\8-27-2009\Users\00000002\UsrClass.dat
+ 2009-08-27 11:57 . 2005-10-20 16:02 163328 c:\windows\ERDNT\8-27-2009\ERDNT.EXE
+ 2004-06-23 19:25 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
- 2004-06-23 19:25 . 2008-06-18 10:03 2458112 c:\windows\system32\WMVCore.dll
- 2004-06-23 19:25 . 2008-06-18 10:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-06-23 19:25 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2005-08-22 20:05 . 2009-08-28 18:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-09 12:14 . 2009-09-09 12:14 15709696 c:\windows\Installer\9a395e0.msp
+ 2009-08-27 11:57 . 2009-08-27 11:57 10436608 c:\windows\ERDNT\8-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 22:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 499712]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 227104]
"NWTRAY"="NWTRAY.EXE" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 139316]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 23:49 110592 ------w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RCA Detective.lnk]
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSSERV"=2 (0x2)
"LIVESRV"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\Program Files\\Windows Media Player\\wmdbexport.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0 Pro\\Distillr\\Acrotray.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE"=
"c:\\Program Files\\Adobe\\Acrobat 7.0 Pro\\Acrobat\\acrobat_sl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\ZCfgSvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"135:TCP"= 135:TCP:Port 135 TCP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/24/2009 3:41 PM 464264]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\olnmoq.sys --> c:\windows\system32\drivers\olnmoq.sys [?]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [6/3/2004 4:08 AM 71448]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys --> c:\windows\system32\Drivers\FarDrive.sys [?]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [6/3/2004 4:08 AM 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [6/3/2004 4:08 AM 30166]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [6/3/2004 4:08 AM 155440]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-08-23 19:31]

2009-09-11 c:\windows\Tasks\User_Feed_Synchronization-{BD3D44B5-EE7C-46BA-BADE-4B5FC39C0C79}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.foxnews.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://raiseinstall.rockwellautomation.com/ecad-ondemand/setup.exe
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e6m6iza8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-09-11 8:52
ComboFix-quarantined-files.txt 2009-09-11 12:52
ComboFix2.txt 2009-08-25 19:23
ComboFix3.txt 2009-08-24 13:00
ComboFix4.txt 2009-08-21 17:17
ComboFix5.txt 2009-09-11 12:28

Pre-Run: 22,198,636,544 bytes free
Post-Run: 22,153,199,616 bytes free

312 --- E O F --- 2009-09-10 12:31

_____________________________________________________________________________________________________________

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 10:53:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xED9C8C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xED9E3170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xED9C9210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xED9E39F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xED9E37A0]
SSDT spjh.sys ZwEnumerateKey [0xF7385CA2]
SSDT spjh.sys ZwEnumerateValueKey [0xF7386030]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xED9E3F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xED9E3F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xED9C9070]
SSDT spjh.sys ZwOpenKey [0xF73670C0]
SSDT spjh.sys ZwQueryKey [0xF7386108]
SSDT spjh.sys ZwQueryValueKey [0xF7385F88]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xED9E46F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xED9E4150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xED9E4540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xED9C9440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xED9E34E0]

INT 0x33 ? 855F6F00
INT 0x3A ? 855F6F00
INT 0x3E ? 8574CBF8
INT 0x3F ? 8574CBF8

---- Kernel code sections - GMER 1.0.15 ----

? spjh.sys The system cannot find the file specified. !
? nwfilter.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F62068AC 5 Bytes JMP 855F64E0
? C:\WINDOWS\system32\drivers\olnmoq.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 857515E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7398C4C] spjh.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7398CA0] spjh.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7368040] spjh.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F736813C] spjh.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73680BE] spjh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73687FC] spjh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73686D2] spjh.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 855F65E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7378048] spjh.sys
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [ED9E9B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F78A962A] nwfilter.sys
IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F78A962A] nwfilter.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [ED9C98D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [ED9C9A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [ED9C95E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [ED9C9980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8574A1F8
Device \FileSystem\Fastfat \FatCdrom 85557500
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{42EED50B-5EB6-4D5C-ABDB-2CD6A81B9687} 84C541F8
Device \Driver\usbuhci \Device\USBPDO-0 855EF500
Device \Driver\usbuhci \Device\USBPDO-1 855EF500
Device \Driver\usbuhci \Device\USBPDO-2 855EF500
Device \Driver\usbehci \Device\USBPDO-3 855FA500
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8574D1F8
Device \Driver\Cdrom \Device\CdRom0 855871F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 84C541F8
Device \Driver\NetBT \Device\NetbiosSmb 84C541F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-0 855EF500
Device \Driver\usbuhci \Device\USBFDO-1 855EF500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84BCE500
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 855EF500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84BCE500
Device \Driver\usbehci \Device\USBFDO-3 855FA500
Device \Driver\Ftdisk \Device\FtControl 8574D1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A755F705-ACE8-4349-A17D-F086CDF8E1B6} 84C541F8
Device \FileSystem\Fastfat \Fat 85557500
Device \FileSystem\Cdfs \Cdfs 853DE500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@imagepath \systemroot\system32\drivers\SKYNETuyxmktiq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETuyxmktiq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETcmd.dll \systemroot\system32\SKYNETmupfulhm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETlog.dat \systemroot\system32\SKYNETvlpfqhne.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETltqskdbq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNET.dat \systemroot\system32\SKYNETlxkonlrd.dat

---- EOF - GMER 1.0.15 ----
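A way to read a GMER log like the one above, as an added example that is not part of this thread, of GMER, or of ComboFix: the script below parses the log's SSDT, kernel-section, IAT and Registry lines and groups them by the module or service responsible. It encodes two things a practitioner checks by hand in this log. A randomly named sp??.sys driver that hooks atapi.sys and sits beside a Services\sptd\Cfg key is the SPTD disc-emulation driver (sptd.sys appears in the ComboFix file list further down this page), a frequent benign entry in GMER output. A kernel module whose file "cannot be found" (olnmoq.sys) and a service key GMER had to dig out of a non-active ControlSet (SKYNETkvwwurqp, whose modules@ values map internal names to random file names) are what the helper calls the rootkit. The regular expressions, the verdict strings and the sample excerpt are my own; the excerpt is constructed from lines of the log above.

```python
"""Offline triage of a GMER rootkit-scan log (added example, not code from
this thread, from GMER or from ComboFix). It separates hooks by modules GMER
could identify (file description in parentheses), modules whose backing file
is hidden or missing, and registry keys GMER found hidden from the normal API.
SAMPLE_LOG is a constructed excerpt of the log posted above."""
import re

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xED9C8C80]
SSDT spjh.sys ZwEnumerateKey [0xF7385CA2]
SSDT spjh.sys ZwOpenKey [0xF73670C0]

---- Kernel code sections - GMER 1.0.15 ----

? spjh.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\olnmoq.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7368040] spjh.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 855F65E0
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [ED9C95E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@imagepath \systemroot\system32\drivers\SKYNETuyxmktiq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETltqskdbq.dll
"""

# Line shapes GMER 1.0.15 uses; the "(description)" part is present only when
# GMER could read version information from the module's file.
RE_SSDT = re.compile(r"^SSDT\s+(\S+)(?:\s+\((.*?)\))?\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
RE_MISSING = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
RE_IAT = re.compile(r"^IAT\s+(\S+?)\[([^\]]+)\]\s+(?:\[([0-9A-Fa-f]+)\]\s+(\S+)(?:\s+\((.*?)\))?|([0-9A-Fa-f]+))\s*$")
RE_REG = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(\S+?)\\Services\\([^\\@\s]+)(\S*)(?:\s+(.*))?$")
RE_SPTD_LIKE = re.compile(r"^sp[a-z]{2}\.sys$")  # SPTD's randomly named companion driver

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(log_text):
    modules, services, unresolved, missing = {}, {}, [], set()

    def module(name):
        return modules.setdefault(name, {"ssdt": [], "iat": [], "description": None,
                                         "file_missing": False, "notes": []})

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_SSDT.match(line):
            path, desc, func, _ = m.groups()
            info = module(basename(path))
            info["ssdt"].append(func)
            info["description"] = info["description"] or desc
        elif m := RE_MISSING.match(line):
            missing.add(basename(m.group(1)))
        elif m := RE_IAT.match(line):
            victim, imp, _, target, desc, bare = m.groups()
            if target is None:  # GMER printed only an address, no owning module
                unresolved.append(f"{basename(victim)}[{imp}] -> {bare}")
            else:
                info = module(basename(target))
                info["iat"].append(f"{basename(victim)}[{imp}]")
                info["description"] = info["description"] or desc
        elif m := RE_REG.match(line):
            cset, svc, rest, value = m.groups()
            services.setdefault(svc, {"controlset": cset, "values": {}})["values"][rest] = value

    for name in missing:
        module(name)["file_missing"] = True

    # Verdicts. SPTD (disc-emulation driver) hides its Cfg values and loads a
    # random sp??.sys that hooks atapi.sys; GMER reports both and they are benign.
    sptd_installed = "sptd" in services
    for name, info in modules.items():
        hooks = bool(info["ssdt"] or info["iat"])
        if RE_SPTD_LIKE.match(name) and sptd_installed and info["file_missing"]:
            info["notes"].append("random-named sp??.sys beside a Services\\sptd key: SPTD driver, normally benign")
        elif info["file_missing"]:
            info["notes"].append("backing file hidden or missing" + (" and it installs hooks" if hooks else "")
                                 + ": treat as rootkit until the file is recovered and checked")
        elif info["description"]:
            info["notes"].append(f"identified as '{info['description']}': confirm that product is installed")
        elif hooks:
            info["notes"].append("hooking module without file description: verify manually")
    for svc, entry in services.items():
        entry["verdict"] = ("known benign (SPTD configuration values)" if svc.lower() == "sptd" else
                            f"hidden service key in {entry['controlset']}: rootkit persistence; "
                            "its image paths are the files to collect")
    return {"modules": modules, "services": services, "unresolved_iat": unresolved}

def report(result):
    lines = [f"{n}: {len(i['ssdt'])} SSDT, {len(i['iat'])} IAT hook(s); " + "; ".join(i["notes"])
             for n, i in sorted(result["modules"].items())]
    lines += [f"Services\\{s}: {e['verdict']}" for s, e in sorted(result["services"].items())]
    lines += [f"unresolved IAT target: {u}" for u in result["unresolved_iat"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a saved GMER log with `triage(open("gmer.log").read())`. The SPTD rule is deliberately narrow: it fires only when the sp??.sys file is reported missing and a Services\sptd key is present in the same log, so a random-named driver without that companion key still lands in the "treat as rootkit" bucket.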
jwang01
post Sep 12 2009, 12:20 PM
Post #25


GeekU Senior
Posts: 1,148
From: Minnesota
OS: Windows Vista 32-bit



Hello,


I think I may have found the culprit. You have one sneaky Rootkit installed on your computer.



Looking at your system now, one or more of the identified infections is a backdoor Trojan or Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.




Next


Your safe boot keys are still corrupt; please do the following:


First we need to run a REG fix. Please follow the instructions below:

  • Copy all of the contents of the code box below into Notepad
  • Go to Save As, save it as fix.reg, and change the File Type to All Files.
  • Save the file to your desktop
  • Then find the icon on your desktop and double-click it
  • You will be asked if you are sure you want to merge it into the registry; click Yes
  • You should then receive a message that says it was successful.


CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Next


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
KillAll::

File::
c:\windows\system32\drivers\olnmoq.sys

Folder::

Collect::
c:\windows\system32\SKYNETlxkonlrd.dat
c:\windows\system32\SKYNETltqskdbq.dll
c:\windows\system32\SKYNETvlpfqhne.dat
c:\windows\system32\SKYNETmupfulhm.dll
c:\windows\system32\drivers\SKYNETuyxmktiq.sys

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

Driver::
abp470n5
SKYNETuyxmktiq


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Next



Please run another scan with GMER and post that log in your next reply.


Please post the logs of ComboFix and GMER in your next reply
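Two checks worth making before double-clicking a .reg file posted in a forum, as an added example (not code from this thread or from any tool it uses): that every key the file writes lies under the SafeBoot subtree it claims to repair and nothing else, and what it will actually add or overwrite compared with the keys the machine currently has. The parser, the checks and both sample inputs are mine; EXPECTED is an excerpt of the fix above and CURRENT is a constructed export imitating a machine whose SafeBoot\Minimal entries were deleted and one altered.

```python
"""Check a SafeBoot .reg fix before merging it and list what it would change.
Added example, not code from the thread or from any tool it uses. EXPECTED is
an excerpt of the fix posted above; CURRENT is a constructed 'reg export' of a
machine whose SafeBoot\Minimal entries were deleted and one was altered."""
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

EXPECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"
"""

CURRENT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Service"
"""

# value line: @=... for the default value, or "name"=... (quotes escaped as \")
RE_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode(data):
    """Decode the common .reg data encodings; anything else is kept verbatim."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data

def parse_reg(text):
    """Return {key_path: {value_name: data}}; '@' is the key's default value.
    A key header with no values still appears, with an empty dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = RE_VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = decode(m.group(2))
    return keys

def out_of_scope(reg_text, prefix=SAFEBOOT):
    """Keys the .reg file would write outside the SafeBoot subtree (case-insensitive).
    A SafeBoot fix must return [] here; anything else means do not merge it."""
    p = prefix.lower()
    return [k for k in parse_reg(reg_text) if not (k.lower() == p or k.lower().startswith(p + "\\"))]

def safeboot_diff(expected_text, current_text):
    """What merging `expected` would add or overwrite relative to `current`.
    reg.exe treats key and value names case-insensitively, so compare the same way."""
    expected, current = parse_reg(expected_text), parse_reg(current_text)
    cur_ci = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in current.items()}
    missing_keys, missing_values, changed = [], {}, {}
    for key, vals in expected.items():
        have = cur_ci.get(key.lower())
        if have is None:
            missing_keys.append(key)
            continue
        for name, data in vals.items():
            if name.lower() not in have:
                missing_values.setdefault(key, {})[name] = data
            elif have[name.lower()] != data:
                changed.setdefault(key, {})[name] = (have[name.lower()], data)  # (current, fix)
    return {"missing_keys": sorted(missing_keys), "missing_values": missing_values, "changed": changed}

if __name__ == "__main__":
    print("out of scope:", out_of_scope(EXPECTED))
    for section, items in safeboot_diff(EXPECTED, CURRENT).items():
        print(section, items)
```

On the machine itself the CURRENT text comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot_current.reg`; reg.exe writes that file as UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing it to `safeboot_diff`. An empty `out_of_scope` result together with a diff that only adds SafeBoot subkeys is what a legitimate repair looks like; a fix that also touches Run keys or service ImagePath values is not a SafeBoot repair.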
RCguy
post Sep 13 2009, 04:39 PM
Post #26


Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3



Ok, I did all three, and all three reported ok. The registry fix said that it completed ok, although I had to use the other registry software that I got to temporarily set the key value to 0 to allow the script to execute, but it seemed ok and said that it was successful. Combofix wouldn't execute at first, gave me a message that combofix had been changed/altered and was unsafe to use, and I closed it. I downloaded a fresh copy from the previous link you gave, dropped the script on the icon immediately, and it executed ok then. GMER scanned without incident. Here are the results you asked for.


ComboFix 09-09-12.A0 - owner 09/13/2009 12:57.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.119 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: The Shield Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\windows\system32\drivers\olnmoq.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://media.townhallstore.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-09 11:58 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 13:11 . 2009-09-07 13:11 -------- dc----w- C:\_OTL
2009-09-05 12:05 . 2009-09-05 12:05 -------- dc----w- C:\_OTS
2009-08-27 11:56 . 2009-08-27 11:56 -------- d-----w- c:\program files\ERUNT
2009-08-25 12:07 . 2009-08-25 12:07 -------- d-----w- c:\program files\Trend Micro
2009-08-24 20:37 . 2009-08-24 20:37 -------- d-----w- c:\program files\Java
2009-08-24 19:55 . 2009-08-24 19:55 -------- d-----w- c:\program files\CCleaner
2009-08-24 19:41 . 2009-08-24 19:41 -------- d-----w- c:\program files\AskBarDis
2009-08-24 19:39 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-24 19:39 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-24 19:38 . 2009-08-24 19:38 -------- d-----w- c:\program files\Zone Labs
2009-08-24 19:38 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-21 16:28 . 2002-07-02 13:15 299008 ----a-w- c:\windows\system32\regxplor.dll
2009-08-21 12:49 . 2009-08-21 12:49 -------- d-----w- c:\documents and settings\Rog\Application Data\Malwarebytes
2009-08-20 19:13 . 2009-08-20 19:13 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-20 17:06 . 2009-08-20 21:13 1294368 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-20 17:06 . 2009-08-20 21:12 57120 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-20 16:45 . 2009-08-20 20:25 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-20 16:45 . 2009-08-20 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-08-20 16:43 . 2009-08-20 16:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-08-20 16:32 . 2009-08-21 16:36 -------- d-----w- c:\program files\avg1
2009-08-20 15:17 . 2009-08-20 15:17 -------- d-sh--w- c:\documents and settings\Rog\PrivacIE
2009-08-20 15:16 . 2009-08-20 15:17 -------- d-----w- c:\documents and settings\Rog\Local Settings\Application Data\Google
2009-08-20 15:09 . 2009-08-20 15:09 -------- d-----w- c:\documents and settings\Rog\Local Settings\Application Data\Adobe
2009-08-20 12:52 . 2008-04-14 09:41 81920 ------w- c:\windows\system32\ieencode.dll
2009-08-19 16:57 . 2009-08-19 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-19 16:57 . 2009-08-21 20:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-19 16:57 . 2009-08-19 16:57 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-19 16:20 . 2009-08-19 16:21 -------- d-----w- c:\program files\NCH Swift Sound
2009-08-19 16:11 . 2009-08-19 16:11 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-19 16:11 . 2009-08-19 16:11 -------- d-----w- c:\program files\LSoft Technologies
2009-08-19 15:54 . 1998-07-13 21:53 44544 ----a-w- c:\windows\system32\GIF89.DLL
2009-08-19 15:54 . 2005-03-11 22:37 1986560 ----a-w- c:\windows\system32\AudFile.dll
2009-08-19 15:54 . 2005-02-24 17:11 1212416 ----a-w- c:\windows\system32\AudioInfos.dll
2009-08-19 15:54 . 2005-02-24 16:51 348160 ----a-w- c:\windows\system32\WMAFile.dll
2009-08-19 15:54 . 1998-07-13 02:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2009-08-19 15:54 . 2000-10-01 22:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-08-19 15:54 . 1998-07-13 02:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-08-19 15:54 . 1998-07-12 22:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-08-19 15:54 . 2009-08-20 12:24 -------- d-----w- c:\program files\Free Easy Burner
2009-08-19 15:54 . 2003-04-18 19:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-08-19 15:43 . 2009-08-19 15:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-08-19 15:40 . 2009-08-19 15:41 -------- d-----w- c:\program files\Nero
2009-08-19 15:39 . 2009-08-19 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-19 15:39 . 2009-08-19 15:42 -------- d-----w- c:\program files\Common Files\Nero
2009-08-18 13:15 . 2009-08-18 13:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-18 13:15 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-18 13:15 . 2009-08-18 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-18 13:15 . 2009-08-18 13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 13:15 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 12:18 . 2009-04-27 19:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-25 14:28 . 2006-02-06 15:31 -------- d-----w- c:\program files\PCSecurityShield
2009-08-24 20:41 . 2008-02-15 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\comodo
2009-08-24 20:37 . 2008-12-19 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-24 19:58 . 2005-08-23 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 19:39 . 2005-08-22 21:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-24 13:13 . 2005-08-22 21:56 -------- d-----w- c:\program files\Google
2009-08-21 21:06 . 2008-09-18 21:50 -------- d-----w- c:\documents and settings\Owner\Application Data\IGN_DLM
2009-08-21 20:52 . 2004-06-23 18:11 -------- d-----w- c:\program files\QuickTime
2009-08-21 20:51 . 2008-11-12 13:34 -------- d-----w- c:\program files\MP3 Workshop
2009-08-20 19:08 . 2009-08-20 17:06 5924 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-20 19:08 . 2009-08-20 17:06 14612 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-20 19:05 . 2009-08-06 14:20 -------- d-----w- c:\program files\AutoCAD 2009
2009-08-20 18:39 . 2005-11-04 12:44 -------- d-----w- c:\program files\AutoCAD 2004
2009-08-20 18:33 . 2008-11-14 12:35 -------- d-----w- c:\program files\Acoustica Shared Effects
2009-08-20 18:33 . 2008-11-14 12:26 -------- d-----w- c:\program files\Acoustica Mixcraft 4
2009-08-20 17:19 . 2004-06-23 18:21 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-08-20 15:07 . 2009-08-20 15:07 62792 ----a-w- c:\documents and settings\Rog\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 16:57 . 2008-12-17 13:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 16:21 . 2007-11-20 20:24 27136 ----a-w- c:\windows\system32\drivers\nchssvad.sys
2009-08-19 16:11 . 2004-06-23 17:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 20:02 . 2005-08-23 16:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 18:28 . 2008-01-04 19:06 -------- d-----w- c:\program files\Support Tools
2009-08-07 21:03 . 2009-08-07 21:03 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-06 14:45 . 2005-11-04 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-08-06 14:42 . 2005-08-22 21:42 62728 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 14:30 . 2005-11-29 16:55 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-08-06 14:20 . 2005-11-04 12:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Autodesk
2009-08-05 09:01 . 2002-12-12 07:14 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-06-22 22:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-06-23 17:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-06-18 04:49 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2009-04-16 21:03 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-06-22 22:19 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-06-22 22:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-06-22 22:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-06-22 22:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-06-22 22:18 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-06-22 22:19 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-06-22 22:18 81920 ------w- c:\windows\system32\fontsub.dll
2009-03-05 22:08 . 2009-04-27 13:22 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-08-13 18:32 . 2007-06-20 00:22 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-13 18:32 . 2007-06-20 00:22 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-13 18:32 . 2007-08-10 13:18 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-13 18:32 . 2007-08-10 13:18 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-13 18:32 . 2007-06-20 00:22 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
Ok.

.

((((((((((((((((((((((((((((( SnapShot_2009-08-25_19.16.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-13 17:40 . 2009-09-13 17:40 16384 c:\windows\temp\Perflib_Perfdata_738.dat
+ 2009-09-13 17:40 . 2009-09-13 17:40 16384 c:\windows\temp\Perflib_Perfdata_4f0.dat
+ 2009-09-13 17:42 . 2009-09-13 17:42 16384 c:\windows\temp\Perflib_Perfdata_214.dat
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2003-01-13 21:57 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2003-01-13 21:57 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-09 12:14 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-09 12:14 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-09 12:14 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2009-08-27 11:57 . 2009-08-27 11:57 438272 c:\windows\ERDNT\8-27-2009\Users\00000002\UsrClass.dat
+ 2009-08-27 11:57 . 2005-10-20 16:02 163328 c:\windows\ERDNT\8-27-2009\ERDNT.EXE
+ 2009-09-13 17:42 . 2009-09-13 17:42 2189056 c:\windows\temp\winvbek.exe
+ 2004-06-23 19:25 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
- 2004-06-23 19:25 . 2008-06-18 10:03 2458112 c:\windows\system32\WMVCore.dll
+ 2004-06-23 19:25 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2004-06-23 19:25 . 2008-06-18 10:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2005-08-22 20:05 . 2009-08-28 18:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-09 12:14 . 2009-09-09 12:14 15709696 c:\windows\Installer\9a395e0.msp
+ 2009-08-27 11:57 . 2009-08-27 11:57 10436608 c:\windows\ERDNT\8-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 22:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 499712]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 227104]
"NWTRAY"="NWTRAY.EXE" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 139316]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 23:49 110592 ------w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RCA Detective.lnk]
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSSERV"=2 (0x2)
"LIVESRV"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\OpcEnum.exe"=
"c:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"c:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\Program Files\\Windows Media Player\\wmdbexport.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0 Pro\\Distillr\\Acrotray.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE"=
"c:\\Program Files\\Adobe\\Acrobat 7.0 Pro\\Acrobat\\acrobat_sl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\ZCfgSvc.exe"=
"c:\\WINDOWS\\system32\\CF6703.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"135:TCP"= 135:TCP:Port 135 TCP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [8/24/2009 3:41 PM 464264]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [6/3/2004 4:08 AM 71448]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys --> c:\windows\system32\Drivers\FarDrive.sys [?]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [6/3/2004 4:08 AM 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [6/3/2004 4:08 AM 30166]
S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [6/3/2004 4:08 AM 155440]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-08-23 19:31]

2009-09-13 c:\windows\Tasks\User_Feed_Synchronization-{BD3D44B5-EE7C-46BA-BADE-4B5FC39C0C79}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.foxnews.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://raiseinstall.rockwellautomation.com/ecad-ondemand/setup.exe
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e6m6iza8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'Explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
.
**************************************************************************
.
Completion time: 2009-09-13 13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 17:51
ComboFix2.txt 2009-09-11 12:52
ComboFix3.txt 2009-08-25 19:23
ComboFix4.txt 2009-08-24 13:00
ComboFix5.txt 2009-09-13 16:55

Pre-Run: 20,361,162,752 bytes free
Post-Run: 20,208,410,624 bytes free

325 --- E O F --- 2009-09-10 12:31





_____________________________________________________________________________________________________________



GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-13 18:29:55
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEDF91C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xEDFAC170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEDF92210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEDFAC9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xEDFAC7A0]
SSDT spge.sys ZwEnumerateKey [0xF7385CA2]
SSDT spge.sys ZwEnumerateValueKey [0xF7386030]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEDFACF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEDFACF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEDF92070]
SSDT spge.sys ZwOpenKey [0xF73670C0]
SSDT spge.sys ZwQueryKey [0xF7386108]
SSDT spge.sys ZwQueryValueKey [0xF7385F88]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEDFAD6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEDFAD150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xEDFAD540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEDF92440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xEDFAC4E0]

INT 0x33 ? 855D3F00
INT 0x3A ? 855D3F00
INT 0x3E ? 8574BBF8
INT 0x3F ? 8574BBF8

---- Kernel code sections - GMER 1.0.15 ----

? spge.sys The system cannot find the file specified. !
? nwfilter.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F67A78AC 5 Bytes JMP 855D34E0
? C:\WINDOWS\system32\drivers\olnmoq.sys The system cannot find the file specified. !
? C:\Combo-Fix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 857502D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7398C4C] spge.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7398CA0] spge.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7368040] spge.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F736813C] spge.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73680BE] spge.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73687FC] spge.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73686D2] spge.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 855D35E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7378048] spge.sys
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EDFB2B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F78A962A] nwfilter.sys
IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F78A962A] nwfilter.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EDF928D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EDF92A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EDF925E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EDF92980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 857491F8
Device \FileSystem\Fastfat \FatCdrom 853CE500
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\abp470n5 \Device\abp470n5 olnmoq.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{42EED50B-5EB6-4D5C-ABDB-2CD6A81B9687} 84B581F8
Device \Driver\usbuhci \Device\USBPDO-0 855D4500
Device \Driver\usbuhci \Device\USBPDO-1 855D4500
Device \Driver\usbuhci \Device\USBPDO-2 855D4500
Device \Driver\usbehci \Device\USBPDO-3 8550E1F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8574C1F8
Device \Driver\Cdrom \Device\CdRom0 854FF1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 84B581F8
Device \Driver\NetBT \Device\NetbiosSmb 84B581F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-0 855D4500
Device \Driver\usbuhci \Device\USBFDO-1 855D4500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84B781F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 855D4500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84B781F8
Device \Driver\usbehci \Device\USBFDO-3 8550E1F8
Device \Driver\Ftdisk \Device\FtControl 8574C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A755F705-ACE8-4349-A17D-F086CDF8E1B6} 84B581F8
Device \FileSystem\Fastfat \Fat 853CE500
Device \FileSystem\Cdfs \Cdfs 849F4500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@imagepath \systemroot\system32\drivers\SKYNETuyxmktiq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETuyxmktiq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETcmd.dll \systemroot\system32\SKYNETmupfulhm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETlog.dat \systemroot\system32\SKYNETvlpfqhne.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETltqskdbq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNET.dat \systemroot\system32\SKYNETlxkonlrd.dat

---- Files - GMER 1.0.15 ----

File C:\System Volume Information\_restore{1C5C44A1-2FDC-42B5-8242-B6F085064C4F}\RP58\A0025703.exe 800304 bytes executable
File C:\System Volume Information\_restore{1C5C44A1-2FDC-42B5-8242-B6F085064C4F}\RP58\A0025704.exe 1812016 bytes executable
File C:\System Volume Information\_restore{1C5C44A1-2FDC-42B5-8242-B6F085064C4F}\RP58\A0025705.EXE 28512 bytes
File C:\System Volume Information\_restore{1C5C44A1-2FDC-42B5-8242-B6F085064C4F}\RP58\A0025706.exe 102400 bytes executable

---- EOF - GMER 1.0.15 ----



My registry has Task Manager and regedit disabled. I have not seen any spawners since this last fix session, but I have not left the computer with access to the internet for too long either. One thing I have noticed the last day or so, though: notepad.exe is in the Task Manager, but I'm not using it, nor is there a window for it, nor does it show minimized. I try to end process it and ... nothing. Usually Windows will let you know that a program won't respond when it tries to close it, but not with this. I can try to end process it over and over and just nothing. Ahhh, there we go, winfdxf.exe just spawned. Glad to be able to give you a challenge. ;) Thank you very much for your effort even so. :)
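The GMER "Registry" section in the log above is the most informative part of these reports: it lists a service whose keys sit in a control set GMER explicitly marks as not active, with an image path under \systemroot and several extra modules registered beneath the service key. The following Python script is an added example, not code from the thread, from GMER or from Geeks to Go; it parses lines of that shape, groups them per service, flags the points a defender would want to see, and turns the \systemroot paths into a list of on-disk artifacts. The sample input is copied from the log above; the assumed Windows directory (C:\WINDOWS), the regular expression and the triage rules are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the GMER "---- Registry ----" section above.
GMER_REGISTRY_SAMPLE = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp@imagepath \systemroot\system32\drivers\SKYNETuyxmktiq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETuyxmktiq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETcmd.dll \systemroot\system32\SKYNETmupfulhm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETltqskdbq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETkvwwurqp\modules@SKYNET.dat \systemroot\system32\SKYNETlxkonlrd.dat
"""

# One GMER "Reg" line: control set, service name, optional subkey, optional @value, optional data.
LINE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?:\\(?P<sub>[^@\s]+))?(?:@(?P<val>\S+))?(?:\s+(?P<data>.*))?$"
)


@dataclass
class ServiceKey:
    control_set: str
    name: str
    values: Dict[str, str] = field(default_factory=dict)   # value name (lower-cased) -> data
    modules: Dict[str, str] = field(default_factory=dict)  # entries under the "modules" subkey
    inactive: bool = False  # GMER printed "(not active ControlSet)" for one of its keys


def parse_gmer_registry(text: str) -> List[ServiceKey]:
    """Group GMER 'Reg' lines by (control set, service name)."""
    found: Dict[Tuple[str, str], ServiceKey] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = found.setdefault((m["cs"], m["svc"]), ServiceKey(m["cs"], m["svc"]))
        if m["data"] == "(not active ControlSet)":
            rec.inactive = True
        elif m["val"] is None:
            continue  # a bare subkey line carrying no value
        elif m["sub"] is None:
            rec.values[m["val"].lower()] = m["data"] or ""
        elif m["sub"].lower() == "modules":
            rec.modules[m["val"]] = m["data"] or ""
    return list(found.values())


def expand_nt_path(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Rewrite an NT-style path beginning with \\systemroot to a Win32 path (root is assumed)."""
    if path.lower().startswith("\\systemroot\\"):
        return system_root + path[len("\\systemroot"):]
    return path


def triage(services: List[ServiceKey], system_root: str = r"C:\WINDOWS") -> List[dict]:
    """Flag services worth a closer look and list the files they point at."""
    findings = []
    for svc in services:
        reasons = []
        if svc.inactive:
            # CurrentControlSet is only a link to one of the numbered sets, so the set's
            # name alone says nothing about whether it is live; GMER's explicit note does.
            reasons.append(f"keys live in {svc.control_set}, which GMER marks as not active")
        if svc.values.get("type") == "1" and svc.values.get("start") == "1":
            reasons.append("kernel driver (Type=1) loaded at SERVICE_SYSTEM_START (Start=1)")
        if svc.modules:
            reasons.append(f"{len(svc.modules)} module(s) registered under a 'modules' subkey")
        if not reasons:
            continue
        paths = [svc.values.get("imagepath", "")] + list(svc.modules.values())
        artifacts = sorted({expand_nt_path(p, system_root) for p in paths if p.startswith("\\")})
        findings.append({"service": svc.name, "control_set": svc.control_set,
                         "reasons": reasons, "artifacts": artifacts})
    return findings


if __name__ == "__main__":
    for f in triage(parse_gmer_registry(GMER_REGISTRY_SAMPLE)):
        print(f"{f['service']} ({f['control_set']})")
        for r in f["reasons"]:
            print("  reason:", r)
        for a in f["artifacts"]:
            print("  file:  ", a)
```

Run on the sample, the script reports the single SKYNET service with three reasons and four distinct files, all under C:\WINDOWS\system32, which is the path form a cleanup script for such a log would need to use. The sptd entry is left alone because nothing beyond a Cfg subkey was recorded for it.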
jwang01
post Sep 14 2009, 01:05 PM
Post #27


GeekU Senior
Posts: 1,148
From: Minnesota
OS: Windows Vista 32-bit



Hello,


I think we are going to need to use a bigger gun here. There are some things that are being stubborn. :)



1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Begin copying here:
Drivers to delete:
SKYNETuyxmktiq.sys
abp470n5

Files to delete:
C:\system32\SKYNETlxkonlrd.dat
C:\system32\SKYNETltqskdbq.dll
C:\system32\SKYNETvlpfqhne.dat
C:\system32\SKYNETmupfulhm.dll
C:\system32\drivers\SKYNETuyxmktiq.sys
c:\windows\system32\drivers\olnmoq.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


Next


  • Please go to VirusTotal
  • Click on the Browse button and navigate to C:\WINDOWS\system32\drivers\spge.sys
  • Then click Send File
  • It will open up a log. Please post that log in your next reply.



Next


Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Next



Please open up OTL and run another scan. Post that log in your next reply.



Please post the logs of Avenger, VirusTotal, MBAM and OTL in your next reply
RCguy
post Sep 14 2009, 01:54 PM
Post #28


Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3



Ok, it looks like we've encountered a bump in the road here. I ran Avenger and the report basically said that everything we did didn't work. Files weren't found, etc. I can't navigate to virustotal.com yet either, so I was going to send the file (spge.sys) to my email and have it analyzed on another computer. Well, spge.sys is not in C:\Windows\System32\Drivers\ ... I opened the folder properties and clicked the 'show hidden files' box, but still nothing. So, do you want the MBAM and OTL reports or no?

Here is the report from Avenger.


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETuyxmktiq.sys" not found!
Deletion of driver "SKYNETuyxmktiq.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\abp470n5" not found!
Deletion of driver "abp470n5" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\system32\SKYNETlxkonlrd.dat"
Deletion of file "C:\system32\SKYNETlxkonlrd.dat" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\system32\SKYNETltqskdbq.dll"
Deletion of file "C:\system32\SKYNETltqskdbq.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\system32\SKYNETvlpfqhne.dat"
Deletion of file "C:\system32\SKYNETvlpfqhne.dat" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\system32\SKYNETmupfulhm.dll"
Deletion of file "C:\system32\SKYNETmupfulhm.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\system32\drivers\SKYNETuyxmktiq.sys"
Deletion of file "C:\system32\drivers\SKYNETuyxmktiq.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "c:\windows\system32\drivers\olnmoq.sys" not found!
Deletion of file "c:\windows\system32\drivers\olnmoq.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



And here is a screenshot of where spge.sys was thought to be...

Attached Image

Attached Image
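The Avenger log above reports two different NTSTATUS codes, and the log's own glosses show they mean different things: 0xc0000034 is "the object does not exist" (the last name component was not found), while 0xc000003a is "bad path / the parent directory does not exist". The following Python script is an added example, not Avenger's code and not part of the thread; it pairs each failed deletion with its status line, decodes the code, and cross-checks the target against a hand-transcribed list of the service key and file paths that the GMER log earlier in this thread recorded. The sample log lines are copied from the Avenger output above; the GMER_SERVICES and GMER_FILES tables are transcribed from the GMER log with \systemroot expanded to C:\WINDOWS, which is an assumption about this machine.

```python
import ntpath
import re
from typing import List

# Constructed sample: three of the failure blocks from the Avenger log above.
AVENGER_LOG_SAMPLE = r"""
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\SKYNETuyxmktiq.sys" not found!
Deletion of driver "SKYNETuyxmktiq.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open file "C:\system32\SKYNETmupfulhm.dll"
Deletion of file "C:\system32\SKYNETmupfulhm.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\drivers\olnmoq.sys" not found!
Deletion of file "c:\windows\system32\drivers\olnmoq.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
"""

# Standard NTSTATUS values for the two codes Avenger reported.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND (the last path component does not exist)",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND (a parent directory in the path does not exist)",
}

# Reference data transcribed by hand from the GMER Registry section posted earlier:
# service key name -> (control set GMER found it in, image path as GMER printed it).
GMER_SERVICES = {
    "SKYNETkvwwurqp": ("ControlSet003", r"\systemroot\system32\drivers\SKYNETuyxmktiq.sys"),
}
# Files GMER attributed to that service; \systemroot expanded to C:\WINDOWS (assumed root).
GMER_FILES = [
    r"C:\WINDOWS\system32\drivers\SKYNETuyxmktiq.sys",
    r"C:\WINDOWS\system32\SKYNETmupfulhm.dll",
    r"C:\WINDOWS\system32\SKYNETltqskdbq.dll",
    r"C:\WINDOWS\system32\SKYNETvlpfqhne.dat",
    r"C:\WINDOWS\system32\SKYNETlxkonlrd.dat",
]

FAIL_RE = re.compile(r'Deletion of (?P<kind>driver|file) "(?P<target>[^"]+)" failed!')
STATUS_RE = re.compile(r"Status: (?P<code>0x[0-9a-fA-F]{8})")


def parse_failures(log: str) -> List[dict]:
    """Pair each 'Deletion of ... failed!' line with the Status line that follows it."""
    failures, pending = [], None
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pending = {"kind": m["kind"], "target": m["target"]}
            continue
        s = STATUS_RE.search(line)
        if s and pending is not None:
            pending["status"] = int(s["code"], 16)
            failures.append(pending)
            pending = None
    return failures


def explain(failure: dict) -> str:
    """Decode the NTSTATUS and cross-check the target against the GMER reference data."""
    kind, target, code = failure["kind"], failure["target"], failure["status"]
    base = NTSTATUS.get(code, f"unrecognised NTSTATUS {code:#010x}")
    if kind == "driver":
        # The log shows Avenger resolves a driver name as
        # \Registry\Machine\System\CurrentControlSet\Services\<name>, i.e. a service key name.
        for svc, (cs, image) in GMER_SERVICES.items():
            if ntpath.basename(image).lower() == target.lower():
                return (f"{base}; '{target}' is the image file of service '{svc}', "
                        f"whose key GMER found under {cs}")
        return f"{base}; GMER recorded no service or image named '{target}'"
    for known in GMER_FILES:  # same file name known at a different path?
        if (ntpath.basename(known).lower() == ntpath.basename(target).lower()
                and known.lower() != target.lower()):
            return f"{base}; GMER recorded this file at {known}, not at {target}"
    return f"{base}; file not in the GMER list (already removed, or never at this path)"


if __name__ == "__main__":
    for fail in parse_failures(AVENGER_LOG_SAMPLE):
        print(f"{fail['kind']} {fail['target']}: {explain(fail)}")
```

The two cross-checks are the useful part: a PATH_NOT_FOUND on a file whose name GMER did record elsewhere points at a path mismatch in the script rather than at a file that is gone, and a driver name that matches an image file rather than a service key explains why no Services key was found under CurrentControlSet.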
RCguy
post Sep 14 2009, 01:58 PM
Post #29


Member
Posts: 46
From: Indiana - USA
OS: WinXP sp3



And yeah, I'm still getting the spawners...
jwang01
post Sep 14 2009, 02:20 PM
Post #30


GeekU Senior
Posts: 1,148
From: Minnesota
OS: Windows Vista 32-bit



Hello,


This is a tough one. Yes, please post the MBAM and OTL logs as well.

© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising