
Hi, thanks for your help. The only noticeable symptoms that I'm still experiencing are redirects to websites that want me to download more software. I have scanned with Super Anti Spyware, PC Cillan, Dr. Web Cure It, and MBAM. Below are my logs.

Malwarebytes' Anti-Malware 1.37

Database version: 2266

Windows 5.1.2600 Service Pack 2

6/12/2009 11:29:31 AM

mbam-log-2009-06-12 (11-29-31).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)

Objects scanned: 56134

Time elapsed: 15 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:01:05 PM, on 6/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe

C:\Program Files\AutoHotkey\AutoHotkey.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0070105

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Startup: Shortcut to AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Siemens SpeedStream Wireless PCI.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--

End of file - 8698 bytes


Hello and Welcome to the Malwarebytes' Malware Removal forum.

There's nothing unusual in your HJT log.

I have scanned with Super Anti Spyware, PC Cillan, Dr. Web Cure It, and MBAM.

Can I see your DrWeb and SuperAntispyware logs please?

Do the redirects occur both when using Internet Explorer and when using Firefox or any other alternate browser?

Please test this.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your TrendMicro antivirus and all antispyware programs by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

You may now re-enable any active protection you disabled before performing the scan.

Download DDS and save it to your desktop from here


Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste both logs into your next reply.

To sum it up, I need to see:

1. DrWeb and SAS logs

2. ARK.txt

3. DDS - DDS.txt & Attach.txt posted in your reply - not attached


Sorry for the delay... I was with my family all weekend.

Thanks again!

Drew

Dr Web:

A0052914.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP312;Probably BATCH.Virus;;

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 06/14/2009 at 09:35 PM

Application Version : 4.26.1004

Core Rules Database Version : 3936

Trace Rules Database Version: 1879

Scan type : Complete Scan

Total Scan Time : 00:25:18

Memory items scanned : 509

Memory threats detected : 0

Registry items scanned : 5547

Registry threats detected : 0

File items scanned : 19212

File threats detected : 0

GMER 1.0.15.14972 - http://www.gmer.net

Rootkit scan 2009-06-14 21:10:16

Windows 5.1.2600 Service Pack 2

.text ...

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!KfReleaseSpinLock] 000000BD

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!KfRaiseIrql] 0001BC83

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB0 0x17 0x7B 0xA8 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB0 0x17 0x7B 0xA8 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC8 0x3C 0xA6 0x42 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC8 0x3C 0xA6 0x42 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0xFC 0xAA 0x3F ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEE 0xFC 0xAA 0x3F ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!KfLowerIrql] 24468B00

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!READ_PORT_USHORT] 83660000

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!KeGetCurrentIrql] 89000001

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!HalGetInterruptVector] 89820C8D

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320

---- Devices - GMER 1.0.15 ----

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A079500

Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A079500

Device \Driver\USBSTOR \Device\00000075 8A2501F8

Device \Driver\USBSTOR \Device\00000076 8A2501F8

Device \Driver\USBSTOR \Device\0000007b 8A2501F8

Device \Driver\USBSTOR \Device\0000007c 8A2501F8

Device \Driver\USBSTOR \Device\0000007d 8A2501F8

Device \Driver\USBSTOR \Device\0000007e 8A2501F8

Device \Driver\USBSTOR \Device\0000007f 8A2501F8

Device \FileSystem\Fastfat \FatCdrom 8A267500

Device \FileSystem\Fastfat \Fat 8A267500

Device \FileSystem\Cdfs \Cdfs 8A4F7500

Device \Driver\aklb1mir \Device\Scsi\aklb1mir1 8A516500

Device \Driver\aklb1mir \Device\Scsi\aklb1mir1Port4Path0Target0Lun0 8A516500

Device \Driver\NetBT \Device\NetBT_Tcpip_{62053026-17FB-4802-BAE6-88D76E632490} 8A5561F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 8A5561F8

Device \Driver\NetBT \Device\NetbiosSmb 8A5561F8

---- System - GMER 1.0.15 ----

INT 0x83 ? 8A55CE08

INT 0xB4 ? 8A55CE08

Device \Driver\usbohci \Device\USBPDO-0 8A5F5500

Device \Driver\usbohci \Device\USBFDO-0 8A5F5500

Device \Driver\usbehci \Device\USBPDO-1 8A5F7500

Device \Driver\usbehci \Device\USBFDO-1 8A5F7500

Device \Driver\Cdrom \Device\CdRom0 8A6001F8

Device \Driver\Cdrom \Device\CdRom1 8A6001F8

Device \FileSystem\Ntfs \Ntfs 8A6EC1F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6EE1F8

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6EE1F8

Device \Driver\Ftdisk \Device\HarddiskVolume3 8A6EE1F8

Device \Driver\Ftdisk \Device\FtControl 8A6EE1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A75D1F8

Device \Driver\atapi \Device\Ide\IdePort0 8A75D1F8

Device \Driver\atapi \Device\Ide\IdePort1 8A75D1F8

Device \Driver\atapi \Device\Ide\IdePort2 8A75D1F8

Device \Driver\atapi \Device\Ide\IdePort3 8A75D1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A75D1F8

INT 0x73 ? 8A75DBF8

INT 0x73 ? 8A75DBF8

INT 0x73 ? 8A75DBF8

INT 0x83 ? 8A75DBF8

INT 0x83 ? 8A75DBF8

INT 0x83 ? 8A75DBF8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EA8042] spzg.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9EA80C0] spzg.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9EA813E] spzg.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9EA86D6] spzg.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9EA8800] spzg.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{E3C9CE04-ED8E-488a-B76B-9EEF26B4F65C}\InProcServer32@ThreadingModel Apartment

