Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91681 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Infected with Malware/Trojans


  • This topic is locked This topic is locked
18 replies to this topic

#1 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 29 October 2009 - 10:06 PM

Getting really frustrated with this! Keep getting pop ups for fake antivirus "Security Tool." Ran Hijack This in safe mode but unable to run in normal mode, it opens and closes immediately. Nowunable to open other programs (Word, Paint, etc) Constantly have a bubble in the lower right part of the screen that shows: Security Tool Warning wscsvc32.exe is infected with worm Lsas.Blaster.Keylogger. This worm is trying o send your credit card etails using wscsvs32.exe to connect to remote host. Please help, getting to point where I can't do anything.

    Advertisements

Register to Remove


#2 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 31 October 2009 - 07:22 PM

:welcome:

Please download RootRepeal one of these locations and save it to your desktop
Here
Here
Here
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check just these boxes:
  • Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:, and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.






Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#3 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 01 November 2009 - 11:33 AM

Thank you for getting back with me!

Was able to run some anti-spyware/malware to get some things off, but still having problems.

Avira found TR/Crypt.ZPACK.Gen trojan.

Here's the RootRepeal logs...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/01 10:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF77E0000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: aeaudio.sys
Image Path: C:\WINDOWS\system32\drivers\aeaudio.sys
Address: 0xF7D83000 Size: 4384 File Visible: - Signed: -
Status: -

Name: Afc.sys
Image Path: C:\WINDOWS\system32\drivers\Afc.sys
Address: 0xF7C27000 Size: 32768 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF571B000 Size: 138496 File Visible: - Signed: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF7ABF000 Size: 25472 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7798000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7EE0000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgio.sys
Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys
Address: 0xF7DA1000 Size: 6144 File Visible: - Signed: -
Status: -

Name: avgntflt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys
Address: 0xF43C4000 Size: 81920 File Visible: - Signed: -
Status: -

Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xF55F5000 Size: 114688 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7D91000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7C3F000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF3794000 Size: 63744 File Visible: - Signed: -
Status: -

Name: Cdr4_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
Address: 0xF7EF6000 Size: 2432 File Visible: - Signed: -
Status: -

Name: Cdralw2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Address: 0xF7EF7000 Size: 2560 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF7A6F000 Size: 62976 File Visible: - Signed: -
Status: -

Name: cdudf_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Address: 0xF5828000 Size: 241280 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF786F000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF785F000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7A8F000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF55B9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DE3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF7CCB000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7F02000 Size: 4096 File Visible: - Signed: -
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Address: 0xF6BA3000 Size: 139776 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF55D1000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF7C0F000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF78DF000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF7AEF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7778000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7D8F000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF77B0000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xF7622000 Size: 9984 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7AFF000 Size: 28672 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF2EF8000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF7CDB000 Size: 8576 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF7A3F000 Size: 52480 File Visible: - Signed: -
Status: -

Name: Imapi.sys
Image Path: C:\WINDOWS\system32\drivers\Imapi.sys
Address: 0xF7A5F000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF7A2F000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF56D4000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF57BE000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF782F000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF7C17000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7D2F000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF1C05000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF6B6C000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF774F000 Size: 92928 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF787F000 Size: 57600 File Visible: - Signed: -
Status: -

Name: mmc_2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\mmc_2K.SYS
Address: 0xF7AE7000 Size: 22720 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7D93000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF7C07000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF7C1F000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF783F000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xF384F000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF5611000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7B0F000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF7044000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF6E36000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF767B000 Size: 105344 File Visible: - Signed: -
Status: -

Name: MxlW2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xF7C2F000 Size: 25408 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7695000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF6E46000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xF4404000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF6A90000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7014000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF6FD4000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF573D000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7B17000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF76C2000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7EED000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 4247552 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Address: 0xF6CC0000 Size: 1465312 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF6B8F000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7AB7000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7DA5000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF77CF000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7DF7000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7AAF000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6AA7000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF6A7F000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF7AD7000 Size: 17792 File Visible: - Signed: -
Status: -

Name: pwd_2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Address: 0xF6B4C000 Size: 127360 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF788F000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF7CF7000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF7A9F000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF7054000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF78EF000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF7ADF000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF56A9000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7D95000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF7A7F000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF1FC3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\SPYWARE STUFF\SASDIFSV.SYS
Address: 0xF7B27000 Size: 28672 File Visible: - Signed: -
Status: -

Name: SASENUM.SYS
Image Path: C:\SPYWARE STUFF\SASENUM.SYS
Address: 0xF7BCF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\SPYWARE STUFF\SASKUTIL.sys
Address: 0xF56FA000 Size: 135168 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xF3744000 Size: 40960 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF7626000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF7A4F000 Size: 64512 File Visible: - Signed: -
Status: -

Name: smwdm.sys
Image Path: C:\WINDOWS\system32\drivers\smwdm.sys
Address: 0xF6ACB000 Size: 527360 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7766000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xF34EA000 Size: 333952 File Visible: - Signed: -
Status: -

Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xF7B1F000 Size: 23040 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7D85000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF79FF000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF5765000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7C37000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF7034000 Size: 40704 File Visible: - Signed: -
Status: -

