
Java virus and event viewer errors



#31
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Leave MBAM for now.

Have a look and see if you have an AVG folder in programs, should look something like this:

Program Files\AVG\folder

If it is there, delete it. If it is not there, follow the instructions below; if ComboFix alerts you about AVG you should still be able to press Continue.

Now

Download a new version of ComboFix from one of these locations:

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    To disable Windows Firewall, follow these steps:
    • Go to Start > Run and type Firewall.cpl and click OK.
    • On the General tab, click Off (not recommended).
    • Click OK.


    Reverse the process to enable it when we have finished.
  • Make sure you have internet access enabled.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

Let the program run without interference; even a mouse click can abort the process.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



#32
P Lazarou

    Member

  • Topic Starter
  • Member
  • 26 posts
Hi Emeraldz

I deleted the AVG file but ComboFix still warned me that AVG was running. I tried killing it with the AVG deletion tool but ComboFix still warned it was running, so I went ahead with the scan and now have the log file for you.

ComboFix 11-01-14.01 - Geoff 15/01/2011 12:38:30.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.552 [GMT 0:00]
Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Geoff\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Geoff\Application Data\inst.exe
c:\documents and settings\Geoff\Application Data\PriceGong
c:\documents and settings\Geoff\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Geoff\Local Settings\temp\clclean.0001.dir.0001\~df394b.tmp
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\system32\Data
c:\windows\system32\logs
c:\windows\system32\logs\{9B253154-38A3-4A3C-B71C-586141467653}.log
c:\windows\system32\tmp.reg
c:\windows\YAHELITE.INI

.
((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
.

2011-01-10 15:27 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-10 15:27 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-10 15:27 . 2011-01-14 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-07 14:20 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-07 14:20 . 2001-08-17 22:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-07 14:20 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-07 14:19 . 2001-08-17 22:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-07 14:19 . 2001-08-17 22:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-07 14:19 . 2001-08-17 22:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-07 14:19 . 2001-08-17 12:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-07 14:19 . 2004-08-03 22:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-07 14:19 . 2004-08-03 22:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-07 14:18 . 2008-04-13 19:36 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2011-01-07 14:18 . 2004-08-03 22:31 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-01-07 14:18 . 2001-08-17 12:12 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2011-01-07 14:18 . 2001-08-17 13:28 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
2011-01-07 14:18 . 2001-08-17 22:36 53760 ----a-w- c:\windows\system32\dllcache\wiamsmud.dll
2011-01-07 14:18 . 2004-08-10 05:00 31232 ----a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-01-07 14:18 . 2001-08-17 22:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2011-01-07 14:18 . 2004-08-10 05:00 41600 ----a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-01-07 14:18 . 2001-08-17 13:28 701386 ----a-w- c:\windows\system32\dllcache\wdhaalba.sys
2011-01-07 14:16 . 2001-08-17 13:28 224802 ----a-w- c:\windows\system32\dllcache\usr1807a.sys
2011-01-07 14:15 . 2001-08-17 12:51 166784 ----a-w- c:\windows\system32\dllcache\tridxpm.sys
2011-01-07 14:14 . 2004-08-10 05:00 21896 ----a-w- c:\windows\system32\dllcache\tdipx.sys
2011-01-07 14:13 . 2001-08-17 22:36 24660 ----a-w- c:\windows\system32\dllcache\spxupchk.dll
2011-01-07 14:12 . 2004-08-10 05:00 31744 ----a-w- c:\windows\system32\dllcache\sma3w.dll
2011-01-07 14:11 . 2001-08-17 13:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2011-01-07 14:10 . 2001-08-17 12:50 166720 ----a-w- c:\windows\system32\dllcache\s3m.sys
2011-01-07 14:09 . 2001-08-17 13:28 130942 ----a-w- c:\windows\system32\dllcache\ptserlv.sys
2011-01-07 14:08 . 2001-08-17 12:11 29769 ----a-w- c:\windows\system32\dllcache\pcntn5m.sys
2011-01-07 14:07 . 2001-08-17 12:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2011-01-07 14:06 . 2001-08-17 14:56 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2011-01-07 14:05 . 2001-08-17 13:52 6528 ----a-w- c:\windows\system32\dllcache\miniqic.sys
2011-01-07 14:04 . 2001-08-17 13:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2011-01-07 14:03 . 2004-08-10 05:00 44032 ----a-w- c:\windows\system32\dllcache\imekrmig.exe
2011-01-07 14:02 . 2001-08-17 13:28 57471 ----a-w- c:\windows\system32\dllcache\hsf_samp.sys
2011-01-07 14:01 . 2004-08-10 05:00 36864 ----a-w- c:\windows\system32\dllcache\hanjadic.dll
2011-01-07 14:00 . 2001-08-17 22:36 45568 ----a-w- c:\windows\system32\dllcache\esunib.dll
2011-01-07 13:59 . 2001-08-17 12:12 19594 ----a-w- c:\windows\system32\dllcache\e100isa4.sys
2011-01-07 13:58 . 2001-08-17 22:36 27648 ----a-w- c:\windows\system32\dllcache\cyzports.dll
2011-01-07 13:57 . 2001-08-17 13:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-01-07 13:35 . 2004-08-10 05:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2011-01-07 13:35 . 2001-08-17 14:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-01-07 13:35 . 2004-08-10 05:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-01-07 13:35 . 2004-08-10 05:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-01-07 13:35 . 2004-08-10 05:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-01-07 13:35 . 2004-08-10 05:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2011-01-07 13:35 . 2004-08-10 05:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-01-07 13:35 . 2004-08-10 05:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2011-01-02 16:58 . 2011-01-02 16:58 -------- d-----w- c:\program files\MP3 Player Utilities
2011-01-01 22:25 . 2009-08-11 21:18 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-01-01 22:25 . 2011-01-01 22:25 -------- d-----w- c:\program files\AC3Filter
2011-01-01 22:18 . 2011-01-01 22:18 -------- d-----w- c:\program files\Conduit
2011-01-01 22:18 . 2011-01-01 22:18 -------- d-----w- c:\documents and settings\Geoff\Local Settings\Application Data\Conduit
2011-01-01 22:18 . 2011-01-01 22:18 -------- d-----w- c:\documents and settings\Geoff\Local Settings\Application Data\Elf_1
2011-01-01 22:17 . 2011-01-01 22:18 -------- d-----w- c:\program files\Elf_1
2011-01-01 22:17 . 2011-01-01 22:17 -------- d-----w- c:\documents and settings\Geoff\Local Settings\Application Data\temp
2010-12-31 23:38 . 2010-12-31 23:38 -------- d-----w- c:\documents and settings\Geoff\Application Data\Media Player Classic
2010-12-31 22:59 . 2010-03-15 10:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-12-31 22:58 . 2010-11-03 19:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2010-12-31 22:58 . 2010-01-17 16:18 151552 ----a-w- c:\windows\system32\ac3acm.acm
2010-12-31 22:58 . 2008-09-24 19:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-12-31 22:58 . 2010-12-07 18:40 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-31 22:58 . 2010-12-07 18:22 810496 ----a-w- c:\windows\system32\xvidcore.dll
2010-12-31 22:58 . 2010-12-27 08:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-31 22:58 . 2010-12-31 23:00 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-12-30 19:36 . 2010-12-30 19:36 -------- d-----w- c:\program files\Sophos
2010-12-30 17:20 . 2010-12-30 17:24 -------- d-----w- c:\documents and settings\Geoff\Application Data\ElevatedDiagnostics
2010-12-30 11:55 . 2010-12-30 11:55 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-28 19:37 . 2010-12-28 19:37 -------- d-----w- c:\documents and settings\Geoff\Application Data\Vivox
2010-12-28 19:33 . 2010-12-28 19:49 -------- d-----w- c:\documents and settings\Geoff\Application Data\IMVU
2010-12-28 09:51 . 2010-12-28 09:51 -------- d-----w- C:\_OTL
2010-12-24 09:44 . 2010-12-24 09:44 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-12-24 08:14 . 2010-12-24 08:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-20 07:01 . 2010-12-20 07:01 -------- d-----w- C:\found.000
2010-12-17 23:30 . 2010-12-20 00:09 -------- d-----w- c:\documents and settings\Geoff\Application Data\skypePM
2010-12-17 23:25 . 2010-12-24 08:11 -------- d-----w- c:\documents and settings\Geoff\Application Data\Skype
2010-12-17 23:25 . 2010-12-24 08:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2005-08-16 04:40 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 18:53 . 2010-07-29 09:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 16:34 . 2009-04-15 17:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2005-08-16 04:18 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2005-08-16 04:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2005-08-16 04:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2005-08-16 04:18 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2005-08-16 04:18 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2005-08-16 04:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2005-08-16 04:18 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\Elf_1\tbElf_.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{22E03916-85C5-44B0-8DC9-1830C11238D9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-13 136136]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-15 2424560]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-08 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 86960]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-08 198160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2006-4-10 425984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-10-30 884840]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2006-4-10 425984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 19:44 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wanadoo Connection Kit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wanadoo Connection Kit.lnk
backup=c:\windows\pss\Wanadoo Connection Kit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoff^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\Geoff\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 10:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 09:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-03-13 08:29 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 09:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 08:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-09-15 13:11 1242448 ----a-w- c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2005-09-19 07:42 1159168 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uniblue RegistryBooster 2009"=c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe /S

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msvs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcstart.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Geoff\\Application Data\\IMVUClient\\1VivoxVoice.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/04/2009 21:29 28544]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/10/2007 17:48 685816]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [22/12/2008 11:06 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 11:05 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [28/02/2010 12:19 108289]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [30/10/2008 14:17 17149]
S3 lac97inf;lac97inf;\??\c:\docume~1\Geoff\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Geoff\LOCALS~1\Temp\lac97inf.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\F.tmp --> c:\windows\system32\F.tmp [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys --> c:\windows\system32\DRIVERS\wg111v3.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 11:06 12872]
S3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;c:\windows\system32\drivers\usb8023.sys [16/08/2005 04:18 12800]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{028E2D30-93C4-EAEB-0801-040005020704}]
2004-08-03 22:59 28112 ----a-w- c:\windows\system32\drwatson.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 14:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - c:\program files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Geoff\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-15 12:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3978038109-150875750-2949445910-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3978038109-150875750-2949445910-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:80,12,6e,98,68,26,e2,93,3b,47,ff,eb,dc,85,b8,89,8f,6b,2c,42,0f,5e,34,
7a,5c,97,cd,85,fb,c6,b7,1b,33,17,9d,37,09,92,e2,a2,f1,05,28,a6,c0,32,c8,23,\
"??"=hex:96,7f,89,4a,dd,52,5c,2f,4e,d9,73,28,ee,9c,86,17

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-15 12:58:17
ComboFix-quarantined-files.txt 2011-01-15 12:58
ComboFix2.txt 2008-09-10 15:51

Pre-Run: 22,951,583,744 bytes free
Post-Run: 23,568,994,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - D17753C04CE044935BACE91FE6D7A082

#33
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello P Lazarou,

Lots to do in this one. Just take your time and follow each step one by one. Come back and ask if you have any problems.

In this post we want to remove some more bad ones and if you are happy to work with us we would like to get another look at the mbr on your machine.

Firstly

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Driver::
lac97inf
MEMSWEEP2

File::
c:\docume~1\Geoff\LOCALS~1\Temp\lac97inf.sys
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

Folder::
c:\program files\Ask.com

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

Now after that

That MBR has been analysed and is very unusual. We would like a better look at it. Would you mind doing the following, which will allow for a fuller report?

This involves using a different tool. You will need a USB drive.

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • It will install a little bootable OS on your USB
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net.../beta/ransom.sh to your USB
  • Reboot your computer
  • Press F12 and choose to boot from the USB (if pressing F12 doesn't work please tell me - some old computers don't have that facility)
  • Follow the prompts
  • A Welcome to xPUD screen will appear (note a language image appears first, make sure it is set to English and wait)
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see bash ransom.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash ransom.sh
  • Press Enter
  • The script will prompt you to dump the first track of each drive found (usb drives included).
  • Answer Y to the drive that corresponds to your operating system drive, usually sda.
  • You will be informed of the name of the dump (and the log created). Make a note of the name (sda bin or some such).
  • Click the X (top right hand of the black screen Window) to exit.
  • Remove the USB stick and reboot your computer normally (you may need to physically turn it off and start up again).
  • Re-insert your USB stick and navigate to the log created.

Copy and zip it (right click > Send to > Compressed (zipped) folder) and upload it here

Note: Don't forget to re-set your computer to boot from the hard drive once we have finished.

#34
P Lazarou
    Member
  • Topic Starter
  • 26 posts
Hi Emeraldnzl

I was unable to boot from the USB. I followed your steps and when I selected boot from USB it gave me the error message "device not ready, choose F1 to retry boot or F2 to select utilities".
I have the log file for you:

ComboFix 11-01-18.04 - Geoff 19/01/2011 12:29:06.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.622 [GMT 0:00]
Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geoff\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\Geoff\LOCALS~1\Temp\lac97inf.sys"
"c:\windows\Tasks\Scheduled Update for Ask Toolbar.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Geoff\Application Data\PriceGong
c:\documents and settings\Geoff\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Geoff\Application Data\PriceGong\Data\z.xml
c:\program files\Ask.com
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_63.ico
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LAC97INF
-------\Legacy_MEMSWEEP2
-------\Service_lac97inf
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2010-12-19 to 2011-01-19 )))))))))))))))))))))))))))))))
.

2011-01-10 15:27 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-10 15:27 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-10 15:27 . 2011-01-14 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-07 14:20 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-07 14:20 . 2001-08-17 22:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-07 14:20 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-07 14:19 . 2001-08-17 22:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-07 14:19 . 2001-08-17 22:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-07 14:19 . 2001-08-17 22:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-07 14:19 . 2001-08-17 12:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-07 14:19 . 2004-08-03 22:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-07 14:19 . 2004-08-03 22:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-07 14:18 . 2008-04-13 19:36 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2011-01-07 14:18 . 2004-08-03 22:31 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-01-07 14:18 . 2001-08-17 12:12 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2011-01-07 14:18 . 2001-08-17 13:28 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
2011-01-07 14:18 . 2001-08-17 22:36 53760 ----a-w- c:\windows\system32\dllcache\wiamsmud.dll
2011-01-07 14:18 . 2004-08-10 05:00 31232 ----a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-01-07 14:18 . 2001-08-17 22:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2011-01-07 14:18 . 2004-08-10 05:00 41600 ----a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-01-07 14:18 . 2001-08-17 13:28 701386 ----a-w- c:\windows\system32\dllcache\wdhaalba.sys
2011-01-07 14:16 . 2001-08-17 13:28 224802 ----a-w- c:\windows\system32\dllcache\usr1807a.sys
2011-01-07 14:15 . 2001-08-17 12:51 166784 ----a-w- c:\windows\system32\dllcache\tridxpm.sys
2011-01-07 14:14 . 2004-08-10 05:00 21896 ----a-w- c:\windows\system32\dllcache\tdipx.sys
2011-01-07 14:13 . 2001-08-17 22:36 24660 ----a-w- c:\windows\system32\dllcache\spxupchk.dll
2011-01-07 14:12 . 2004-08-10 05:00 31744 ----a-w- c:\windows\system32\dllcache\sma3w.dll
2011-01-07 14:11 . 2001-08-17 13:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2011-01-07 14:10 . 2001-08-17 12:50 166720 ----a-w- c:\windows\system32\dllcache\s3m.sys
2011-01-07 14:09 . 2001-08-17 13:28 130942 ----a-w- c:\windows\system32\dllcache\ptserlv.sys
2011-01-07 14:08 . 2001-08-17 12:11 29769 ----a-w- c:\windows\system32\dllcache\pcntn5m.sys
2011-01-07 14:07 . 2001-08-17 12:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2011-01-07 14:06 . 2001-08-17 14:56 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2011-01-07 14:05 . 2001-08-17 13:52 6528 ----a-w- c:\windows\system32\dllcache\miniqic.sys
2011-01-07 14:04 . 2001-08-17 13:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2011-01-07 14:03 . 2004-08-10 05:00 44032 ----a-w- c:\windows\system32\dllcache\imekrmig.exe
2011-01-07 14:02 . 2001-08-17 13:28 57471 ----a-w- c:\windows\system32\dllcache\hsf_samp.sys
2011-01-07 14:01 . 2004-08-10 05:00 36864 ----a-w- c:\windows\system32\dllcache\hanjadic.dll
2011-01-07 14:00 . 2001-08-17 22:36 45568 ----a-w- c:\windows\system32\dllcache\esunib.dll
2011-01-07 13:59 . 2001-08-17 12:12 19594 ----a-w- c:\windows\system32\dllcache\e100isa4.sys
2011-01-07 13:58 . 2001-08-17 22:36 27648 ----a-w- c:\windows\system32\dllcache\cyzports.dll
2011-01-07 13:57 . 2001-08-17 13:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-01-07 13:35 . 2004-08-10 05:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2011-01-07 13:35 . 2001-08-17 14:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-01-07 13:35 . 2004-08-10 05:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-01-07 13:35 . 2004-08-10 05:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-01-07 13:35 . 2004-08-10 05:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-01-07 13:35 . 2004-08-10 05:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2011-01-07 13:35 . 2004-08-10 05:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-01-07 13:35 . 2004-08-10 05:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2011-01-02 16:58 . 2011-01-02 16:58 -------- d-----w- c:\program files\MP3 Player Utilities
2011-01-01 22:25 . 2009-08-11 21:18 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-01-01 22:25 . 2011-01-01 22:25 -------- d-----w- c:\program files\AC3Filter
2011-01-01 22:18 . 2011-01-01 22:18 -------- d-----w- c:\program files\Conduit
2011-01-01 22:18 . 2011-01-01 22:18 -------- d-----w- c:\documents and settings\Geoff\Local Settings\Application Data\Conduit
2011-01-01 22:18 . 2011-01-01 22:18 -------- d-----w- c:\documents and settings\Geoff\Local Settings\Application Data\Elf_1
2011-01-01 22:17 . 2011-01-01 22:18 -------- d-----w- c:\program files\Elf_1
2011-01-01 22:17 . 2011-01-01 22:17 -------- d-----w- c:\documents and settings\Geoff\Local Settings\Application Data\temp
2010-12-31 23:38 . 2010-12-31 23:38 -------- d-----w- c:\documents and settings\Geoff\Application Data\Media Player Classic
2010-12-31 22:59 . 2010-03-15 10:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-12-31 22:58 . 2010-11-03 19:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2010-12-31 22:58 . 2010-01-17 16:18 151552 ----a-w- c:\windows\system32\ac3acm.acm
2010-12-31 22:58 . 2008-09-24 19:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-12-31 22:58 . 2010-12-07 18:40 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-31 22:58 . 2010-12-07 18:22 810496 ----a-w- c:\windows\system32\xvidcore.dll
2010-12-31 22:58 . 2010-12-27 08:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-31 22:58 . 2010-12-31 23:00 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-12-30 19:36 . 2010-12-30 19:36 -------- d-----w- c:\program files\Sophos
2010-12-30 17:20 . 2010-12-30 17:24 -------- d-----w- c:\documents and settings\Geoff\Application Data\ElevatedDiagnostics
2010-12-30 11:55 . 2010-12-30 11:55 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-28 19:37 . 2010-12-28 19:37 -------- d-----w- c:\documents and settings\Geoff\Application Data\Vivox
2010-12-28 19:33 . 2010-12-28 19:49 -------- d-----w- c:\documents and settings\Geoff\Application Data\IMVU
2010-12-28 09:51 . 2010-12-28 09:51 -------- d-----w- C:\_OTL
2010-12-24 09:44 . 2010-12-24 09:44 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-12-24 08:14 . 2010-12-24 08:14 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2005-08-16 04:40 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 18:53 . 2010-07-29 09:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 16:34 . 2009-04-15 17:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2005-08-16 04:18 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2005-08-16 04:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2005-08-16 04:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2005-08-16 04:18 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2005-08-16 04:18 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2005-08-16 04:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2005-08-16 04:18 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\Elf_1\tbElf_.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{22E03916-85C5-44B0-8DC9-1830C11238D9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-13 136136]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-15 2424560]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-08 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 86960]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-08 198160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2006-4-10 425984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-10-30 884840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 19:44 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wanadoo Connection Kit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wanadoo Connection Kit.lnk
backup=c:\windows\pss\Wanadoo Connection Kit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoff^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\Geoff\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 10:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 09:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-03-13 08:29 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 09:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 08:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-09-15 13:11 1242448 ----a-w- c:\program files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2005-09-19 07:42 1159168 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uniblue RegistryBooster 2009"=c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe /S

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msvs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcstart.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Geoff\\Application Data\\IMVUClient\\1VivoxVoice.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/04/2009 21:29 28544]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/10/2007 17:48 685816]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [22/12/2008 11:06 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 11:05 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [28/02/2010 12:19 108289]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [30/10/2008 14:17 17149]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys --> c:\windows\system32\DRIVERS\wg111v3.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 11:06 12872]
S3 WLIU2KG125S;BUFFALO WLI-U2-KG125S Wireless LAN Adapter Driver;c:\windows\system32\drivers\usb8023.sys [16/08/2005 04:18 12800]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{028E2D30-93C4-EAEB-0801-040005020704}]
2004-08-03 22:59 28112 ----a-w- c:\windows\system32\drwatson.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: Send To &Bluetooth - c:\program files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Geoff\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-19 12:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3978038109-150875750-2949445910-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3978038109-150875750-2949445910-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:80,12,6e,98,68,26,e2,93,3b,47,ff,eb,dc,85,b8,89,8f,6b,2c,42,0f,5e,34,
7a,5c,97,cd,85,fb,c6,b7,1b,33,17,9d,37,09,92,e2,a2,f1,05,28,a6,c0,32,c8,23,\
"??"=hex:96,7f,89,4a,dd,52,5c,2f,4e,d9,73,28,ee,9c,86,17

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Sitecom\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\docume~1\Geoff\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-01-19 12:53:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-19 12:52
ComboFix2.txt 2011-01-15 12:58
ComboFix3.txt 2008-09-10 15:51

Pre-Run: 22,342,356,992 bytes free
Post-Run: 22,374,014,976 bytes free

- - End Of File - - E7C7A2C6800E23E18814CFBF273EAD41

#35
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hello P Lazarou,

when I selected boot from USB it gave me error message device not ready choose F1 to retry boot or F2 to select utilities


A question here - did you carry out these actions?

  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • It will install a little bootable OS on your USB

If you haven't carried out those actions please try again. If you did carry them out and it didn't work perhaps a different approach using a CD might work better for you.

Here are some instructions for that:

CD version.

For this you will need a blank CD and a clean USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, upon finishing, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download http://noahdfear.net.../beta/ransom.sh to your USB
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD

    Note: If your computer does not have the F12 facility you will have to set your bios to boot first from your CD drive.

    To set your computer BIOS to boot from a CD

    1. Restart your computer. Watch the start-up instructions that are displayed on-screen.

    A message will be displayed instructing you to press a named key (often F2, F12, or Delete) to go into settings/setup/configuration. (The key and the message will vary according to the type of computer that you are running.)

    Press this key to enter the BIOS setup mode.

    (If your computer is particularly fast, it may remove the message before you have the chance to press the key; in this case, try pressing the key once a second, starting the moment you reboot.)

    Some examples:

    • On a Dell computer, you should hit F2 to enter the BIOS.
    • Other computers may require you to hit the DEL (Delete) button to enter the BIOS.
    • On newer computers, you may be able to hit F12 to select a temporary boot device rather than changing the permanent boot sequence in the BIOS itself. If your computer offers this option, simply select the CD or DVD drive containing the antivirus CD as your temporary boot device, and skip steps 2 and 3.
    2. In the BIOS window, find the area that controls the boot sequence and rearrange the list of devices so that your CD or DVD drive is checked before your hard drive.

    For most situations, a suitable sequence is:
    1. A (Floppy)
    2. CDROM (or DVDROM)
    3. HD1 (or C).
    If your drives are listed in this order, then when you keep the CD in your CD or DVD drive during a reboot, your computer will be told to run and check for viruses on your system. (If the hard drive is listed earlier than the CD drive, your computer will not detect the CD's presence and will simply boot into Windows.)

    3. Save the settings and exit.

    4. When your computer reboots, it will check the CD or DVD drive containing the disk before it checks the hard drive.

    Thanks to Cities site University of Illinois for these instructions

  • Follow the prompts
  • A Welcome to xPUD screen will appear (note a language image appears first, make sure it is set to English and wait)
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see bash ransom.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash ransom.sh
  • Press Enter
  • The script will prompt you to dump the first track of each drive found (usb drives included).
  • Answer Y to the drive that corresponds to your operating system drive, usually sda.
  • You will be informed of the name of the dump (and the log created). Make a note of the name (sda bin or some such).
  • Click the X (top right hand of the black screen Window) to exit.
  • Remove the USB stick and reboot your computer normally (you may need to physically turn it off and start up again).
  • Re-insert your USB stick and navigate to the log created.
Copy and zip it (right click > Send to > Compressed (zipped) folder) and upload it here

Note: Don't forget to re-set your computer to boot from the hard drive once we have finished.
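Not part of the thread: an added POSIX shell example of what a first-track dump like the one the script produces involves, with the checks a helper can run on the resulting file before it is uploaded. It assumes the first track is the first 63 sectors of 512 bytes (legacy MS-DOS geometry), uses hypothetical function names, and builds a constructed disk image in place of a real drive.

```shell
#!/bin/sh
# Added example, not the thread's ransom.sh: dump the first track of a disk
# to a file, log a checksum, and sanity-check the copy before it is uploaded.
# Assumptions: "first track" means the first 63 sectors of 512 bytes (legacy
# MS-DOS geometry); function names are hypothetical; the sample disk is constructed.

# Copy the first 63 sectors of device $1 into file $2; append a checksum line to log $3.
dump_first_track() {
    dev="$1"; out="$2"; log="$3"
    dd if="$dev" of="$out" bs=512 count=63 2>/dev/null || return 1
    # cksum is POSIX; the log lets the helper match the upload against what was read
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(cksum "$out")" >> "$log"
}

# Read one byte at offset $2 of file $1 as two hex digits.
byte_hex() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# A valid MBR ends with the boot signature 0x55 0xAA at bytes 510 and 511.
mbr_signature_ok() {
    [ "$(byte_hex "$1" 510)$(byte_hex "$1" 511)" = "55aa" ]
}

# Count partition table entries in use: four 16-byte entries start at offset 446,
# and an entry is in use when its type byte (entry offset 4) is non-zero.
mbr_partition_count() {
    n=0
    for off in 450 466 482 498; do
        if [ "$(byte_hex "$1" "$off")" != "00" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed 1 MiB "disk" for demonstration: zeros, one bootable entry of type
# 0x07 (NTFS) at offset 446, and the 0x55AA signature. Real use would pass /dev/sda.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf '\200' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null  # status: bootable
    printf '\007' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null  # type byte: 0x07
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null  # 0x55 0xAA
}

# Stand-alone use: sh mbrdump.sh /dev/sda sda.bin dump.log (reading a real disk needs root).
if [ $# -eq 3 ]; then
    dump_first_track "$1" "$2" "$3" && mbr_signature_ok "$2" \
        && echo "ok: $(mbr_partition_count "$2") partition entries in use"
fi
```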

#36 P Lazarou (Member, Topic Starter, 26 posts)
Hi Emeraldz

I tried again to boot from the USB but it still would not work. This is the screen shot from the 2 programmes that are saved to the USB

Posted Image

Are they correct, thanks

#37 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
I think that is okay. It might be that the computer is not going to the USB first (the F12 bit)

Have you tried the CD version?

#38 P Lazarou (Member, Topic Starter, 26 posts)
Hi Emeraldz

Download GETxPUD.exe to the desktop of your clean computer

Sorry to be dumb, but does that mean I download to a different computer?

In the previous number 33 post

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer

So if that is the case then I made a mistake and downloaded those programmes to the PC we are working at

Edited by P Lazarou, 27 January 2011 - 10:22 AM.


#39 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
No, you're not dumb. Actually that was my fault; I should have taken into account your situation.

Quite alright to download to your computer. Just follow the other directions to use the CD (if you are using the CD version - actually that is the only way I can do it on my XP machine... it is so old) and the USB.

The reference to sick computer really relates to those who cannot boot their computer at all.

#40 P Lazarou (Member, Topic Starter, 26 posts)
Hi emeraldnzl, no problem,

I followed your instructions up to this point

Confirm that you see bash ransom.sh that you downloaded there

I could not find that in the list, and it is on my USB. I checked the other SDA 2 and 3 but it is not in there either.
#41 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hmm... I have just tried again with my machine and it comes up fine under sdb1. I can see the file on the USB drive. As it happens I have other stuff on the USB stick and I can see those files as well.

Note: it is sdb1, not sda1. Also, I am sure you will have, but just to check, you do have your USB stick inserted, don't you?

What is showing under mnt when you expand it?