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932

---- Kernel code sections - GMER 1.0.15 ----

.text aklb1mir.SYS B94A4386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]

.text aklb1mir.SYS B94A43AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]

.text aklb1mir.SYS B94A43C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}

.text aklb1mir.SYS B94A43C9 1 Byte [30]

.text aklb1mir.SYS B94A43C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}

.text USBPORT.SYS!DllUnload B953D68E 5 Bytes JMP 8A55C3E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SOFTWARE\Classes\CLSID\{E3C9CE04-ED8E-488a-B76B-9EEF26B4F65C}\InProcServer32@ C:\WINDOWS\system32\iehelper.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\aklb1mir.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

Device \Driver\sptd \Device\3545855628 spzg.sys

Device \Driver\PCI_PNP4378 \Device\0000004e spzg.sys

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0509.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

AttachedDevice \FileSystem\Fastfat \Fat SSFS0509.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

---- Kernel code sections - GMER 1.0.15 ----

? spzg.sys The system cannot find the file specified. !

? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

AttachedDevice \FileSystem\Ntfs \Ntfs tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

AttachedDevice \FileSystem\Fastfat \Fat tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

SSDT spzg.sys ZwCreateKey [0xB9EA70E0]

SSDT spzg.sys ZwEnumerateKey [0xB9EC5CA4]

SSDT spzg.sys ZwEnumerateValueKey [0xB9EC6032]

SSDT spzg.sys ZwOpenKey [0xB9EA70C0]

SSDT spzg.sys ZwQueryKey [0xB9EC610A]

SSDT spzg.sys ZwQueryValueKey [0xB9EC5F8A]

SSDT spzg.sys ZwSetValueKey [0xB9EC619C]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB5D64DF0]

---- EOF - GMER 1.0.15 ----

DDS (Ver_09-05-14.01) - NTFSx86

Run by Dad at 20:16:46.20 on Sun 06/14/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1269 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\AutoHotkey\AutoHotkey.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun

uRun: [bandwidth Monitor Pro] "c:\progra~1\bandwi~1\Bandwidth Monitor Pro.exe" /minimized

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] "nwiz.exe" /install

mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"

mRun: [iSUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

StartupFolder: c:\docume~1\dad\startm~1\programs\startup\shortc~1.lnk - c:\program files\autohotkey\AutoHotkey.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\siemen~1.lnk - c:\program files\siemens\speedstream wireless pci\SSPCICfg.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\gyp9yg0m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\gyp9yg0m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll

FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\gyp9yg0m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-25 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-9-25 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-25 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-9-25 566872]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-9-25 280392]

S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-31 33176]

S3 Qisddm;Qisddm; [x]

S3 SSPCIV27;Siemens SpeedStream Wireless PCI Driver;c:\windows\system32\drivers\SSPCIV27.sys [2007-1-9 171648]

=============== Created Last 30 ================

2009-06-13 11:11 <DIR> --d----- C:\gmer

2009-06-13 10:52 50,688 a------- C:\ATF-Cleaner.exe

2009-06-12 08:03 <DIR> --d----- c:\documents and settings\dad\DoctorWeb

2009-06-12 02:58 <DIR> --d----- c:\windows\pss

2009-06-12 02:55 410,984 a------- c:\windows\system32\deploytk.dll

2009-06-12 02:55 73,728 a------- c:\windows\system32\javacpl.cpl

2009-06-12 02:40 93,879 a------- C:\MGlogs.zip

2009-06-12 02:40 <DIR> --d----- C:\MGtools

2009-06-12 02:27 <DIR> a-dshr-- C:\cmdcons

2009-06-12 02:26 161,792 a------- c:\windows\SWREG.exe

2009-06-12 02:26 155,136 a------- c:\windows\PEV.exe

2009-06-12 02:26 98,816 a------- c:\windows\sed.exe

2009-06-12 02:26 <DIR> --ds---- C:\ComboFix

2009-06-12 02:26 388,608 a------- c:\windows\system32\CF17877.exe

2009-06-12 02:11 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes

2009-06-12 02:11 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-12 02:11 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-06-12 02:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-06-12 02:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-06-12 01:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-06-12 01:20 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-06-12 01:20 <DIR> --d----- c:\docume~1\dad\applic~1\SUPERAntiSpyware.com

2009-06-12 01:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2009-06-12 01:18 1,342,151 a------- C:\MGtools.exe