Name: UdfReadr_xp.SYS
Image Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
Address: 0xF57E3000 Size: 206464 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF6A21000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF7D8D000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF7BFF000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF7004000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF6C88000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF7BF7000 Size: 20608 File Visible: - Signed: -
Status: -

Name: USR1806.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USR1806.SYS
Address: 0xF6BC6000 Size: 793568 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7B07000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6CAC000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF784F000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF78CF000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7B87000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF383A000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WmBEnum.sys
Image Path: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xF6E32000 Size: 10112 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7D31000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: WmXlCore.sys
Image Path: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xF7024000 Size: 39328 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF7CFF000 Size: 12032 File Visible: - Signed: -
Status: -

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/01 10:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PID: 448 Status: -

Path: C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
PID: 472 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PID: 496 Status: -

Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 532 Status: -

Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 556 Status: -

Path: C:\WINDOWS\SYSTEM32\smss.exe
PID: 568 Status: -

Path: C:\WINDOWS\SYSTEM32\cisvc.exe
PID: 624 Status: -

Path: C:\WINDOWS\SYSTEM32\csrss.exe
PID: 640 Status: -

Path: C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 664 Status: -

Path: C:\WINDOWS\SYSTEM32\services.exe
PID: 708 Status: -

Path: C:\WINDOWS\SYSTEM32\lsass.exe
PID: 720 Status: -

Path: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 896 Status: -

Path: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 964 Status: -

Path: C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
PID: 1048 Status: -

Path: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1060 Status: -

Path: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1132 Status: -

Path: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 1152 Status: -

Path: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1260 Status: -

Path: C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE
PID: 1304 Status: -

Path: C:\WINDOWS\SYSTEM32\nvsvc32.exe
PID: 1332 Status: -

Path: C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PID: 1416 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1516 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 1524 Status: -

Path: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1556 Status: -

Path: C:\WINDOWS\SYSTEM32\spoolsv.exe
PID: 1676 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\sched.exe
PID: 1724 Status: -

Path: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1828 Status: -

Path: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PID: 2092 Status: -

Path: C:\WINDOWS\SYSTEM32\alg.exe
PID: 2136 Status: -

Path: C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
PID: 2268 Status: -

Path: C:\Program Files\Common Files\Dell\EUSW\Support.exe
PID: 2404 Status: -

Path: C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
PID: 2436 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 2532 Status: -

Path: C:\Program Files\QuickTime\QTTask.exe
PID: 2584 Status: -

Path: C:\Documents and Settings\Chris\Desktop\RootRepeal.exe
PID: 2600 Status: -

Path: C:\Program Files\comcasttb\CIDGlobalLight.exe
PID: 2632 Status: -

Path: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PID: 2644 Status: -

Path: C:\WINDOWS\SYSTEM32\rundll32.exe
PID: 2704 Status: -

Path: C:\Program Files\Napster\napster.exe
PID: 2752 Status: -

Path: C:\Program Files\iTunes\iTunesHelper.exe
PID: 2800 Status: -

Path: C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PID: 2836 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PID: 2868 Status: -

Path: C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
PID: 2968 Status: -

Path: C:\SPYWARE STUFF\SpyBot\Spybot - Search & Destroy\TeaTimer.exe
PID: 3052 Status: -

Path: C:\SPYWARE STUFF\SUPERAntiSpyware.exe
PID: 3112 Status: -

Path: C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
PID: 3152 Status: -

Path: C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
PID: 3164 Status: -

Path: C:\Program Files\iPod\bin\iPodService.exe
PID: 3248 Status: -

Path: C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
PID: 3344 Status: -

Path: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
PID: 3440 Status: -

Path: C:\Program Files\TrueSwitchComcast\TrueWizard.exe
PID: 3488 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 4052 Status: -

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/01 10:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7f1f1f6

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7f1f1ec

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7f1f1fb

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7f1f205

#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Not hooked

#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 084 Function Name: NtFsControlFile
Status: Not hooked

#: 085 Function Name: NtGetContextThread
Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088 Function Name: NtGetWriteWatch
Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091 Function Name: NtImpersonateThread
Status: Not hooked

#: 092 Function Name: NtInitializeRegistry
Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094 Function Name: NtIsProcessInJob
Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096 Function Name: NtListenPort
Status: Not hooked

#: 097 Function Name: NtLoadDriver
Status: Not hooked

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7f1f20a

#: 099 Function Name: NtLoadKey2
Status: Not hooked

#: 100 Function Name: NtLockFile
Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102 Function Name: NtLockRegistryKey
Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104 Function Name: NtMakePermanentObject
Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Not hooked

#: 109 Function Name: NtModifyBootEntry
Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114 Function Name: NtOpenEvent
Status: Not hooked

#: 115 Function Name: NtOpenEventPair
Status: Not hooked

#: 116 Function Name: NtOpenFile
Status: Not hooked

#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118 Function Name: NtOpenJobObject
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Not hooked

#: 120 Function Name: NtOpenMutant
Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7f1f1d8

#: 123 Function Name: NtOpenProcessToken
Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125 Function Name: NtOpenSection
Status: Not hooked

#: 126 Function Name: NtOpenSemaphore
Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7f1f1dd

