Jump to content

Rootkit continued


Recommended Posts

Hi all,

I've tried everything I've read here - MalwareBytes, ComboFix, ATF-Cleaner, SuperAntiSpyware, DrWeb-CureIt, RootRepeal, Avenger, you name it.... - multiple times, safe mode, restarts, full instructions carried out to T, but it is still haunting me. It is a rootkit that makes my search engine links go to advertising sites and the file is clearly identified in the logs below but unable to be removed by anything. MalwareBytes says it can delete one immediately and one on reboot, but it always comes back. I'm running XP inside VirtualBox on my Macbook, with a VPN into my work up and running (Juniper). Here's the logs from MalwareBytes, HijackThis, and Avenger (others available if you need it, but you can see what file it is - have seen a similar one in the last couple of days in this forum). With Avenger I tried entering a simple script to delete the file upon restart, but to no avail. Any help would be greatly appreciated.

Euchrid

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 3

7/15/2009 8:55:04 PM

mbam-log-2009-07-15 (20-54-59).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 13749

Time elapsed: 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll (Trojan.TDSS) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:46:19 PM, on 7/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\VBoxService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\VBoxTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Everything\Everything.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe

C:\Program Files\Free Download Manager\fdm.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\Growl for Windows\Growl.exe

C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teezcricket.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O4 - HKLM\..\Run: [VBoxTray] C:\WINDOWS\system32\VBoxTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe"

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKCU\..\Run: [Growl] C:\Program Files\Growl for Windows\Growl.exe

O4 - HKCU\..\Run: [Gmail Growl] C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe

O23 - Service: Google Update Service (gupdate1c9c1b183ad1450) (gupdate1c9c1b183ad1450) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe

O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS\system32\VBoxService.exe

O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--

End of file - 7995 bytes

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: could not delete file "c:\Windows\System32\geyekrpjxtedtf.dll"

Deletion of file "c:\Windows\System32\geyekrpjxtedtf.dll" failed!

Status: 0xc0000156

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

  • Root Admin

Please disable your Anti-Virus and delete your current copy of Combofix and get a NEW fresh copy and run it. Then post back the log.

Please visit this webpage for instructions for downloading ComboFix to your
DESKTOP
:
how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run
ComboFix.exe
on your DESKTOP and not from any other folder.

Also,
DO NOT
click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note:

The
Windows Recovery Console
will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click
    Yes
    to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the
    C:\ComboFix.txt
    along with a
    new HijackThis log
    so we may continue cleaning the system.

Link to post
Share on other sites

Thanks for your assistance. Here are the two logs:

ComboFix 09-07-14.08 - Administrator 07/16/2009 21:51.4.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))

.

2009-07-16 01:20 . 2009-07-17 01:41 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro

2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom

2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage

2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat

2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Temp

2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys

2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe

2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll

2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll

2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll

2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll

2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll

2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Growl

2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\Growl for Windows

2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast

2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\TVU Networks

2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey

2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau

2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2

2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Phanfare2

2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr

2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll

2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer

2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies

2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon

2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Desktopicon

2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory

2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java

2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat

2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock

2009-06-19 21:37 . 2008-08-21 05:45 138296 ----a-w- c:\windows\system32\drivers\IpSecDrv.sys

2009-06-19 21:37 . 2008-08-21 06:02 90164 ----a-w- c:\windows\system32\cmondll.dll

2009-06-19 21:37 . 2008-08-21 06:02 28726 ----a-w- c:\windows\system32\SnPolicy.dll

2009-06-19 21:37 . 2008-08-21 06:02 233526 ----a-w- c:\windows\system32\IreComn.dll

2009-06-19 21:37 . 2008-01-17 04:35 536634 ------w- c:\windows\system32\drivers\Crypto.sys

2009-06-19 21:37 . 2008-01-14 04:21 159804 ------w- c:\windows\system32\IreBase.dll

2009-06-19 21:37 . 2008-01-14 04:21 90166 ------w- c:\windows\system32\IreSC.dll

2009-06-19 21:37 . 2008-01-14 04:20 344122 ------w- c:\windows\system32\IreCGX.dll

2009-06-19 21:37 . 1997-09-17 16:00 207120 ------r- c:\windows\system32\Msoss.dll

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-06-19 21:36 . 2008-06-19 09:27 125584 ----a-w- c:\windows\system32\drivers\dne2000.sys

2009-06-19 21:36 . 2008-05-24 05:22 106768 ----a-w- c:\windows\system32\dneinobj.dll

2009-06-19 21:36 . 2000-09-12 11:34 28160 ------r- c:\windows\system32\cstrain.dll

2009-06-19 21:36 . 2000-09-12 11:25 78848 ------r- c:\windows\system32\soedber.dll