2009-06-12 01:05 <DIR> --d----- c:\program files\CCleaner

2009-06-11 21:53 <DIR> --ds---- c:\documents and settings\dad\UserData

2009-06-11 20:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BOINC

2009-06-07 12:32 <DIR> --d----- c:\program files\uTorrent

2009-06-07 12:31 <DIR> --d----- c:\docume~1\dad\applic~1\uTorrent

2009-06-06 01:10 0 a------- c:\windows\hpqEmlSz.INI

2009-06-06 01:08 54,156 a---h--- c:\windows\QTFont.qfn

2009-06-06 01:08 1,409 a------- c:\windows\QTFont.for

2009-06-05 15:33 <DIR> --d----- C:\bin

2009-06-05 15:31 <DIR> --d----- c:\program files\common files\HP

2009-06-05 15:25 69,632 a------- c:\windows\system32\HPZipm12.3

2009-06-05 15:00 117,092 a------- c:\windows\hpoins11.dat

2009-06-05 14:57 11,634 a------- c:\windows\hpomdl11.dat

2009-06-05 14:06 69,632 a------- c:\windows\system32\HPZipm12.2

2009-06-05 13:27 693 a------- c:\windows\hpntwksetup.ini

2009-06-05 13:26 69,632 a------- c:\windows\system32\HPZipm12.1

2009-06-05 12:48 110,390 -------- c:\windows\hpoins11.dat.temp

2009-06-05 12:48 6,947 -------- c:\windows\hpomdl11.dat.temp

2009-06-05 10:54 <DIR> --d----- c:\program files\VideoLAN

2009-06-05 10:53 <DIR> --d----- c:\docume~1\dad\applic~1\DAEMON Tools Pro

2009-06-02 21:51 86,016 a------- c:\windows\unvise32.exe

2009-06-02 21:51 <DIR> --d----- c:\program files\Bandwidth Monitor Pro

2009-06-02 21:31 <DIR> --d----- c:\program files\NewsBinGN

2009-06-02 21:26 <DIR> --d----- c:\program files\NewsLeecher

2009-06-02 21:23 <DIR> --d----- c:\documents and settings\dad\Downloads

2009-06-02 21:23 <DIR> --d----- c:\docume~1\dad\applic~1\NewsLeecher

2009-05-29 16:24 401,408 -------- c:\windows\system32\dllcache\rpcss.dll

2009-05-29 16:24 284,160 -------- c:\windows\system32\dllcache\pdh.dll

2009-05-29 16:24 110,592 -------- c:\windows\system32\dllcache\services.exe

2009-05-29 16:24 60,416 -------- c:\windows\system32\dllcache\colbact.dll

2009-05-29 16:24 35,328 -------- c:\windows\system32\dllcache\sc.exe

2009-05-29 16:24 473,088 -------- c:\windows\system32\dllcache\fastprox.dll

2009-05-29 16:24 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe

2009-05-29 16:24 715,264 -------- c:\windows\system32\dllcache\ntdll.dll

2009-05-29 16:24 617,984 -------- c:\windows\system32\dllcache\advapi32.dll

2009-05-29 16:23 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb

2009-05-29 16:23 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

2009-05-29 15:01 56 a---h--- c:\windows\system32\ezsidmv.dat

2009-05-29 14:59 <DIR> --d--r-- c:\program files\Skype

2009-05-29 13:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite

2009-05-29 13:55 <DIR> --d----- c:\program files\DAEMON Tools Toolbar

2009-05-29 13:55 <DIR> --d----- c:\program files\DAEMON Tools Lite

2009-05-29 13:52 <DIR> --d----- c:\program files\AutoHotkey

2009-05-29 13:36 721,904 a------- c:\windows\system32\drivers\sptd.sys

2009-05-29 13:36 <DIR> --d----- c:\docume~1\dad\applic~1\DAEMON Tools Lite

2009-05-29 13:35 <DIR> --d----- c:\program files\IrfanView

2009-05-29 12:20 <DIR> --d----- c:\windows\system32\scripting

2009-05-29 12:20 <DIR> --d----- c:\windows\l2schemas

2009-05-29 12:20 <DIR> --d----- c:\windows\system32\en

2009-05-29 12:20 <DIR> --d----- c:\windows\system32\bits

2009-05-29 12:09 <DIR> --d----- c:\windows\EHome

2009-05-29 11:13 561,688 a------- c:\windows\system32\wuapi.dll.wusetup.3556523393.new

==================== Find3M ====================

2009-05-29 15:33 4,711 a------- c:\windows\mozver.dat

2009-03-21 10:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll

============= FINISH: 20:17:11.07 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 1/9/2007 3:55:59 PM

System Uptime: 6/14/2009 6:19:28 PM (2 hours ago)

Motherboard: Dell Inc | | 0UW457

Processor: AMD Athlon 64 X2 Dual Core Processor 5200+ | Socket M2 | 2605/1000mhz

Processor: AMD Athlon 64 X2 Dual Core Processor 5200+ | Socket M2 | 2605/1000mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 10.265 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

I: is CDROM ()

J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Linksys Wireless-G PCI Network Adapter with SpeedBooster

Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00421737&REV_02\4&DC268A3&0&4880

Manufacturer: Linksys

Name: Linksys Wireless-G PCI Network Adapter with SpeedBooster

PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00421737&REV_02\4&DC268A3&0&4880

Service: BCM43XX

==== System Restore Points ===================

RP289: 6/11/2009 9:00:20 PM - Removed Dell CinePlayer

RP290: 6/11/2009 9:00:21 PM - Removed EarthLink Setup Files

RP291: 6/11/2009 9:00:21 PM - Software Distribution Service 3.0

RP292: 6/11/2009 9:00:21 PM - Software Distribution Service 3.0

RP293: 6/11/2009 9:00:21 PM - SPTD setup V1.58

RP294: 6/11/2009 9:00:21 PM - Software Distribution Service 3.0

RP295: 6/11/2009 9:00:22 PM - System Checkpoint

RP296: 6/11/2009 9:00:22 PM - System Checkpoint

RP297: 6/11/2009 9:00:22 PM - System Checkpoint

RP298: 6/11/2009 9:00:22 PM - System Checkpoint

RP299: 6/11/2009 9:00:22 PM - System Checkpoint

RP300: 6/11/2009 9:00:23 PM - System Checkpoint

RP301: 6/11/2009 9:00:23 PM - Printer Driver HP Photosmart C6100 series Installed

RP302: 6/11/2009 9:00:23 PM - Installed HPSU306Stub

RP303: 6/11/2009 9:00:23 PM - Printer Driver HP Photosmart C6100 series fax Installed

RP304: 6/11/2009 9:00:23 PM - Installed Pivot Stickfigure Animator

RP305: 6/11/2009 9:00:23 PM - System Checkpoint

RP306: 6/11/2009 9:00:24 PM - System Checkpoint

RP307: 6/11/2009 9:00:24 PM - System Checkpoint

RP308: 6/11/2009 9:00:24 PM - System Checkpoint

RP309: 6/11/2009 9:00:24 PM - System Checkpoint

RP310: 6/11/2009 9:00:24 PM - Installed BOINC

RP311: 6/12/2009 2:53:43 AM - Removed J2SE Runtime Environment 5.0 Update 6

RP312: 6/12/2009 2:54:58 AM - Installed Java 6 Update 14

RP313: 6/13/2009 12:21:34 PM - System Checkpoint

RP314: 6/14/2009 7:23:59 PM - System Checkpoint

==== Installed Programs ======================


You're welcome.