#: 129 Function Name: NtOpenThreadToken
Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131 Function Name: NtOpenTimer
Status: Not hooked

#: 132 Function Name: NtPlugPlayControl
Status: Not hooked

#: 133 Function Name: NtPowerInformation
Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked

#: 138 Function Name: NtPulseEvent
Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141 Function Name: NtQueryBootOptions
Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147 Function Name: NtQueryEaFile
Status: Not hooked

#: 148 Function Name: NtQueryEvent
Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151 Function Name: NtQueryInformationFile
Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153 Function Name: NtQueryInformationPort
Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155 Function Name: NtQueryInformationThread
Status: Not hooked

#: 156 Function Name: NtQueryInformationToken
Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160 Function Name: NtQueryKey
Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162 Function Name: NtQueryMutant
Status: Not hooked

#: 163 Function Name: NtQueryObject
Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167 Function Name: NtQuerySection
Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169 Function Name: NtQuerySemaphore
Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174 Function Name: NtQuerySystemTime
Status: Not hooked

#: 175 Function Name: NtQueryTimer
Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177 Function Name: NtQueryValueKey
Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180 Function Name: NtQueueApcThread
Status: Not hooked

#: 181 Function Name: NtRaiseException
Status: Not hooked

#: 182 Function Name: NtRaiseHardError
Status: Not hooked

#: 183 Function Name: NtReadFile
Status: Not hooked

#: 184 Function Name: NtReadFileScatter
Status: Not hooked

#: 185 Function Name: NtReadRequestData
Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188 Function Name: NtReleaseMutant
Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192 Function Name: NtRenameKey
Status: Not hooked

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7f1f214

#: 194 Function Name: NtReplyPort
Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199 Function Name: NtRequestPort
Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202 Function Name: NtResetEvent
Status: Not hooked

#: 203 Function Name: NtResetWriteWatch
Status: Not hooked

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7f1f20f

#: 205 Function Name: NtResumeProcess
Status: Not hooked

#: 206 Function Name: NtResumeThread
Status: Not hooked

#: 207 Function Name: NtSaveKey
Status: Not hooked

#: 208 Function Name: NtSaveKeyEx
Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210 Function Name: NtSecureConnectPort
Status: Not hooked

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212 Function Name: NtSetBootOptions
Status: Not hooked

#: 213 Function Name: NtSetContextThread
Status: Not hooked

#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtSetEaFile
Status: Not hooked

#: 219 Function Name: NtSetEvent
Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221 Function Name: NtSetHighEventPair
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7f1f200

#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Not hooked

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\SPYWARE STUFF\SASKUTIL.sys" at address 0xf5702f20

#: 258 Function Name: NtTerminateThread
Status: Not hooked

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Not hooked

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Not hooked

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked


There were no hidden services

Have run Ad-Aware, Avira, Spybot. I finally was able to run Malwarebyte Anti-Malware, gave me fits.

Malwarebytes' Anti-Malware 1.41
Database version: 3078
Windows 5.1.2600 Service Pack 3

11/1/2009 11:17:11 AM
mbam-log-2009-11-01 (11-17-11).txt

Scan type: Quick Scan
Objects scanned: 120807
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\mivekele.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{682eab94-06d7-4e85-83f2-4c4fcb8eb56e} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\janonekiv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{682eab94-06d7-4e85-83f2-4c4fcb8eb56e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mibagirap (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nebosoriri (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mivekele.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\mivekele.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\mivekele.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\HEViewer.exe (Trojan.Skillis) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tagurupo.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tovituta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\kofirawa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\penitoro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.


Here's HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:16 AM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\SPYWARE STUFF\SpyBot\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\SPYWARE STUFF\SUPERAntiSpyware.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\TrueSwitchComcast\TrueWizard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {660296fb-41f7-4051-980b-90010d288bc6} - gerogije.dll (file missing)
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\SPYWARE STUFF\SpyBot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SPYWARE STUFF\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchComcast\TrueWizard.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SPYWARE STUFF\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 11039 bytes

Thanks again for the help and time!!!

#4 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 November 2009 - 01:20 PM

Hi,

No problem with helping you, that's why were here :)

ZeroSpyware Lite <--Legit program but the reviews are not so hot, there are better programs out there so your call to uninstall it

Dealio <--This program is under review, its debatable so if you don't use it uninstall this also

Viewpoint Manager <--Another piece of foistware, it installs without your knowledge or consent and is not needed, I would uninstall this also



Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.<--You need to do this for it to take effect




Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.


