
CLB driver infection



ROOTREPEAL © AD, 2007-2009

==================================================

Scan Time: 2009/06/07 18:50

Program Version: Version 1.3.0.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACaocjmfccahguptd.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfplhwnmlvjbfrjy.log

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACgdvivsrugholuym.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACixwmbrkntcbxflj.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClmjeksnqvpwroai.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClqsmkjejihyckyt.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACotrmwwsnwoeyenk.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxkuyonqhhlxqlsw.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjnqnhlgkskvlppu.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\TMP000000C5245228A17A0B157D

Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\SKYNEToyfjtpeo.sys

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\UAC9fb.tmp

Status: Invisible to the Windows API!

I hope someone can tell me if anything here is malware. Thank you in advance. Dan


I rescanned and this is the new report.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Time: 2009/06/07 19:33

Program Version: Version 1.3.0.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\settings.dat

Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\UACaocjmfccahguptd.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfplhwnmlvjbfrjy.log

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACgdvivsrugholuym.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACixwmbrkntcbxflj.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClmjeksnqvpwroai.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClqsmkjejihyckyt.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACotrmwwsnwoeyenk.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxkuyonqhhlxqlsw.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjnqnhlgkskvlppu.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACfebe.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNEToyfjtpeo.sys

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAClnrhkbdoqcnoofq.sys

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\UAC9fb.tmp

Status: Invisible to the Windows API!


Oh.. I'm sorry. I followed the directions of another poster who suggested a quick fix by downloading RootRepeal and, if I wasn't sure what to delete, I could post the report to the forum. My problem is I uninstalled Malwarebytes when it wouldn't open. Tried reinstalling by changing the name. I had no luck there. Same thing with SUPERAntiSpyware. My McAfee virus scan works but it seems to quarantine the same trojan every time I run it. I downloaded the beta of HOUSECALL and it supposedly got rid of a trojan but it does not open anymore either. Now I get strange virus alerts and virus programs load into my taskbar. I've been to several forums with no luck. The one thing that they all say is that Malwarebytes will fix it if you can get it to work. I figured that this is the forum where I have the best shot to accomplish this. Thank you in advance for any help or replies. Dan


Hi, my bad on communication AS, my CLB walkthrough suggested folks start a topic in the HJT forum if they were not sure which driver to hit and post up the RootRepeal log.

Hi Dansar and welcome to the MBAM forums :P

You have 2 variants of CLB driver infection onboard, UAC and the very recent Skynet variant.

These are the 2 drivers you need to wipe with RootRepeal after a hidden file scan, then reboot.

Path: C:\WINDOWS\system32\drivers\SKYNEToyfjtpeo.sys

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAClnrhkbdoqcnoofq.sys

Status: Invisible to the Windows API!

Once rebooted, attempt to install, update and run a Quickscan with MBAM :)


If you look at the 1st RootRepeal log you will notice that the UAC .sys file is not there. I did wipe it, but on rescan you'll see (my 2nd log) that it reappeared. I looked in Hidden Services in RootRepeal and it is there too, but when I try to wipe it I get a message saying unable to remove. The Skynet file is there too.


Ok, it is possible that you have an active dropper on your PC that installed the older variant, and the service entry is not to be worried about for now.

If we kill both drivers present then we can get your PC cleaned up from there :P

For now please do as I have directed:

Open RootRepeal and run the hidden file scan only.

Locate both of the following lines only and select *wipe file* for each one.

Path: C:\WINDOWS\system32\drivers\SKYNEToyfjtpeo.sys

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAClnrhkbdoqcnoofq.sys

Status: Invisible to the Windows API!

Next you must reboot your PC, install, update and run the MBAM Quickscan and then post back the log that MBAM generates.

Thanks in advance :)


I finally was able to get to the infected computer. What a mess! I had to go to safe mode and I was able to wipe out SKYNET. Still in safe mode I ran Malwarebytes and got rid of 18 bad files. I rebooted and my IE wouldn't work but the AOL browser did open if I signed on. I redownloaded Malwarebytes and it completed. Removed 2 more bad files but it still will not update from the program. McAfee detects one called NTQueryDirectoryFile Generic rootkit but can not do anything about it. Here's the latest RootRepeal scans.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Time: 2009/06/08 19:53

Program Version: Version 1.3.0.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TMP0000002AD93C9EE49D1697C5

Status: Invisible to the Windows API!

Path: c:\windows\$ntservicepackuninstall$\ndis.sys

Status: Size mismatch (API: 182656, Raw: 182912)

Path: c:\windows\system32\dllcache\ndis.sys

Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\windows\system32\drivers\ndis.sys

Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\Documents and Settings\Dan\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

Status: Size mismatch (API: 182656, Raw: 0)

and a hidden services scan

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Time: 2009/06/08 19:54

Program Version: Version 1.3.0.0

Windows Version: Windows XP SP3

==================================================

Hidden Services

-------------------

Service Name: kungsfepsflgme

Image Path: C:\WINDOWS\system32\drivers\kungsfydjnpsac.sys

Service Name: SKYNETkbfpmpdw

Image Path: C:\WINDOWS\system32\drivers\SKYNEToyfjtpeo.sys

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UAClnrhkbdoqcnoofq.sys

THANK YOU in advance for any help. Dan


Ok, that's getting a bit better.

Those service entries are only orphaned values, as the driver(s) they load no longer exist, but we will clean them up shortly.

Just noticed you now have a 4th rootkit onboard, the NDIS.sys patcher; that was some nasty infection you have had onboard :P

Let's try and attack this and clean up the orphaned values :)

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

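As an added example (not code from this thread or from RootRepeal's author), a small Python triage script for the "Hidden/Locked Files" and "Hidden Services" report layout seen in the logs above: it separates hidden drivers from other hidden files, picks out size-mismatched system files like the patched ndis.sys, treats the locked hiberfil.sys as expected noise, and lists hidden service entries whose image path is not among the hidden files (the kind of entry called orphaned above, to be confirmed on disk). The embedded sample log is constructed, with placeholder file names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in RootRepeal's "Hidden/Locked Files" and "Hidden Services"
# report layout (modelled on the thread's logs; the file names are placeholders).
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
Scan Time: 2009/06/08 19:53

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\UACexample1.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\SKYNETexample.sys
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\Temp\\TMP00000001
Status: Visible to the Windows API, but not on disk.

Path: c:\\windows\\system32\\drivers\\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\\Documents and Settings\\Dan\\Application Data\\flashplayer\\sys
Status: Size mismatch (API: 182656, Raw: 0)

Hidden Services
-------------------
Service Name: SKYNETexample
Image Path: C:\\WINDOWS\\system32\\drivers\\SKYNETexample.sys

Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACexample2.sys
"""

# A file entry is a "Path:" line followed by its "Status:" line (blank lines in
# between are tolerated, as forum pastes add them); services pair
# "Service Name:" with "Image Path:".
FILE_RE = re.compile(r"^Path:[ \t]*(.+?)[ \t]*\n\s*Status:[ \t]*(.+?)[ \t]*$", re.MULTILINE)
SERVICE_RE = re.compile(r"^Service Name:[ \t]*(.+?)[ \t]*\n\s*Image Path:[ \t]*(.+?)[ \t]*$", re.MULTILINE)
SIZE_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")


def parse_hidden_files(report):
    return FILE_RE.findall(report)  # [(path, status), ...]


def parse_hidden_services(report):
    return SERVICE_RE.findall(report)  # [(service_name, image_path), ...]


@dataclass
class Triage:
    hidden_drivers: list = field(default_factory=list)     # invisible .sys under \drivers\
    hidden_files: list = field(default_factory=list)       # other invisible entries
    patched_files: list = field(default_factory=list)      # (path, api_size, raw_size)
    verify_manually: list = field(default_factory=list)    # size mismatch with raw size 0
    expected: list = field(default_factory=list)           # known-normal noise
    transient: list = field(default_factory=list)          # visible to the API but gone from disk
    dangling_services: list = field(default_factory=list)  # image path not among hidden files
    other: list = field(default_factory=list)              # unrecognised (path, status) pairs


def triage(report):
    t = Triage()
    hidden = set()
    for path, status in parse_hidden_files(report):
        low, m = path.lower(), SIZE_RE.search(status)
        if status.startswith("Invisible"):
            hidden.add(low)
            # a hidden kernel driver is the highest-priority finding
            is_driver = "\\drivers\\" in low and low.endswith(".sys")
            (t.hidden_drivers if is_driver else t.hidden_files).append(path)
        elif m:
            api, raw = int(m.group(1)), int(m.group(2))
            # raw size 0 means nothing was read from disk for this entry: check by hand
            (t.verify_manually if raw == 0 else t.patched_files).append((path, api, raw))
        elif status.startswith("Locked") and low.endswith("\\hiberfil.sys"):
            t.expected.append(path)  # the hibernation file is always locked
        elif status.startswith("Visible to the Windows API, but not on disk"):
            t.transient.append(path)  # usually a temp file deleted mid-scan
        else:
            t.other.append((path, status))  # keep anything unrecognised rather than drop it
    for name, image in parse_hidden_services(report):
        if image.lower() not in hidden:
            t.dangling_services.append((name, image))  # confirm whether the image still exists
    return t


def summarize(t):
    """Report lines, most urgent first (hidden drivers, then patched system files)."""
    lines = [f"hidden driver: {p}" for p in t.hidden_drivers]
    lines += [f"patched file: {p} (API {a} vs raw {r} bytes)" for p, a, r in t.patched_files]
    lines += [f"hidden file: {p}" for p in t.hidden_files]
    lines += [f"service without hidden image: {n} -> {i}" for n, i in t.dangling_services]
    lines += [f"verify manually: {p} (raw size {r})" for p, _, r in t.verify_manually]
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```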

After using ComboFix I was able to update Malwarebytes and SUPERAntiSpyware. Both programs have found more malware, and McAfee blocked a trojan and keeps blocking a buffer overflow. WOW.. Seems like I'm under attack but everything is much better. All programs are operating as they should. Keeping my fingers crossed. Thank you again. Dan


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:16:53 PM, on 6/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\AOL\1242056371\ee\AOLSoftware.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe

C:\Program Files\Common Files\AOL\1242056371\ee\AOLDesktop.exe

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\9129837.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1242056371\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe

O4 - Startup: zqosys32.exe

O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?

O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1241873418609

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 7250

ComboFix 09-06-09.01 - Dan 06/09/2009 15:02.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.585 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Dan\Application Data\wiaserva.log

c:\documents and settings\Dan\Application Data\wiaservg.log

c:\documents and settings\Dan\Start Menu\Programs\Startup\fmnupd32.exe

c:\windows\run_1244436627.exe

c:\windows\system32\avast!Antivirus.exe

c:\windows\system32\drivers\SKYNEToyfjtpeo.sys

c:\windows\system32\kungsflwjjxqty.dat

c:\windows\system32\UACixwmbrkntcbxflj.db

c:\windows\system32\UACotrmwwsnwoeyenk.dat

C:\xcrashdump.dat

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - The cat ate it :P

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AVAST!ANTIVIRUS

-------\Service_avast!Antivirus

-------\Service_kungsfepsflgme

-------\Service_SKYNETkbfpmpdw

((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))

.

2009-06-09 02:01 . 2009-06-09 20:07 117760 ----a-w- c:\documents and settings\Dan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-09 02:01 . 2009-06-09 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-06-09 02:00 . 2009-06-09 02:00 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-06-09 02:00 . 2009-06-09 02:00 -------- d-----w- c:\documents and settings\Dan\Application Data\SUPERAntiSpyware.com

2009-06-09 02:00 . 2009-06-09 02:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-06-09 01:06 . 2009-06-09 01:06 60586 ----a-w- c:\documents and settings\Dan\Application Data\Instant Housecall\Free Edition\Specialist\UninstallSignIn.exe

2009-06-09 01:06 . 2009-06-09 01:06 -------- d-----w- c:\documents and settings\Dan\Application Data\Instant Housecall

2009-06-08 22:27 . 2009-06-08 22:27 33888 ----a-w- c:\windows\system32\drivers\olpad17.sys

2009-06-08 22:17 . 2009-06-08 22:17 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2009-06-08 03:42 . 2009-06-09 19:59 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys

2009-06-08 00:29 . 2009-06-08 00:29 0 ----a-w- c:\documents and settings\Dan\settings.dat

2009-06-07 22:29 . 2009-06-09 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-07 22:29 . 2009-06-07 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-07 22:13 . 2009-06-09 02:25 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jZip

2009-06-07 22:13 . 2009-06-07 22:13 -------- d-----w- c:\documents and settings\Dan\Application Data\Yahoo!

2009-06-07 22:13 . 2009-06-08 04:17 -------- d-----w- c:\program files\Yahoo!

2009-06-07 21:55 . 2009-06-07 21:55 -------- d-----w- c:\documents and settings\Dan\Application Data\Uniblue

2009-06-06 01:21 . 2004-05-11 15:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll

2009-06-06 01:21 . 2003-11-19 19:59 512688 ----a-w- c:\windows\system32\XceedCry.dll

2009-06-06 01:21 . 2000-07-15 11:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

2009-06-06 01:21 . 2000-07-15 05:00 118784 ----a-w- c:\windows\system32\msstdfmt.dll

2009-06-06 00:03 . 2009-06-06 00:03 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Identities

2009-06-05 18:59 . 2009-06-06 01:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-05 16:24 . 2009-06-05 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-05 15:09 . 2009-06-05 15:09 -------- d-----w- c:\program files\Trend Micro

2009-06-05 12:34 . 2009-05-26 18:20 75024 ----a-w- c:\documents and settings\FLUFFY\mbamext.dll

2009-06-05 12:34 . 2009-05-26 18:20 1283344 ----a-w- c:\documents and settings\FLUFFY\mbam.exe

2009-06-05 12:34 . 2009-06-05 12:41 -------- d-----w- c:\documents and settings\FLUFFY

2009-06-05 03:58 . 2009-06-05 03:58 -------- d-----w- c:\program files\Windows Defender

2009-06-05 02:06 . 2009-06-05 02:06 -------- d-----w- c:\program files\VS Revo Group

2009-05-22 03:33 . 2009-05-22 03:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-05-19 19:53 . 2009-06-09 01:54 -------- d-----w- c:\documents and settings\Dan\Application Data\IObit

2009-05-19 19:53 . 2009-05-19 19:53 -------- d-----w- c:\program files\IObit

2009-05-14 02:28 . 2009-05-14 02:28 -------- d-----w- c:\documents and settings\Dan\Application Data\Apple Computer

2009-05-14 02:28 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-05-14 02:28 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2009-05-14 02:28 . 2009-05-14 02:28 -------- d-----w- c:\program files\iPod

2009-05-14 02:27 . 2009-05-14 02:28 -------- d-----w- c:\program files\iTunes

2009-05-14 02:27 . 2009-05-14 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-05-14 02:27 . 2009-05-14 02:27 -------- d-----w- c:\program files\Bonjour

2009-05-14 02:26 . 2009-05-14 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-05-14 02:25 . 2009-05-14 02:25 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Apple

2009-05-14 02:25 . 2009-05-14 02:25 -------- d-----w- c:\program files\Apple Software Update

2009-05-14 02:24 . 2009-06-05 17:03 -------- dc----w- c:\windows\system32\DRVSTORE

2009-05-14 02:24 . 2009-05-14 02:28 -------- d-----w- c:\program files\Common Files\Apple

2009-05-14 02:24 . 2009-05-14 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-05-14 02:23 . 2009-05-14 02:23 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Apple Computer

2009-05-11 16:14 . 2009-05-11 16:14 -------- d-----w- c:\documents and settings\Dan\Application Data\AOL

2009-05-11 15:44 . 2009-05-11 15:44 -------- d-----w- c:\documents and settings\Dan\Application Data\acccore

2009-05-11 15:42 . 2009-05-11 15:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AOL

2009-05-11 15:42 . 2009-06-09 01:54 -------- d-----w- c:\program files\AOL Toolbar

2009-05-11 15:41 . 2003-01-10 21:13 33588 ----a-r- c:\windows\system32\drivers\wanatw4.sys

2009-05-11 15:41 . 2009-05-24 02:42 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\AOL

2009-05-11 15:40 . 2009-05-11 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-05-11 15:39 . 2009-05-11 15:41 -------- d-----w- c:\program files\Common Files\AOL

2009-05-11 15:39 . 2009-05-11 15:39 -------- d-----w- c:\program files\Common Files\aolshare

2009-05-11 15:37 . 2009-05-11 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-05-11 15:37 . 2009-05-11 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP

2009-05-11 15:37 . 2009-05-11 15:37 686928 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\SinfInst.exe

2009-05-11 15:37 . 2009-05-11 15:37 607392 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wbsetup.exe

2009-05-11 15:37 . 2009-05-11 15:37 7976 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wappchck.dll

2009-05-11 15:37 . 2009-05-11 15:37 95792 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\AOLFwMgr.dll

2009-05-11 15:36 . 2009-05-11 15:37 1174536 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\prfrd.exe

2009-05-11 15:36 . 2009-05-11 15:36 383128 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\tbsetup.exe

2009-05-11 15:36 . 2009-05-11 15:36 1651320 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\reginst4.exe

2009-05-11 15:36 . 2009-05-11 15:36 205360 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\maillang.exe

2009-05-11 15:36 . 2009-05-11 15:36 6363152 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ocpinst.exe

2009-05-11 15:36 . 2009-05-11 15:36 641960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\SLinst.exe

2009-05-11 15:36 . 2009-05-11 15:36 357304 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\frntinst.exe

2009-05-11 15:36 . 2009-05-11 15:36 2439824 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ocpinsti.exe

2009-05-11 15:36 . 2009-05-11 15:36 17192 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\brwschk.dll

2009-05-11 15:36 . 2009-05-11 15:36 7976 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\jgchck.dll

2009-05-11 15:34 . 2009-05-11 15:34 96096 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\instph.dll

2009-05-11 15:34 . 2009-05-11 15:34 215864 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wsfinst.exe

2009-05-11 15:34 . 2009-05-11 15:34 376568 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\unagi3.exe

2009-05-11 15:34 . 2009-05-11 15:34 1364064 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\fdosetup.exe

2009-05-11 15:34 . 2009-05-11 15:34 11048 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ocfcheck.dll

2009-05-11 15:34 . 2009-05-11 15:34 294376 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\iacinst.exe

2009-05-11 15:34 . 2009-05-11 15:34 45864 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ACSInstA.dll

2009-05-11 15:34 . 2009-05-11 15:34 74536 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\instSup.dll

2009-05-11 15:34 . 2009-05-11 15:34 1612544 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\acslang.exe

2009-05-11 15:34 . 2009-05-11 15:34 83808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\ProgUpd.dll

2009-05-11 15:33 . 2009-05-11 15:34 10533216 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\noneCodesignFilesBundle.exe

2009-05-11 15:33 . 2009-05-11 15:33 7976 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\suitedet.dll

2009-05-11 15:33 . 2009-05-11 15:33 1484136 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\acscore.exe

2009-05-11 15:33 . 2009-05-11 15:33 420152 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\AIMLang.exe

2009-05-11 15:33 . 2009-05-11 15:33 122832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\jginst.exe

2009-05-11 15:33 . 2009-05-11 15:33 7464 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ie7chck.dll

2009-05-11 15:33 . 2009-05-11 15:33 2426184 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\frntlang.exe

2009-05-11 15:33 . 2009-05-11 15:33 11048 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\tbinst.dll

2009-05-11 15:33 . 2009-05-11 15:33 10856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wsfixchk.dll

2009-05-11 15:33 . 2009-05-11 15:33 155432 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\upgrade.exe

2009-05-11 15:33 . 2009-05-11 15:33 335 ----a-w- c:\windows\nsreg.dat

2009-05-11 15:33 . 2009-05-11 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-09 20:08 . 2009-06-09 20:08 101182 ----a-w- c:\windows\system32\drivers\a0cb222d.sys

2009-06-09 20:08 . 2009-06-09 20:08 24576 ----a-w- c:\windows\9129837.exe

2009-06-09 20:04 . 2003-08-14 02:58 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2009-06-08 03:42 . 2009-05-09 03:56 -------- d-----w- c:\documents and settings\Dan\Application Data\AdobeUM

2009-06-05 03:58 . 2009-05-09 14:22 30600 ----a-w- c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-26 18:20 . 2009-05-09 15:47 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 18:19 . 2009-05-09 15:47 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-16 02:20 . 2003-08-14 21:50 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-05-16 02:20 . 2003-08-15 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

2009-05-16 02:12 . 2009-05-09 04:03 -------- d-----w- c:\program files\Microsoft Works

2009-05-16 01:59 . 2003-08-15 01:09 -------- d-----w- c:\program files\Sony

2009-05-14 02:27 . 2003-08-15 19:22 -------- d-----w- c:\program files\QuickTime

2009-05-11 15:40 . 2003-08-15 19:21 -------- d-----w- c:\program files\Viewpoint

2009-05-10 01:37 . 2009-05-09 16:08 -------- d-----w- c:\program files\McAfee

2009-05-09 18:16 . 2009-05-09 18:16 -------- d-----w- c:\program files\CCleaner

2009-05-09 17:05 . 2009-05-09 17:05 -------- d-----w- c:\documents and settings\Dan\Application Data\Sony Corporation

2009-05-09 16:41 . 2009-05-09 16:41 -------- d-----w- c:\documents and settings\Dan\Application Data\Drag'n Drop CD+DVD

2009-05-09 16:31 . 2009-05-09 03:56 -------- d-----w- c:\documents and settings\Dan\Application Data\MSN6

2009-05-09 16:30 . 2003-08-15 19:28 -------- d-----w- c:\program files\MoodLogic

2009-05-09 16:14 . 2009-05-09 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-05-09 16:10 . 2009-05-09 16:09 -------- d-----w- c:\program files\Common Files\McAfee

2009-05-09 16:09 . 2009-05-09 16:09 -------- d-----w- c:\program files\McAfee.com

2009-05-09 15:43 . 2009-05-09 15:41 -------- d-----w- c:\program files\Google

2009-05-09 14:59 . 2003-08-14 03:07 87711 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2009-05-09 12:38 . 2009-05-09 12:38 -------- d-----w- c:\program files\NETGEAR

2009-05-09 04:17 . 2009-05-09 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-05-09 04:05 . 2009-05-09 04:05 -------- d-----w- c:\program files\Encarta Online

2009-05-09 04:02 . 2009-05-09 04:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Symantec

2009-05-09 03:57 . 2009-05-09 03:57 -------- d-----w- c:\program files\drag'n drop cd+dvd

2009-05-09 03:57 . 2009-05-09 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2009-05-09 03:57 . 2009-05-09 03:57 -------- d-----w- c:\program files\cyberlink

2009-05-09 03:56 . 2009-05-09 03:56 0 ---ha-r- c:\windows\system32\drivers\Sony_PCV-RS411(UC)_.mrk

2009-05-09 02:28 . 2009-05-09 04:01 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-04-02 21:29 . 2009-04-02 21:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

2009-03-25 11:29 . 2009-03-25 11:29 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys

2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-09 39408]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-05-01 2329936]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

"ttool"="c:\windows\9129837.exe" [2009-06-09 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"HostManager"="c:\program files\Common Files\AOL\1242056371\ee\AOLSoftware.exe" [2008-06-24 41824]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2008-6-24 41824]

zqosys32.exe [2008-4-13 27648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-5-9 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1242056371\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1242056371\\ee\\AOLDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/9/2009 7:38 AM 66048]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [5/9/2009 7:38 AM 272128]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [5/9/2009 7:38 AM 13532]

S0 bnnsr;bnnsr;c:\windows\system32\drivers\ayqdekw.sys --> c:\windows\system32\drivers\ayqdekw.sys [?]

S1 olpad17;olpad17;c:\windows\system32\drivers\olpad17.sys [6/8/2009 5:27 PM 33888]

.

Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-09 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-09 18:32]

2009-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-09 18:32]

2009-06-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-05-09 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\System32\OOBE\oobebaln.exe [2003-08-14 00:12]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://comcast.net

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-09 15:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\a0cb222d]

"ImagePath"="\SystemRoot\System32\drivers\a0cb222d.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\AOL\1242056371\ee\AOLDesktop.exe

c:\program files\Common Files\AOL\ACS\AOLacsd.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe

c:\program files\McAfee\MPF\MpfSrv.exe

.

**************************************************************************

.

Completion time: 2009-06-09 15:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-09 20:12

Pre-Run: 6,592,372,736 bytes free

Post-Run: 6,614,429,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

300 --- E O F --- 2009-05-14 02:34


Hi Dansar,

Unfortunately there is still malware on your PC, including a 5th rootkit infection (Backdoor.Rustock).

I have added defs for MBAM to attack your variant overnight, so please update and run an MBAM QS, then post back the log generated.

Also please rerun ComboFix as you did earlier and post back the new ComboFix log + a new HijackThis log.

Thanks in advance ;)

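The checks a helper applies by eye to a ComboFix log like the one posted above, written out as code. This is an added example, not part of the thread, of ComboFix or of Malwarebytes: the rule names, the regexes and the "why" text are this example's own assumptions about what makes a line suspicious, and the sample input is constructed by copying lines from the log above (plus two clean QuickTime and SUPERAntiSpyware lines as controls). The indicators it encodes are the ones visible in that log: a numeric-named executable dropped straight into c:\windows and launched from a Run key, a boot-start service whose driver file ComboFix could not find on disk (the `--> path [?]` form), a driver named with eight hex characters and no vendor prefix, a Startup-folder item with no path, the IE proxy pointed at localhost:7171, the firewall profile switched off, and Security Center monitoring disabled.

```python
"""Indicator triage over ComboFix-style log lines.

Added example, not part of the forum thread or of ComboFix/Malwarebytes.
The rule names and patterns are this example's own assumptions; they encode
what a helper eyeballs in such a log, not any vendor's signatures.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log posted above,
# plus two known-good lines (QuickTime, SUPERAntiSpyware) as controls.
SAMPLE_LOG = r"""
2009-06-09 20:08 . 2009-06-09 20:08 101182 ----a-w- c:\windows\system32\drivers\a0cb222d.sys
2009-06-09 20:08 . 2009-06-09 20:08 24576 ----a-w- c:\windows\9129837.exe
"ttool"="c:\windows\9129837.exe" [2009-06-09 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
zqosys32.exe [2008-4-13 27648]
S0 bnnsr;bnnsr;c:\windows\system32\drivers\ayqdekw.sys --> c:\windows\system32\drivers\ayqdekw.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
uInternet Settings,ProxyServer = http=localhost:7171
"EnableFirewall"= 0 (0x0)
"DisableMonitoring"=dword:00000001
"""

# (rule name, pattern with exactly one capture group for the evidence, why it matters)
RULES = [
    ("numeric-exe-in-windows-root",
     re.compile(r"c:\\windows\\(\d+\.exe)\b", re.I),
     "executable with a purely numeric name dropped directly under c:\\windows"),
    ("random-hex-driver-name",
     re.compile(r"\\drivers\\([0-9a-f]{8}\.sys)$", re.I),
     "kernel driver named with eight hex digits and no vendor prefix (heuristic)"),
    ("service-image-missing",
     re.compile(r"^[RS][0-4]\s+([^;]+);.*\[\?\]$"),
     "service still registered but ComboFix could not find its driver file on disk"),
    ("startup-entry-without-path",
     re.compile(r"^([^\\\s]+\.exe)\s+\[", re.I),
     "Startup-folder item that resolves to a bare file name, no path"),
    ("proxy-to-localhost",
     re.compile(r"ProxyServer\s*=\s*\S*?((?:localhost|127\.0\.0\.1):\d+)", re.I),
     "browser proxy pointed at a local port: something on the box is relaying web traffic"),
    ("firewall-disabled",
     re.compile(r'^"(EnableFirewall)"\s*=\s*0\b'),
     "Windows Firewall standard profile switched off"),
    ("security-center-monitoring-disabled",
     re.compile(r'^"(DisableMonitoring)"\s*=\s*dword:0*1$'),
     "Security Center told to stop monitoring an AV/firewall product (weak on its own)"),
]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every non-empty line; return one finding per (line, rule) hit."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern, why in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"rule": name, "evidence": match.group(1),
                                 "why": why, "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per rule so a reviewer sees the shape of the infection at a glance."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["rule"]] = counts.get(finding["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for finding in hits:
        print(f"[{finding['rule']}] {finding['evidence']}")
        print(f"    {finding['why']}")
        print(f"    {finding['line']}")
    print(summarize(hits))
```

Two caveats on reading the output. The name-based rules (numeric executable, eight-hex-digit driver) are heuristics that catch what this thread's samples look like; the real check on a driver is its Authenticode signature and hash, not its file name. And `DisableMonitoring` is also set legitimately by security suites that report their own status to Security Center, so on its own it corroborates the other indicators rather than proving anything.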

ComboFix 09-06-11.05 - Dan 06/11/2009 14:51.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.558 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files\ODCTOOLS

.

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))

.

2009-06-11 17:45 . 2009-06-11 17:46 117760 ----a-w- c:\documents and settings\sherry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-11 17:45 . 2009-06-11 17:45 -------- d-----w- c:\documents and settings\sherry\Application Data\SUPERAntiSpyware.com

2009-06-11 02:04 . 2009-06-11 02:04 -------- d-----w- c:\documents and settings\sherry\Local Settings\Application Data\AOL

2009-06-11 02:04 . 2009-06-11 02:04 -------- d-----w- c:\documents and settings\sherry\Application Data\Malwarebytes

2009-06-08 00:29 . 2009-06-08 00:29 0 ----a-w- c:\documents and settings\Dan\settings.dat

2009-06-07 22:29 . 2009-06-09 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-07 22:29 . 2009-06-07 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-07 22:13 . 2009-06-09 02:25 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\jZip

2009-06-07 22:13 . 2009-06-07 22:13 -------- d-----w- c:\documents and settings\Dan\Application Data\Yahoo!

2009-06-07 22:13 . 2009-06-08 04:17 -------- d-----w- c:\program files\Yahoo!

2009-06-07 21:55 . 2009-06-07 21:55 -------- d-----w- c:\documents and settings\Dan\Application Data\Uniblue

2009-06-06 01:21 . 2004-05-11 15:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll

2009-06-06 01:21 . 2003-11-19 19:59 512688 ----a-w- c:\windows\system32\XceedCry.dll

2009-06-06 01:21 . 2000-07-15 11:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

2009-06-06 01:21 . 2000-07-15 05:00 118784 ----a-w- c:\windows\system32\msstdfmt.dll

2009-06-06 00:03 . 2009-06-06 00:03 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Identities

2009-06-05 18:59 . 2009-06-06 01:00 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-05 16:24 . 2009-06-05 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-05 15:09 . 2009-06-05 15:09 -------- d-----w- c:\program files\Trend Micro

2009-06-05 12:34 . 2009-05-26 18:20 75024 ----a-w- c:\documents and settings\FLUFFY\mbamext.dll

2009-06-05 12:34 . 2009-05-26 18:20 1283344 ----a-w- c:\documents and settings\FLUFFY\mbam.exe

2009-06-05 12:34 . 2009-06-05 12:41 -------- d-----w- c:\documents and settings\FLUFFY

2009-06-05 03:58 . 2009-06-05 03:58 -------- d-----w- c:\program files\Windows Defender

2009-06-05 02:06 . 2009-06-05 02:06 -------- d-----w- c:\program files\VS Revo Group

2009-05-22 03:33 . 2009-05-22 03:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-05-19 19:53 . 2009-06-09 01:54 -------- d-----w- c:\documents and settings\Dan\Application Data\IObit

2009-05-19 19:53 . 2009-05-19 19:53 -------- d-----w- c:\program files\IObit

2009-05-14 02:28 . 2009-05-14 02:28 -------- d-----w- c:\documents and settings\Dan\Application Data\Apple Computer

2009-05-14 02:28 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-05-14 02:28 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2009-05-14 02:28 . 2009-05-14 02:28 -------- d-----w- c:\program files\iPod

2009-05-14 02:27 . 2009-05-14 02:28 -------- d-----w- c:\program files\iTunes

2009-05-14 02:27 . 2009-05-14 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-05-14 02:27 . 2009-05-14 02:27 -------- d-----w- c:\program files\Bonjour

2009-05-14 02:26 . 2009-05-14 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-05-14 02:25 . 2009-05-14 02:25 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Apple

2009-05-14 02:25 . 2009-05-14 02:25 -------- d-----w- c:\program files\Apple Software Update

2009-05-14 02:24 . 2009-06-05 17:03 -------- dc----w- c:\windows\system32\DRVSTORE

2009-05-14 02:24 . 2009-05-14 02:28 -------- d-----w- c:\program files\Common Files\Apple

2009-05-14 02:24 . 2009-05-14 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-05-14 02:23 . 2009-05-14 02:23 -------- d-----w- c:\documents and settings\Dan\Local Settings\Application Data\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-11 18:34 . 2009-06-09 02:01 117760 ----a-w- c:\documents and settings\Dan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-11 02:03 . 2009-06-11 02:03 30600 ----a-w- c:\documents and settings\sherry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-09 20:04 . 2003-08-14 02:58 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2009-06-09 02:01 . 2009-06-09 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-06-09 02:00 . 2009-06-09 02:00 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-06-09 02:00 . 2009-06-09 02:00 -------- d-----w- c:\documents and settings\Dan\Application Data\SUPERAntiSpyware.com

2009-06-09 02:00 . 2009-06-09 02:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-06-09 01:54 . 2009-05-11 15:42 -------- d-----w- c:\program files\AOL Toolbar

2009-06-09 01:06 . 2009-06-09 01:06 60586 ----a-w- c:\documents and settings\Dan\Application Data\Instant Housecall\Free Edition\Specialist\UninstallSignIn.exe

2009-06-09 01:06 . 2009-06-09 01:06 -------- d-----w- c:\documents and settings\Dan\Application Data\Instant Housecall

2009-06-08 22:17 . 2009-06-08 22:17 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2009-06-08 03:42 . 2009-05-09 03:56 -------- d-----w- c:\documents and settings\Dan\Application Data\AdobeUM

2009-06-05 03:58 . 2009-05-09 14:22 30600 ----a-w- c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-26 18:20 . 2009-05-09 15:47 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 18:19 . 2009-05-09 15:47 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-16 02:20 . 2003-08-14 21:50 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-05-16 02:20 . 2003-08-15 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

2009-05-16 02:12 . 2009-05-09 04:03 -------- d-----w- c:\program files\Microsoft Works

2009-05-16 01:59 . 2003-08-15 01:09 -------- d-----w- c:\program files\Sony

2009-05-14 02:27 . 2003-08-15 19:22 -------- d-----w- c:\program files\QuickTime

2009-05-11 16:14 . 2009-05-11 16:14 -------- d-----w- c:\documents and settings\Dan\Application Data\AOL

2009-05-11 15:44 . 2009-05-11 15:44 -------- d-----w- c:\documents and settings\Dan\Application Data\acccore

2009-05-11 15:41 . 2009-05-11 15:39 -------- d-----w- c:\program files\Common Files\AOL

2009-05-11 15:41 . 2009-05-11 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-05-11 15:40 . 2009-05-11 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-05-11 15:40 . 2003-08-15 19:21 -------- d-----w- c:\program files\Viewpoint

2009-05-11 15:39 . 2009-05-11 15:39 -------- d-----w- c:\program files\Common Files\aolshare

2009-05-11 15:37 . 2009-05-11 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP

2009-05-11 15:37 . 2009-05-11 15:37 686928 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\SinfInst.exe

2009-05-11 15:37 . 2009-05-11 15:37 607392 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wbsetup.exe

2009-05-11 15:37 . 2009-05-11 15:37 7976 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wappchck.dll

2009-05-11 15:37 . 2009-05-11 15:37 95792 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\AOLFwMgr.dll

2009-05-11 15:37 . 2009-05-11 15:36 1174536 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\prfrd.exe

2009-05-11 15:36 . 2009-05-11 15:36 383128 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\tbsetup.exe

2009-05-11 15:36 . 2009-05-11 15:36 1651320 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\reginst4.exe

2009-05-11 15:36 . 2009-05-11 15:36 205360 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\maillang.exe

2009-05-11 15:36 . 2009-05-11 15:36 6363152 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ocpinst.exe

2009-05-11 15:36 . 2009-05-11 15:36 641960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\SLinst.exe

2009-05-11 15:36 . 2009-05-11 15:36 357304 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\frntinst.exe

2009-05-11 15:36 . 2009-05-11 15:36 2439824 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ocpinsti.exe

2009-05-11 15:36 . 2009-05-11 15:36 17192 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\brwschk.dll

2009-05-11 15:36 . 2009-05-11 15:36 7976 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\jgchck.dll

2009-05-11 15:34 . 2009-05-11 15:34 96096 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\instph.dll

2009-05-11 15:34 . 2009-05-11 15:34 215864 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wsfinst.exe

2009-05-11 15:34 . 2009-05-11 15:34 376568 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\unagi3.exe

2009-05-11 15:34 . 2009-05-11 15:34 1364064 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\fdosetup.exe

2009-05-11 15:34 . 2009-05-11 15:34 11048 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ocfcheck.dll

2009-05-11 15:34 . 2009-05-11 15:34 294376 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\iacinst.exe

2009-05-11 15:34 . 2009-05-11 15:34 45864 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ACSInstA.dll

2009-05-11 15:34 . 2009-05-11 15:34 74536 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\instSup.dll

2009-05-11 15:34 . 2009-05-11 15:34 1612544 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\acslang.exe

2009-05-11 15:34 . 2009-05-11 15:34 83808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\ProgUpd.dll

2009-05-11 15:34 . 2009-05-11 15:33 10533216 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\noneCodesignFilesBundle.exe

2009-05-11 15:33 . 2009-05-11 15:33 7976 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\suitedet.dll

2009-05-11 15:33 . 2009-05-11 15:33 1484136 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\acscore.exe

2009-05-11 15:33 . 2009-05-11 15:33 420152 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\AIMLang.exe

2009-05-11 15:33 . 2009-05-11 15:33 122832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\jginst.exe

2009-05-11 15:33 . 2009-05-11 15:33 7464 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\ie7chck.dll

2009-05-11 15:33 . 2009-05-11 15:33 2426184 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\frntlang.exe

2009-05-11 15:33 . 2009-05-11 15:33 11048 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\tbinst.dll

2009-05-11 15:33 . 2009-05-11 15:33 10856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\comps\wsfixchk.dll

2009-05-11 15:33 . 2009-05-11 15:33 155432 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\NexusSuite\2.1.84.1\upgrade.exe

2009-05-11 15:33 . 2009-05-11 15:33 335 ----a-w- c:\windows\nsreg.dat

2009-05-11 15:33 . 2009-05-11 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

2009-05-10 01:37 . 2009-05-09 16:08 -------- d-----w- c:\program files\McAfee

2009-05-09 18:16 . 2009-05-09 18:16 -------- d-----w- c:\program files\CCleaner

2009-05-09 17:05 . 2009-05-09 17:05 -------- d-----w- c:\documents and settings\Dan\Application Data\Sony Corporation

2009-05-09 16:41 . 2009-05-09 16:41 -------- d-----w- c:\documents and settings\Dan\Application Data\Drag'n Drop CD+DVD

2009-05-09 16:31 . 2009-05-09 03:56 -------- d-----w- c:\documents and settings\Dan\Application Data\MSN6

2009-05-09 16:30 . 2003-08-15 19:28 -------- d-----w- c:\program files\MoodLogic

2009-05-09 16:14 . 2009-05-09 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-05-09 16:10 . 2009-05-09 16:09 -------- d-----w- c:\program files\Common Files\McAfee

2009-05-09 16:09 . 2009-05-09 16:09 -------- d-----w- c:\program files\McAfee.com

2009-05-09 15:43 . 2009-05-09 15:41 -------- d-----w- c:\program files\Google

2009-05-09 14:59 . 2003-08-14 03:07 87711 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2009-05-09 12:38 . 2009-05-09 12:38 -------- d-----w- c:\program files\NETGEAR

2009-05-09 04:17 . 2009-05-09 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-05-09 04:05 . 2009-05-09 04:05 -------- d-----w- c:\program files\Encarta Online

2009-05-09 04:02 . 2009-05-09 04:02 -------- d-----w- c:\documents and settings\Dan\Application Data\Symantec

2009-05-09 03:57 . 2009-05-09 03:57 -------- d-----w- c:\program files\drag'n drop cd+dvd

2009-05-09 03:57 . 2009-05-09 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2009-05-09 03:57 . 2009-05-09 03:57 -------- d-----w- c:\program files\cyberlink

2009-05-09 03:56 . 2009-05-09 03:56 0 ---ha-r- c:\windows\system32\drivers\Sony_PCV-RS411(UC)_.mrk

2009-05-09 02:28 . 2009-05-09 04:01 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-04-02 21:29 . 2009-04-02 21:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

2009-03-25 11:29 . 2009-03-25 11:29 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys

2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-06-09_20.08.12 )))))))))))))))))))))))))))))))))))))))))

.

+ 2003-08-14 03:09 . 2009-06-11 16:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2003-08-14 03:09 . 2009-06-09 19:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2003-08-14 03:09 . 2009-06-11 16:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2003-08-14 03:09 . 2009-06-09 19:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2003-08-14 03:09 . 2009-06-11 16:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2003-08-14 03:09 . 2009-06-09 19:19 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-07-10 21:54 . 2008-07-10 21:54 409168 c:\windows\Downloaded Program Files\MSDcode.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-09 39408]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-05-01 2329936]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

"Google Update"="c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"HostManager"="c:\program files\Common Files\AOL\1242056371\ee\AOLSoftware.exe" [2008-06-24 41824]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

c:\documents and settings\Dan\Start Menu\Programs\Startup\

AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2008-6-24 41824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-5-9 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1242056371\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1242056371\\ee\\AOLDesktop.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/9/2009 7:38 AM 66048]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [5/9/2009 7:38 AM 272128]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [5/9/2009 7:38 AM 13532]

S0 bnnsr;bnnsr;c:\windows\system32\drivers\ayqdekw.sys --> c:\windows\system32\drivers\ayqdekw.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-860267971-3276669125-4260065072-1005.job

- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-10 23:58]

2009-05-09 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-09 18:32]

2009-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-09 18:32]

2009-06-11 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-05-09 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\System32\OOBE\oobebaln.exe [2003-08-14 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://comcast.net

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

Trusted Zone: microsoft.com\widowsupdate

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-11 14:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-860267971-3276669125-4260065072-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

- - - - - - - > 'winlogon.exe'(4048)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-06-11 14:55

ComboFix-quarantined-files.txt 2009-06-11 19:54

ComboFix2.txt 2009-06-09 20:12

Pre-Run: 7,587,807,232 bytes free

Post-Run: 7,582,994,432 bytes free

274 --- E O F --- 2009-05-14 02:34

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:15:15 PM, on 6/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\AOL\1242056371\ee\AOLSoftware.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe

C:\Program Files\Common Files\AOL\1242056371\ee\AOLDesktop.exe

C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1242056371\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe

O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?

O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1241873418609

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--

End of file - 7326 bytes

Malwarebytes' Anti-Malware 1.37

Database version: 2263

Windows 5.1.2600 Service Pack 3

6/11/2009 3:21:12 PM

mbam-log-2009-06-11 (15-21-12).txt

Scan type: Quick Scan

Objects scanned: 91123

Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


You're welcome ;)

Here's some handy reading: the Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Safe surfing :)