2009-06-19 21:36 . 2000-09-12 11:25 46080 ------r- c:\windows\system32\soedapi.dll

2009-06-19 21:36 . 2000-09-12 11:25 16896 ------r- c:\windows\system32\ossdmem.dll

2009-06-19 21:36 . 2000-09-12 11:25 23552 ------r- c:\windows\system32\ossapi.dll

2009-06-19 21:36 . 2008-08-21 06:03 344116 ----a-w- c:\windows\system32\IreMgmt.dll

2009-06-19 21:36 . 2000-09-12 11:25 11264 ------r- c:\windows\system32\soedoid.dll

2009-06-19 21:36 . 2008-01-02 09:48 29184 ----a-w- c:\windows\system32\drivers\vap.sys

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-17 02:02 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager

2009-07-17 02:02 . 2009-04-20 12:13 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Free Download Manager

2009-07-17 02:00 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-17 02:00 . 2009-05-05 12:21 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\uTorrent

2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-14 18:14 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google

2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll

2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe

2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys

2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe

2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll

2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys

2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys

2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll

2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild

2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby

2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-21 16:29 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything

2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud

2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects

2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0

2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll

2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby

2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby

2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Digsby

2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

2009-04-21 03:05 . 2009-04-21 03:05 695642 ----a-w- c:\documents and settings\Administrator\Application Data\UBitMenu\unins000.exe

2009-04-20 13:45 . 2009-04-20 13:45 768 ----a-w- c:\windows\system32\d3d8caps.dat

2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll

2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll

.

------- Sigcheck -------

[-] 2008-05-06 12:00 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]

"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-05-05 274224]

"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-07 1146880]

"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]

c:\docume~1\ADMINI~1\STARTM~1\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowRun"= 1 (0x1)

"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]

2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Phanfare\\Phanfare.exe"=

"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=

"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=

"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]

R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]

R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]

R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]

R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]

R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]

S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]

S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]

S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.teezcricket.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-16 22:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1212)

geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3448)

geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\windows\system32\VBoxMRXNP.dll

c:\program files\LClock\LC.dll

c:\program files\Stardock\Fences\DesktopDock.dll

c:\program files\SUPERAntiSpyware\SASSEH.DLL

.

Completion time: 2009-07-17 22:07

ComboFix-quarantined-files.txt 2009-07-17 02:07

ComboFix2.txt 2009-07-15 06:58

Pre-Run: 1,792,401,408 bytes free

Post-Run: 1,808,146,432 bytes free

351

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:15:15 PM, on 7/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\VBoxService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe

C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\VBoxTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Everything\Everything.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Free Download Manager\fdm.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\Growl for Windows\Growl.exe

C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teezcricket.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O4 - HKLM\..\Run: [VBoxTray] C:\WINDOWS\system32\VBoxTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe"

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKCU\..\Run: [Growl] C:\Program Files\Growl for Windows\Growl.exe

O4 - HKCU\..\Run: [Gmail Growl] C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe

O23 - Service: Google Update Service (gupdate1c9c1b183ad1450) (gupdate1c9c1b183ad1450) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe

O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS\system32\VBoxService.exe

O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--

End of file - 7739 bytes

Link to post
Share on other sites

  • Root Admin

You have an infected copy of c:\windows\system32\drivers\tcpip.sys Do you have the Windows XP CD or access to another XP SP3 computer to get one from?

This probably will not work as there appears to be something hiding that we'll need to track down but we can try.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
File::
c:\windows\system32\geyekrpjxtedtf.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"=-
"uTorrent"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

    Please create a BOOTLOG
  • Delete the following file if it exists. C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
Link to post
Share on other sites

Again, thanks for your help. Here's the latest set of info for you. The driversigned command didn't work - it spat back "ERROR: Provider load failure" so I didn't post the empty text file (I ran it in the cmd window, added the exe, lots of versions - still didn't work).

ComboFix 09-07-14.08 - Administrator 07/17/2009 12:08.5.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1617 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt

FILE ::

"c:\windows\system32\geyekrpjxtedtf.dll"

.

((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))

.