O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {660296fb-41f7-4051-980b-90010d288bc6} - gerogije.dll (file missing)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


If a systems administrator set these then leave them be other wise you can fix these also
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present





Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#5 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 01 November 2009 - 07:18 PM

ComboFix 09-10-30.01 - Chris 11/01/2009 18:38.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.491 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris\My Documents\ZbThumbnail.info
c:\program files\Search Settings\kb125\res\ErrorPageTemplate.css
c:\program files\Search Settings\kb125\res\help.gif
c:\program files\Search Settings\kb125\res\pixel.gif
c:\program files\Search Settings\kb125\res\tab_icon.png
c:\program files\Search Settings\kb125\res\tabdata.js
c:\program files\Search Settings\kb125\res\tablib.js
c:\program files\Search Settings\kb125\res\tabwelcome_en.html
c:\program files\Search Settings\kb125\res\toolbar_background.gif
c:\program files\Search Settings\kb125\res\vista_directions.png
c:\program files\Search Settings\kb125\res\xp_directions.png
c:\program files\Search Settings\kb125\res\yahoo_search.gif
c:\program files\Search Settings\SearchSettings.exe
c:\windows\MailSwitch.ocx
c:\windows\patch.exe
c:\windows\Web\default.htt

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 00:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 00:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-01 17:03 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 17:03 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 17:03 . 2009-11-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 05:21 . 2009-11-01 05:21 -------- dc----w- C:\VundoFix Backups
2009-11-01 05:09 . 2009-11-01 05:09 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG8
2009-11-01 00:27 . 2009-10-31 21:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 21:37 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-31 21:37 . 2009-10-31 21:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 21:35 . 2009-10-31 21:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 21:34 . 2009-10-31 21:37 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-31 21:34 . 2009-10-31 21:34 -------- d-----w- c:\program files\Lavasoft
2009-10-31 11:38 . 2009-10-31 11:38 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-10-30 23:59 . 2009-10-30 23:59 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-30 23:59 . 2009-10-30 23:59 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 03:22 . 2009-10-30 03:22 -------- d-----w- c:\program files\Trend Micro
2009-10-30 01:03 . 2009-10-30 01:03 -------- d-----w- c:\program files\CCleaner
2009-10-28 02:31 . 2009-10-28 02:31 -------- dc----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-10-28 02:00 . 2009-10-28 12:08 -------- d-----w- c:\program files\cfutxc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 00:46 . 2008-03-12 04:45 -------- d-----w- c:\program files\Search Settings
2009-11-01 23:28 . 2009-06-21 15:47 -------- d-----w- c:\program files\TrueSwitchComcast
2009-11-01 22:12 . 2009-06-13 03:19 -------- d-----w- c:\documents and settings\Chris\Application Data\CallingID
2009-10-31 14:08 . 2004-07-10 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-30 00:20 . 2004-05-07 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-30 00:20 . 2002-10-25 23:01 -------- d-----w- c:\program files\Viewpoint
2009-09-11 14:18 . 2001-08-18 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-18 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2001-08-18 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-12-21 03:47 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 12:48 . 2002-10-25 22:59 148520 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 00:24 . 2004-08-12 23:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-12 23:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-12 23:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2001-08-18 11:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-12-21 02:29 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-12 23:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-12-09 14:12 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2006-12-09 14:12 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2001-08-18 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 01:55 . 2009-07-11 16:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-08 12:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 1980-01-01 05:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 1980-01-01 05:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-02-27 19:03 . 2005-02-27 19:03 11079 ---h--w- c:\program files\folder.htt
2004-02-03 03:16 . 2004-02-03 03:16 47652464 ----a-w- c:\program files\PlusDME_Full.exe
2003-03-07 02:17 . 2003-03-07 02:17 2765 ----a-w- c:\program files\Common Files\AutoUpdate.rtf
2003-01-27 16:50 . 2003-01-27 16:50 1000448 ----a-w- c:\program files\Common Files\AutoUpdate.exe
2002-04-08 01:55 . 2007-10-27 14:34 23040 ----a-w- c:\program files\CodecViewer.exe
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

[7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\agp440.sys
[-] 2001-08-17 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DRIVERS\AGP440.SYS
[-] 2001-08-17 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\SYSTEM32\ReinstallBackups\0014\DriverFiles\i386\AGP440.SYS

c:\windows\system32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"SUPERAntiSpyware"="c:\spyware stuff\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-05-05 1622488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-11-17 684032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-09-08 323216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2005-5-26 73728]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\spyware stuff\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\spyware stuff\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 2003\\mainapp.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\MsnMusic\\4226251\\MsnMusic.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\comcasttb\\CIDGlobalLight.exe"=
"c:\\WINDOWS\\SYSTEM32\\WBEM\\wmiprvse.exe"=
"c:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe"=
"c:\\SPYWARE STUFF\\SpyBot\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\comcasttb\\ComcastSpywareScan\\ComcastAntiSpy.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/31/2009 3:37 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\spyware stuff\sasdifsv.sys [2/17/2009 10:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\spyware stuff\SASKUTIL.SYS [2/17/2009 10:43 AM 55024]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [5/5/2009 7:19 AM 616408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/11/2009 10:34 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1179232]
R3 SASENUM;SASENUM;c:\spyware stuff\SASENUM.SYS [2/17/2009 10:43 AM 7408]
R3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\SYSTEM32\DRIVERS\USR1806.SYS [11/5/2002 6:00 PM 793598]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/10/2007 11:45 PM 124832]
S3 NMUSB;NMUSB;c:\windows\SYSTEM32\DRIVERS\nmusb.sys [1/4/2006 7:48 PM 23520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:36]

