CSRCS.exe scareware [Solved] - Geeks to Go Forums


CSRCS.exe scareware [Solved] Fake UAC dialog on Windows XP

#1 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 18 April 2010 - 10:15 AM

Hi, I have a similar problem to this guy: http://www.geekstogo.com/forum/Win-2010-An...xe-t273425.html

Specifically, when I run IE, Firefox, taskmgr, notepad, etc..., I get these UAC-like dialogs (on Windows XP SP2!) saying
"User Account Control: An unidentified program wants access to your computer - Windows Security Center block active process: csrcs.exe Process try direct access to memory process.exe"
If I click Allow, my program shuts down. If I click Scan, it offers to fix it for $49.99.

I've tried Malware Bytes Anti-Malware, AVG Free, Avast Free, SuperAntispyware, Spywareblaster, Spybot Search & Destroy, and ComboFix. Only ComboFix will fix it for a short time - until it comes back.

Thanks for any advice you can give.

Here's my GMER log:

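A triage helper for the kind of GMER output posted in threads like this one, added here as an example (it is not code from the original post or from GMER itself): it parses the SSDT/Code hook lines of GMER's "System" section, groups the hooked kernel routines by driver, and flags drivers with no vendor string or a Temp-directory path for the analyst to verify first. The sample lines and the trusted-vendor list are constructed for the example.

```python
"""Triage helper for the "System" section of a GMER log (the SSDT / Code hook lines)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample in the line format GMER 1.0.15 prints:
#   KIND MODULE (DESCRIPTION/COMPANY) FUNCTION [0xADDRESS]
# The "(...)" block and the "[0x...]" address are both optional.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA71E0C08]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA72A3320]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA71ED468]
Code \??\C:\DOCUME~1\Gary\LOCALS~1\Temp\catchme.sys pIofCallDriver
"""

# Vendors whose self-protection hooks are expected on this machine (assumption:
# the analyst maintains this list; GMER does not supply it).
TRUSTED_VENDORS: Set[str] = {"ALWIL Software", "SUPERAdBlocker.com and SUPERAntiSpyware.com"}

# MODULE may contain spaces ("C:\Program Files\..."), so it is matched lazily and
# the optional "(...)" block plus the function name decide where it ends.
_HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>.+?)"
    r"(?:\s+\((?P<desc>.*)\))?"
    r"\s+(?P<func>\S+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)


class Hook(NamedTuple):
    kind: str               # "SSDT" (service table entry) or "Code" (inline patch)
    module: str             # path exactly as GMER printed it
    basename: str           # file name only, used to group hooks per driver
    description: str        # text before the "/" in the parentheses ("" if absent)
    company: str            # text after the "/" in the parentheses ("" if absent)
    function: str           # hooked kernel routine
    address: Optional[str]  # hook target, None when GMER printed none


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Parse every SSDT/Code line; section headers and other sections are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = _HOOK_RE.match(line.strip())
        if not m:
            continue
        desc = company = ""
        if m.group("desc") is not None:
            head, sep, tail = m.group("desc").rpartition("/")
            # Without a "/", rpartition leaves the whole text in `tail`
            desc, company = (head, tail) if sep else (tail, "")
        module = m.group("module")
        hooks.append(Hook(
            kind=m.group("kind"),
            module=module,
            basename=module.rsplit("\\", 1)[-1],
            description=desc.strip(),
            company=company.strip(),
            function=m.group("func"),
            address=m.group("addr"),
        ))
    return hooks


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Which kernel routines each driver hooks: a quick view of who owns the SSDT."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        grouped[h.basename].append(h.function)
    return {name: sorted(funcs) for name, funcs in grouped.items()}


def triage(hooks: List[Hook], trusted_vendors: Set[str]) -> List[Tuple[str, str]]:
    """Return (driver, reason) pairs that deserve a closer look.

    Hooks from a known security product are normal.  A driver with no vendor
    string, or one loaded from a Temp directory, is not automatically malicious
    (GMER's and ComboFix's own drivers run from Temp during a scan), but it is
    what the analyst should verify first.
    """
    findings: List[Tuple[str, str]] = []
    for h in hooks:
        reasons = []
        if not h.company:
            reasons.append("no vendor string in GMER's description")
        elif h.company not in trusted_vendors:
            reasons.append(f"vendor {h.company!r} not in the trusted list")
        if "\\temp\\" in h.module.lower():
            reasons.append("driver loaded from a Temp directory")
        for reason in reasons:
            if (h.basename, reason) not in findings:
                findings.append((h.basename, reason))
    return findings
```

Run `parse_gmer_hooks` over a full GMER log rather than the sample to get the per-driver view; the Devices and Registry sections are ignored by the regex.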

#2 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,596
  • Joined: 31-May 06

Posted 18 April 2010 - 10:37 AM

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link. Could you also post the Combofix log from your latest run?

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#3 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 18 April 2010 - 10:50 AM

OTS attached

Attached File: OTS.Txt (126.42K)

Here's my latest ComboFix log. Thanks to an earlier run of Combofix in the same Windows session, this run occurred at a point in time when the problems weren't very evident. (If I reboot, the problems will be back):

FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\9aj99n42.default\
FF - plugin: c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\9aj99n42.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Gary\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 08:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-18 09:01:00
ComboFix-quarantined-files.txt 2010-04-18 16:00
ComboFix2.txt 2010-04-18 15:55
ComboFix3.txt 2010-04-18 15:50
ComboFix4.txt 2010-04-18 07:33
ComboFix5.txt 2010-04-18 15:57

Pre-Run: 91,290,456,064 bytes free
Post-Run: 91,283,374,080 bytes free

- - End Of File - - B18A5791E415C6CFFEB38DC13031AB3D

#4 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,596
  • Joined: 31-May 06

Posted 18 April 2010 - 11:03 AM

Hi, I have some concerns about the results generated by ComboFix, so I would like to start with another AV scan.

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the licence agreement and click on Next.
  • It will by default install to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan, make sure these are checked:


  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


Leave the rest of the settings as they appear as default.

  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware in the report (it will be at the very top under Detected). Post those results in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.


#5 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 18 April 2010 - 04:08 PM

Below is my Kaspersky log, made from Windows safe mode without networking.
I couldn't find a way to "Save" the log, but I was able to copy the "Important events" into notepad.

When I rebooted into Windows normal mode, the malware dialogs started popping up as usual.


Autoscan: completed 3 minutes ago (events: 16, objects: 2812597, time: 04:24:04)
4/18/2010 10:22:18 AM Task started
4/18/2010 10:36:02 AM Detected: Packed.Win32.Krap.ai C:\Program Files\Adobe\Photoshop 5.0\Plug-Ins\Automate\ContactSheet.8li
4/18/2010 10:43:24 AM Deleted: Packed.Win32.Krap.ai C:\Program Files\Adobe\Photoshop 5.0\Plug-Ins\Automate\ContactSheet.8li
4/18/2010 10:48:00 AM Detected: Packed.Win32.Krap.ai C:\System Volume Information\_restore{A9FD8B9D-F91C-4833-9327-805506CADD44}\RP6\A0007443.8li
4/18/2010 10:50:45 AM Deleted: Packed.Win32.Krap.ai C:\System Volume Information\_restore{A9FD8B9D-F91C-4833-9327-805506CADD44}\RP6\A0007443.8li
4/18/2010 11:52:16 AM Detected: Exploit.Win32.DComII.c E:\Backup\Games\Zelda Classic\zc192a184w.zip/zcmusic.dll
4/18/2010 11:53:34 AM Deleted: Exploit.Win32.DComII.c E:\Backup\Games\Zelda Classic\zc192a184w.zip/zcmusic.dll
4/18/2010 12:25:47 PM Detected: HEUR:Trojan.Win32.KillFiles E:\Backup\Programs\Tweak\wintricks_v4-0b.exe/wintricks.exe/data0003.res/data/HEViewer.exe/ASPack
4/18/2010 12:51:35 PM Deleted: HEUR:Trojan.Win32.KillFiles E:\Backup\Programs\Tweak\wintricks_v4-0b.exe
4/18/2010 1:45:56 PM Detected: Exploit.Win32.DComII.c G:\Backup\Games\Zelda Classic\zc192a184w.zip/zcmusic.dll
4/18/2010 1:46:04 PM Deleted: Exploit.Win32.DComII.c G:\Backup\Games\Zelda Classic\zc192a184w.zip/zcmusic.dll
4/18/2010 2:19:32 PM Detected: HEUR:Trojan.Win32.KillFiles G:\Backup\Programs\Tweak\wintricks_v4-0b.exe/wintricks.exe/data0003.res/data/HEViewer.exe/ASPack
4/18/2010 2:26:37 PM Deleted: HEUR:Trojan.Win32.KillFiles G:\Backup\Programs\Tweak\wintricks_v4-0b.exe
4/18/2010 2:44:53 PM Detected: HEUR:Trojan.Win32.KillFiles G:\System Volume Information\_restore{A9FD8B9D-F91C-4833-9327-805506CADD44}\RP6\A0007445.exe/wintricks.exe/data0003.res/data/HEViewer.exe/ASPack
4/18/2010 2:46:17 PM Deleted: HEUR:Trojan.Win32.KillFiles G:\System Volume Information\_restore{A9FD8B9D-F91C-4833-9327-805506CADD44}\RP6\A0007445.exe
4/18/2010 2:46:22 PM Task completed

#6 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,596
  • Joined: 31-May 06

Posted 18 April 2010 - 04:38 PM

Hi, we may need to run SFC later, but we will see how this goes first.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = secfile] -> Reg Error: Key error.
< File Associations - Select to Repair > -> HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>\
YY -> .exe [@ = secfile] -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe
YY -> .exe [@ = secfile] -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe
YN -> .exe [@ = exefile] -> Reg Error: Key error.
[Files/Folders - Created Within 30 Days]
NY ->  ABCD24203A -> C:\ABCD24203A
NY ->  ABCD -> C:\ABCD
NY ->  avG -> C:\Documents and Settings\LocalService\Local Settings\Application Data\avG
NY ->  avG -> C:\Documents and Settings\All Users\Application Data\avG
[Files/Folders - Modified Within 30 Days]
NY ->  XYZA32.exe -> C:\Documents and Settings\Gary\Desktop\XYZA32.exe
NY ->  ABCD.exe -> C:\Documents and Settings\Gary\Desktop\ABCD.exe
NY ->  R1s4u54x0W8I -> C:\Documents and Settings\Gary\Local Settings\Application Data\R1s4u54x0W8I
NY ->  R1s4u54x0W8I -> C:\Documents and Settings\All Users\Application Data\R1s4u54x0W8I
NY ->  3Yfi -> C:\Documents and Settings\Gary\Local Settings\Application Data\3Yfi
NY ->  3Yfi -> C:\Documents and Settings\All Users\Application Data\3Yfi
NY ->  4019432185 -> C:\Documents and Settings\All Users\Application Data\4019432185
[Files - No Company Name]
NY ->  XYZA32.exe -> C:\Documents and Settings\Gary\Desktop\XYZA32.exe
NY ->  ABCD.exe -> C:\Documents and Settings\Gary\Desktop\ABCD.exe
NY ->  R1s4u54x0W8I -> C:\Documents and Settings\Gary\Local Settings\Application Data\R1s4u54x0W8I
NY ->  R1s4u54x0W8I -> C:\Documents and Settings\All Users\Application Data\R1s4u54x0W8I
NY ->  4019432185 -> C:\Documents and Settings\All Users\Application Data\4019432185
NY ->  3Yfi -> C:\Documents and Settings\Gary\Local Settings\Application Data\3Yfi
NY ->  3Yfi -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\3Yfi
NY ->  3Yfi -> C:\Documents and Settings\All Users\Application Data\3Yfi
[File - Lop Check]
NY ->  avG -> C:\Documents and Settings\All Users\Application Data\avG
NY ->  WildTangent -> C:\Documents and Settings\All Users\Application Data\WildTangent
NY ->  WildTangent -> C:\Documents and Settings\Gary\Application Data\WildTangent
[Custom Items]
:reg
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
[-HKEY_CURRENT_USER\Software\Classes\exefile]
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
:end
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
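The registry part of the OTS fix above restores the .exe file association because, as the "File Associations" lines show, the per-user ".exe" key had been pointed at a bogus "secfile" ProgID whose open command launches ave.exe, so every program the user starts runs through the scareware first. As an added example (not part of the thread or of OTS), here is a Python audit that resolves the .exe association the way the shell does, per-user Classes before machine Classes, and flags any deviation from the stock `"%1" %*` command; the .reg text it parses is constructed, and the ave.exe command line in the hijacked sample is assumed (only its path comes from the log).

```python
import re

# The shell reads HKEY_CLASSES_ROOT as a merged view in which per-user Classes
# win over machine Classes, so a hijack only needs its own copy of ".exe" under HKCU.
USER_ROOT = r"hkey_current_user\software\classes"
MACHINE_ROOT = r"hkey_local_machine\software\classes"
EXPECTED_OPEN_CMD = '"%1" %*'  # stock exefile\shell\open\command on XP


def parse_reg(text):
    """Parse a minimal .reg export into {key_path_lower: {value_name: data}}; HKCR keys
    are filed under HKLM\Software\Classes and a leading '-' deletes a key, as in the OTS fix."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            key = key_match.group(1).lower()
            delete, key = key.startswith("-"), key.lstrip("-")
            if key.startswith("hkey_classes_root\\"):
                key = MACHINE_ROOT + key[len("hkey_classes_root"):]
            if delete:
                for k in [k for k in hives if k == key or k.startswith(key + "\\")]:
                    del hives[k]
                current = None
            else:
                current = hives.setdefault(key, {})
            continue
        val_match = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not val_match:
            continue
        name = "" if val_match.group(1) == "@" else val_match.group(1)[1:-1]
        data = val_match.group(2)
        if data.startswith('"') and data.endswith('"'):  # undo \" and \\ escapes
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        current[name] = data
    return hives


def lookup(hives, subkey, value=""):
    """Return (data, source hive) for a Classes value as the shell sees it."""
    for root, label in ((USER_ROOT, "HKCU"), (MACHINE_ROOT, "HKLM")):
        key = hives.get((root + "\\" + subkey).lower())
        if key is not None and value in key:
            return key[value], label
    return None, None


def audit_exe_association(reg_text):
    """Return a list of findings; an empty list means the association is stock."""
    hives, findings = parse_reg(reg_text), []
    progid, src = lookup(hives, ".exe")
    if progid is None:
        return ["no .exe association found"]
    if src == "HKCU":
        findings.append("per-user .exe override in HKCU\\Software\\Classes -> " + progid)
    if progid.lower() != "exefile":
        findings.append(".exe ProgID is %r, expected exefile" % progid)
    cmd, cmd_src = lookup(hives, progid + r"\shell\open\command")
    if cmd != EXPECTED_OPEN_CMD:
        findings.append("open command from %s is %r, expected %r"
                        % (cmd_src, cmd, EXPECTED_OPEN_CMD))
    return findings


# Constructed sample: the stock XP values the OTS fix writes back.
CLEAN_EXPORT = r'''[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample of the hijack the OTS output reports: a per-user ".exe" key
# points at "secfile", whose open command runs ave.exe (command line assumed).
HIJACKED_EXPORT = CLEAN_EXPORT + r'''[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\ave.exe\" \"%1\" %*"
'''

# The fix's two deletion lines are enough: with the per-user ".exe" gone,
# resolution falls through to the untouched machine-wide exefile.
REPAIRED_EXPORT = HIJACKED_EXPORT + r'''[-HKEY_CURRENT_USER\Software\Classes\exefile]
[-HKEY_CURRENT_USER\Software\Classes\.exe]
'''
```

Running `audit_exe_association` on the three samples returns no findings for the clean and repaired exports and three for the hijacked one (per-user override, wrong ProgID, ave.exe in the open command), which is the same state the OTS "YY -> .exe [@ = secfile]" lines report.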

#7 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 18 April 2010 - 07:01 PM

Attached is the OTS fix log, zipped up: 04182010_163517.zip (27.49K).
Also attached is the post-fix OTS log: OTS.Txt (124.9K).

OTS had to reboot to finish its deletions. After I plugged the network cord in the malware dialog popped up a couple of minutes later and IE shut down. Therefore, I had to run combofix to get IE working again. The first combofix blue-screened with a DRIVER_IRQ_NOT_EQUAL mbr.sys error; the second time it worked.

#8 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,596
  • Joined: 31-May 06

Posted 19 April 2010 - 11:29 AM

Could I see the combofix log please

#9 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 19 April 2010 - 08:52 PM

I tried rebooting and the malware came back, so I ran combofix again to suppress it temporarily. The latest combofix log is attached.
Attached file: ComboFix.txt (25.32K)

BTW, I'm not sure whether the following information is relevant. A few days ago combofix was saying there was a possible rootkit and needed to reboot. It tends not to do this any more. Also, from a few days ago, the combofix log contained the following message; it seems to no longer report this. Perhaps this is one reason why I shouldn't have run combofix without supervision :)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x892D7AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf10
\Driver\ACPI -> ACPI.sys @ 0xb9f59cb8
\Driver\atapi -> 0x890b0830
\Driver\iaStor -> iaStor.sys @ 0xb9e4ef78
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058244a
ParseProcedure -> ntkrnlpa.exe @ 0x8058158a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058244a
ParseProcedure -> ntkrnlpa.exe @ 0x8058158a
NDIS: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d28ba0
PacketIndicateHandler -> NDIS.sys @ 0xb9d35b21
SendHandler -> NDIS.sys @ 0xb9d1387b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

#10 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,596
  • Joined: 31-May 06

Posted 20 April 2010 - 11:31 AM

OK, let's use a different analysis tool.

Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.


  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.


When restarted

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the icon to insert the attachment into your post


#11 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 20 April 2010 - 01:43 PM

Attached file: virusinfo_syscure.zip (66.81K)

Attached file: virusinfo_syscheck.zip (64.43K)

Attached file: virusinfo_syscheck2.zip (63.6K)

The zip I renamed to "syscheck2" was created at a time when the malware was active (I hadn't run combofix yet in that session).

#12 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,596
  • Joined: 31-May 06

Posted 20 April 2010 - 02:13 PM

I would like to run GMER again as I feel it is a TDSS variant, but I cannot see where it is starting from. Do you use a router?

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.

#13 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 20 April 2010 - 06:30 PM

The XP machine having the problem is connected directly to a D-Link Router.
The devices wirelessly connected to the router, like a Vista laptop and iPhone, don't seem to have problems.

This GMER log was made while the malware was active:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 17:18:27
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\fxddapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA6600C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA6600AC4]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA6601078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA6600FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA660069A]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F832A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8E910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA6600B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA66005DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA660063E]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F832C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA6600CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA6601146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA6600C7E]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8E0B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA6600DFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA66C3320]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CB8 80503B94 4 Bytes JMP A866F591
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9258000, 0x1C5D58, 0xE8000020]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0x9A3B8F00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[496] SHELL32.dll!SHFileOperationW 7CA70488 5 Bytes JMP 00C01102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E281B8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Cdrom \Device\CdRom0 890CB4B0
Device \FileSystem\Rdbss \Device\FsWrap 890DC9C0
Device \FileSystem\Srv \Device\LanmanServer 88E5A650

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88E4E290
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88E4E290
Device \FileSystem\Npfs \Device\NamedPipe 890ED150
Device \FileSystem\Msfs \Device\Mailslot 88EAE150
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 890CB930
Device \Driver\d347prt \Device\Scsi\d347prt1 890CB930
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 88E4D5B0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 88E4D5B0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 88E4D5B0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 88E4D5B0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 88E4D5B0
Device \FileSystem\Cdfs \Cdfs 88E1B1E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x99 0x2B 0xB9 0x13 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

#14 marvolo

  • Group: Member
  • Posts: 8
  • Joined: 18-April 10

Posted 20 April 2010 - 06:41 PM

I disconnected the cable leading from the PC to the wireless router and plugged directly into the cable modem, bypassing the router. The malware did come back after rebooting, even when the wireless router wasn't connected to the PC.

Is it worth flashing the motherboard BIOS? I can try that if it will help.

Update: well I'm about ready to throw in the towel. Combofix is crashing at random points (sometimes in a program called sed.cfxxe) and I'm regularly getting various bluescreens and CHKDSK is detecting random corrupt files at bootup. Second update: I can't start Windows in either normal or safe mode now.

Thanks a lot for trying to help me; I am probably going to give up and try a low-level format of the disk and reinstall Windows.

#15 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,596
  • Joined: 31-May 06

Posted 21 April 2010 - 12:00 PM

I think that may be your best idea as I can see nothing that would cause this. It sounds like a file infector, but nothing is showing that confirms this.

Unless it is d347prt that has been suborned: it is legitimate and part of Daemon Tools, but I don't know.

Sorry I could not be of more help