Daemon Tools creates so many entries in the antirootkit scan results that it makes it difficult to decipher the good from the bad.

Download mbr.exe to your desktop.

Double-click mbr.exe to run it. Alternatively, if your operating system is Vista, please right-click mbr.exe and choose "Run as Administrator".

It will create a file called mbr.log on your desktop.

Open mbr.log in Notepad by double-clicking it, and post the contents of mbr.log in your next reply.

I noticed you already ran Combofix so I want to see that scan report from your first run.

Then do the following to run Combofix again following my instructions:

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as remover.exe.

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (remover.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt, your original Combofix log (most likely ComboFix2.txt), and the new C:\Combofix.txt


Again thanks for your help.

The symptoms that I am still experiencing are within Firefox and IE. I am getting redirected to spam/malware pages when I click on links in a Google search.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

#1

ComboFix 09-06-11.06 - Dad 06/12/2009 2:28.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1446 [GMT -4:00]

Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\_003089_.tmp.dll

c:\windows\system32\_003090_.tmp.dll

c:\windows\system32\_003091_.tmp.dll

c:\windows\system32\_003092_.tmp.dll

c:\windows\system32\_003099_.tmp.dll

c:\windows\system32\_003100_.tmp.dll

c:\windows\system32\_003101_.tmp.dll

c:\windows\system32\_003102_.tmp.dll

c:\windows\system32\_003104_.tmp.dll

c:\windows\system32\_003105_.tmp.dll

c:\windows\system32\_003108_.tmp.dll

c:\windows\system32\_003109_.tmp.dll

c:\windows\system32\_003111_.tmp.dll

c:\windows\system32\_003112_.tmp.dll

c:\windows\system32\_003113_.tmp.dll

c:\windows\system32\_003115_.tmp.dll

c:\windows\system32\_003118_.tmp.dll

c:\windows\system32\_003119_.tmp.dll

c:\windows\system32\_003123_.tmp.dll

c:\windows\system32\_003124_.tmp.dll

c:\windows\system32\_003126_.tmp.dll

c:\windows\system32\_003128_.tmp.dll

c:\windows\system32\_003129_.tmp.dll

c:\windows\system32\_003131_.tmp.dll

c:\windows\system32\_003132_.tmp.dll

c:\windows\system32\_003133_.tmp.dll

c:\windows\system32\_003134_.tmp.dll

c:\windows\system32\_003135_.tmp.dll

c:\windows\system32\_003138_.tmp.dll

c:\windows\system32\_003139_.tmp.dll

c:\windows\system32\_003140_.tmp.dll

c:\windows\system32\_003141_.tmp.dll

c:\windows\system32\_003142_.tmp.dll

c:\windows\system32\_003147_.tmp.dll

c:\windows\system32\_003149_.tmp.dll

c:\windows\system32\SKYNETnkvuwurj.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SKYNETkxxiltnu

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))

.

2009-06-12 06:11 . 2009-06-12 06:11 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes

2009-06-12 06:11 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-12 06:11 . 2009-06-12 06:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-12 06:11 . 2009-06-12 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-12 06:11 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-12 05:21 . 2009-06-12 06:33 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-12 05:21 . 2009-06-12 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-06-12 05:20 . 2009-06-12 05:20 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-06-12 05:20 . 2009-06-12 05:20 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com

2009-06-12 05:20 . 2009-06-12 05:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-06-12 05:18 . 2009-06-12 05:18 1342151 ----a-w- C:\MGtools.exe

2009-06-12 05:05 . 2009-06-12 05:05 -------- d-----w- c:\program files\CCleaner

2009-06-12 03:32 . 2009-06-12 03:32 94 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\1\camb_2.16_windows_intelx86.exe

2009-06-12 03:31 . 2009-06-12 03:31 94 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\0\camb_2.16_windows_intelx86.exe

2009-06-12 03:30 . 2009-06-12 03:30 1794048 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\www.cosmologyathome.org\camb_2.16_windows_intelx86.exe

2009-06-12 03:27 . 2009-06-12 03:27 -------- d-----w- c:\documents and settings\Dad\Application Data\Sonic

2009-06-12 03:27 . 2009-06-12 03:27 -------- d-----w- c:\documents and settings\Dad\Application Data\Leadertech

2009-06-12 01:53 . 2009-06-12 01:53 -------- d-s---w- c:\documents and settings\Dad\UserData

2009-06-12 00:53 . 2009-06-12 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\BOINC

2009-06-07 16:43 . 2009-06-07 16:43 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Apple

2009-06-07 16:32 . 2009-06-07 16:32 -------- d-----w- c:\program files\uTorrent

2009-06-07 16:31 . 2009-06-09 22:24 -------- d-----w- c:\documents and settings\Dad\Application Data\uTorrent

2009-06-06 17:56 . 2009-06-06 17:56 -------- d-----w- c:\documents and settings\Jacob\Local Settings\Application Data\IsolatedStorage

2009-06-06 17:56 . 2009-06-06 17:56 -------- d-----w- c:\documents and settings\Jacob\Local Settings\Application Data\HP

2009-06-05 19:58 . 2009-06-05 21:05 -------- d-----w- c:\documents and settings\Dad\Application Data\HP

2009-06-05 19:57 . 2009-06-05 19:57 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\IsolatedStorage