2009-11-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

2005-09-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-10-25 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Update Page Content
IE: View All Originals On Page
IE: View Original Image
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-NetGuard Lite - c:\program files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-Start WingMan Profiler - (no file)
HKLM-Run-PestPatrol Control Center - c:\progra~1\PESTPA~1\PPControl.exe
HKLM-Run-PPMemCheck - c:\progra~1\PESTPA~1\PPMemCheck.exe
HKLM-Run-CookiePatrol - c:\progra~1\PESTPA~1\CookiePatrol.exe
HKLM-Run-NewsUpd - c:\program files\Creative\News\NewsUpd.EXE
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
AddRemove-DJ ToneXpress - g:\dj tonexpress 4\uninst.exe
AddRemove-WinAce Archiver - e:\program files\SXUNINST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 18:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g@O??V??g@O??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????gBO??2???????????<???? @???X???X???????????????????Y?????F?Q?????
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???0???X???????????0???P????(?w'(?w????????????(???w??????w????????????0????$?w7(?w?o?wS??w???w????????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f352a22b-a372-4e0a-93d2-be0bd34ae21d}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\pobefoli.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\AncestryToolbar\Options]
@DACL=(02 0000)
"Visible"=dword:00000001
"Welcome"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\spyware stuff\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
Completion time: 2009-11-02 18:53
ComboFix-quarantined-files.txt 2009-11-02 00:52

Pre-Run: 3,252,781,056 bytes free
Post-Run: 3,492,638,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 65268748DA4E4E72CA0BBDED394C7709



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:39 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\SPYWARE STUFF\SUPERAntiSpyware.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\TrueSwitchComcast\TrueWizard.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\comcasttb\CIDGlobalLight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SPYWARE STUFF\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchComcast\TrueWizard.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SPYWARE STUFF\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 9998 bytes

#6 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 November 2009 - 08:18 PM

Hi,

c:\program files\cfutxc <--Can you tell me what this is ?



Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above FCopy::


FCopy:: 
C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe | c:\windows\system32\ctfmon.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#7 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 01 November 2009 - 09:47 PM

Not sure what this is: c:\program files\cfutxc Looks like the folder is empty, and might have been created the night I started having trouble.

ComboFix 09-10-30.01 - Chris 11/01/2009 21:16.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.455 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Settings

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ctfmon.exe --> c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 03:16 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
2009-11-02 03:16 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
2009-11-02 00:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 00:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-01 17:03 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 17:03 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 17:03 . 2009-11-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 05:21 . 2009-11-01 05:21 -------- dc----w- C:\VundoFix Backups
2009-11-01 05:09 . 2009-11-01 05:09 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG8
2009-11-01 00:27 . 2009-10-31 21:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 21:37 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-31 21:37 . 2009-10-31 21:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 21:35 . 2009-10-31 21:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 21:34 . 2009-10-31 21:37 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-31 21:34 . 2009-10-31 21:34 -------- d-----w- c:\program files\Lavasoft
2009-10-31 11:38 . 2009-10-31 11:38 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-10-30 23:59 . 2009-10-30 23:59 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-30 23:59 . 2009-10-30 23:59 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 03:22 . 2009-10-30 03:22 -------- d-----w- c:\program files\Trend Micro
2009-10-30 01:03 . 2009-10-30 01:03 -------- d-----w- c:\program files\CCleaner
2009-10-28 02:31 . 2009-10-28 02:31 -------- dc----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-10-28 02:00 . 2009-10-28 12:08 -------- d-----w- c:\program files\cfutxc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 01:44 . 2009-06-13 03:19 -------- d-----w- c:\documents and settings\Chris\Application Data\CallingID
2009-11-01 23:28 . 2009-06-21 15:47 -------- d-----w- c:\program files\TrueSwitchComcast
2009-10-31 14:08 . 2004-07-10 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-30 00:20 . 2004-05-07 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-30 00:20 . 2002-10-25 23:01 -------- d-----w- c:\program files\Viewpoint
2009-09-11 14:18 . 2001-08-18 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-18 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 23:05 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2001-08-18 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-12-21 03:47 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 12:48 . 2002-10-25 22:59 148520 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 00:24 . 2004-08-12 23:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-12 23:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-12 23:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2001-08-18 11:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-12-21 02:29 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-12 23:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-12-09 14:12 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2006-12-09 14:12 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2001-08-18 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 01:55 . 2009-07-11 16:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-08 12:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 1980-01-01 05:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 1980-01-01 05:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2005-02-27 19:03 . 2005-02-27 19:03 11079 ---h--w- c:\program files\folder.htt
2004-02-03 03:16 . 2004-02-03 03:16 47652464 ----a-w- c:\program files\PlusDME_Full.exe
2003-03-07 02:17 . 2003-03-07 02:17 2765 ----a-w- c:\program files\Common Files\AutoUpdate.rtf
2003-01-27 16:50 . 2003-01-27 16:50 1000448 ----a-w- c:\program files\Common Files\AutoUpdate.exe
2002-04-08 01:55 . 2007-10-27 14:34 23040 ----a-w- c:\program files\CodecViewer.exe
.