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro

2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom

2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage

2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat

2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys

2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe

2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll

2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll

2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll

2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll

2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll

2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl

2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\Growl for Windows

2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast

2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks

2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey

2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau

2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2

2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr

2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll

2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer

2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies

2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon

2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory

2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java

2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat

2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock

2009-06-19 21:37 . 2008-08-21 05:45 138296 ----a-w- c:\windows\system32\drivers\IpSecDrv.sys

2009-06-19 21:37 . 2008-08-21 06:02 90164 ----a-w- c:\windows\system32\cmondll.dll

2009-06-19 21:37 . 2008-08-21 06:02 28726 ----a-w- c:\windows\system32\SnPolicy.dll

2009-06-19 21:37 . 2008-08-21 06:02 233526 ----a-w- c:\windows\system32\IreComn.dll

2009-06-19 21:37 . 2008-01-17 04:35 536634 ------w- c:\windows\system32\drivers\Crypto.sys

2009-06-19 21:37 . 2008-01-14 04:21 159804 ------w- c:\windows\system32\IreBase.dll

2009-06-19 21:37 . 2008-01-14 04:21 90166 ------w- c:\windows\system32\IreSC.dll

2009-06-19 21:37 . 2008-01-14 04:20 344122 ------w- c:\windows\system32\IreCGX.dll

2009-06-19 21:37 . 1997-09-17 16:00 207120 ------r- c:\windows\system32\Msoss.dll

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-06-19 21:36 . 2008-06-19 09:27 125584 ----a-w- c:\windows\system32\drivers\dne2000.sys

2009-06-19 21:36 . 2008-05-24 05:22 106768 ----a-w- c:\windows\system32\dneinobj.dll

2009-06-19 21:36 . 2000-09-12 11:34 28160 ------r- c:\windows\system32\cstrain.dll

2009-06-19 21:36 . 2000-09-12 11:25 78848 ------r- c:\windows\system32\soedber.dll

2009-06-19 21:36 . 2000-09-12 11:25 46080 ------r- c:\windows\system32\soedapi.dll

2009-06-19 21:36 . 2000-09-12 11:25 16896 ------r- c:\windows\system32\ossdmem.dll

2009-06-19 21:36 . 2000-09-12 11:25 23552 ------r- c:\windows\system32\ossapi.dll

2009-06-19 21:36 . 2008-08-21 06:03 344116 ----a-w- c:\windows\system32\IreMgmt.dll

2009-06-19 21:36 . 2000-09-12 11:25 11264 ------r- c:\windows\system32\soedoid.dll

2009-06-19 21:36 . 2008-01-02 09:48 29184 ----a-w- c:\windows\system32\drivers\vap.sys

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-17 16:21 . 2009-07-16 01:20 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-17 16:03 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything

2009-07-17 16:03 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager

2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-14 18:14 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google

2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll

2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe

2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys

2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe

2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll

2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys

2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys

2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll

2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild

2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby

2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud

2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects

2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0

2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll

2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby

2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby

2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

2009-04-21 03:05 . 2009-04-21 03:05 695642 ----a-w- c:\documents and settings\Administrator\Application Data\UBitMenu\unins000.exe

2009-04-20 13:45 . 2009-04-20 13:45 768 ----a-w- c:\windows\system32\d3d8caps.dat

2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll

2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll

.

------- Sigcheck -------

[-] 2008-05-06 12:00 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-17 16:21 . 2009-07-17 16:21 16384 c:\windows\temp\Perflib_Perfdata_1a0.dat

+ 2008-05-06 12:00 . 2009-07-17 15:53 66148 c:\windows\system32\perfc009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat

+ 2009-07-14 17:45 . 2009-07-17 15:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 17:45 . 2009-07-17 15:49 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-14 17:45 . 2009-07-17 15:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-05-06 12:00 . 2009-07-17 15:53 428224 c:\windows\system32\perfh009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]

"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-07 1146880]

"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowRun"= 1 (0x1)

"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]

2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Phanfare\\Phanfare.exe"=

"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=

"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=

"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]

R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]

R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]

R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]

R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]

R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]

S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]

S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]

S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.teezcricket.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-17 12:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)

geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\cscdll.dll

- - - - - - - > 'explorer.exe'(2356)

geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\program files\LClock\LC.dll

c:\program files\Stardock\Fences\DesktopDock.dll

c:\program files\SUPERAntiSpyware\SASSEH.DLL

c:\windows\system32\VBoxMRXNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\VBoxService.exe

c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe

c:\program files\Juniper\NetScreen-Remote\IreIKE.exe

c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\program files\FolderSize\FolderSizeSvc.exe

c:\program files\Hotspot Shield\bin\openvpnas.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

.

**************************************************************************

.