2009-06-05 19:55 . 2009-06-05 19:55 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\HP

2009-06-05 19:55 . 2009-06-05 19:55 126 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\fusioncache.dat

2009-06-05 19:54 . 2009-06-05 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-06-05 19:33 . 2009-06-05 19:33 -------- d-----w- C:\bin

2009-06-05 19:31 . 2009-06-05 19:32 -------- d-----w- c:\program files\Common Files\HP

2009-06-05 19:30 . 2009-06-05 19:30 -------- d-----w- c:\program files\Hewlett-Packard

2009-06-05 19:00 . 2009-06-05 20:01 117092 ----a-w- c:\windows\hpoins11.dat

2009-06-05 18:57 . 2006-05-05 21:18 11634 ----a-w- c:\windows\hpomdl11.dat

2009-06-05 14:59 . 2009-06-05 17:10 -------- d-----w- c:\documents and settings\Dad\Application Data\vlc

2009-06-05 14:59 . 2009-06-12 03:28 -------- d-----w- c:\documents and settings\Dad\Application Data\dvdcss

2009-06-05 14:54 . 2009-06-05 14:54 -------- d-----w- c:\program files\VideoLAN

2009-06-05 14:53 . 2009-06-05 14:53 -------- d-----w- c:\documents and settings\Dad\Application Data\DAEMON Tools Pro

2009-06-03 01:51 . 1999-12-17 14:13 86016 ----a-w- c:\windows\unvise32.exe

2009-06-03 01:51 . 2009-06-03 01:51 -------- d-----w- c:\program files\Bandwidth Monitor Pro

2009-06-03 01:31 . 2009-06-10 00:23 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\NewsBin

2009-06-03 01:31 . 2009-06-03 01:31 -------- d-----w- c:\program files\NewsBinGN

2009-06-03 01:26 . 2009-06-03 01:26 -------- d-----w- c:\program files\NewsLeecher

2009-06-03 01:23 . 2009-06-03 02:01 -------- d-----w- c:\documents and settings\Dad\Downloads

2009-06-03 01:23 . 2009-06-03 02:00 -------- d-----w- c:\documents and settings\Dad\Application Data\NewsLeecher

2009-06-01 19:54 . 2009-06-01 19:54 0 ----a-w- c:\documents and settings\Jacob\jagex_runescape_preferences.dat

2009-06-01 03:41 . 2009-06-01 03:41 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Identities

2009-05-31 18:55 . 2009-05-31 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-05-31 18:55 . 2009-05-31 18:55 -------- d-----w- c:\program files\NOS

2009-05-31 18:55 . 2009-03-03 18:53 109420 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\gyp9yg0m.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll

2009-05-31 18:55 . 2009-03-03 18:53 17464 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\gyp9yg0m.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg.exe

2009-05-31 18:55 . 2009-03-03 18:53 12792 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\gyp9yg0m.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg_bootstrap.exe

2009-05-31 18:54 . 2009-05-31 18:54 -------- d-----w- c:\documents and settings\Dad\Application Data\Talkback

2009-05-31 18:53 . 2009-05-31 18:53 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Thunderbird

2009-05-31 18:53 . 2009-05-31 18:53 -------- d-----w- c:\documents and settings\Dad\Application Data\Thunderbird

2009-05-31 18:53 . 2009-06-12 01:14 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-05-30 20:16 . 2008-10-10 10:36 43008 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll

2009-05-30 20:16 . 2008-10-10 10:36 43008 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2009-05-30 20:16 . 2008-10-10 10:36 233984 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2009-05-30 20:16 . 2008-10-10 10:36 239616 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2009-05-30 20:16 . 2008-10-10 10:36 245248 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll

2009-05-30 20:16 . 2008-10-10 10:36 243200 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll

2009-05-29 20:24 . 2009-03-06 14:00 284160 ------w- c:\windows\system32\dllcache\pdh.dll

2009-05-29 20:24 . 2009-02-09 10:01 401408 ------w- c:\windows\system32\dllcache\rpcss.dll

2009-05-29 20:24 . 2009-02-06 10:22 110592 ------w- c:\windows\system32\dllcache\services.exe

2009-05-29 20:24 . 2009-02-06 09:54 35328 ------w- c:\windows\system32\dllcache\sc.exe

2009-05-29 20:24 . 2005-07-26 04:20 60416 ------w- c:\windows\system32\dllcache\colbact.dll

2009-05-29 20:24 . 2009-02-09 10:01 473088 ------w- c:\windows\system32\dllcache\fastprox.dll

2009-05-29 20:24 . 2009-02-06 09:41 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe

2009-05-29 20:24 . 2009-02-09 10:01 617984 ------w- c:\windows\system32\dllcache\advapi32.dll

2009-05-29 20:24 . 2009-02-09 10:01 715264 ------w- c:\windows\system32\dllcache\ntdll.dll

2009-05-29 20:23 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

2009-05-29 19:42 . 2009-05-29 19:42 -------- d-----w- c:\documents and settings\Dad\Application Data\AdobeUM

2009-05-29 19:41 . 2009-05-31 18:55 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Adobe

2009-05-29 19:01 . 2009-05-29 19:01 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-05-29 19:01 . 2009-06-12 06:10 -------- d-----w- c:\documents and settings\Dad\Application Data\skypePM

2009-05-29 18:59 . 2009-06-12 06:26 -------- d-----w- c:\documents and settings\Dad\Application Data\Skype

2009-05-29 18:59 . 2009-05-29 18:59 -------- d-----w- c:\program files\Common Files\Skype