------- Sigcheck -------

[7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\agp440.sys
[-] 2001-08-17 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DRIVERS\AGP440.SYS
[-] 2001-08-17 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\SYSTEM32\ReinstallBackups\0014\DriverFiles\i386\AGP440.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"SUPERAntiSpyware"="c:\spyware stuff\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-05-05 1622488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-11-17 684032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-09-08 323216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2005-5-26 73728]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\spyware stuff\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\spyware stuff\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 2003\\mainapp.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\MsnMusic\\4226251\\MsnMusic.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\comcasttb\\CIDGlobalLight.exe"=
"c:\\WINDOWS\\SYSTEM32\\WBEM\\wmiprvse.exe"=
"c:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe"=
"c:\\SPYWARE STUFF\\SpyBot\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\comcasttb\\ComcastSpywareScan\\ComcastAntiSpy.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/31/2009 3:37 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\spyware stuff\sasdifsv.sys [2/17/2009 10:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\spyware stuff\SASKUTIL.SYS [2/17/2009 10:43 AM 55024]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [5/5/2009 7:19 AM 616408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/11/2009 10:34 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1179232]
R3 SASENUM;SASENUM;c:\spyware stuff\SASENUM.SYS [2/17/2009 10:43 AM 7408]
R3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\SYSTEM32\DRIVERS\USR1806.SYS [11/5/2002 6:00 PM 793598]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/10/2007 11:45 PM 124832]
S3 NMUSB;NMUSB;c:\windows\SYSTEM32\DRIVERS\nmusb.sys [1/4/2006 7:48 PM 23520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:36]

2009-11-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

2005-09-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-10-25 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Update Page Content
IE: View All Originals On Page
IE: View Original Image
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 21:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g@O??V??g@O??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????gBO??2???????????<???? @???X???X???????????????????Y?????F?Q?????
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???0???X???????????0???P????(?w'(?w????????????(???w??????w????????????0????$?w7(?w?o?wS??w???w????????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f352a22b-a372-4e0a-93d2-be0bd34ae21d}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\pobefoli.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\AncestryToolbar\Options]
@DACL=(02 0000)
"Visible"=dword:00000001
"Welcome"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\spyware stuff\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(2784)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-02 21:30
ComboFix-quarantined-files.txt 2009-11-02 03:30
ComboFix2.txt 2009-11-02 00:53

Pre-Run: 3,502,940,160 bytes free
Post-Run: 3,502,157,824 bytes free

- - End Of File - - 421A97A63CA01C0220CFB7912A88FD4C


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:15 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\SPYWARE STUFF\SUPERAntiSpyware.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\TrueSwitchComcast\TrueWizard.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SPYWARE STUFF\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchComcast\TrueWizard.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SPYWARE STUFF\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 10079 bytes

#8 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 November 2009 - 05:58 AM

Lets do this

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::


File::
c:\windows\system32\pobefoli.dll

Folder::
c:\program files\cfutxc

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f352a22b-a372-4e0a-93d2-be0bd34ae21d}\InprocServer32]

Registry::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f352a22b-a372-4e0a-93d2-be0bd34ae21d}]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#9 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 02 November 2009 - 09:35 PM

ComboFix 09-11-01.04 - Chris 11/02/2009 20:11.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.417 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\pobefoli.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris\Desktop\exeHelper.com
c:\program files\cfutxc

.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-02 03:16 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
2009-11-02 03:16 . 2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
2009-11-02 00:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 00:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-01 17:03 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 17:03 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 17:03 . 2009-11-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 05:21 . 2009-11-01 05:21 -------- dc----w- C:\VundoFix Backups
2009-11-01 05:09 . 2009-11-01 05:09 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG8
2009-11-01 00:27 . 2009-10-31 21:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-31 21:37 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-31 21:37 . 2009-10-31 21:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-31 21:35 . 2009-10-31 21:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-31 21:34 . 2009-10-31 21:37 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-31 21:34 . 2009-10-31 21:34 -------- d-----w- c:\program files\Lavasoft
2009-10-31 11:38 . 2009-10-31 11:38 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-10-30 23:59 . 2009-10-30 23:59 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-30 23:59 . 2009-10-30 23:59 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 03:22 . 2009-10-30 03:22 -------- d-----w- c:\program files\Trend Micro
2009-10-30 01:03 . 2009-10-30 01:03 -------- d-----w- c:\program files\CCleaner
2009-10-28 02:31 . 2009-10-28 02:31 -------- dc----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 02:07 . 2009-06-13 03:19 -------- d-----w- c:\documents and settings\Chris\Application Data\CallingID
2009-11-03 02:00 . 2009-06-21 15:47 -------- d-----w- c:\program files\TrueSwitchComcast
2009-10-31 14:08 . 2004-07-10 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-30 00:20 . 2004-05-07 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-30 00:20 . 2002-10-25 23:01 -------- d-----w- c:\program files\Viewpoint
2009-09-11 14:18 . 2001-08-18 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-18 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 23:05 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2001-08-18 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-12-21 03:47 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 12:48 . 2002-10-25 22:59 148520 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 00:24 . 2004-08-12 23:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-12 23:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-12 23:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2001-08-18 11:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-12-21 02:29 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-12 23:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-12-09 14:12 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2006-12-09 14:12 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2001-08-18 11:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 01:55 . 2009-07-11 16:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-08 12:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2005-02-27 19:03 . 2005-02-27 19:03 11079 ---h--w- c:\program files\folder.htt
2004-02-03 03:16 . 2004-02-03 03:16 47652464 ----a-w- c:\program files\PlusDME_Full.exe
2003-03-07 02:17 . 2003-03-07 02:17 2765 ----a-w- c:\program files\Common Files\AutoUpdate.rtf
2003-01-27 16:50 . 2003-01-27 16:50 1000448 ----a-w- c:\program files\Common Files\AutoUpdate.exe
2002-04-08 01:55 . 2007-10-27 14:34 23040 ----a-w- c:\program files\CodecViewer.exe
.

