
can't get rid of uacinit.dll


  • Root Admin

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

Please create a BOOTLOG
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

Thank you for your help but I am having issues with it. When I try to run Rootrepeal.exe I get the following error message: "Could not find kernel file on disk (C:\windows\system32\ntosknl.exe)". I also cannot get to bleepingcomputer.com at all. I get the "Internet Explorer cannot display the webpage" error.

  • Root Admin

Can you download and burn the tools to a CD from a friend's computer or a work computer?

If so try to get this tool and run it.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Sorry it has taken me so long to reply it took me a while to get the downloads. Anyway here are the logs that I could get. I apologize in advance if any of this is done incorrectly. Please let me know what you think. Thank you again for your attention.

ComboFix 09-03-02.03 - Travis 2009-03-03 19:14:37.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.20 [GMT -5:00]

Running from: c:\documents and settings\Travis\Desktop\123456.exe

AV: Avanquest Fix-It *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Lyndsey\Application Data\ptads.bin

c:\documents and settings\Travis\Application Data\ptads.bin

c:\windows\system32\drivers\UACaanaqpqy.sys

c:\windows\system32\UACahswokug.dll

c:\windows\system32\UACfhcrgxwj.log

c:\windows\system32\UACkxiyrkpa.dat

c:\windows\system32\UAClghtsxoa.dll

c:\windows\system32\UACmvrhpqxp.log

c:\windows\system32\UACpqbdvgvw.dll

c:\windows\system32\UACrbvxdlhn.dll

c:\windows\system32\UACxpsdruaf.log

c:\windows\system32\uninstall.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))

.

2009-02-27 09:26 . 2009-03-03 17:48 5,513 --a------ c:\windows\SYSTEM32\uacinit.dll

2009-02-26 18:35 . 2009-03-03 18:54 17,847 --a------ C:\RootRepeal.dmp

2009-02-26 17:37 . 2009-02-26 21:52 8 --a------ C:\settings.dat

2009-02-26 17:36 . 2008-12-20 18:00 446,464 --a------ C:\RootRepeal.exe

2009-02-26 09:45 . 2009-02-26 09:45 <DIR> d--hs---- c:\documents and settings\Lyndsey\IECompatCache

2009-02-24 11:34 . 2009-02-24 11:34 <DIR> d-------- c:\documents and settings\Lyndsey\Application Data\Malwarebytes

2009-02-23 19:47 . 2008-10-09 10:21 202,928 --a------ c:\windows\SYSTEM32\DRIVERS\sbtis.sys

2009-02-23 16:45 . 2003-10-06 14:16 262,144 --a------ c:\windows\SYSTEM32\nvrstr.dll

2009-02-23 16:45 . 2003-10-06 14:16 262,144 --a------ c:\windows\SYSTEM32\nvrssl.dll

2009-02-23 16:45 . 2003-10-06 14:16 258,048 --a------ c:\windows\SYSTEM32\nvrssv.dll

2009-02-23 16:45 . 2003-10-06 14:16 233,472 --a------ c:\windows\SYSTEM32\nvwrstr.dll

2009-02-23 16:45 . 2003-10-06 14:16 225,280 --a------ c:\windows\SYSTEM32\nvwrssv.dll

2009-02-23 16:45 . 2003-10-06 14:16 225,280 --a------ c:\windows\SYSTEM32\nvwrssl.dll

2009-02-23 16:45 . 2003-10-06 14:16 225,280 --a------ c:\windows\SYSTEM32\nvwrssk.dll

2009-02-23 16:45 . 2003-10-06 14:16 200,704 --a------ c:\windows\SYSTEM32\nvrszht.dll

2009-02-23 16:45 . 2003-10-06 14:16 200,704 --a------ c:\windows\SYSTEM32\nvrszhc.dll

2009-02-23 16:45 . 2003-10-06 14:16 131,072 --a------ c:\windows\SYSTEM32\nvwrszht.dll

2009-02-23 16:45 . 2003-10-06 14:16 126,976 --a------ c:\windows\SYSTEM32\nvwrszhc.dll

2009-02-22 19:34 . 2008-07-18 01:26 68,912 --a------ c:\windows\SYSTEM32\DRIVERS\sbapifs.sys

2009-02-22 19:34 . 2008-07-18 01:26 13,360 --a------ c:\windows\SYSTEM32\DRIVERS\sbaphd.sys

2009-02-22 19:33 . 2009-02-22 19:33 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\Avanquest

2009-02-22 19:32 . 2009-02-22 19:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avanquest

2009-02-22 19:29 . 2009-02-22 19:29 <DIR> dr-hs---- C:\_Backup.RC

2009-02-22 19:27 . 2009-02-23 19:44 <DIR> d-------- c:\program files\Common Files\AntiVirus

2009-02-22 19:27 . 2009-02-22 19:27 <DIR> d-------- c:\program files\Avanquest update

2009-02-22 19:27 . 2009-02-22 19:34 <DIR> d-------- c:\documents and settings\Travis\Application Data\Avanquest

2009-02-22 19:27 . 2009-03-03 19:12 <DIR> d--h----- C:\_Backup

2009-02-22 19:25 . 2009-02-22 19:25 <DIR> d-------- c:\program files\Avanquest

2009-02-22 19:14 . 2009-02-22 19:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-22 12:54 . 2009-02-22 12:54 <DIR> d--hs---- c:\documents and settings\Lyndsey\PrivacIE

2009-02-22 12:53 . 2009-02-22 12:53 <DIR> d--hs---- c:\documents and settings\Lyndsey\IETldCache

2009-02-22 00:04 . 2009-02-22 00:04 <DIR> d-------- c:\documents and settings\Travis\Application Data\Malwarebytes

2009-02-22 00:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-02-22 00:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-02-21 23:55 . 2009-02-22 00:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-21 23:55 . 2009-02-21 23:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-21 22:53 . 2009-02-21 22:53 <DIR> d-------- c:\program files\MSXML 4.0

2009-02-21 19:32 . 2009-02-21 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard

2009-02-21 19:30 . 2009-02-21 19:30 <DIR> d-------- c:\program files\Common Files\iS3

2009-02-21 19:30 . 2009-02-26 22:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-02-21 15:38 . 2009-02-21 15:38 <DIR> d-------- C:\Binaries

2009-02-21 13:57 . 2009-02-21 13:57 <DIR> d--hs---- c:\documents and settings\Travis\IECompatCache

2009-02-21 13:54 . 2009-02-21 13:54 <DIR> d--hs---- c:\documents and settings\Travis\PrivacIE

2009-02-21 13:54 . 2009-02-21 13:54 <DIR> d--hs---- c:\documents and settings\Travis\IETldCache

2009-02-21 13:48 . 2009-02-21 13:49 <DIR> d--h-c--- c:\windows\ie8

2009-02-18 11:55 . 2009-02-18 11:55 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-18 11:55 . 2009-02-18 11:55 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-26 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software

2009-02-23 00:27 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 20:27 164 ----a-w C:\install.dat

2009-02-21 00:37 --------- d-----w c:\program files\Common Files\Adobe

2009-01-19 21:21 --------- d-----w c:\documents and settings\Travis\Application Data\U3

2009-01-12 23:29 --------- d-----w c:\documents and settings\Travis\Application Data\ZoomBrowser EX

2009-01-12 22:58 --------- d-----w c:\documents and settings\Travis\Application Data\CameraWindowDC

2009-01-12 22:44 --------- d-----w c:\documents and settings\Travis\Application Data\CANON INC

2009-01-12 22:20 --------- d-----w c:\program files\Canon

2009-01-12 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-01-12 21:48 --------- d-----w c:\program files\Common Files\Canon

2005-07-23 02:45 97,816 -c--a-w c:\documents and settings\Lyndsey\Application Data\GDIPFONTCACHEV1.DAT

2004-06-26 01:47 97,040 -c--a-w c:\documents and settings\Travis\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]

"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 86102]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-03 98304]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

"nwiz"="nwiz.exe" [2003-10-06 c:\windows\SYSTEM32\nwiz.exe]

"P17Helper"="P17.dll" [2005-05-03 c:\windows\SYSTEM32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-12-08 45056]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R0 szkg5;szkg;c:\windows\SYSTEM32\DRIVERS\SZKG.sys [2008-12-02 54656]

R2 SBAMSvc;Fix-It;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [2008-10-28 886056]

S3 ACCSKMD;Canon Camera Storage Device;c:\windows\SYSTEM32\DRIVERS\accskmd.sys [2002-06-26 26240]

S3 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [2008-10-23 92464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3efb1d2-c49f-11dc-8071-0007e9a8b336}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2aeb09a-e0fc-11dd-9ff8-0007e9a8b336}]

\Shell\AutoRun\command - F:\DPFMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\User_Feed_Synchronization-{8428D2E1-72BA-4AAC-B001-F8DF14D9CE97}.job

- c:\windows\system32\msfeedssync.exe [2009-01-15 02:01]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe

HKLM-Run-LifeCamSetup - D:\setupstb.exe

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

HKLM-Run-CmPCIaudio - CMICNFG3.CPL

.

------- Supplementary Scan -------

.

uStart Page = hxxp://cm.my.yahoo.com/

uInternet Settings,ProxyServer = http=

uInternet Settings,ProxyOverride = <local>;127.0.0.1

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - hxxp://contactme.idilis.ro/webcam.exe

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/23afdbeb2c345bb70a20/netzip/RdxIE601.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-03 19:20:46

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(788)

c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

.

Completion time: 2009-03-03 19:24:41

ComboFix-quarantined-files.txt 2009-03-04 00:24:36

Pre-Run: 42,817,961,984 bytes free

Post-Run: 42,860,797,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

197 --- E O F --- 2009-03-03 23:42:43

DDS (Ver_09-02-01.01) - NTFSx86

Run by Travis at 17:34:18.18 on Tue 03/03/2009

Internet Explorer: 8.0.6001.18372

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.33 [GMT -5:00]

AV: Avanquest Fix-It *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\vVX3000.exe

C:\Program Files\Dell AIO Printer A940\dlbabmon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Travis\Desktop\dds.scr

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://cm.my.yahoo.com/

uSearch Bar = hxxp://start.earthlink.net/AL/Search

uInternet Settings,ProxyServer = http=

uInternet Settings,ProxyOverride = <local>;127.0.0.1

mSearchAssistant = hxxp://start.earthlink.net/AL/Search

BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Performance Center] c:\program files\ascentive\performance center\ApcMain.exe -m

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"

mRun: [nwiz] "nwiz.exe" /install

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd

mRun: [CTSysVol] "c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe" /r

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [VX3000] c:\windows\vVX3000.exe

mRun: [LifeCamSetup] "D:\setupstb.exe"

mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - hxxp://64.124.45.181/downloads/ccpm_0237.cab

DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://download.yahoo.com/dl/installs/yinstc.cab

DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} - hxxp://i.dell.com/images/global/js/scanner/SYSSCANNER.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - hxxp://zone.msn.com/bingame/rock/default/popcaploader1.cab

DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - hxxp://contactme.idilis.ro/webcam.exe

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/23afdbeb2c345bb70a20/netzip/RdxIE601.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235319349359

DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} - hxxp://www.choosedway.com/dwayready/dpcsysinfo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://sc.communities.msn.com/controls/chat/msnchat45.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2008-12-2 54656]

R2 SBAMSvc;Fix-It;c:\program files\common files\antivirus\SBAMSvc.exe [2008-10-28 886056]

S3 ACCSKMD;Canon Camera Storage Device;c:\windows\system32\drivers\accskmd.sys [2002-6-26 26240]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]

=============== Created Last 30 ================

2009-02-26 18:35 17,847 a------- C:\RootRepeal.dmp

2009-02-26 17:37 8 a------- C:\settings.dat

2009-02-26 17:36 446,464 a------- C:\RootRepeal.exe

2009-02-23 19:47 202,928 a------- c:\windows\system32\drivers\sbtis.sys

2009-02-23 16:45 262,144 a------- c:\windows\system32\nvrstr.dll

2009-02-23 16:45 233,472 a------- c:\windows\system32\nvwrstr.dll

2009-02-23 16:45 200,704 a------- c:\windows\system32\nvrszht.dll

2009-02-23 16:45 200,704 a------- c:\windows\system32\nvrszhc.dll

2009-02-23 16:45 131,072 a------- c:\windows\system32\nvwrszht.dll

2009-02-23 16:45 126,976 a------- c:\windows\system32\nvwrszhc.dll

2009-02-23 16:45 262,144 a------- c:\windows\system32\nvrssl.dll

2009-02-23 16:45 258,048 a------- c:\windows\system32\nvrssv.dll

2009-02-23 16:45 225,280 a------- c:\windows\system32\nvwrssv.dll

2009-02-23 16:45 225,280 a------- c:\windows\system32\nvwrssl.dll

2009-02-23 16:45 225,280 a------- c:\windows\system32\nvwrssk.dll

2009-02-22 19:34 68,912 a------- c:\windows\system32\drivers\sbapifs.sys

2009-02-22 19:34 13,360 a------- c:\windows\system32\drivers\sbaphd.sys

2009-02-22 19:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avanquest

2009-02-22 19:29 <DIR> --dshr-- C:\_Backup.RC

2009-02-22 19:27 <DIR> --d-h--- C:\_Backup

2009-02-22 19:27 <DIR> --d----- c:\docume~1\travis\applic~1\Avanquest

2009-02-22 19:27 <DIR> --d----- c:\program files\Avanquest update

2009-02-22 19:27 <DIR> --d----- c:\program files\common files\AntiVirus

2009-02-22 19:25 <DIR> --d----- c:\program files\Avanquest

2009-02-22 19:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2009-02-22 00:04 <DIR> --d----- c:\docume~1\travis\applic~1\Malwarebytes

2009-02-22 00:02 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-02-22 00:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-21 23:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-02-21 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-02-21 22:53 <DIR> --d----- c:\program files\MSXML 4.0

2009-02-21 19:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard

2009-02-21 19:30 <DIR> --d----- c:\program files\common files\iS3

2009-02-21 19:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!

2009-02-21 15:38 <DIR> --d----- C:\Binaries

2009-02-21 13:57 <DIR> --dsh--- c:\documents and settings\travis\IECompatCache

2009-02-21 13:54 <DIR> --dsh--- c:\documents and settings\travis\PrivacIE

2009-02-21 13:54 <DIR> --dsh--- c:\documents and settings\travis\IETldCache

2009-02-21 13:48 <DIR> -cd-h--- c:\windows\ie8

2009-02-18 11:55 54,156 a---h--- c:\windows\QTFont.qfn

2009-02-18 11:55 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-02-21 15:27 164 a------- C:\install.dat

2009-01-15 02:17 636,264 a------- c:\windows\system32\dllcache\iexplore.exe

2009-01-15 02:17 392,040 a------- c:\windows\system32\dllcache\iedkcs32.dll

2009-01-15 02:13 5,888,512 a------- c:\windows\system32\dllcache\mshtml.dll

2009-01-15 02:12 10,963,968 a------- c:\windows\system32\dllcache\ieframe.dll

2009-01-15 02:06 1,182,720 a------- c:\windows\system32\dllcache\urlmon.dll

2009-01-15 02:06 236,544 a------- c:\windows\system32\dllcache\webcheck.dll

2009-01-15 02:06 105,984 a------- c:\windows\system32\dllcache\url.dll

2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll

2009-01-15 02:05 911,872 a------- c:\windows\system32\dllcache\wininet.dll

2009-01-15 02:05 193,536 a------- c:\windows\system32\dllcache\msrating.dll

2009-01-15 02:05 109,056 a------- c:\windows\system32\dllcache\occache.dll

2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll

2009-01-15 02:05 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll

2009-01-15 02:04 755,200 a------- c:\windows\system32\dllcache\VGX.dll

2009-01-15 02:04 18,944 a------- c:\windows\system32\dllcache\corpol.dll

2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll

2009-01-15 02:04 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll

2009-01-15 02:02 1,975,296 a------- c:\windows\system32\dllcache\iertutil.dll

2009-01-15 02:02 593,920 a------- c:\windows\system32\dllcache\msfeeds.dll

2009-01-15 02:02 611,840 a------- c:\windows\system32\dllcache\mstime.dll

2009-01-15 02:01 183,808 a------- c:\windows\system32\dllcache\iepeers.dll

2009-01-15 02:01 59,904 a------- c:\windows\system32\dllcache\icardie.dll

2009-01-15 02:01 54,272 a------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll

2009-01-15 02:01 34,304 a------- c:\windows\system32\dllcache\imgutil.dll

2009-01-15 02:01 348,160 a------- c:\windows\system32\dllcache\dxtmsft.dll

2009-01-15 02:01 46,592 a------- c:\windows\system32\dllcache\pngfilt.dll

2009-01-15 02:01 216,064 a------- c:\windows\system32\dllcache\dxtrans.dll

2009-01-15 02:01 66,560 a------- c:\windows\system32\dllcache\mshtmled.dll

2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll

2009-01-15 02:00 48,128 a------- c:\windows\system32\dllcache\mshtmler.dll

2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe

2009-01-15 02:00 45,568 a------- c:\windows\system32\dllcache\mshta.exe

2009-01-15 01:53 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll

2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll

2009-01-15 01:50 156,160 a------- c:\windows\system32\dllcache\msls31.dll

2009-01-15 01:35 445,440 a------- c:\windows\system32\dllcache\ieapfltr.dll

2008-12-17 17:26 17,408 a----r-- c:\windows\system32\SZIO5.dll

2008-12-17 17:25 282,624 a----r-- c:\windows\system32\SZBase5.dll

2008-12-17 17:24 540,672 a----r-- c:\windows\system32\SZComp5.dll

2008-12-14 17:12 3,698,040 a------- c:\windows\system32\dllcache\ieapfltr.dat

2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys

2005-02-24 13:03 77,727 ac--h--- c:\docume~1\travis\applic~1\ptads.bin

2004-06-25 20:47 97,040 ac------ c:\docume~1\travis\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:35:31.48 ===============

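The ComboFix and DDS logs posted above carry two kinds of indicator a helper scans for by eye: the dropped components with the randomised UAC* names under system32 (and the UACd.sys service), and the Security Center values set to 1 that hide the "antivirus disabled" warnings. The following script is an added example, not part of the thread or of ComboFix/DDS, that does the same triage over a few constructed lines written in the style of the log above. The UAC-prefix pattern is tied to the naming this infection used on this machine and would need adjusting for another log; the Security Center value names are the real ones under HKLM\SOFTWARE\Microsoft\Security Center.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the style of the ComboFix log posted above: a few lines
# from its "Other Deletions", "Drivers/Services", "Files Created" and
# "Reg Loading Points" sections, plus one benign Run entry as a control.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\UACaanaqpqy.sys
c:\windows\system32\UACahswokug.dll
c:\windows\system32\UACfhcrgxwj.log
c:\windows\system32\uninstall.exe
-------\Service_UACd.sys
2009-02-27 09:26 . 2009-03-03 17:48 5,513 --a------ c:\windows\SYSTEM32\uacinit.dll
2009-02-23 16:45 . 2003-10-06 14:16 262,144 --a------ c:\windows\SYSTEM32\nvrstr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# Security Center values that, when set to 1, silence or override its
# antivirus / firewall / update status reporting.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
    "antivirusoverride", "firewalloverride", "disablemonitoring",
}

# A path ending in system32\[drivers\]UAC<anything>.<ext>: the naming the log
# above shows for the dropped files (uacinit.dll included). Infection-specific.
UAC_FILE = re.compile(r"\\system32\\(?:drivers\\)?(uac\w*\.(?:sys|dll|dat|log))\s*$", re.I)
# ComboFix's "-------\Service_<name>" line for a removed service.
UAC_SERVICE = re.compile(r"^-+\\Service_(uac\w*\.sys)\s*$", re.I)
REG_KEY = re.compile(r"^\[(HK[^\]]+)\]\s*$", re.I)
REG_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})\s*$', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "uac-file", "uac-service" or "security-center-tampered"
    detail: str  # file name, service file, or registry key\value


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line, remembering the current registry key so that
    dword values can be attributed to the Security Center subtree."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_DWORD.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            if ("security center" in current_key
                    and name.lower() in SECURITY_CENTER_FLAGS and value == 1):
                findings.append(Finding("security-center-tampered", f"{current_key}\\{name}"))
            continue
        m = UAC_SERVICE.match(line)
        if m:
            findings.append(Finding("uac-service", m.group(1)))
            continue
        m = UAC_FILE.search(line)
        if m:
            findings.append(Finding("uac-file", m.group(1)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a one-glance verdict on a log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:26} {f.detail}")
    print(summarize(results))
```

Run against a real ComboFix.txt, the same `triage()` call works on the whole file; a clean rerun after the fix should report no `uac-file` or `uac-service` findings, while the Security Center values must be reset by hand (or by the tool's registry script) since ComboFix's deletions do not touch them.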

  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\SYSTEM32\uacinit.dll


DirLook::
C:\_Backup.RC
C:\_Backup


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.
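The Code box above is a ComboFix script (a "CFScript"). As an added example, not taken from the forum post or from the ComboFix project, the Python below reads such a script and summarises what it asks the tool to do (terminate running processes, delete files, list directories, delete registry values), which is a useful sanity check before dragging the file onto ComboFix. The directive layout it assumes (a `Name::` header followed by argument lines until the next header, REGEDIT4 syntax under `Registry::` where `"name"=-` means delete the value) is inferred from the script shown; the sample input is a constructed copy of that script, and the relative-path warning is the example's own check.

```python
"""Summarise the actions requested by a ComboFix CFScript.

Added example; not part of the original post or of ComboFix itself.
Format assumption (from the Code box above): a directive is a line ending
in "::"; the lines after it, up to the next directive, are its arguments;
blank lines are ignored. Registry:: arguments use REGEDIT4 syntax, where
"name"=- requests deletion of a value.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed copy of the script from the post above (sample input).
SAMPLE_SCRIPT = """KILLALL::

File::
c:\\windows\\SYSTEM32\\uacinit.dll


DirLook::
C:\\_Backup.RC
C:\\_Backup


Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"AdaptecDirectCD"=-
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class RegistryAction:
    key: str
    value_name: str
    data: Optional[str]  # None means the value is to be deleted ("=-")


@dataclass
class ScriptSummary:
    kill_all: bool = False
    files_to_delete: List[str] = field(default_factory=list)
    dirs_to_list: List[str] = field(default_factory=list)
    registry_actions: List[RegistryAction] = field(default_factory=list)
    unknown_directives: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_sections(text):
    """Split the script into {directive: [argument lines]}, in file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError("argument line before any directive: %r" % line)
    return sections


def parse_registry(lines):
    """Turn REGEDIT4-style lines into RegistryAction records."""
    actions = []
    key = None
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.groups()
            actions.append(RegistryAction(key, name, None if data == "-" else data))
        else:
            raise ValueError("unparsed Registry:: line: %r" % line)
    return actions


def summarise(text):
    """Build a ScriptSummary; unknown directives are reported, not guessed at."""
    summary = ScriptSummary()
    for directive, lines in parse_sections(text).items():
        if directive.upper() == "KILLALL":
            summary.kill_all = True
        elif directive == "File":
            summary.files_to_delete.extend(lines)
        elif directive == "DirLook":
            summary.dirs_to_list.extend(lines)
        elif directive == "Registry":
            summary.registry_actions.extend(parse_registry(lines))
        else:
            summary.unknown_directives.append(directive)
    # Example's own check: a File:: entry should name one absolute path.
    for path in summary.files_to_delete:
        if not ABS_PATH_RE.match(path):
            summary.warnings.append("File:: entry is not an absolute path: " + path)
    return summary


if __name__ == "__main__":
    s = summarise(SAMPLE_SCRIPT)
    print("KILLALL:", s.kill_all)
    print("files to delete:", s.files_to_delete)
    print("directories to list:", s.dirs_to_list)
    for a in s.registry_actions:
        print("registry:", a.key, a.value_name, "DELETE" if a.data is None else a.data)
    print("warnings:", s.warnings)
```

Running it on the sample prints one file to delete (uacinit.dll), the two `_Backup` directories to list, and one registry value deletion under the HKLM Run key, which matches what the helper intends the script to do.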

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
    • When the update is complete, select the Scanner tab
    • Select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


The requested logs follow. I noticed a program running that I am unfamiliar with and wondered where it came from and if I need it (it seems to have slowed my computer to a crawl). It is SBAMSvc.exe. What do you think?

ComboFix 09-03-04.01 - Travis 2009-03-05 21:05:26.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.58 [GMT -5:00]

Running from: c:\documents and settings\Travis\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Travis\Desktop\CFscript.txt

AV: Avanquest Fix-It *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\SYSTEM32\uacinit.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))

.

2009-03-05 21:12 . 2009-03-05 21:12 344 --a------ c:\windows\SYSTEM32\DRIVERS\kgpfr2.cfg

2009-03-05 21:11 . 2009-03-05 21:13 1,688 --a------ c:\windows\SYSTEM32\DRIVERS\kgpcpy.cfg

2009-03-04 18:57 . 2009-03-04 18:57 <DIR> d-------- c:\program files\Trend Micro

2009-02-26 18:35 . 2009-03-03 21:10 17,847 --a------ C:\RootRepeal.dmp

2009-02-26 17:37 . 2009-02-26 21:52 8 --a------ C:\settings.dat

2009-02-26 17:36 . 2008-12-20 18:00 446,464 --a------ C:\RootRepeal.exe

2009-02-26 09:45 . 2009-02-26 09:45 <DIR> d--hs---- c:\documents and settings\Lyndsey\IECompatCache

2009-02-24 11:34 . 2009-02-24 11:34 <DIR> d-------- c:\documents and settings\Lyndsey\Application Data\Malwarebytes

2009-02-23 19:47 . 2008-10-09 10:21 202,928 --a------ c:\windows\SYSTEM32\DRIVERS\sbtis.sys

2009-02-23 16:45 . 2003-10-06 14:16 262,144 --a------ c:\windows\SYSTEM32\nvrstr.dll

2009-02-23 16:45 . 2003-10-06 14:16 262,144 --a------ c:\windows\SYSTEM32\nvrssl.dll

2009-02-23 16:45 . 2003-10-06 14:16 258,048 --a------ c:\windows\SYSTEM32\nvrssv.dll

2009-02-23 16:45 . 2003-10-06 14:16 233,472 --a------ c:\windows\SYSTEM32\nvwrstr.dll

2009-02-23 16:45 . 2003-10-06 14:16 225,280 --a------ c:\windows\SYSTEM32\nvwrssv.dll

2009-02-23 16:45 . 2003-10-06 14:16 225,280 --a------ c:\windows\SYSTEM32\nvwrssl.dll

2009-02-23 16:45 . 2003-10-06 14:16 225,280 --a------ c:\windows\SYSTEM32\nvwrssk.dll

2009-02-23 16:45 . 2003-10-06 14:16 200,704 --a------ c:\windows\SYSTEM32\nvrszht.dll

2009-02-23 16:45 . 2003-10-06 14:16 200,704 --a------ c:\windows\SYSTEM32\nvrszhc.dll

2009-02-23 16:45 . 2003-10-06 14:16 131,072 --a------ c:\windows\SYSTEM32\nvwrszht.dll

2009-02-23 16:45 . 2003-10-06 14:16 126,976 --a------ c:\windows\SYSTEM32\nvwrszhc.dll

2009-02-22 19:34 . 2008-09-12 11:12 69,168 --a------ c:\windows\SYSTEM32\DRIVERS\sbapifs.sys

2009-02-22 19:34 . 2008-09-12 11:12 13,360 --a------ c:\windows\SYSTEM32\DRIVERS\sbaphd.sys

2009-02-22 19:33 . 2009-02-22 19:33 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\Avanquest

2009-02-22 19:32 . 2009-02-22 19:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avanquest

2009-02-22 19:29 . 2009-02-22 19:29 <DIR> dr-hs---- C:\_Backup.RC

2009-02-22 19:27 . 2009-02-23 19:44 <DIR> d-------- c:\program files\Common Files\AntiVirus

2009-02-22 19:27 . 2009-02-22 19:27 <DIR> d-------- c:\program files\Avanquest update

2009-02-22 19:27 . 2009-02-22 19:34 <DIR> d-------- c:\documents and settings\Travis\Application Data\Avanquest

2009-02-22 19:27 . 2009-03-05 21:11 <DIR> d--h----- C:\_Backup

2009-02-22 19:25 . 2009-02-22 19:25 <DIR> d-------- c:\program files\Avanquest

2009-02-22 19:14 . 2009-02-22 19:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-22 12:54 . 2009-02-22 12:54 <DIR> d--hs---- c:\documents and settings\Lyndsey\PrivacIE

2009-02-22 12:53 . 2009-02-22 12:53 <DIR> d--hs---- c:\documents and settings\Lyndsey\IETldCache

2009-02-22 00:04 . 2009-02-22 00:04 <DIR> d-------- c:\documents and settings\Travis\Application Data\Malwarebytes

2009-02-22 00:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-02-22 00:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-02-21 23:55 . 2009-02-22 00:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-21 23:55 . 2009-02-21 23:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-21 22:53 . 2009-02-21 22:53 <DIR> d-------- c:\program files\MSXML 4.0

2009-02-21 19:32 . 2009-02-21 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard

2009-02-21 19:30 . 2009-02-21 19:30 <DIR> d-------- c:\program files\Common Files\iS3

2009-02-21 19:30 . 2009-03-05 21:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-02-21 15:38 . 2009-02-21 15:38 <DIR> d-------- C:\Binaries

2009-02-21 13:57 . 2009-02-21 13:57 <DIR> d--hs---- c:\documents and settings\Travis\IECompatCache

2009-02-21 13:54 . 2009-02-21 13:54 <DIR> d--hs---- c:\documents and settings\Travis\PrivacIE

2009-02-21 13:54 . 2009-02-21 13:54 <DIR> d--hs---- c:\documents and settings\Travis\IETldCache

2009-02-21 13:48 . 2009-02-21 13:49 <DIR> d--h-c--- c:\windows\ie8

2009-02-18 11:55 . 2009-02-18 11:55 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-18 11:55 . 2009-02-18 11:55 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-26 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software

2009-02-23 00:27 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-21 20:27 164 ----a-w C:\install.dat

2009-02-21 00:37 --------- d-----w c:\program files\Common Files\Adobe

2009-01-19 21:21 --------- d-----w c:\documents and settings\Travis\Application Data\U3

2009-01-12 23:29 --------- d-----w c:\documents and settings\Travis\Application Data\ZoomBrowser EX

2009-01-12 22:58 --------- d-----w c:\documents and settings\Travis\Application Data\CameraWindowDC

2009-01-12 22:44 --------- d-----w c:\documents and settings\Travis\Application Data\CANON INC

2009-01-12 22:20 --------- d-----w c:\program files\Canon

2009-01-12 21:56 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-01-12 21:48 --------- d-----w c:\program files\Common Files\Canon

2005-07-23 02:45 97,816 -c--a-w c:\documents and settings\Lyndsey\Application Data\GDIPFONTCACHEV1.DAT

2004-06-26 01:47 97,040 -c--a-w c:\documents and settings\Travis\Application Data\GDIPFONTCACHEV1.DAT

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\_Backup ----

2009-03-05 21:03 38821 --a------ c:\_backup\errcap.log

2009-03-05 20:01 8439 --a------ c:\_backup\Fix-It.Log

2009-03-05 20:01 1599488 --a------ c:\_backup\Fix-It-Log.db

2009-02-23 17:06 286 --a------ c:\_backup\DiagLoad.ctl

2009-02-22 19:44 65536 --a------ c:\_backup\Fix-ItWEL.evt

---- Directory of C:\_Backup.RC ----

2009-03-05 17:47 5628 --a------ c:\_backup.rc\WINDOWS\y2009m03.log

2009-03-05 17:46 48493 --a------ c:\_backup.rc\WINDOWS\SFCFiles.rcd

2009-03-05 17:46 114 --a------ c:\_backup.rc\WINDOWS\DriveMap.rcd

2009-03-05 09:58 69419 --a------ c:\_backup.rc\WINDOWS\Services.rcd

2009-03-04 18:55 5869568 ---h----- c:\_backup.rc\WINDOWS\CP5\NTUSER4.DAT

2009-03-04 18:55 49152 ---h----- c:\_backup.rc\WINDOWS\CP5\UsrClass4.dat

2009-03-04 18:55 2012 --a------ c:\_backup.rc\WINDOWS\CP5\Info.rcd

2009-03-04 18:53 8687616 ---h----- c:\_backup.rc\WINDOWS\CP5\SYSTEM

2009-03-04 18:53 8192 ---h----- c:\_backup.rc\WINDOWS\CP5\UsrClass3.dat

2009-03-04 18:53 8192 ---h----- c:\_backup.rc\WINDOWS\CP5\UsrClass2.dat

2009-03-04 18:53 299008 ---h----- c:\_backup.rc\WINDOWS\CP5\NTUSER1.DAT

2009-03-04 18:53 237568 ---h----- c:\_backup.rc\WINDOWS\CP5\NTUSER3.DAT

2009-03-04 18:53 229376 ---h----- c:\_backup.rc\WINDOWS\CP5\NTUSER2.DAT

2009-03-04 18:50 29511680 ---h----- c:\_backup.rc\WINDOWS\CP5\SOFTWARE

2009-03-04 18:42 49152 ---h----- c:\_backup.rc\WINDOWS\CP5\SECURITY

2009-03-04 18:42 24576 ---h----- c:\_backup.rc\WINDOWS\CP5\SAM

2009-03-04 18:41 33280 --a------ c:\_backup.rc\WINDOWS\CP5\MBR80

2009-03-04 18:41 299008 ---h----- c:\_backup.rc\WINDOWS\CP5\DEFAULT

2009-03-03 18:58 281 -rahs---- c:\_backup.rc\WINDOWS\CP5\boot.ini.rcd

2009-03-02 13:44 5505024 --a------ c:\_backup.rc\WINDOWS\CP5\NTUSER5.DAT

2009-02-27 17:47 19229 --a------ c:\_backup.rc\WINDOWS\y2009m02.log

2009-02-27 17:31 8667136 ---h----- c:\_backup.rc\WINDOWS\CP4\SYSTEM

2009-02-27 17:31 8192 ---h----- c:\_backup.rc\WINDOWS\CP4\UsrClass3.dat

2009-02-27 17:31 8192 ---h----- c:\_backup.rc\WINDOWS\CP4\UsrClass2.dat

2009-02-27 17:31 5820416 ---h----- c:\_backup.rc\WINDOWS\CP4\NTUSER4.DAT

2009-02-27 17:31 49152 ---h----- c:\_backup.rc\WINDOWS\CP4\UsrClass4.dat

2009-02-27 17:31 299008 ---h----- c:\_backup.rc\WINDOWS\CP4\NTUSER1.DAT

2009-02-27 17:31 29495296 ---h----- c:\_backup.rc\WINDOWS\CP4\SOFTWARE

2009-02-27 17:31 237568 ---h----- c:\_backup.rc\WINDOWS\CP4\NTUSER3.DAT

2009-02-27 17:31 233472 ---h----- c:\_backup.rc\WINDOWS\CP4\NTUSER2.DAT

2009-02-27 17:31 1932 --a------ c:\_backup.rc\WINDOWS\CP4\Info.rcd

2009-02-27 17:30 49152 ---h----- c:\_backup.rc\WINDOWS\CP4\SECURITY

2009-02-27 17:30 33280 --a------ c:\_backup.rc\WINDOWS\CP4\MBR80

2009-02-27 17:30 299008 ---h----- c:\_backup.rc\WINDOWS\CP4\DEFAULT

2009-02-27 17:30 24576 ---h----- c:\_backup.rc\WINDOWS\CP4\SAM

2009-02-26 21:57 8667136 ---h----- c:\_backup.rc\WINDOWS\CP3\SYSTEM

2009-02-26 21:57 8192 ---h----- c:\_backup.rc\WINDOWS\CP3\UsrClass3.dat

2009-02-26 21:57 8192 ---h----- c:\_backup.rc\WINDOWS\CP3\UsrClass2.dat

2009-02-26 21:57 5799936 ---h----- c:\_backup.rc\WINDOWS\CP3\NTUSER4.DAT

2009-02-26 21:57 49152 ---h----- c:\_backup.rc\WINDOWS\CP3\UsrClass4.dat

2009-02-26 21:57 299008 ---h----- c:\_backup.rc\WINDOWS\CP3\NTUSER1.DAT

2009-02-26 21:57 29495296 ---h----- c:\_backup.rc\WINDOWS\CP3\SOFTWARE

2009-02-26 21:57 237568 ---h----- c:\_backup.rc\WINDOWS\CP3\NTUSER3.DAT

2009-02-26 21:57 233472 ---h----- c:\_backup.rc\WINDOWS\CP3\NTUSER2.DAT

2009-02-26 21:57 2022 --a------ c:\_backup.rc\WINDOWS\CP3\Info.rcd

2009-02-26 21:56 49152 ---h----- c:\_backup.rc\WINDOWS\CP3\SECURITY

2009-02-26 21:56 33280 --a------ c:\_backup.rc\WINDOWS\CP3\MBR80

2009-02-26 21:56 299008 ---h----- c:\_backup.rc\WINDOWS\CP3\DEFAULT

2009-02-26 21:56 24576 ---h----- c:\_backup.rc\WINDOWS\CP3\SAM

2009-02-26 17:13 5505024 --a------ c:\_backup.rc\WINDOWS\CP4\NTUSER5.DAT

2009-02-26 17:13 5505024 --a------ c:\_backup.rc\WINDOWS\CP3\NTUSER5.DAT

2009-02-25 21:19 8699904 ---h----- c:\_backup.rc\WINDOWS\CP2\SYSTEM

2009-02-25 21:19 8192 ---h----- c:\_backup.rc\WINDOWS\CP2\UsrClass3.dat

2009-02-25 21:19 8192 ---h----- c:\_backup.rc\WINDOWS\CP2\UsrClass2.dat

2009-02-25 21:19 5709824 ---h----- c:\_backup.rc\WINDOWS\CP2\NTUSER4.DAT

2009-02-25 21:19 45056 ---h----- c:\_backup.rc\WINDOWS\CP2\UsrClass4.dat

2009-02-25 21:19 299008 ---h----- c:\_backup.rc\WINDOWS\CP2\NTUSER1.DAT

2009-02-25 21:19 29421568 ---h----- c:\_backup.rc\WINDOWS\CP2\SOFTWARE

2009-02-25 21:19 237568 ---h----- c:\_backup.rc\WINDOWS\CP2\NTUSER3.DAT

2009-02-25 21:19 229376 ---h----- c:\_backup.rc\WINDOWS\CP2\NTUSER2.DAT

2009-02-25 21:19 1932 --a------ c:\_backup.rc\WINDOWS\CP2\Info.rcd

2009-02-25 21:17 49152 ---h----- c:\_backup.rc\WINDOWS\CP2\SECURITY

2009-02-25 21:17 33280 --a------ c:\_backup.rc\WINDOWS\CP2\MBR80

2009-02-25 21:17 299008 ---h----- c:\_backup.rc\WINDOWS\CP2\DEFAULT

2009-02-25 21:17 24576 ---h----- c:\_backup.rc\WINDOWS\CP2\SAM

2009-02-25 21:07 29421568 --a------ c:\_backup.rc\WINDOWS\CP1\SOFTWARE

2009-02-25 21:05 49152 ---h----- c:\_backup.rc\WINDOWS\CP1\SECURITY

2009-02-25 21:05 33280 --a------ c:\_backup.rc\WINDOWS\CP1\MBR80

2009-02-25 21:05 299008 ---h----- c:\_backup.rc\WINDOWS\CP1\DEFAULT

2009-02-25 21:05 24576 ---h----- c:\_backup.rc\WINDOWS\CP1\SAM

2009-02-24 17:35 5505024 --a------ c:\_backup.rc\WINDOWS\CP2\NTUSER5.DAT

2009-02-22 19:32 8654848 ---h----- c:\_backup.rc\WINDOWS\CP0\SYSTEM

2009-02-22 19:32 8192 ---h----- c:\_backup.rc\WINDOWS\CP0\UsrClass3.dat

2009-02-22 19:32 8192 ---h----- c:\_backup.rc\WINDOWS\CP0\UsrClass2.dat

2009-02-22 19:32 5709824 ---h----- c:\_backup.rc\WINDOWS\CP0\NTUSER4.DAT

2009-02-22 19:32 45056 ---h----- c:\_backup.rc\WINDOWS\CP0\UsrClass4.dat

2009-02-22 19:32 299008 ---h----- c:\_backup.rc\WINDOWS\CP0\NTUSER1.DAT

2009-02-22 19:32 237568 ---h----- c:\_backup.rc\WINDOWS\CP0\NTUSER3.DAT

2009-02-22 19:32 233472 ---h----- c:\_backup.rc\WINDOWS\CP0\NTUSER2.DAT

2009-02-22 19:32 1980 --a------ c:\_backup.rc\WINDOWS\CP0\Info.rcd

2009-02-22 19:31 29532160 ---h----- c:\_backup.rc\WINDOWS\CP0\SOFTWARE

2009-02-22 19:29 49152 ---h----- c:\_backup.rc\WINDOWS\CP0\SECURITY

2009-02-22 19:29 33280 --a------ c:\_backup.rc\WINDOWS\CP0\MBR80

2009-02-22 19:29 299008 ---h----- c:\_backup.rc\WINDOWS\CP0\DEFAULT

2009-02-22 19:29 24576 ---h----- c:\_backup.rc\WINDOWS\CP0\SAM

2009-02-21 22:24 5505024 --a------ c:\_backup.rc\WINDOWS\CP0\NTUSER5.DAT

2008-10-12 18:59 69632 --a------ c:\_backup.rc\WINDOWS\CP5\UsrClass5.dat

2008-10-12 18:59 69632 --a------ c:\_backup.rc\WINDOWS\CP4\UsrClass5.dat

2008-10-12 18:59 69632 --a------ c:\_backup.rc\WINDOWS\CP3\UsrClass5.dat

2008-10-12 18:59 69632 --a------ c:\_backup.rc\WINDOWS\CP2\UsrClass5.dat

2008-10-12 18:59 69632 --a------ c:\_backup.rc\WINDOWS\CP0\UsrClass5.dat

2008-04-12 18:16 211 --ahs---- c:\_backup.rc\WINDOWS\CP4\boot.ini.rcd

2008-04-12 18:16 211 --ahs---- c:\_backup.rc\WINDOWS\CP3\boot.ini.rcd

2008-04-12 18:16 211 --ahs---- c:\_backup.rc\WINDOWS\CP2\boot.ini.rcd

2008-04-12 18:16 211 --ahs---- c:\_backup.rc\WINDOWS\CP0\boot.ini.rcd

2004-11-04 12:53 47564 -rahs---- c:\_backup.rc\WINDOWS\CP5\ntdetect.com.rcd

2004-11-04 12:53 47564 -rahs---- c:\_backup.rc\WINDOWS\CP4\ntdetect.com.rcd

2004-11-04 12:53 47564 -rahs---- c:\_backup.rc\WINDOWS\CP3\ntdetect.com.rcd

2004-11-04 12:53 47564 -rahs---- c:\_backup.rc\WINDOWS\CP2\ntdetect.com.rcd

2004-11-04 12:53 47564 -rahs---- c:\_backup.rc\WINDOWS\CP0\ntdetect.com.rcd

2004-11-04 12:53 250032 -rahs---- c:\_backup.rc\WINDOWS\CP5\ntldr.rcd

2004-11-04 12:53 250032 -rahs---- c:\_backup.rc\WINDOWS\CP4\ntldr.rcd

2004-11-04 12:53 250032 -rahs---- c:\_backup.rc\WINDOWS\CP3\ntldr.rcd

2004-11-04 12:53 250032 -rahs---- c:\_backup.rc\WINDOWS\CP2\ntldr.rcd

2004-11-04 12:53 250032 -rahs---- c:\_backup.rc\WINDOWS\CP0\ntldr.rcd

2002-12-08 12:26 262144 --ah----- c:\_backup.rc\WINDOWS\CP5\UsrClass1.dat

2002-12-08 12:26 262144 --ah----- c:\_backup.rc\WINDOWS\CP4\UsrClass1.dat

2002-12-08 12:26 262144 --ah----- c:\_backup.rc\WINDOWS\CP3\UsrClass1.dat

2002-12-08 12:26 262144 --ah----- c:\_backup.rc\WINDOWS\CP2\UsrClass1.dat

2002-12-08 12:26 262144 --ah----- c:\_backup.rc\WINDOWS\CP0\UsrClass1.dat

((((((((((((((((((((((((((((( SnapShot@2009-03-03_19.23.18.14 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-02-15 23:01:04 1,476,992 ------w c:\windows\SYSTEM32\LegitCheckControl.dll

+ 2008-03-20 23:06:36 1,480,232 ------w c:\windows\SYSTEM32\LegitCheckControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]

"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 86102]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-03 98304]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

"nwiz"="nwiz.exe" [2003-10-06 c:\windows\SYSTEM32\nwiz.exe]

"P17Helper"="P17.dll" [2005-05-03 c:\windows\SYSTEM32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-12-08 45056]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

R3 ACCSKMD;Canon Camera Storage Device;c:\windows\system32\DRIVERS\accskmd.sys [2002-06-26 26240]

R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2008-10-23 92464]

S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [2008-12-02 54656]

S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-09-12 13360]

S2 SBAMSvc;Fix-It;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [2008-10-28 886056]

S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-09-12 69168]

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD

*Deregistered* - agp440

*Deregistered* - ALG

*Deregistered* - Arp1394

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - Beep

*Deregistered* - BITS

*Deregistered* - CCALib8

*Deregistered* - Cdfs

*Deregistered* - cdudf_xp

*Deregistered* - Creative Service for CDROM Access

*Deregistered* - CryptSvc

*Deregistered* - ctsfm2k

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - dsunidrv

*Deregistered* - dvd_2K

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - Fips

*Deregistered* - Fix-It Task Manager

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HTTP

*Deregistered* - HTTPFilter

*Deregistered* - i2omgmt

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LexBceS

*Deregistered* - LightScribeService

*Deregistered* - MDM

*Deregistered* - mnmdd

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - NVSvc

*Deregistered* - omci

*Deregistered* - ossrv

*Deregistered* - ParVdm

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - RichVideo

*Deregistered* - ROOTMODEM

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - SBAMSvc

*Deregistered* - sbaphd

*Deregistered* - sbapifs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - szkg5

*Deregistered* - szserver

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - UdfReadr_xp

*Deregistered* - Update

*Deregistered* - upnphost

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - w32time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - WMPNetworkSvc

*Deregistered* - WS2IFSL

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WudfPf

*Deregistered* - WudfSvc

*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3efb1d2-c49f-11dc-8071-0007e9a8b336}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2aeb09a-e0fc-11dd-9ff8-0007e9a8b336}]

\Shell\AutoRun\command - F:\DPFMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\User_Feed_Synchronization-{8428D2E1-72BA-4AAC-B001-F8DF14D9CE97}.job

- c:\windows\system32\msfeedssync.exe [2009-01-15 02:01]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://cm.my.yahoo.com/

uInternet Settings,ProxyServer = http=

uInternet Settings,ProxyOverride = <local>;127.0.0.1

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-05 21:14:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(776)

c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe

c:\windows\SYSTEM32\LEXBCES.EXE

c:\windows\SYSTEM32\LEXPPS.EXE

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\progra~1\AVANQU~1\Fix-It\mxtask.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\SYSTEM32\nvsvc32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\progra~1\AVANQU~1\Fix-It\mxtask.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Dell AIO Printer A940\dlbabmon.exe

c:\windows\SYSTEM32\rundll32.exe

c:\windows\SYSTEM32\rundll32.exe

.

**************************************************************************

.

Completion time: 2009-03-05 21:26:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-06 02:25:57

ComboFix2.txt 2009-03-04 00:24:43

Pre-Run: 42,492,248,064 bytes free

Post-Run: 42,872,348,672 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

429 --- E O F --- 2009-03-03 23:42:43

Malwarebytes' Anti-Malware 1.34

Database version: 1822

Windows 5.1.2600 Service Pack 2

3/5/2009 9:37:36 PM

mbam-log-2009-03-05 (21-37-36).txt

Scan type: Quick Scan

Objects scanned: 98187

Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:39:02 PM, on 3/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe

C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

C:\Program Files\Dell AIO Printer A940\dlbabmon.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\vVX3000.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe

O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235319349359

O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.choosedway.com/dwayready/dpcsysinfo.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Fix-It (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--

End of file - 9220 bytes


  • Root Admin

If you look in your Add/Remove you should see the Sunbelt AV software.

Stop or kill the process with Task Manager if you need to and upload it and have it scanned for Malware.

Upload a File to Jotti

Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

c:\program files\Common Files\AntiVirus\SBAMSvc.exe

Press Submit - this will submit the file for testing.

Please wait for all the scanners to finish then copy and paste the results in your next response.
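As an added example (not code from the thread or from the HijackThis project): a small Python triage script for logs in the format posted above, which pulls out the entries a helper reviews first (items marked "(file missing)", O10 Winsock LSP entries, O23 services with "Unknown owner") and collects every service's binary path so files such as SBAMSvc.exe can be located and submitted for scanning. The sample lines are an excerpt of the log above.

```python
"""Triage helper for HijackThis-style logs (added example, not a tool from the thread)."""
import re

# Constructed sample: a few lines excerpted from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Fix-It (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
# body of an O23 line: "Service: <name> - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")


def parse_entries(text):
    """Yield (section, body) for each entry line; blank and non-entry lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text):
    """Return findings worth a first look:
    missing       - entries whose file is gone (stale registry references, often leftovers)
    lsp           - Winsock LSP DLLs (O10), deduplicated; a hijack here sits in the network stack
    unknown_owner - O23 services with no vendor string
    services      - name -> binary path for every service, for hash lookup / upload
    """
    findings = {"missing": [], "lsp": [], "unknown_owner": [], "services": {}}
    for section, body in parse_entries(text):
        if body.endswith("(file missing)"):
            findings["missing"].append(f"{section} - {body}")
        if section == "O10":
            # split on the first colon, which precedes the path (the drive letter's colon comes later)
            dll = body.split(":", 1)[1].strip()
            if dll not in findings["lsp"]:
                findings["lsp"].append(dll)
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m:
                findings["services"][m.group("name")] = m.group("path")
                if m.group("owner") == "Unknown owner":
                    findings["unknown_owner"].append(m.group("name"))
    return findings
```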


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