2009-05-29 18:59 . 2009-05-29 18:59 -------- d-----r- c:\program files\Skype

2009-05-29 18:59 . 2009-05-29 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-05-29 17:58 . 2009-05-29 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-05-29 17:55 . 2009-05-29 17:55 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2009-05-29 17:55 . 2009-05-30 07:11 -------- d-----w- c:\program files\DAEMON Tools Lite

2009-05-29 17:52 . 2009-05-29 17:52 -------- d-----w- c:\program files\AutoHotkey

2009-05-29 17:36 . 2009-05-29 17:36 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-05-29 17:36 . 2009-06-05 17:22 -------- d-----w- c:\documents and settings\Dad\Application Data\DAEMON Tools Lite

2009-05-29 17:35 . 2009-05-29 17:35 -------- d-----w- c:\program files\IrfanView

2009-05-29 17:11 . 2009-05-29 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\system32\scripting

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\l2schemas

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\system32\en

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\system32\bits

2009-05-29 16:09 . 2009-05-29 16:09 -------- d-----w- c:\windows\EHome

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-12 05:18 . 2008-03-17 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-12 05:09 . 2007-01-05 18:48 -------- d-----w- c:\program files\Dell

2009-06-09 22:26 . 2007-09-18 23:54 -------- d-----w- c:\program files\Apple Software Update

2009-06-06 17:55 . 2007-01-09 20:56 81344 ----a-w- c:\documents and settings\Jacob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-05 19:53 . 2007-09-25 23:51 81344 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-05 19:33 . 2007-01-05 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-06-05 19:33 . 2007-01-05 18:48 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-06-05 19:30 . 2008-02-29 01:58 -------- d-----w- c:\program files\HP

2009-06-04 19:22 . 2007-04-16 23:26 -------- d-----w- c:\program files\Trillian

2009-05-29 19:33 . 2007-01-11 20:51 4711 ----a-w- c:\windows\mozver.dat

2009-03-27 02:46 . 2009-04-02 01:42 1104 ----a-w- c:\windows\system32\ASPRTMM9.DLL

2007-09-16 06:35 . 2007-09-26 00:02 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-09-16 06:35 . 2007-09-26 00:02 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-09-16 06:35 . 2007-09-26 00:02 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-09-16 06:35 . 2007-09-26 00:02 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-09-16 06:35 . 2007-09-26 00:02 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

"Bandwidth Monitor Pro"="c:\progra~1\BANDWI~1\Bandwidth Monitor Pro.exe" [2005-02-16 225280]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-14 267064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-23 1617920]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 439872]

c:\documents and settings\Dad\Start Menu\Programs\Startup\

Shortcut to AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2009-5-3 244736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-5 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-5 24576]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Siemens SpeedStream Wireless PCI.lnk - c:\program files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe [2007-1-9 167936]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\NewsBinGN\\NewsbinGN.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"23023:TCP"= 23023:TCP:Sheep

"23024:TCP"= 23024:TCP:Sheep2

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:26 AM 36368]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:26 AM 280392]

S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:26 AM 345696]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 9:26 AM 923216]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 9:26 AM 566872]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/31/2009 2:55 PM 33176]

S3 Qisddm;Qisddm; [x]

S3 SSPCIV27;Siemens SpeedStream Wireless PCI Driver;c:\windows\system32\drivers\SSPCIV27.sys [1/9/2007 5:25 PM 171648]

.

Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

.

- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-12 02:33

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E3C9CE04-ED8E-488a-B76B-9EEF26B4F65C}\InProcServer32]

@DACL=(02 0000)

@="c:\\WINDOWS\\system32\\iehelper.dll"

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

c:\windows\system32\CF17877.exe

c:\windows\system32\rundll32.exe

c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-06-12 2:37 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-12 06:37

Pre-Run: 8,256,679,936 bytes free

Post-Run: 11,186,335,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

315 --- E O F --- 2009-05-31 07:00

#2

ComboFix 09-06-15.04 - Dad 06/15/2009 19:29.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1489 [GMT -4:00]

Running from: c:\documents and settings\Dad\Desktop\ClomberNixer.exe

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))

.

2009-06-15 00:20 . 2009-06-15 00:20 286208 ----a-w- C:\932u4iom.exe

2009-06-13 15:11 . 2009-06-13 15:11 -------- d-----w- C:\gmer

2009-06-13 14:52 . 2009-06-13 14:50 50688 ----a-w- C:\ATF-Cleaner.exe

2009-06-12 15:32 . 2009-06-12 15:33 -------- d-----w- c:\documents and settings\Administrator

2009-06-12 12:03 . 2009-06-12 12:13 -------- d-----w- c:\documents and settings\Dad\DoctorWeb

2009-06-12 06:55 . 2009-06-12 06:55 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-12 06:40 . 2009-06-12 06:43 93879 ----a-w- C:\MGlogs.zip

2009-06-12 06:40 . 2009-06-12 06:43 -------- d-----w- C:\MGtools

2009-06-12 06:26 . 2009-06-15 23:28 -------- d-s---w- C:\ComboFix

2009-06-12 06:11 . 2009-06-12 06:11 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes

2009-06-12 06:11 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-12 06:11 . 2009-06-12 06:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-12 06:11 . 2009-06-12 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-12 06:11 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-12 05:21 . 2009-06-15 22:56 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-06-12 05:21 . 2009-06-12 05:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-06-12 05:20 . 2009-06-12 05:20 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-06-12 05:20 . 2009-06-12 05:20 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com

2009-06-12 05:20 . 2009-06-12 05:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-06-12 05:18 . 2009-06-12 05:18 1342151 ----a-w- C:\MGtools.exe

2009-06-12 05:05 . 2009-06-12 05:05 -------- d-----w- c:\program files\CCleaner

2009-06-12 03:32 . 2009-06-12 03:32 94 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\1\camb_2.16_windows_intelx86.exe