------- Sigcheck -------

[7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\agp440.sys
[-] 2001-08-17 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DRIVERS\AGP440.SYS
[-] 2001-08-17 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\SYSTEM32\ReinstallBackups\0014\DriverFiles\i386\AGP440.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"SUPERAntiSpyware"="c:\spyware stuff\SUPERAntiSpyware.exe" [2009-02-17 1830128]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-05-05 1622488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-11-17 684032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-09-08 323216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2005-5-26 73728]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\spyware stuff\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\spyware stuff\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 2003\\mainapp.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\MsnMusic\\4226251\\MsnMusic.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\comcasttb\\CIDGlobalLight.exe"=
"c:\\WINDOWS\\SYSTEM32\\WBEM\\wmiprvse.exe"=
"c:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe"=
"c:\\SPYWARE STUFF\\SpyBot\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\comcasttb\\ComcastSpywareScan\\ComcastAntiSpy.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/31/2009 3:37 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\spyware stuff\sasdifsv.sys [2/17/2009 10:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\spyware stuff\SASKUTIL.SYS [2/17/2009 10:43 AM 55024]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [5/5/2009 7:19 AM 616408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/11/2009 10:34 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1179232]
R3 SASENUM;SASENUM;c:\spyware stuff\SASENUM.SYS [2/17/2009 10:43 AM 7408]
R3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\SYSTEM32\DRIVERS\USR1806.SYS [11/5/2002 6:00 PM 793598]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/10/2007 11:45 PM 124832]
S3 NMUSB;NMUSB;c:\windows\SYSTEM32\DRIVERS\nmusb.sys [1/4/2006 7:48 PM 23520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:36]

2009-11-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

2005-09-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-10-25 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Update Page Content
IE: View All Originals On Page
IE: View Original Image
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 20:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g@O??V??g@O??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????gBO??2???????????<???? @???X???X???????????????????Y?????F?Q?????
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???0???X???????????0???P????(?w'(?w????????????(???w??????w????????????0????$?w7(?w?o?wS??w???w????????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\AncestryToolbar\Options]
@DACL=(02 0000)
"Visible"=dword:00000001
"Welcome"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\spyware stuff\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
Completion time: 2009-11-03 20:29
ComboFix-quarantined-files.txt 2009-11-03 02:28
ComboFix2.txt 2009-11-02 03:30
ComboFix3.txt 2009-11-02 00:53

Pre-Run: 3,489,034,240 bytes free
Post-Run: 3,474,034,688 bytes free

- - End Of File - - 0E2E5DF44B6EE4AB376DC9B09082161D


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:06 PM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\SPYWARE STUFF\SUPERAntiSpyware.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\TrueSwitchComcast\TrueWizard.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SPYWARE STUFF\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchComcast\TrueWizard.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYWAR~1\SpyBot\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SPYWARE STUFF\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 9987 bytes

#10 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 03 November 2009 - 03:24 AM

Good Morning,

You can remove this entry with HJT
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)


You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

c:\program files\Common Files\AutoUpdate.exe <--This file

How are things running now ??

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.

    Advertisements

Register to Remove


#11 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 04 November 2009 - 01:34 AM

