W32.Svich


#1
YellowRubberDuck
Member
109 posts
Hi,

I inserted my flash drive into a public shared computer at an Internet cafe.
When I got home, my anti-virus software scanned it and reported that my flash drive had the W32.Svich virus.
What should I do next?
Please advise.
Thanks in advance.
  • 0


#2
RKinner
Malware Expert, MVP
24,625 posts
Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you ran it. Don't delete this folder; it will help protect your drives from future infection.


Install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/

If you think it got on your PC (or just want to make sure it didn't), follow the guide:
http://www.geekstogo...emoval-f37.html
Post (copy and paste) your logs.

Run
  • 0
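The folder trick described in the post above, as an added example (it is not code from the post and not Flash_Disinfector's own code): a drive root can hold only one object named autorun.inf, so a folder of that name blocks a worm from dropping its autorun.inf file. The script classifies a drive root as protected (folder), suspect (file) or unguarded, and for a file lists the [autorun] keys that would launch a program. The three drive roots and the autorun.inf contents are constructed in a temporary directory so it runs offline; the `recycled\launch.exe` name is invented for the example.

```python
"""Check drive roots for the autorun.inf folder guard.

Added example for this thread; not Flash_Disinfector's code and not from
the forum post.  The guard works because Windows allows only one object
named autorun.inf at a drive root: if a folder already holds the name, a
worm cannot create its autorun.inf file there.  The drive roots below are
constructed in a temporary directory; on Windows, check_drive_root("G:\\")
inspects a real drive (read-only, it changes nothing).
"""
import configparser
import os
import tempfile

PROTECTED = "protected"      # autorun.inf present and is a directory
SUSPECT = "autorun-file"     # autorun.inf present and is a file: inspect it
UNGUARDED = "none"           # nothing named autorun.inf at the root

# [autorun] keys that make Windows start a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun_inf(path):
    """Return the [autorun] section (keys lower-cased) as a dict."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str.lower
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        cp.read_file(fh)
    for section in cp.sections():          # section name is case-insensitive
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def check_drive_root(root):
    """Classify a drive root; for an autorun.inf file also return its launch keys."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return PROTECTED, {}
    if os.path.isfile(path):
        entries = parse_autorun_inf(path)
        launch = {k: v for k, v in entries.items() if k in LAUNCH_KEYS}
        return SUSPECT, launch
    return UNGUARDED, {}


# Constructed autorun.inf in the shape a USB worm leaves behind; the
# executable name is invented for the example.
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\n"
    "open=recycled\\launch.exe\n"
    "shellexecute=recycled\\launch.exe\n"
    "shell\\open\\command=recycled\\launch.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)


def build_sample_drives():
    """Create three constructed drive roots and return {label: path}."""
    base = tempfile.mkdtemp(prefix="autorun-demo-")
    roots = {}
    for label in ("protected", "infected", "clean"):
        root = os.path.join(base, label)
        os.mkdir(root)
        roots[label] = root
    # Flash_Disinfector-style guard: a folder occupying the name.  The real
    # tool also marks it hidden/system, which mkdir cannot do portably.
    os.mkdir(os.path.join(roots["protected"], "autorun.inf"))
    with open(os.path.join(roots["infected"], "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return roots


def triage(roots):
    """Run check_drive_root over every root; returns {label: (status, launch)}."""
    return {label: check_drive_root(path) for label, path in roots.items()}


if __name__ == "__main__":
    for label, (status, launch) in triage(build_sample_drives()).items():
        print(f"{label:10s} {status}")
        for key, value in launch.items():
            print(f"           {key} = {value}")
```

The parser deliberately reads the file as text and never executes anything it finds; the point of the check is to tell a protective folder from a dropped file and to show a reader which entries in a dropped file would have fired.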

#3
YellowRubberDuck (Topic Starter)
Member
109 posts
Hi RKinner,

1. Download Flash_Disinfector.exe by sUBs & scan - done.
2. Install Autorun Eater v2.4. - done
3. The logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/6/2010 8:44:07 PM
mbam-log-2010-05-06 (20-44-07).txt

Scan type: Quick scan
Objects scanned: 134930
Time elapsed: 8 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-06 21:12:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\USER~2.USE\LOCALS~1\Temp\pggoqkoc.sys


---- System - GMER 1.0.15 ----

SSDT spsu.sys ZwEnumerateKey [0xF73A5CA2]
SSDT spsu.sys ZwEnumerateValueKey [0xF73A6030]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 865D81F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \Fat 85BF41F8

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 5/6/2010 10:58:26 PM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Downloads\Software
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 388.00 Mb Available Physical Memory | 38.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 38.11 Gb Free Space | 68.18% Space Free | Partition Type: NTFS
Drive D: | 93.14 Gb Total Space | 45.55 Gb Free Space | 48.90% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1.86 Gb Total Space | 0.47 Gb Free Space | 25.24% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-146E9E34C8
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/06 22:57:06 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Downloads\Software\OTL.exe
PRC - [2009/10/07 09:16:50 | 000,472,280 | ---- | M] (ESET) -- C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009/10/07 09:15:42 | 001,461,080 | ---- | M] (ESET) -- C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe
PRC - [2009/09/30 19:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/05/26 22:57:08 | 000,411,108 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\billy.exe
PRC - [2009/05/26 22:54:10 | 000,549,400 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\oldmcdonald.exe
PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/12/29 18:40:30 | 000,687,560 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\daemon.exe
PRC - [2008/12/11 20:04:14 | 000,054,784 | ---- | M] (Macrovision) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
PRC - [2008/09/13 00:45:48 | 000,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/05/20 17:27:22 | 002,474,031 | ---- | M] (FreeDownloadManager.ORG) -- D:\PF\Free Download Manager\fdm.exe
PRC - [2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/20 15:35:40 | 001,410,344 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2007/09/20 15:35:10 | 000,202,024 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
PRC - [2007/07/11 15:57:42 | 000,880,640 | R--- | M] (Sony Ericsson Mobile Communications AB) -- D:\PF\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
PRC - [2007/06/13 08:16:02 | 000,528,384 | R--- | M] () -- D:\PF\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
PRC - [2007/03/16 03:23:20 | 000,983,040 | R--- | M] (Teleca AB) -- C:\Program Files\Common Files\Teleca Shared\Generic.exe
PRC - [2003/01/13 13:30:22 | 000,929,861 | ---- | M] () -- C:\Program Files\ADSL\ADSL USB MODEM\DSLMON.exe


========== Modules (SafeList) ==========

MOD - [2010/05/06 22:57:06 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Downloads\Software\OTL.exe
MOD - [2008/04/14 08:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/10/07 09:21:14 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/10/07 09:16:50 | 000,472,280 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/08/01 00:59:04 | 000,077,944 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2008/12/11 20:04:14 | 000,054,784 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)


========== Driver Services (SafeList) ==========

DRV - [2010/02/22 18:16:18 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\PF\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/22 18:16:18 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\PF\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/02/22 18:16:18 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- D:\PF\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/10/07 09:18:36 | 000,035,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/10/07 09:12:22 | 000,054,184 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2009/10/07 09:11:10 | 000,040,824 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2009/03/24 18:59:19 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/12/11 20:04:15 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS -- (CdaC15BA)
DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2008/10/29 07:46:02 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008/04/14 00:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 13:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/02/14 17:04:06 | 004,676,096 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/03 22:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/06/19 09:51:20 | 000,107,304 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s816mdm.sys -- (s816mdm)
DRV - [2007/06/19 09:51:18 | 000,099,112 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s816mgmt.sys -- (s816mgmt) Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM)
DRV - [2007/06/19 09:51:18 | 000,097,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s816unic.sys -- (s816unic) Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM)
DRV - [2007/06/19 09:51:18 | 000,097,320 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s816obex.sys -- (s816obex)
DRV - [2007/06/19 09:51:18 | 000,021,928 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s816nd5.sys -- (s816nd5) Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS)
DRV - [2007/06/19 09:51:18 | 000,013,864 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s816mdfl.sys -- (s816mdfl)
DRV - [2007/06/19 09:51:16 | 000,081,832 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s816bus.sys -- (s816bus) Sony Ericsson Device 816 driver (WDM)
DRV - [2007/04/23 15:54:50 | 000,100,488 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mgmt.sys -- (s115mgmt) Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/23 15:54:50 | 000,098,568 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115obex.sys -- (s115obex)
DRV - [2007/04/23 15:54:48 | 000,108,680 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdm.sys -- (s115mdm)
DRV - [2007/04/23 15:54:48 | 000,015,112 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115mdfl.sys -- (s115mdfl)
DRV - [2007/04/23 15:54:46 | 000,083,208 | R--- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s115bus.sys -- (s115bus) Sony Ericsson Device 115 driver (WDM)
DRV - [2003/05/22 15:21:46 | 000,127,561 | ---- | M] (Analog Devices Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\adiusbaw.sys -- (adiusbaw)
DRV - [2003/03/25 19:02:12 | 000,046,455 | ---- | M] (Analog Deivces) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\adildr.sys -- (ADILOADER) General Purpose USB Driver (adildr.sys)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://malaysia.msn.com/iat/us_my.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 68 18 BF 84 F0 E2 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 21:14:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 21:14:51 | 000,000,000 | ---D | M]

[2008/11/05 22:52:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User.USER-146E9E34C8\Application Data\Mozilla\Extensions
[2010/05/06 20:32:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\extensions
[2010/04/11 21:48:20 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/04/30 19:52:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/06 20:32:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/27 00:13:12 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2008/12/21 21:56:38 | 001,140,200 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPFxViewer.dll

O1 HOSTS File: ([2001/08/23 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Companion BHO) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_1.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\PF\Free Download Manager\iefdm2.dll ()
O3 - HKLM\..\Toolbar: (&Yahoo! Companion) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_1.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Yahoo! Companion) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_1.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [2kadiras] C:\WINDOWS\2kadiras.exe ()
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Sony Ericsson PC Suite] D:\PF\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe ()
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe (Autodesk, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk = C:\Program Files\ADSL\ADSL USB MODEM\DSLMON.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O15 - HKCU\..Trusted Domains: internet ([]about in Internet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\PF\SUPERAntiSpyware\SASWINLO.dll - D:\PF\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User.USER-146E9E34C8\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User.USER-146E9E34C8\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\PF\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 17:58:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 20:34:17 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/05/06 20:34:18 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009/10/05 01:12:36 | 000,000,000 | ---D | M] - G:\autorun.inf -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/10/29 01:00:50 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/06 21:13:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\User.USER-146E9E34C8\Recent
[2010/05/06 20:34:17 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/05/06 20:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2010/05/06 20:31:13 | 000,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2010/04/16 21:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User.USER-146E9E34C8\Local Settings\Application Data\ESET
[2010/04/15 22:48:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/15 22:10:19 | 000,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2010/04/15 22:09:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender

========== Files - Modified Within 30 Days ==========

[2010/05/06 22:15:29 | 005,242,880 | ---- | M] () -- C:\Documents and Settings\User.USER-146E9E34C8\NTUSER.DAT
[2010/05/06 21:51:13 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/05/06 21:49:00 | 000,001,943 | ---- | M] () -- C:\WINDOWS\adiras.ini
[2010/05/06 21:48:58 | 000,000,586 | ---- | M] () -- C:\Documents and Settings\User.USER-146E9E34C8\Desktop\ADSL USB MODEM DIAL-UP.lnk
[2010/05/06 21:48:53 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/05/06 21:48:46 | 000,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/05/06 21:48:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/06 21:48:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/06 21:06:05 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\User.USER-146E9E34C8\ntuser.ini
[2010/05/06 20:20:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/02 13:22:10 | 004,238,978 | -H-- | M] () -- C:\Documents and Settings\User.USER-146E9E34C8\Local Settings\Application Data\IconCache.db
[2010/05/02 10:54:08 | 000,041,472 | ---- | M] () -- C:\Documents and Settings\User.USER-146E9E34C8\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/01 12:50:05 | 000,000,053 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2010/04/29 21:54:48 | 000,321,328 | ---- | M] (BitTorrent, Inc.) -- C:\Documents and Settings\User.USER-146E9E34C8\Desktop\utorrent.exe
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/15 22:39:51 | 000,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2010/04/15 22:33:10 | 000,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2010/04/08 01:05:43 | 000,070,720 | ---- | M] () -- C:\Documents and Settings\User.USER-146E9E34C8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

========== Files Created - No Company Name ==========

[2010/04/15 22:14:52 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2010/04/15 22:11:07 | 000,081,984 | ---- | C] () -- C:\WINDOWS\System32\bdod.bin
[2010/03/12 20:43:57 | 000,000,105 | ---- | C] () -- C:\WINDOWS\mapiuid.ini
[2009/11/29 21:47:57 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/11/29 21:47:56 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/11/29 21:47:44 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/11/29 21:47:44 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/11/29 21:47:36 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/11/29 21:47:36 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/06/08 18:58:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\dsltest.INI
[2009/03/24 18:59:19 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/11/26 22:36:56 | 000,000,022 | ---- | C] () -- C:\WINDOWS\memory.ini
[2008/11/09 22:55:24 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/09 01:17:07 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/11/09 00:58:30 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/11/07 23:45:56 | 000,000,110 | ---- | C] () -- C:\WINDOWS\OrdPus.ini
[2008/11/07 19:23:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/05 23:43:15 | 000,000,384 | ---- | C] () -- C:\WINDOWS\NJCOM.INI
[2008/11/05 22:21:36 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/10/29 19:00:00 | 000,000,245 | ---- | C] () -- C:\WINDOWS\kk.ini
[2008/10/29 07:54:51 | 000,000,154 | ---- | C] () -- C:\WINDOWS\adidsl.ini
[2008/10/29 07:54:43 | 000,001,943 | ---- | C] () -- C:\WINDOWS\adiras.ini
[2008/10/29 07:54:42 | 000,046,892 | ---- | C] () -- C:\WINDOWS\System32\ADADIX16.DLL
[2008/07/01 09:04:40 | 000,035,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2000/07/27 01:13:02 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[1994/07/26 00:23:00 | 000,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
[1994/04/07 23:23:00 | 000,000,462 | ---- | C] () -- C:\WINDOWS\lodbf13.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/06/18 17:11:55 | 000,040,480 | ---- | M] () -- C:\acadminidump.dmp
[2006/09/19 17:58:31 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/10/29 00:56:58 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2008/12/23 22:50:41 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2006/09/19 17:58:31 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/10/29 07:46:34 | 000,000,058 | ---- | M] () -- C:\csb.log
[2006/09/19 17:58:31 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/06 20:25:53 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2006/09/19 17:58:31 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 10:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/11 13:01:41 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/06 21:48:02 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2008/10/29 07:44:50 | 000,000,429 | ---- | M] () -- C:\RHDSetup.log

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/10/29 08:44:21 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/10/29 08:44:21 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/10/29 08:44:21 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 21:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 20:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

========== Files - Unicode (All) ==========
[2009/03/26 20:25:21 | 000,000,485 | ---- | M] ()(C:\Documents and Settings\User.USER-146E9E34C8\Desktop\????.lnk) -- C:\Documents and Settings\User.USER-146E9E34C8\Desktop\三國志Ⅹ.lnk
[2009/03/26 20:25:21 | 000,000,485 | ---- | C] ()(C:\Documents and Settings\User.USER-146E9E34C8\Desktop\????.lnk) -- C:\Documents and Settings\User.USER-146E9E34C8\Desktop\三國志Ⅹ.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
  • 0
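The O6 and O7 lines in the OTL log above record the machine's AutoRun policy, which is what decides whether an autorun.inf on a USB stick gets honoured. The following added example (written for this thread; not part of OTL, Autorun Eater or the post) parses those lines and decodes the two values. `SAMPLE_OTL_LINES` is copied from the log above; the bit meanings follow the Windows drive-type numbering (bit n of NoDriveTypeAutoRun disables AutoRun for drives whose GetDriveType() value is n, so 0x4 is removable media), and NoDriveAutoRun is a mask of drive letters with bit 0 = A:.

```python
"""Decode the AutoRun policy lines that an OTL log reports.

Added example written for this thread; it is not part of OTL, Autorun
Eater or any other tool named above.  SAMPLE_OTL_LINES is copied from the
O6/O7 section of the OTL log posted above.  Bit meanings follow the
Windows drive-type numbering: bit n of NoDriveTypeAutoRun disables
AutoRun for drives whose GetDriveType() value is n (0x4 = removable media
such as a USB stick); NoDriveAutoRun is a mask of drive letters with
bit 0 = A: and bit 25 = Z:.
"""
import re

SAMPLE_OTL_LINES = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
"""

# Bit -> drive type (GetDriveType() numbering); a set bit disables AutoRun.
DRIVE_TYPE_BITS = (
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),   # USB flash drives, floppies
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "reserved"),          # treated like unknown; part of the XP default 0x95
)

LINE_RE = re.compile(
    r"^O[67] - (HKLM|HKCU)\\\S*?policies\\Explorer: "
    r"(NoDriveTypeAutoRun|NoDriveAutoRun) = (.*?)\s*$"
)


def parse_value(text):
    """OTL prints DWORDs in decimal and REG_BINARY as little-endian hex bytes."""
    if text.endswith("[binary data]"):
        raw = bytes.fromhex("".join(text[: -len("[binary data]")].split()))
        return int.from_bytes(raw, "little")
    return int(text, 10)


def decode_drive_types(value):
    """Split a NoDriveTypeAutoRun value into disabled and still-enabled types."""
    return {
        "disabled": [name for bit, name in DRIVE_TYPE_BITS if value & bit],
        "enabled": [name for bit, name in DRIVE_TYPE_BITS if not value & bit],
        "unknown_bits": value & ~0xFF,   # bits above 0x80 have no defined meaning
    }


def decode_drive_letters(mask):
    """Drive letters whose AutoRun is disabled by a NoDriveAutoRun mask."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask >> i & 1)


def analyse(log_text):
    """Return one dict per recognised policy line, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # other O6/O7 lines are ignored
        hive, name, value = m.group(1), m.group(2), parse_value(m.group(3))
        entry = {"hive": hive, "name": name, "value": value}
        if name == "NoDriveTypeAutoRun":
            entry.update(decode_drive_types(value))
        else:
            entry["letters"] = decode_drive_letters(value)
        entries.append(entry)
    return entries


def hives_blocking_removable(entries):
    """Hives whose NoDriveTypeAutoRun has the removable-drive bit (0x4) set."""
    return [e["hive"] for e in entries
            if e["name"] == "NoDriveTypeAutoRun" and e["value"] & 0x04]


if __name__ == "__main__":
    found = analyse(SAMPLE_OTL_LINES)
    for e in found:
        detail = e.get("letters") or ", ".join(e["disabled"])
        print(f"{e['hive']} {e['name']} = {e['value']} -> {detail}")
    print("removable AutoRun disabled in:", hives_blocking_removable(found))
```

On this log the HKLM value 323 (0x143) leaves removable drives and CD-ROMs enabled, while the HKCU value 36 (0x24) disables both; the two NoDriveAutoRun masks cover all 26 drive letters. Which hive Windows applies for this user is not something the log itself shows, so the script reports each hive separately rather than guessing.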

#4
RKinner
Malware Expert, MVP
24,625 posts
I don't much care for the looks of these two:

[2009/03/26 20:25:21 | 000,000,485 | ---- | M] ()(C:\Documents and Settings\User.USER-146E9E34C8\Desktop\????.lnk) -- C:\Documents and Settings\User.USER-146E9E34C8\Desktop\三國志Ⅹ.lnk
[2009/03/26 20:25:21 | 000,000,485 | ---- | C] ()(C:\Documents and Settings\User.USER-146E9E34C8\Desktop\????.lnk) -- C:\Documents and Settings\User.USER-146E9E34C8\Desktop\三國志Ⅹ.lnk

They are just shortcuts on your desktop but in some odd language. However, from the dates they have probably been there a while.

We can run combofix to make sure there is nothing else:

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop, do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Ron
  • 0
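The triage the expert applies above (a file's timestamp set against the suspected incident window, and a closer look at entries whose names or origins stand out) can be run mechanically over an OTL listing. The Python below is an added example and is not part of this thread, of OTL, or of ComboFix. It parses the `[timestamp | size | attrs | M/C] (publisher) -- path` line layout shown in the report, then flags two things a defender checks first: a driver under `system32\drivers` with no publisher string, and a non-ASCII file name, each rated against a 7-day window before the scan. The sample lines are constructed in the report's format; `placeholder_unsigned.sys`, the `User` profile path and the 7-day window are assumptions, not values from the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the OTL file-listing layout seen in the report above.
# The mbam.sys / mrxsmb.sys / .lnk lines copy the page's format;
# "placeholder_unsigned.sys" is an invented placeholder for a driver with no publisher.
SAMPLE_LOG = """\
< %systemroot%\\system32\\drivers\\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\\WINDOWS\\system32\\drivers\\mbam.sys
[2010/02/24 21:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\\WINDOWS\\system32\\drivers\\mrxsmb.sys
[2010/05/05 23:10:02 | 000,012,288 | ---- | M] () -- C:\\WINDOWS\\system32\\drivers\\placeholder_unsigned.sys

========== Files - Unicode (All) ==========
[2009/03/26 20:25:21 | 000,000,485 | ---- | M] ()(C:\\Documents and Settings\\User\\Desktop\\????.lnk) -- C:\\Documents and Settings\\User\\Desktop\\三國志Ⅹ.lnk
"""

# One OTL file entry: [timestamp | size | attributes | M(odified)/C(reated)] (publisher) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Za-z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\)"   # publisher from the version resource; empty when absent
    r"(?:\([^)]*\))?"           # optional ANSI rendering of a Unicode file name
    r" -- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str        # "M" = modified-date listing, "C" = created-date listing
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one listing line; headers, blanks and '< ... >' directives yield None."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"],
    )


def parse_otl_log(text: str) -> List[OtlEntry]:
    return [e for e in map(parse_otl_line, text.splitlines()) if e is not None]


@dataclass
class Finding:
    path: str
    level: str   # "review" = look closer, "info" = explained / probably been there a while
    reason: str


def triage(entries: List[OtlEntry], scan_time: datetime, window_days: int = 7) -> List[Finding]:
    """Two first-pass checks: a .sys with no publisher string, and a non-ASCII file name.
    Either is rated 'review' only if its timestamp falls inside the incident window;
    an older timestamp means it most likely predates the incident."""
    window_start = scan_time - timedelta(days=window_days)
    findings: List[Finding] = []
    for e in entries:
        recent = e.timestamp >= window_start
        when = "inside" if recent else "before"
        if e.name.lower().endswith(".sys") and not e.company:
            findings.append(Finding(e.path, "review" if recent else "info",
                                    f"driver with no publisher string, timestamp {when} "
                                    f"the {window_days}-day window"))
        if any(ord(ch) > 127 for ch in e.name):
            findings.append(Finding(e.path, "review" if recent else "info",
                                    f"non-ASCII file name (often just a localized shortcut), "
                                    f"timestamp {when} the {window_days}-day window"))
    return findings


def triage_log(text: str, scan_time: str, window_days: int = 7) -> List[Finding]:
    """Convenience wrapper: scan_time as 'YYYY-MM-DD HH:MM'."""
    return triage(parse_otl_log(text), datetime.strptime(scan_time, "%Y-%m-%d %H:%M"), window_days)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, "2010-05-08 14:43"):
        print(f"[{f.level}] {f.path}: {f.reason}")
```

Run against the constructed sample, the placeholder driver comes out as "review" (no publisher, modified inside the window) while the Unicode shortcut is "info" because its 2009 timestamp predates the window, which is the same conclusion the expert reaches by eye above. A missing publisher string is a prompt to verify the file, not a verdict; many legitimate drivers ship without version resources.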

#5
YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • 109 posts
Hi Ron,

ComboFix.txt

ComboFix 10-05-06.05 - User 05/08/2010 14:43:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.630 [GMT 8:00]
Running from: c:\documents and settings\User.USER-146E9E34C8\Desktop\george.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-07 16:40 . 2010-05-07 16:40 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\AnvSoft
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\program files\Autorun Eater
2010-04-16 13:48 . 2010-04-16 13:48 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\ESET
2010-04-15 14:48 . 2010-04-15 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-15 14:11 . 2010-04-15 14:39 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-15 14:10 . 2010-04-15 14:10 -------- d-----w- c:\program files\BitDefender
2010-04-15 14:09 . 2010-04-15 14:10 -------- d-----w- c:\program files\Common Files\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 19:35 . 2010-05-08 05:50 867840 ----a-w- c:\windows\Internet Logs\xDBC3.tmp
2010-05-07 19:33 . 2008-11-05 14:38 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\uTorrent
2010-05-07 19:33 . 2010-03-26 16:15 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Skype
2010-05-07 19:33 . 2008-11-04 11:52 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Free Download Manager
2010-05-07 17:26 . 2010-03-26 16:22 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\skypePM
2010-05-06 13:03 . 2010-05-06 13:04 2945536 ----a-w- c:\windows\Internet Logs\xDBC2.tmp
2010-05-06 12:25 . 2009-08-08 17:49 6153352 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-06 12:23 . 2008-11-05 14:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 12:22 . 2008-11-05 14:17 -------- d-----w- c:\program files\SpywareBlaster
2010-05-02 14:56 . 2010-05-03 17:53 281088 ----a-w- c:\windows\Internet Logs\xDBC1.tmp
2010-05-02 05:22 . 2010-05-02 12:38 316928 ----a-w- c:\windows\Internet Logs\xDBC0.tmp
2010-05-01 04:50 . 2008-10-29 00:01 53 ----a-w- c:\windows\popcinfo.dat
2010-04-30 16:49 . 2010-04-30 20:47 527872 ----a-w- c:\windows\Internet Logs\xDBBF.tmp
2010-04-29 16:54 . 2010-04-29 16:55 3017216 ----a-w- c:\windows\Internet Logs\xDBBE.tmp
2010-04-29 07:39 . 2009-08-02 13:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2009-08-02 13:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 16:21 . 2010-04-29 13:50 1272832 ----a-w- c:\windows\Internet Logs\xDBBD.tmp
2010-04-23 17:37 . 2010-04-24 00:56 633344 ----a-w- c:\windows\Internet Logs\xDBBC.tmp
2010-04-20 17:23 . 2010-04-21 12:06 434176 ----a-w- c:\windows\Internet Logs\xDBBB.tmp
2010-04-18 15:43 . 2010-04-19 11:12 237056 ----a-w- c:\windows\Internet Logs\xDBBA.tmp
2010-04-16 17:07 . 2010-04-18 12:12 100352 ----a-w- c:\windows\Internet Logs\xDBB9.tmp
2010-04-16 13:27 . 2010-04-16 13:28 131584 ----a-w- c:\windows\Internet Logs\xDBB8.tmp
2010-04-15 16:52 . 2010-04-15 16:54 205312 ----a-w- c:\windows\Internet Logs\xDBB7.tmp
2010-04-15 14:48 . 2008-11-04 11:44 -------- d-----w- c:\program files\Eset
2010-04-14 17:08 . 2010-04-15 14:01 464384 ----a-w- c:\windows\Internet Logs\xDBB6.tmp
2010-04-12 16:17 . 2010-04-13 17:54 139264 ----a-w- c:\windows\Internet Logs\xDBB5.tmp
2010-04-11 16:12 . 2010-04-12 12:39 154112 ----a-w- c:\windows\Internet Logs\xDBB4.tmp
2010-04-11 13:48 . 2008-11-08 16:21 181096 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\FlashGot.exe
2010-04-11 02:06 . 2010-04-11 12:34 317440 ----a-w- c:\windows\Internet Logs\xDBB3.tmp
2010-04-07 17:24 . 2010-04-09 11:06 242176 ----a-w- c:\windows\Internet Logs\xDBB0.tmp
2010-04-07 17:05 . 2008-11-01 18:22 70720 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 11:27 . 2010-04-07 13:18 420864 ----a-w- c:\windows\Internet Logs\xDBAF.tmp
2010-04-06 20:24 . 2010-04-07 10:08 29696 ----a-w- c:\windows\Internet Logs\xDBAE.tmp
2010-04-04 17:03 . 2010-04-05 12:11 151040 ----a-w- c:\windows\Internet Logs\xDBAD.tmp
2010-04-03 13:09 . 2010-04-04 12:52 325632 ----a-w- c:\windows\Internet Logs\xDBAC.tmp
2010-03-31 16:48 . 2010-04-01 11:28 87040 ----a-w- c:\windows\Internet Logs\xDBAB.tmp
2010-03-31 13:54 . 2010-03-31 13:54 61440 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-sse.dll
2010-03-31 13:54 . 2010-03-31 13:54 12800 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-d3d.dll
2010-03-31 13:54 . 2008-09-02 16:14 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 13:54 . 2010-03-31 13:54 503808 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcp71.dll
2010-03-31 13:54 . 2010-03-31 13:54 499712 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\jmc.dll
2010-03-31 13:54 . 2010-03-31 13:54 348160 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcr71.dll
2010-03-31 13:53 . 2008-09-02 16:18 -------- d-----w- c:\program files\Java
2010-03-29 23:24 . 2010-03-31 13:43 44032 ----a-w- c:\windows\Internet Logs\xDBAA.tmp
2010-03-28 15:53 . 2010-03-29 22:20 114176 ----a-w- c:\windows\Internet Logs\xDBA9.tmp
2010-03-28 05:52 . 2010-03-28 05:53 114176 ----a-w- c:\windows\Internet Logs\xDBA8.tmp
2010-03-28 04:34 . 2009-10-27 13:49 117760 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-27 17:07 . 2010-03-28 04:28 57344 ----a-w- c:\windows\Internet Logs\xDBA7.tmp
2010-03-27 03:35 . 2010-03-27 16:21 114688 ----a-w- c:\windows\Internet Logs\xDBA6.tmp
2010-03-26 17:24 . 2010-03-27 00:41 367104 ----a-w- c:\windows\Internet Logs\xDBA5.tmp
2010-03-26 16:22 . 2010-03-26 16:22 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2010-03-26 16:13 . 2010-03-26 16:11 -------- d-----r- c:\program files\Skype
2010-03-26 16:12 . 2010-03-26 16:12 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 16:11 . 2010-03-26 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-24 14:28 . 2010-03-25 17:58 200704 ----a-w- c:\windows\Internet Logs\xDBA4.tmp
2010-03-24 13:55 . 2008-11-05 15:43 -------- d-----w- c:\program files\NJStar Communicator
2010-03-21 17:01 . 2010-03-24 11:44 358400 ----a-w- c:\windows\Internet Logs\xDBA3.tmp
2010-03-17 15:46 . 2010-03-18 10:12 48640 ----a-w- c:\windows\Internet Logs\xDBA2.tmp
2010-03-14 16:25 . 2010-03-15 12:25 650752 ----a-w- c:\windows\Internet Logs\xDBA1.tmp
2010-03-12 17:02 . 2010-03-13 12:46 770048 ----a-w- c:\windows\Internet Logs\xDBA0.tmp
2010-03-11 16:18 . 2010-03-12 11:19 302592 ----a-w- c:\windows\Internet Logs\xDB9F.tmp
2010-03-10 06:15 . 2004-08-03 16:56 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-11-01 18:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 17:58 . 2010-03-07 04:40 136704 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2010-02-26 18:19 . 2010-02-27 02:22 273920 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2010-02-25 06:24 . 2004-08-03 16:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:06 . 2010-02-24 18:10 160768 ----a-w- c:\windows\Internet Logs\xDB9C.tmp
2010-02-24 13:11 . 2004-08-03 15:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 15:18 . 2010-02-24 09:02 154624 ----a-w- c:\windows\Internet Logs\xDB9B.tmp
2010-02-22 16:56 . 2010-02-23 14:17 707072 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2010-02-21 19:25 . 2010-02-22 10:09 54784 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2010-02-17 16:21 . 2010-02-21 18:53 152576 ----a-w- c:\windows\Internet Logs\xDB98.tmp
2010-02-16 14:08 . 2004-08-03 15:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 19:47 . 2010-02-17 12:31 556544 -c--a-w- c:\windows\Internet Logs\xDB97.tmp
2010-02-12 16:36 . 2010-02-12 16:37 28672 -c--a-w- c:\windows\Internet Logs\xDB96.tmp
2010-02-12 04:33 . 2004-08-03 16:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 20:40 . 2010-02-12 05:39 299008 -c--a-w- c:\windows\Internet Logs\xDB95.tmp
2010-02-11 12:02 . 2004-08-03 15:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 12:46 . 2010-02-09 16:06 2388480 -c--a-w- c:\windows\Internet Logs\xDB94.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-05-08_06.00.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 06:42 . 2010-05-08 06:42 16384 c:\windows\Temp\Perflib_Perfdata_e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"2kadiras"="2kadiras.exe" [2003-07-18 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"Sony Ericsson PC Suite"="d:\pf\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2009-05-26 549400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
DSLMON.lnk - c:\program files\ADSL\ADSL USB MODEM\dslmon.exe [2008-10-29 929861]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\pf\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- d:\pf\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User.USER-146E9E34C8\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04 AM 35168]
R1 SASDIFSV;SASDIFSV;d:\pf\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2009 3:22 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\pf\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2009 3:22 PM 66632]
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [10/7/2009 9:16 AM 472280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/24/2009 6:59 PM 717296]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [11/20/2008 9:09 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [11/20/2008 9:09 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [11/20/2008 9:09 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [11/20/2008 9:09 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [11/20/2008 9:09 PM 98568]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [11/16/2008 11:06 PM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [11/17/2008 7:08 PM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [11/17/2008 7:08 PM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [11/30/2008 4:04 AM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [11/30/2008 4:04 AM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [11/30/2008 4:04 AM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [11/30/2008 4:04 AM 97704]
S3 SASENUM;SASENUM;d:\pf\SUPERAntiSpyware\SASENUM.SYS [9/3/2009 3:22 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-26 14:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
d:\pf\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-08 14:50:14
ComboFix-quarantined-files.txt 2010-05-08 06:50
ComboFix2.txt 2010-05-08 06:02

Pre-Run: 40,536,170,496 bytes free
Post-Run: 40,497,950,720 bytes free

- - End Of File - - 9F2FB0689BE2769A7D5F9021711E7BBD
  • 0

#6
YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • 109 posts
Hi Ron,

ComboFix.txt

ComboFix 10-05-06.05 - User 05/08/2010 14:43:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.630 [GMT 8:00]
Running from: c:\documents and settings\User.USER-146E9E34C8\Desktop\george.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-07 16:40 . 2010-05-07 16:40 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\AnvSoft
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\program files\Autorun Eater
2010-04-16 13:48 . 2010-04-16 13:48 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\ESET
2010-04-15 14:48 . 2010-04-15 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-15 14:11 . 2010-04-15 14:39 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-15 14:10 . 2010-04-15 14:10 -------- d-----w- c:\program files\BitDefender
2010-04-15 14:09 . 2010-04-15 14:10 -------- d-----w- c:\program files\Common Files\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 19:35 . 2010-05-08 05:50 867840 ----a-w- c:\windows\Internet Logs\xDBC3.tmp
2010-05-07 19:33 . 2008-11-05 14:38 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\uTorrent
2010-05-07 19:33 . 2010-03-26 16:15 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Skype
2010-05-07 19:33 . 2008-11-04 11:52 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Free Download Manager
2010-05-07 17:26 . 2010-03-26 16:22 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\skypePM
2010-05-06 13:03 . 2010-05-06 13:04 2945536 ----a-w- c:\windows\Internet Logs\xDBC2.tmp
2010-05-06 12:25 . 2009-08-08 17:49 6153352 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-06 12:23 . 2008-11-05 14:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 12:22 . 2008-11-05 14:17 -------- d-----w- c:\program files\SpywareBlaster
2010-05-02 14:56 . 2010-05-03 17:53 281088 ----a-w- c:\windows\Internet Logs\xDBC1.tmp
2010-05-02 05:22 . 2010-05-02 12:38 316928 ----a-w- c:\windows\Internet Logs\xDBC0.tmp
2010-05-01 04:50 . 2008-10-29 00:01 53 ----a-w- c:\windows\popcinfo.dat
2010-04-30 16:49 . 2010-04-30 20:47 527872 ----a-w- c:\windows\Internet Logs\xDBBF.tmp
2010-04-29 16:54 . 2010-04-29 16:55 3017216 ----a-w- c:\windows\Internet Logs\xDBBE.tmp
2010-04-29 07:39 . 2009-08-02 13:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2009-08-02 13:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 16:21 . 2010-04-29 13:50 1272832 ----a-w- c:\windows\Internet Logs\xDBBD.tmp
2010-04-23 17:37 . 2010-04-24 00:56 633344 ----a-w- c:\windows\Internet Logs\xDBBC.tmp
2010-04-20 17:23 . 2010-04-21 12:06 434176 ----a-w- c:\windows\Internet Logs\xDBBB.tmp
2010-04-18 15:43 . 2010-04-19 11:12 237056 ----a-w- c:\windows\Internet Logs\xDBBA.tmp
2010-04-16 17:07 . 2010-04-18 12:12 100352 ----a-w- c:\windows\Internet Logs\xDBB9.tmp
2010-04-16 13:27 . 2010-04-16 13:28 131584 ----a-w- c:\windows\Internet Logs\xDBB8.tmp
2010-04-15 16:52 . 2010-04-15 16:54 205312 ----a-w- c:\windows\Internet Logs\xDBB7.tmp
2010-04-15 14:48 . 2008-11-04 11:44 -------- d-----w- c:\program files\Eset
2010-04-14 17:08 . 2010-04-15 14:01 464384 ----a-w- c:\windows\Internet Logs\xDBB6.tmp
2010-04-12 16:17 . 2010-04-13 17:54 139264 ----a-w- c:\windows\Internet Logs\xDBB5.tmp
2010-04-11 16:12 . 2010-04-12 12:39 154112 ----a-w- c:\windows\Internet Logs\xDBB4.tmp
2010-04-11 13:48 . 2008-11-08 16:21 181096 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\FlashGot.exe
2010-04-11 02:06 . 2010-04-11 12:34 317440 ----a-w- c:\windows\Internet Logs\xDBB3.tmp
2010-04-07 17:24 . 2010-04-09 11:06 242176 ----a-w- c:\windows\Internet Logs\xDBB0.tmp
2010-04-07 17:05 . 2008-11-01 18:22 70720 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 11:27 . 2010-04-07 13:18 420864 ----a-w- c:\windows\Internet Logs\xDBAF.tmp
2010-04-06 20:24 . 2010-04-07 10:08 29696 ----a-w- c:\windows\Internet Logs\xDBAE.tmp
2010-04-04 17:03 . 2010-04-05 12:11 151040 ----a-w- c:\windows\Internet Logs\xDBAD.tmp
2010-04-03 13:09 . 2010-04-04 12:52 325632 ----a-w- c:\windows\Internet Logs\xDBAC.tmp
2010-03-31 16:48 . 2010-04-01 11:28 87040 ----a-w- c:\windows\Internet Logs\xDBAB.tmp
2010-03-31 13:54 . 2010-03-31 13:54 61440 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-sse.dll
2010-03-31 13:54 . 2010-03-31 13:54 12800 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-d3d.dll
2010-03-31 13:54 . 2008-09-02 16:14 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 13:54 . 2010-03-31 13:54 503808 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcp71.dll
2010-03-31 13:54 . 2010-03-31 13:54 499712 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\jmc.dll
2010-03-31 13:54 . 2010-03-31 13:54 348160 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcr71.dll
2010-03-31 13:53 . 2008-09-02 16:18 -------- d-----w- c:\program files\Java
2010-03-29 23:24 . 2010-03-31 13:43 44032 ----a-w- c:\windows\Internet Logs\xDBAA.tmp
2010-03-28 15:53 . 2010-03-29 22:20 114176 ----a-w- c:\windows\Internet Logs\xDBA9.tmp
2010-03-28 05:52 . 2010-03-28 05:53 114176 ----a-w- c:\windows\Internet Logs\xDBA8.tmp
2010-03-28 04:34 . 2009-10-27 13:49 117760 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-27 17:07 . 2010-03-28 04:28 57344 ----a-w- c:\windows\Internet Logs\xDBA7.tmp
2010-03-27 03:35 . 2010-03-27 16:21 114688 ----a-w- c:\windows\Internet Logs\xDBA6.tmp
2010-03-26 17:24 . 2010-03-27 00:41 367104 ----a-w- c:\windows\Internet Logs\xDBA5.tmp
2010-03-26 16:22 . 2010-03-26 16:22 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2010-03-26 16:13 . 2010-03-26 16:11 -------- d-----r- c:\program files\Skype
2010-03-26 16:12 . 2010-03-26 16:12 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 16:11 . 2010-03-26 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-24 14:28 . 2010-03-25 17:58 200704 ----a-w- c:\windows\Internet Logs\xDBA4.tmp
2010-03-24 13:55 . 2008-11-05 15:43 -------- d-----w- c:\program files\NJStar Communicator
2010-03-21 17:01 . 2010-03-24 11:44 358400 ----a-w- c:\windows\Internet Logs\xDBA3.tmp
2010-03-17 15:46 . 2010-03-18 10:12 48640 ----a-w- c:\windows\Internet Logs\xDBA2.tmp
2010-03-14 16:25 . 2010-03-15 12:25 650752 ----a-w- c:\windows\Internet Logs\xDBA1.tmp
2010-03-12 17:02 . 2010-03-13 12:46 770048 ----a-w- c:\windows\Internet Logs\xDBA0.tmp
2010-03-11 16:18 . 2010-03-12 11:19 302592 ----a-w- c:\windows\Internet Logs\xDB9F.tmp
2010-03-10 06:15 . 2004-08-03 16:56 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-11-01 18:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 17:58 . 2010-03-07 04:40 136704 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2010-02-26 18:19 . 2010-02-27 02:22 273920 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2010-02-25 06:24 . 2004-08-03 16:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:06 . 2010-02-24 18:10 160768 ----a-w- c:\windows\Internet Logs\xDB9C.tmp
2010-02-24 13:11 . 2004-08-03 15:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 15:18 . 2010-02-24 09:02 154624 ----a-w- c:\windows\Internet Logs\xDB9B.tmp
2010-02-22 16:56 . 2010-02-23 14:17 707072 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2010-02-21 19:25 . 2010-02-22 10:09 54784 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2010-02-17 16:21 . 2010-02-21 18:53 152576 ----a-w- c:\windows\Internet Logs\xDB98.tmp
2010-02-16 14:08 . 2004-08-03 15:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 19:47 . 2010-02-17 12:31 556544 -c--a-w- c:\windows\Internet Logs\xDB97.tmp
2010-02-12 16:36 . 2010-02-12 16:37 28672 -c--a-w- c:\windows\Internet Logs\xDB96.tmp
2010-02-12 04:33 . 2004-08-03 16:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 20:40 . 2010-02-12 05:39 299008 -c--a-w- c:\windows\Internet Logs\xDB95.tmp
2010-02-11 12:02 . 2004-08-03 15:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 12:46 . 2010-02-09 16:06 2388480 -c--a-w- c:\windows\Internet Logs\xDB94.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-05-08_06.00.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 06:42 . 2010-05-08 06:42 16384 c:\windows\Temp\Perflib_Perfdata_e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"2kadiras"="2kadiras.exe" [2003-07-18 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"Sony Ericsson PC Suite"="d:\pf\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2009-05-26 549400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
DSLMON.lnk - c:\program files\ADSL\ADSL USB MODEM\dslmon.exe [2008-10-29 929861]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\pf\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- d:\pf\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User.USER-146E9E34C8\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04 AM 35168]
R1 SASDIFSV;SASDIFSV;d:\pf\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2009 3:22 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\pf\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2009 3:22 PM 66632]
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [10/7/2009 9:16 AM 472280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/24/2009 6:59 PM 717296]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [11/20/2008 9:09 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [11/20/2008 9:09 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [11/20/2008 9:09 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [11/20/2008 9:09 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [11/20/2008 9:09 PM 98568]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [11/16/2008 11:06 PM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [11/17/2008 7:08 PM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [11/17/2008 7:08 PM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [11/30/2008 4:04 AM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [11/30/2008 4:04 AM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [11/30/2008 4:04 AM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [11/30/2008 4:04 AM 97704]
S3 SASENUM;SASENUM;d:\pf\SUPERAntiSpyware\SASENUM.SYS [9/3/2009 3:22 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-26 14:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
d:\pf\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-08 14:50:14
ComboFix-quarantined-files.txt 2010-05-08 06:50
ComboFix2.txt 2010-05-08 06:02

Pre-Run: 40,536,170,496 bytes free
Post-Run: 40,497,950,720 bytes free

- - End Of File - - 9F2FB0689BE2769A7D5F9021711E7BBD
  • 0

#8
YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • 109 posts
Hi Ron,

ComboFix.txt

ComboFix 10-05-06.05 - User 05/08/2010 14:43:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.630 [GMT 8:00]
Running from: c:\documents and settings\User.USER-146E9E34C8\Desktop\george.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-07 16:40 . 2010-05-07 16:40 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\AnvSoft
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\program files\Autorun Eater
2010-04-16 13:48 . 2010-04-16 13:48 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\ESET
2010-04-15 14:48 . 2010-04-15 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-15 14:11 . 2010-04-15 14:39 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-15 14:10 . 2010-04-15 14:10 -------- d-----w- c:\program files\BitDefender
2010-04-15 14:09 . 2010-04-15 14:10 -------- d-----w- c:\program files\Common Files\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 19:35 . 2010-05-08 05:50 867840 ----a-w- c:\windows\Internet Logs\xDBC3.tmp
2010-05-07 19:33 . 2008-11-05 14:38 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\uTorrent
2010-05-07 19:33 . 2010-03-26 16:15 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Skype
2010-05-07 19:33 . 2008-11-04 11:52 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Free Download Manager
2010-05-07 17:26 . 2010-03-26 16:22 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\skypePM
2010-05-06 13:03 . 2010-05-06 13:04 2945536 ----a-w- c:\windows\Internet Logs\xDBC2.tmp
2010-05-06 12:25 . 2009-08-08 17:49 6153352 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-06 12:23 . 2008-11-05 14:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 12:22 . 2008-11-05 14:17 -------- d-----w- c:\program files\SpywareBlaster
2010-05-02 14:56 . 2010-05-03 17:53 281088 ----a-w- c:\windows\Internet Logs\xDBC1.tmp
2010-05-02 05:22 . 2010-05-02 12:38 316928 ----a-w- c:\windows\Internet Logs\xDBC0.tmp
2010-05-01 04:50 . 2008-10-29 00:01 53 ----a-w- c:\windows\popcinfo.dat
2010-04-30 16:49 . 2010-04-30 20:47 527872 ----a-w- c:\windows\Internet Logs\xDBBF.tmp
2010-04-29 16:54 . 2010-04-29 16:55 3017216 ----a-w- c:\windows\Internet Logs\xDBBE.tmp
2010-04-29 07:39 . 2009-08-02 13:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2009-08-02 13:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 16:21 . 2010-04-29 13:50 1272832 ----a-w- c:\windows\Internet Logs\xDBBD.tmp
2010-04-23 17:37 . 2010-04-24 00:56 633344 ----a-w- c:\windows\Internet Logs\xDBBC.tmp
2010-04-20 17:23 . 2010-04-21 12:06 434176 ----a-w- c:\windows\Internet Logs\xDBBB.tmp
2010-04-18 15:43 . 2010-04-19 11:12 237056 ----a-w- c:\windows\Internet Logs\xDBBA.tmp
2010-04-16 17:07 . 2010-04-18 12:12 100352 ----a-w- c:\windows\Internet Logs\xDBB9.tmp
2010-04-16 13:27 . 2010-04-16 13:28 131584 ----a-w- c:\windows\Internet Logs\xDBB8.tmp
2010-04-15 16:52 . 2010-04-15 16:54 205312 ----a-w- c:\windows\Internet Logs\xDBB7.tmp
2010-04-15 14:48 . 2008-11-04 11:44 -------- d-----w- c:\program files\Eset
2010-04-14 17:08 . 2010-04-15 14:01 464384 ----a-w- c:\windows\Internet Logs\xDBB6.tmp
2010-04-12 16:17 . 2010-04-13 17:54 139264 ----a-w- c:\windows\Internet Logs\xDBB5.tmp
2010-04-11 16:12 . 2010-04-12 12:39 154112 ----a-w- c:\windows\Internet Logs\xDBB4.tmp
2010-04-11 13:48 . 2008-11-08 16:21 181096 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\FlashGot.exe
2010-04-11 02:06 . 2010-04-11 12:34 317440 ----a-w- c:\windows\Internet Logs\xDBB3.tmp
2010-04-07 17:24 . 2010-04-09 11:06 242176 ----a-w- c:\windows\Internet Logs\xDBB0.tmp
2010-04-07 17:05 . 2008-11-01 18:22 70720 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 11:27 . 2010-04-07 13:18 420864 ----a-w- c:\windows\Internet Logs\xDBAF.tmp
2010-04-06 20:24 . 2010-04-07 10:08 29696 ----a-w- c:\windows\Internet Logs\xDBAE.tmp
2010-04-04 17:03 . 2010-04-05 12:11 151040 ----a-w- c:\windows\Internet Logs\xDBAD.tmp
2010-04-03 13:09 . 2010-04-04 12:52 325632 ----a-w- c:\windows\Internet Logs\xDBAC.tmp
2010-03-31 16:48 . 2010-04-01 11:28 87040 ----a-w- c:\windows\Internet Logs\xDBAB.tmp
2010-03-31 13:54 . 2010-03-31 13:54 61440 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-sse.dll
2010-03-31 13:54 . 2010-03-31 13:54 12800 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-d3d.dll
2010-03-31 13:54 . 2008-09-02 16:14 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 13:54 . 2010-03-31 13:54 503808 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcp71.dll
2010-03-31 13:54 . 2010-03-31 13:54 499712 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\jmc.dll
2010-03-31 13:54 . 2010-03-31 13:54 348160 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcr71.dll
2010-03-31 13:53 . 2008-09-02 16:18 -------- d-----w- c:\program files\Java
2010-03-29 23:24 . 2010-03-31 13:43 44032 ----a-w- c:\windows\Internet Logs\xDBAA.tmp
2010-03-28 15:53 . 2010-03-29 22:20 114176 ----a-w- c:\windows\Internet Logs\xDBA9.tmp
2010-03-28 05:52 . 2010-03-28 05:53 114176 ----a-w- c:\windows\Internet Logs\xDBA8.tmp
2010-03-28 04:34 . 2009-10-27 13:49 117760 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-27 17:07 . 2010-03-28 04:28 57344 ----a-w- c:\windows\Internet Logs\xDBA7.tmp
2010-03-27 03:35 . 2010-03-27 16:21 114688 ----a-w- c:\windows\Internet Logs\xDBA6.tmp
2010-03-26 17:24 . 2010-03-27 00:41 367104 ----a-w- c:\windows\Internet Logs\xDBA5.tmp
2010-03-26 16:22 . 2010-03-26 16:22 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2010-03-26 16:13 . 2010-03-26 16:11 -------- d-----r- c:\program files\Skype
2010-03-26 16:12 . 2010-03-26 16:12 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 16:11 . 2010-03-26 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-24 14:28 . 2010-03-25 17:58 200704 ----a-w- c:\windows\Internet Logs\xDBA4.tmp
2010-03-24 13:55 . 2008-11-05 15:43 -------- d-----w- c:\program files\NJStar Communicator
2010-03-21 17:01 . 2010-03-24 11:44 358400 ----a-w- c:\windows\Internet Logs\xDBA3.tmp
2010-03-17 15:46 . 2010-03-18 10:12 48640 ----a-w- c:\windows\Internet Logs\xDBA2.tmp
2010-03-14 16:25 . 2010-03-15 12:25 650752 ----a-w- c:\windows\Internet Logs\xDBA1.tmp
2010-03-12 17:02 . 2010-03-13 12:46 770048 ----a-w- c:\windows\Internet Logs\xDBA0.tmp
2010-03-11 16:18 . 2010-03-12 11:19 302592 ----a-w- c:\windows\Internet Logs\xDB9F.tmp
2010-03-10 06:15 . 2004-08-03 16:56 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-11-01 18:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 17:58 . 2010-03-07 04:40 136704 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2010-02-26 18:19 . 2010-02-27 02:22 273920 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2010-02-25 06:24 . 2004-08-03 16:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:06 . 2010-02-24 18:10 160768 ----a-w- c:\windows\Internet Logs\xDB9C.tmp
2010-02-24 13:11 . 2004-08-03 15:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 15:18 . 2010-02-24 09:02 154624 ----a-w- c:\windows\Internet Logs\xDB9B.tmp
2010-02-22 16:56 . 2010-02-23 14:17 707072 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2010-02-21 19:25 . 2010-02-22 10:09 54784 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2010-02-17 16:21 . 2010-02-21 18:53 152576 ----a-w- c:\windows\Internet Logs\xDB98.tmp
2010-02-16 14:08 . 2004-08-03 15:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 19:47 . 2010-02-17 12:31 556544 -c--a-w- c:\windows\Internet Logs\xDB97.tmp
2010-02-12 16:36 . 2010-02-12 16:37 28672 -c--a-w- c:\windows\Internet Logs\xDB96.tmp
2010-02-12 04:33 . 2004-08-03 16:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 20:40 . 2010-02-12 05:39 299008 -c--a-w- c:\windows\Internet Logs\xDB95.tmp
2010-02-11 12:02 . 2004-08-03 15:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 12:46 . 2010-02-09 16:06 2388480 -c--a-w- c:\windows\Internet Logs\xDB94.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-05-08_06.00.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 06:42 . 2010-05-08 06:42 16384 c:\windows\Temp\Perflib_Perfdata_e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"2kadiras"="2kadiras.exe" [2003-07-18 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"Sony Ericsson PC Suite"="d:\pf\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2009-05-26 549400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
DSLMON.lnk - c:\program files\ADSL\ADSL USB MODEM\dslmon.exe [2008-10-29 929861]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\pf\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- d:\pf\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User.USER-146E9E34C8\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04 AM 35168]
R1 SASDIFSV;SASDIFSV;d:\pf\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2009 3:22 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\pf\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2009 3:22 PM 66632]
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [10/7/2009 9:16 AM 472280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/24/2009 6:59 PM 717296]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [11/20/2008 9:09 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [11/20/2008 9:09 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [11/20/2008 9:09 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [11/20/2008 9:09 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [11/20/2008 9:09 PM 98568]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [11/16/2008 11:06 PM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [11/17/2008 7:08 PM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [11/17/2008 7:08 PM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [11/30/2008 4:04 AM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [11/30/2008 4:04 AM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [11/30/2008 4:04 AM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [11/30/2008 4:04 AM 97704]
S3 SASENUM;SASENUM;d:\pf\SUPERAntiSpyware\SASENUM.SYS [9/3/2009 3:22 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-26 14:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
d:\pf\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-08 14:50:14
ComboFix-quarantined-files.txt 2010-05-08 06:50
ComboFix2.txt 2010-05-08 06:02

Pre-Run: 40,536,170,496 bytes free
Post-Run: 40,497,950,720 bytes free

- - End Of File - - 9F2FB0689BE2769A7D5F9021711E7BBD
  • 0

#9
YellowRubberDuck

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
Hi Ron,

ComboFix.txt

ComboFix 10-05-06.05 - User 05/08/2010 14:43:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.630 [GMT 8:00]
Running from: c:\documents and settings\User.USER-146E9E34C8\Desktop\george.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-07 16:40 . 2010-05-07 16:40 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\AnvSoft
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\program files\Autorun Eater
2010-04-16 13:48 . 2010-04-16 13:48 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\ESET
2010-04-15 14:48 . 2010-04-15 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-15 14:11 . 2010-04-15 14:39 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-15 14:10 . 2010-04-15 14:10 -------- d-----w- c:\program files\BitDefender
2010-04-15 14:09 . 2010-04-15 14:10 -------- d-----w- c:\program files\Common Files\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 19:35 . 2010-05-08 05:50 867840 ----a-w- c:\windows\Internet Logs\xDBC3.tmp
2010-05-07 19:33 . 2008-11-05 14:38 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\uTorrent
2010-05-07 19:33 . 2010-03-26 16:15 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Skype
2010-05-07 19:33 . 2008-11-04 11:52 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Free Download Manager
2010-05-07 17:26 . 2010-03-26 16:22 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\skypePM
2010-05-06 13:03 . 2010-05-06 13:04 2945536 ----a-w- c:\windows\Internet Logs\xDBC2.tmp
2010-05-06 12:25 . 2009-08-08 17:49 6153352 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-06 12:23 . 2008-11-05 14:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 12:22 . 2008-11-05 14:17 -------- d-----w- c:\program files\SpywareBlaster
2010-05-02 14:56 . 2010-05-03 17:53 281088 ----a-w- c:\windows\Internet Logs\xDBC1.tmp
2010-05-02 05:22 . 2010-05-02 12:38 316928 ----a-w- c:\windows\Internet Logs\xDBC0.tmp
2010-05-01 04:50 . 2008-10-29 00:01 53 ----a-w- c:\windows\popcinfo.dat
2010-04-30 16:49 . 2010-04-30 20:47 527872 ----a-w- c:\windows\Internet Logs\xDBBF.tmp
2010-04-29 16:54 . 2010-04-29 16:55 3017216 ----a-w- c:\windows\Internet Logs\xDBBE.tmp
2010-04-29 07:39 . 2009-08-02 13:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2009-08-02 13:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 16:21 . 2010-04-29 13:50 1272832 ----a-w- c:\windows\Internet Logs\xDBBD.tmp
2010-04-23 17:37 . 2010-04-24 00:56 633344 ----a-w- c:\windows\Internet Logs\xDBBC.tmp
2010-04-20 17:23 . 2010-04-21 12:06 434176 ----a-w- c:\windows\Internet Logs\xDBBB.tmp
2010-04-18 15:43 . 2010-04-19 11:12 237056 ----a-w- c:\windows\Internet Logs\xDBBA.tmp
2010-04-16 17:07 . 2010-04-18 12:12 100352 ----a-w- c:\windows\Internet Logs\xDBB9.tmp
2010-04-16 13:27 . 2010-04-16 13:28 131584 ----a-w- c:\windows\Internet Logs\xDBB8.tmp
2010-04-15 16:52 . 2010-04-15 16:54 205312 ----a-w- c:\windows\Internet Logs\xDBB7.tmp
2010-04-15 14:48 . 2008-11-04 11:44 -------- d-----w- c:\program files\Eset
2010-04-14 17:08 . 2010-04-15 14:01 464384 ----a-w- c:\windows\Internet Logs\xDBB6.tmp
2010-04-12 16:17 . 2010-04-13 17:54 139264 ----a-w- c:\windows\Internet Logs\xDBB5.tmp
2010-04-11 16:12 . 2010-04-12 12:39 154112 ----a-w- c:\windows\Internet Logs\xDBB4.tmp
2010-04-11 13:48 . 2008-11-08 16:21 181096 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\FlashGot.exe
2010-04-11 02:06 . 2010-04-11 12:34 317440 ----a-w- c:\windows\Internet Logs\xDBB3.tmp
2010-04-07 17:24 . 2010-04-09 11:06 242176 ----a-w- c:\windows\Internet Logs\xDBB0.tmp
2010-04-07 17:05 . 2008-11-01 18:22 70720 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 11:27 . 2010-04-07 13:18 420864 ----a-w- c:\windows\Internet Logs\xDBAF.tmp
2010-04-06 20:24 . 2010-04-07 10:08 29696 ----a-w- c:\windows\Internet Logs\xDBAE.tmp
2010-04-04 17:03 . 2010-04-05 12:11 151040 ----a-w- c:\windows\Internet Logs\xDBAD.tmp
2010-04-03 13:09 . 2010-04-04 12:52 325632 ----a-w- c:\windows\Internet Logs\xDBAC.tmp
2010-03-31 16:48 . 2010-04-01 11:28 87040 ----a-w- c:\windows\Internet Logs\xDBAB.tmp
2010-03-31 13:54 . 2010-03-31 13:54 61440 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-sse.dll
2010-03-31 13:54 . 2010-03-31 13:54 12800 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-d3d.dll
2010-03-31 13:54 . 2008-09-02 16:14 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 13:54 . 2010-03-31 13:54 503808 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcp71.dll
2010-03-31 13:54 . 2010-03-31 13:54 499712 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\jmc.dll
2010-03-31 13:54 . 2010-03-31 13:54 348160 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcr71.dll
2010-03-31 13:53 . 2008-09-02 16:18 -------- d-----w- c:\program files\Java
2010-03-29 23:24 . 2010-03-31 13:43 44032 ----a-w- c:\windows\Internet Logs\xDBAA.tmp
2010-03-28 15:53 . 2010-03-29 22:20 114176 ----a-w- c:\windows\Internet Logs\xDBA9.tmp
2010-03-28 05:52 . 2010-03-28 05:53 114176 ----a-w- c:\windows\Internet Logs\xDBA8.tmp
2010-03-28 04:34 . 2009-10-27 13:49 117760 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-27 17:07 . 2010-03-28 04:28 57344 ----a-w- c:\windows\Internet Logs\xDBA7.tmp
2010-03-27 03:35 . 2010-03-27 16:21 114688 ----a-w- c:\windows\Internet Logs\xDBA6.tmp
2010-03-26 17:24 . 2010-03-27 00:41 367104 ----a-w- c:\windows\Internet Logs\xDBA5.tmp
2010-03-26 16:22 . 2010-03-26 16:22 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2010-03-26 16:13 . 2010-03-26 16:11 -------- d-----r- c:\program files\Skype
2010-03-26 16:12 . 2010-03-26 16:12 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 16:11 . 2010-03-26 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-24 14:28 . 2010-03-25 17:58 200704 ----a-w- c:\windows\Internet Logs\xDBA4.tmp
2010-03-24 13:55 . 2008-11-05 15:43 -------- d-----w- c:\program files\NJStar Communicator
2010-03-21 17:01 . 2010-03-24 11:44 358400 ----a-w- c:\windows\Internet Logs\xDBA3.tmp
2010-03-17 15:46 . 2010-03-18 10:12 48640 ----a-w- c:\windows\Internet Logs\xDBA2.tmp
2010-03-14 16:25 . 2010-03-15 12:25 650752 ----a-w- c:\windows\Internet Logs\xDBA1.tmp
2010-03-12 17:02 . 2010-03-13 12:46 770048 ----a-w- c:\windows\Internet Logs\xDBA0.tmp
2010-03-11 16:18 . 2010-03-12 11:19 302592 ----a-w- c:\windows\Internet Logs\xDB9F.tmp
2010-03-10 06:15 . 2004-08-03 16:56 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-11-01 18:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 17:58 . 2010-03-07 04:40 136704 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2010-02-26 18:19 . 2010-02-27 02:22 273920 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2010-02-25 06:24 . 2004-08-03 16:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:06 . 2010-02-24 18:10 160768 ----a-w- c:\windows\Internet Logs\xDB9C.tmp
2010-02-24 13:11 . 2004-08-03 15:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 15:18 . 2010-02-24 09:02 154624 ----a-w- c:\windows\Internet Logs\xDB9B.tmp
2010-02-22 16:56 . 2010-02-23 14:17 707072 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2010-02-21 19:25 . 2010-02-22 10:09 54784 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2010-02-17 16:21 . 2010-02-21 18:53 152576 ----a-w- c:\windows\Internet Logs\xDB98.tmp
2010-02-16 14:08 . 2004-08-03 15:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 19:47 . 2010-02-17 12:31 556544 -c--a-w- c:\windows\Internet Logs\xDB97.tmp
2010-02-12 16:36 . 2010-02-12 16:37 28672 -c--a-w- c:\windows\Internet Logs\xDB96.tmp
2010-02-12 04:33 . 2004-08-03 16:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 20:40 . 2010-02-12 05:39 299008 -c--a-w- c:\windows\Internet Logs\xDB95.tmp
2010-02-11 12:02 . 2004-08-03 15:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 12:46 . 2010-02-09 16:06 2388480 -c--a-w- c:\windows\Internet Logs\xDB94.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-05-08_06.00.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 06:42 . 2010-05-08 06:42 16384 c:\windows\Temp\Perflib_Perfdata_e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"2kadiras"="2kadiras.exe" [2003-07-18 32768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"Sony Ericsson PC Suite"="d:\pf\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2009-05-26 549400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
DSLMON.lnk - c:\program files\ADSL\ADSL USB MODEM\dslmon.exe [2008-10-29 929861]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\pf\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- d:\pf\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User.USER-146E9E34C8\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04 AM 35168]
R1 SASDIFSV;SASDIFSV;d:\pf\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2009 3:22 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\pf\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2009 3:22 PM 66632]
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [10/7/2009 9:16 AM 472280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/24/2009 6:59 PM 717296]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [11/20/2008 9:09 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [11/20/2008 9:09 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [11/20/2008 9:09 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [11/20/2008 9:09 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [11/20/2008 9:09 PM 98568]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [11/16/2008 11:06 PM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [11/17/2008 7:08 PM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [11/17/2008 7:08 PM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [11/30/2008 4:04 AM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [11/30/2008 4:04 AM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [11/30/2008 4:04 AM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [11/30/2008 4:04 AM 97704]
S3 SASENUM;SASENUM;d:\pf\SUPERAntiSpyware\SASENUM.SYS [9/3/2009 3:22 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-26 14:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
d:\pf\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-08 14:50:14
ComboFix-quarantined-files.txt 2010-05-08 06:50
ComboFix2.txt 2010-05-08 06:02

Pre-Run: 40,536,170,496 bytes free
Post-Run: 40,497,950,720 bytes free

- - End Of File - - 9F2FB0689BE2769A7D5F9021711E7BBD
  • 0

#10
YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • 109 posts
Hi Ron,

ComboFix.txt

ComboFix 10-05-06.05 - User 05/08/2010 14:43:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.630 [GMT 8:00]
Running from: c:\documents and settings\User.USER-146E9E34C8\Desktop\george.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-07 16:40 . 2010-05-07 16:40 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\AnvSoft
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-05-06 12:31 . 2010-05-06 12:31 -------- d-----w- c:\program files\Autorun Eater
2010-04-16 13:48 . 2010-04-16 13:48 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\ESET
2010-04-15 14:48 . 2010-04-15 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-15 14:11 . 2010-04-15 14:39 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-15 14:10 . 2010-04-15 14:10 -------- d-----w- c:\program files\BitDefender
2010-04-15 14:09 . 2010-04-15 14:10 -------- d-----w- c:\program files\Common Files\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 19:35 . 2010-05-08 05:50 867840 ----a-w- c:\windows\Internet Logs\xDBC3.tmp
2010-05-07 19:33 . 2008-11-05 14:38 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\uTorrent
2010-05-07 19:33 . 2010-03-26 16:15 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Skype
2010-05-07 19:33 . 2008-11-04 11:52 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Free Download Manager
2010-05-07 17:26 . 2010-03-26 16:22 -------- d-----w- c:\documents and settings\User.USER-146E9E34C8\Application Data\skypePM
2010-05-06 13:03 . 2010-05-06 13:04 2945536 ----a-w- c:\windows\Internet Logs\xDBC2.tmp
2010-05-06 12:25 . 2009-08-08 17:49 6153352 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-06 12:23 . 2008-11-05 14:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 12:22 . 2008-11-05 14:17 -------- d-----w- c:\program files\SpywareBlaster
2010-05-02 14:56 . 2010-05-03 17:53 281088 ----a-w- c:\windows\Internet Logs\xDBC1.tmp
2010-05-02 05:22 . 2010-05-02 12:38 316928 ----a-w- c:\windows\Internet Logs\xDBC0.tmp
2010-05-01 04:50 . 2008-10-29 00:01 53 ----a-w- c:\windows\popcinfo.dat
2010-04-30 16:49 . 2010-04-30 20:47 527872 ----a-w- c:\windows\Internet Logs\xDBBF.tmp
2010-04-29 16:54 . 2010-04-29 16:55 3017216 ----a-w- c:\windows\Internet Logs\xDBBE.tmp
2010-04-29 07:39 . 2009-08-02 13:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2009-08-02 13:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 16:21 . 2010-04-29 13:50 1272832 ----a-w- c:\windows\Internet Logs\xDBBD.tmp
2010-04-23 17:37 . 2010-04-24 00:56 633344 ----a-w- c:\windows\Internet Logs\xDBBC.tmp
2010-04-20 17:23 . 2010-04-21 12:06 434176 ----a-w- c:\windows\Internet Logs\xDBBB.tmp
2010-04-18 15:43 . 2010-04-19 11:12 237056 ----a-w- c:\windows\Internet Logs\xDBBA.tmp
2010-04-16 17:07 . 2010-04-18 12:12 100352 ----a-w- c:\windows\Internet Logs\xDBB9.tmp
2010-04-16 13:27 . 2010-04-16 13:28 131584 ----a-w- c:\windows\Internet Logs\xDBB8.tmp
2010-04-15 16:52 . 2010-04-15 16:54 205312 ----a-w- c:\windows\Internet Logs\xDBB7.tmp
2010-04-15 14:48 . 2008-11-04 11:44 -------- d-----w- c:\program files\Eset
2010-04-14 17:08 . 2010-04-15 14:01 464384 ----a-w- c:\windows\Internet Logs\xDBB6.tmp
2010-04-12 16:17 . 2010-04-13 17:54 139264 ----a-w- c:\windows\Internet Logs\xDBB5.tmp
2010-04-11 16:12 . 2010-04-12 12:39 154112 ----a-w- c:\windows\Internet Logs\xDBB4.tmp
2010-04-11 13:48 . 2008-11-08 16:21 181096 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Mozilla\Firefox\Profiles\utrmluts.default\FlashGot.exe
2010-04-11 02:06 . 2010-04-11 12:34 317440 ----a-w- c:\windows\Internet Logs\xDBB3.tmp
2010-04-07 17:24 . 2010-04-09 11:06 242176 ----a-w- c:\windows\Internet Logs\xDBB0.tmp
2010-04-07 17:05 . 2008-11-01 18:22 70720 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-07 11:27 . 2010-04-07 13:18 420864 ----a-w- c:\windows\Internet Logs\xDBAF.tmp
2010-04-06 20:24 . 2010-04-07 10:08 29696 ----a-w- c:\windows\Internet Logs\xDBAE.tmp
2010-04-04 17:03 . 2010-04-05 12:11 151040 ----a-w- c:\windows\Internet Logs\xDBAD.tmp
2010-04-03 13:09 . 2010-04-04 12:52 325632 ----a-w- c:\windows\Internet Logs\xDBAC.tmp
2010-03-31 16:48 . 2010-04-01 11:28 87040 ----a-w- c:\windows\Internet Logs\xDBAB.tmp
2010-03-31 13:54 . 2010-03-31 13:54 61440 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-sse.dll
2010-03-31 13:54 . 2010-03-31 13:54 12800 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-332d1e4e-n\decora-d3d.dll
2010-03-31 13:54 . 2008-09-02 16:14 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 13:54 . 2010-03-31 13:54 503808 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcp71.dll
2010-03-31 13:54 . 2010-03-31 13:54 499712 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\jmc.dll
2010-03-31 13:54 . 2010-03-31 13:54 348160 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-694b4c5a-n\msvcr71.dll
2010-03-31 13:53 . 2008-09-02 16:18 -------- d-----w- c:\program files\Java
2010-03-29 23:24 . 2010-03-31 13:43 44032 ----a-w- c:\windows\Internet Logs\xDBAA.tmp
2010-03-28 15:53 . 2010-03-29 22:20 114176 ----a-w- c:\windows\Internet Logs\xDBA9.tmp
2010-03-28 05:52 . 2010-03-28 05:53 114176 ----a-w- c:\windows\Internet Logs\xDBA8.tmp
2010-03-28 04:34 . 2009-10-27 13:49 117760 ----a-w- c:\documents and settings\User.USER-146E9E34C8\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-27 17:07 . 2010-03-28 04:28 57344 ----a-w- c:\windows\Internet Logs\xDBA7.tmp
2010-03-27 03:35 . 2010-03-27 16:21 114688 ----a-w- c:\windows\Internet Logs\xDBA6.tmp
2010-03-26 17:24 . 2010-03-27 00:41 367104 ----a-w- c:\windows\Internet Logs\xDBA5.tmp
2010-03-26 16:22 . 2010-03-26 16:22 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2010-03-26 16:13 . 2010-03-26 16:11 -------- d-----r- c:\program files\Skype
2010-03-26 16:12 . 2010-03-26 16:12 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 16:11 . 2010-03-26 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-24 14:28 . 2010-03-25 17:58 200704 ----a-w- c:\windows\Internet Logs\xDBA4.tmp
2010-03-24 13:55 . 2008-11-05 15:43 -------- d-----w- c:\program files\NJStar Communicator
2010-03-21 17:01 . 2010-03-24 11:44 358400 ----a-w- c:\windows\Internet Logs\xDBA3.tmp
2010-03-17 15:46 . 2010-03-18 10:12 48640 ----a-w- c:\windows\Internet Logs\xDBA2.tmp
2010-03-14 16:25 . 2010-03-15 12:25 650752 ----a-w- c:\windows\Internet Logs\xDBA1.tmp
2010-03-12 17:02 . 2010-03-13 12:46 770048 ----a-w- c:\windows\Internet Logs\xDBA0.tmp
2010-03-11 16:18 . 2010-03-12 11:19 302592 ----a-w- c:\windows\Internet Logs\xDB9F.tmp
2010-03-10 06:15 . 2004-08-03 16:56 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-11-01 18:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 17:58 . 2010-03-07 04:40 136704 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2010-02-26 18:19 . 2010-02-27 02:22 273920 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2010-02-25 06:24 . 2004-08-03 16:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:06 . 2010-02-24 18:10 160768 ----a-w- c:\windows\Internet Logs\xDB9C.tmp
2010-02-24 13:11 . 2004-08-03 15:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 15:18 . 2010-02-24 09:02 154624 ----a-w- c:\windows\Internet Logs\xDB9B.tmp
2010-02-22 16:56 . 2010-02-23 14:17 707072 ----a-w- c:\windows\Internet Logs\xDB9A.tmp
2010-02-21 19:25 . 2010-02-22 10:09 54784 ----a-w- c:\windows\Internet Logs\xDB99.tmp
2010-02-17 16:21 . 2010-02-21 18:53 152576 ----a-w- c:\windows\Internet Logs\xDB98.tmp
2010-02-16 14:08 . 2004-08-03 15:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 19:47 . 2010-02-17 12:31 556544 -c--a-w- c:\windows\Internet Logs\xDB97.tmp
2010-02-12 16:36 . 2010-02-12 16:37 28672 -c--a-w- c:\windows\Internet Logs\xDB96.tmp
2010-02-12 04:33 . 2004-08-03 16:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 20:40 . 2010-02-12 05:39 299008 -c--a-w- c:\windows\Internet Logs\xDB95.tmp
2010-02-11 12:02 . 2004-08-03 15:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 12:46 . 2010-02-09 16:06 2388480 -c--a-w- c:\windows\Internet Logs\xDB94.tmp
.

  • 0

#11
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Looks like Eset did its job.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.



You may not have the latest Java (5 update 20). Get the latest at:

http://www.java.com/...nload/index.jsp


Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE).


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files, you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK, then close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

Ron
  • 0