2009-06-12 03:31 . 2009-06-12 03:31 94 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\0\camb_2.16_windows_intelx86.exe

2009-06-12 03:30 . 2009-06-12 03:30 1794048 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\www.cosmologyathome.org\camb_2.16_windows_intelx86.exe

2009-06-12 03:27 . 2009-06-12 03:27 -------- d-----w- c:\documents and settings\Dad\Application Data\Sonic

2009-06-12 03:27 . 2009-06-12 03:27 -------- d-----w- c:\documents and settings\Dad\Application Data\Leadertech

2009-06-12 01:53 . 2009-06-12 01:53 -------- d-s---w- c:\documents and settings\Dad\UserData

2009-06-12 00:53 . 2009-06-12 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\BOINC

2009-06-07 16:43 . 2009-06-07 16:43 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Apple

2009-06-07 16:32 . 2009-06-07 16:32 -------- d-----w- c:\program files\uTorrent

2009-06-07 16:31 . 2009-06-09 22:24 -------- d-----w- c:\documents and settings\Dad\Application Data\uTorrent

2009-06-06 17:56 . 2009-06-06 17:56 -------- d-----w- c:\documents and settings\Jacob\Local Settings\Application Data\IsolatedStorage

2009-06-06 17:56 . 2009-06-06 17:56 -------- d-----w- c:\documents and settings\Jacob\Local Settings\Application Data\HP

2009-06-05 19:58 . 2009-06-05 21:05 -------- d-----w- c:\documents and settings\Dad\Application Data\HP

2009-06-05 19:57 . 2009-06-05 19:57 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\IsolatedStorage

2009-06-05 19:55 . 2009-06-05 19:55 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\HP

2009-06-05 19:55 . 2009-06-05 19:55 126 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\fusioncache.dat

2009-06-05 19:54 . 2009-06-05 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-06-05 19:33 . 2009-06-05 19:33 -------- d-----w- C:\bin

2009-06-05 19:31 . 2009-06-05 19:32 -------- d-----w- c:\program files\Common Files\HP

2009-06-05 19:30 . 2009-06-05 19:30 -------- d-----w- c:\program files\Hewlett-Packard

2009-06-05 19:00 . 2009-06-05 20:01 117092 ----a-w- c:\windows\hpoins11.dat

2009-06-05 18:57 . 2006-05-05 21:18 11634 ----a-w- c:\windows\hpomdl11.dat

2009-06-05 14:59 . 2009-06-05 17:10 -------- d-----w- c:\documents and settings\Dad\Application Data\vlc

2009-06-05 14:59 . 2009-06-12 03:28 -------- d-----w- c:\documents and settings\Dad\Application Data\dvdcss

2009-06-05 14:54 . 2009-06-05 14:54 -------- d-----w- c:\program files\VideoLAN

2009-06-05 14:53 . 2009-06-05 14:53 -------- d-----w- c:\documents and settings\Dad\Application Data\DAEMON Tools Pro

2009-06-03 01:51 . 1999-12-17 14:13 86016 ----a-w- c:\windows\unvise32.exe

2009-06-03 01:51 . 2009-06-03 01:51 -------- d-----w- c:\program files\Bandwidth Monitor Pro

2009-06-03 01:31 . 2009-06-10 00:23 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\NewsBin

2009-06-03 01:31 . 2009-06-03 01:31 -------- d-----w- c:\program files\NewsBinGN

2009-06-03 01:26 . 2009-06-03 01:26 -------- d-----w- c:\program files\NewsLeecher

2009-06-03 01:23 . 2009-06-03 02:01 -------- d-----w- c:\documents and settings\Dad\Downloads

2009-06-03 01:23 . 2009-06-03 02:00 -------- d-----w- c:\documents and settings\Dad\Application Data\NewsLeecher

2009-06-01 19:54 . 2009-06-01 19:54 0 ----a-w- c:\documents and settings\Jacob\jagex_runescape_preferences.dat

2009-06-01 03:41 . 2009-06-01 03:41 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Identities

2009-05-31 18:55 . 2009-05-31 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-05-31 18:55 . 2009-05-31 18:55 -------- d-----w- c:\program files\NOS

2009-05-31 18:55 . 2009-03-03 18:53 109420 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\gyp9yg0m.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll

2009-05-31 18:55 . 2009-03-03 18:53 17464 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\gyp9yg0m.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg.exe

2009-05-31 18:55 . 2009-03-03 18:53 12792 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\gyp9yg0m.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg_bootstrap.exe

2009-05-31 18:54 . 2009-05-31 18:54 -------- d-----w- c:\documents and settings\Dad\Application Data\Talkback

2009-05-31 18:53 . 2009-05-31 18:53 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Thunderbird

2009-05-31 18:53 . 2009-05-31 18:53 -------- d-----w- c:\documents and settings\Dad\Application Data\Thunderbird

2009-05-31 18:53 . 2009-06-15 00:09 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-05-30 20:16 . 2008-10-10 10:36 43008 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll

2009-05-30 20:16 . 2008-10-10 10:36 43008 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2009-05-30 20:16 . 2008-10-10 10:36 233984 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2009-05-30 20:16 . 2008-10-10 10:36 239616 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2009-05-30 20:16 . 2008-10-10 10:36 245248 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll

2009-05-30 20:16 . 2008-10-10 10:36 243200 ----a-w- c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\qswwrroh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll

2009-05-29 20:24 . 2009-03-06 14:00 284160 ------w- c:\windows\system32\dllcache\pdh.dll

2009-05-29 20:24 . 2009-02-09 10:01 401408 ------w- c:\windows\system32\dllcache\rpcss.dll