Hey Ken,

Here's the Virus Total scan

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.14 -
AhnLab-V3 5.0.0.2 2009.09.13 -
AntiVir 7.9.1.14 2009.09.14 -
Antiy-AVL 2.0.3.7 2009.09.14 -
Authentium 5.1.2.4 2009.09.14 -
Avast 4.8.1351.0 2009.09.13 -
AVG 8.5.0.412 2009.09.14 -
BitDefender 7.2 2009.09.14 -
CAT-QuickHeal 10.00 2009.09.14 -
ClamAV 0.94.1 2009.09.14 -
Comodo 2315 2009.09.14 -
DrWeb 5.0.0.12182 2009.09.14 -
eSafe 7.0.17.0 2009.09.14 -
eTrust-Vet 31.6.6736 2009.09.14 -
F-Prot 4.5.1.85 2009.09.13 -
F-Secure 8.0.14470.0 2009.09.13 -
Fortinet 3.120.0.0 2009.09.14 -
GData 19 2009.09.14 -
Ikarus T3.1.1.72.0 2009.09.14 -
Jiangmin 11.0.800 2009.09.14 -
K7AntiVirus 7.10.843 2009.09.12 -
Kaspersky 7.0.0.125 2009.09.14 -
McAfee 5740 2009.09.13 -
McAfee+Artemis 5740 2009.09.13 Suspect-29!797E17F220B7
McAfee-GW-Edition 6.8.5 2009.09.14 -
Microsoft 1.5005 2009.09.14 -
NOD32 4423 2009.09.14 -
Norman 6.01.09 2009.09.11 -
nProtect 2009.1.8.0 2009.09.14 -
Panda 10.0.2.2 2009.09.13 -
PCTools 4.4.2.0 2009.09.14 -
Prevx 3.0 2009.09.14 -
Rising 21.47.03.00 2009.09.14 Packer.Win32.UnkPacker.a
Sophos 4.45.0 2009.09.14 -
Sunbelt 3.2.1858.2 2009.09.13 -
Symantec 1.4.4.12 2009.09.14 -
TheHacker 6.3.4.4.402 2009.09.12 -
TrendMicro 8.950.0.1094 2009.09.14 -
VBA32 3.12.10.10 2009.09.13 -
ViRobot 2009.9.14.1934 2009.09.14 -
VirusBuster 4.6.5.0 2009.09.13 -
Additional information
File size: 1000448 bytes
MD5 : 797e17f220b719b65f95636f6b30c43a
SHA1 : b5b7601ab352abd1b6ddc03693fd48c71566c917
SHA256: 2204d580c5b6beba5614e4e569e845e5a600794de73dd889d615fc8157350920
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xAC028
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0xAB09C 0xAB200 6.35 90e4b320120f0cc300b79ae7acaee17e
DATA 0xAD000 0x2EE4 0x3000 6.28 1b0e06ad862c1ef10e323a9c8d898f28
BSS 0xB0000 0xD31 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xB1000 0x298E 0x2A00 5.01 6fdc58afc4d1add78b8339f116374899
.tls 0xB4000 0x40 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xB5000 0x18 0x200 0.21 3e4c1a81720157a6a463a5ff471c0fcc
.reloc 0xB6000 0xBB50 0xBC00 6.60 c0c9307e6bc4962e0d45bb1f28df5038
.rsrc 0xC2000 0x37600 0x37600 5.77 f1fce67b65bbf73b44af1e10f865d3e2

( 13 imports )

> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegCreateKeyExA, RegCloseKey
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, lstrcpyA, lstrcmpA, _lwrite, _lread, _lopen, _llseek, _lcreat, _lclose, WritePrivateProfileStringA, WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetLastError, SetFileTime, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, MoveFileA, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProfileIntA, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DosDateTimeToFileTime, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle, Sleep
> lz32.dll: LZOpenFileA, LZCopy, LZClose, GetExpandedNameA
> ole32.dll: CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit, GetErrorInfo, SysFreeString
> shell32.dll: ShellExecuteA
> urlmon.dll: CreateURLMoniker
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA, CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LockWindowUpdate, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> wininet.dll: InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetGetLastResponseInfoA, InternetConnectA, InternetCloseHandle, HttpSendRequestA, HttpQueryInfoA, HttpOpenRequestA, FtpSetCurrentDirectoryA, FtpOpenFileA, FtpFindFirstFileA
> winmm.dll: timeGetTime, sndPlaySoundA

( 0 exports )

TrID : File type identification
47.3% (.EXE) Win32 Executable Borland Delphi 7 (669831/31/56)
31.9% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.5% (.EXE) Win32 Executable Borland Delphi 6 (262644/60)
1.0% (.EXE) Win32 Executable Delphi generic (14687/80/4)
0.6% (.EXE) Win32 Executable Generic (8527/13/3)
ThreatExpert: http://www.threatexp...f95636f6b30c43a
ssdeep: 12288:40EBuc3LUgmuXEX8TiZBzCTdnezAYkU2j+u5iLBpwsrdtpVzOodRd:EhwWUX8TiadnezAYklj+
u5iLoY
PEiD : BobSoft Mini Delphi -> BoB / BobSoft
RDS : NSRL Reference Data Set



Things are running MUCH better than they were. I'm just afraid there's something lurking on my hard drive, maybe I'm just paranoid.

#12 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 04 November 2009 - 03:26 AM

Good Morning,

Logs look fine and that file appears to be ok. Do this


Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#13 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 05 November 2009 - 10:03 PM

Hey Ken, Here's the Eset scan ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=7.00.6000.16915 (vista_gdr.090826-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=87ae6c884ae88849a99a697aa41fd664 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-11-05 01:52:57 # local_time=2009-11-05 07:52:57 (-0600, Central Standard Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 0 0 0 0 # compatibility_mode=768 16777215 100 0 0 0 0 0 # compatibility_mode=1024 16777215 100 0 0 0 0 0 # compatibility_mode=1797 16775129 100 100 0 33750797 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=140115 # found=0 # cleaned=0 # scan_time=7624 Looks like it didn't find anything! What do you think?

#14 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 06 November 2009 - 05:36 AM

Good Morning, Looks good, how are things running now ?

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#15 drummerboy7

drummerboy7

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 06 November 2009 - 08:54 AM

Morning Ken, Computer's starting up a little slower than before all this happened. But not noticing any other issues. Not getting any of the annoying so-called anti-virus pop-ups like before (Security System 2009 and Active Security...I think were the names). Is there something I can do the speed it up? Maybe something's running on startup that should not be. Thanks

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users