2009-05-29 20:24 . 2009-02-06 10:22 110592 ------w- c:\windows\system32\dllcache\services.exe

2009-05-29 20:24 . 2009-02-06 09:54 35328 ------w- c:\windows\system32\dllcache\sc.exe

2009-05-29 20:24 . 2005-07-26 04:20 60416 ------w- c:\windows\system32\dllcache\colbact.dll

2009-05-29 20:24 . 2009-02-09 10:01 473088 ------w- c:\windows\system32\dllcache\fastprox.dll

2009-05-29 20:24 . 2009-02-06 09:41 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe

2009-05-29 20:24 . 2009-02-09 10:01 617984 ------w- c:\windows\system32\dllcache\advapi32.dll

2009-05-29 20:24 . 2009-02-09 10:01 715264 ------w- c:\windows\system32\dllcache\ntdll.dll

2009-05-29 20:23 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

2009-05-29 19:42 . 2009-05-29 19:42 -------- d-----w- c:\documents and settings\Dad\Application Data\AdobeUM

2009-05-29 19:41 . 2009-05-31 18:55 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Adobe

2009-05-29 19:01 . 2009-05-29 19:01 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-05-29 19:01 . 2009-06-12 20:03 -------- d-----w- c:\documents and settings\Dad\Application Data\skypePM

2009-05-29 18:59 . 2009-06-12 22:36 -------- d-----w- c:\documents and settings\Dad\Application Data\Skype

2009-05-29 18:59 . 2009-05-29 18:59 -------- d-----w- c:\program files\Common Files\Skype

2009-05-29 18:59 . 2009-05-29 18:59 -------- d-----r- c:\program files\Skype

2009-05-29 18:59 . 2009-05-29 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-05-29 17:58 . 2009-05-29 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-05-29 17:55 . 2009-05-29 17:55 -------- d-----w- c:\program files\DAEMON Tools Toolbar

2009-05-29 17:55 . 2009-05-30 07:11 -------- d-----w- c:\program files\DAEMON Tools Lite

2009-05-29 17:52 . 2009-05-29 17:52 -------- d-----w- c:\program files\AutoHotkey

2009-05-29 17:36 . 2009-05-29 17:36 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-05-29 17:36 . 2009-06-05 17:22 -------- d-----w- c:\documents and settings\Dad\Application Data\DAEMON Tools Lite

2009-05-29 17:35 . 2009-05-29 17:35 -------- d-----w- c:\program files\IrfanView

2009-05-29 17:11 . 2009-05-29 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\system32\scripting

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\l2schemas

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\system32\en

2009-05-29 16:20 . 2009-05-29 16:23 -------- d-----w- c:\windows\system32\bits

2009-05-29 16:09 . 2009-05-29 16:09 -------- d-----w- c:\windows\EHome

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-12 07:05 . 2007-01-05 18:51 -------- d-----w- c:\program files\Trend Micro

2009-06-12 06:55 . 2007-01-05 18:46 -------- d-----w- c:\program files\Java

2009-06-12 05:18 . 2008-03-17 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-12 05:09 . 2007-01-05 18:48 -------- d-----w- c:\program files\Dell

2009-06-09 22:26 . 2007-09-18 23:54 -------- d-----w- c:\program files\Apple Software Update

2009-06-06 17:55 . 2007-01-09 20:56 81344 ----a-w- c:\documents and settings\Jacob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-05 19:53 . 2007-09-25 23:51 81344 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-05 19:33 . 2007-01-05 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-06-05 19:33 . 2007-01-05 18:48 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-06-05 19:30 . 2008-02-29 01:58 -------- d-----w- c:\program files\HP

2009-06-04 19:22 . 2007-04-16 23:26 -------- d-----w- c:\program files\Trillian

2009-05-29 19:33 . 2007-01-11 20:51 4711 ----a-w- c:\windows\mozver.dat

2009-03-27 02:46 . 2009-04-02 01:42 1104 ----a-w- c:\windows\system32\ASPRTMM9.DLL

2007-09-16 06:35 . 2007-09-26 00:02 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-09-16 06:35 . 2007-09-26 00:02 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-09-16 06:35 . 2007-09-26 00:02 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-09-16 06:35 . 2007-09-26 00:02 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-09-16 06:35 . 2007-09-26 00:02 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

"Bandwidth Monitor Pro"="c:\progra~1\BANDWI~1\Bandwidth Monitor Pro.exe" [2005-02-16 225280]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-14 267064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-12 148888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-23 1617920]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 439872]

c:\documents and settings\Dad\Start Menu\Programs\Startup\

Shortcut to AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2009-5-3 244736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-5 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-5 24576]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Siemens SpeedStream Wireless PCI.lnk - c:\program files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe [2007-1-9 167936]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\NewsBinGN\\NewsbinGN.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"23023:TCP"= 23023:TCP:Sheep

"23024:TCP"= 23024:TCP:Sheep2

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:26 AM 36368]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:26 AM 280392]

S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:26 AM 345696]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 9:26 AM 923216]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 9:26 AM 566872]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/31/2009 2:55 PM 33176]

S3 Qisddm;Qisddm; [x]

S3 SSPCIV27;Siemens SpeedStream Wireless PCI Driver;c:\windows\system32\drivers\SSPCIV27.sys [1/9/2007 5:25 PM 171648]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-15 19:33

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E3C9CE04-ED8E-488a-B76B-9EEF26B4F65C}\InProcServer32]

@DACL=(02 0000)

@="c:\\WINDOWS\\system32\\iehelper.dll"

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-06-15 19:34

ComboFix-quarantined-files.txt 2009-06-15 23:34

Pre-Run: 11,003,285,504 bytes free

Post-Run: 10,990,014,464 bytes free

262 --- E O F --- 2009-05-31 07:00


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