Completion time: 2009-07-17 12:27 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-17 16:27

ComboFix2.txt 2009-07-17 02:07

ComboFix3.txt 2009-07-15 06:58

Pre-Run: 1,793,105,920 bytes free

Post-Run: 1,811,038,208 bytes free

370

Service Pack 3 7 17 2009 12:30:52.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver intelide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltMgr.sys

Loaded driver sr.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver VBoxGuest.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdispm.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpvmp.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\system32\DRIVERS\vmmouse.sys

Loaded driver \SystemRoot\system32\DRIVERS\VBoxMouse.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\parport.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\VBoxVideo.sys

Loaded driver \SystemRoot\system32\DRIVERS\pcntpci5.sys

Loaded driver \SystemRoot\system32\drivers\ac97intc.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\dne2000.sys

Loaded driver \SystemRoot\system32\DRIVERS\vap.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\tapvpn.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\mcdbus.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \systemroot\system32\drivers\geyekrnoqvdksc.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \??\C:\WINDOWS\system32\Drivers\IPSECDRV.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Loaded driver \SystemRoot\system32\drivers\VBoxSF.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Did not load driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\ekauio.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Loaded driver \??\C:\WINDOWS\system32\Drivers\Crypto.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Did not load driver \SystemRoot\System32\Drivers\Serial.SYS

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

gmerlog.zip

DriversGeneral.txt

gmerlog.zip

DriversGeneral.txt

Link to post
Share on other sites

  • Root Admin

Not going to be able to fix this unless you can get this file replaced with a known good one.

This has to be fixed so we can finish cleaning up.

You have an infected copy of c:\windows\system32\drivers\tcpip.sys Do you have the Windows XP CD or access to another XP SP3 computer to get one from?

Link to post
Share on other sites

I replaced the TCPIP.SYS file (using expand D:\I386\TCPIP.SY_ C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS), ran MalwareBytes, and it seems like the problem is gone! Search engines working fine, thanks!! Could I ask, which part of the logs identified the TCPIP.SYS file was the infected one?

Lennox

Log below (it deleted avenger.exe upon restart - funny it didn't pick it up earlier though....):

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 3

7/17/2009 11:18:36 PM

mbam-log-2009-07-17 (23-18-33).txt

Scan type: Full Scan (C:\|)

Objects scanned: 130255

Time elapsed: 21 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\administrator\Desktop\avenger.exe (Trojan.Agent) -> No action taken.

Link to post
Share on other sites

Apologies - out of range for a couple of days. Here is the latest Combofix log (upgraded to the latest Combofix) - seems like the file is still there.

ComboFix 09-07-20.05 - Administrator 07/21/2009 12:17.6.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1646 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))

.

2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows

2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock

2009-07-16 01:20 . 2009-07-21 15:07 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro

2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom

2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage

2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat

2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys

2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe

2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll

2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll

2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll

2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll

2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll

2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl

2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast

2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks

2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey

2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau

2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2

2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr

2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll

2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer

2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies

2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon

2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory

2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java

2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat

2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google

2009-07-17 16:03 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything

2009-07-17 16:03 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager

2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll

2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe

2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys

2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe

2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll

2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys

2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys

2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll

2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild

2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby

2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield

2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud

2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects

2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0

2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll

2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby

2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby

2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll

2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll

.

------- Sigcheck -------

[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-21 16:16 . 2009-07-21 16:16 16384 c:\windows\temp\Perflib_Perfdata_3d0.dat

+ 2008-05-06 12:00 . 2009-07-21 16:20 66148 c:\windows\system32\perfc009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat

+ 2009-07-14 17:45 . 2009-07-21 16:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 17:45 . 2009-07-21 16:15 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-14 17:45 . 2009-07-21 16:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe

+ 2008-05-06 12:00 . 2009-07-21 16:20 428224 c:\windows\system32\perfh009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat

+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]

"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]

"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowRun"= 1 (0x1)

"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]

2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Phanfare\\Phanfare.exe"=

"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=

"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=

"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]

R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]

R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]

R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]

R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]

R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]

R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]

S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]

S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]

S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.teezcricket.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-21 12:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)

geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-07-21 12:38

ComboFix-quarantined-files.txt 2009-07-21 16:38

ComboFix2.txt 2009-07-17 16:27

ComboFix3.txt 2009-07-17 02:07

ComboFix4.txt 2009-07-15 06:58

Pre-Run: 1,785,806,848 bytes free

Post-Run: 1,788,710,912 bytes free

332

Link to post
Share on other sites

Have run Combofix again from XP Safe Mode with the script from before, restarted the machine then ran MalwareBytes again. Seems like the file is gone, as is tcpip.sys. Missing tcpip.sys doesn't seem to be making any difference to my machine, which may be because it is running inside of VirtualBox. Here are the logs:

ComboFix 09-07-21.01 - Administrator 07/21/2009 21:55.7.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1643 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt

FILE ::

"c:\windows\system32\geyekrpjxtedtf.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\tcpip.sys

.

((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))

.

2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows

2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock

2009-07-16 01:20 . 2009-07-22 00:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro

2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom

2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage

2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat

2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-14 17:40 . 2009-07-21 17:55 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys

2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe

2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll

2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll

2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll

2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll

2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll

2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl

2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast

2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks

2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey

2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau

2009-07-01 04:08 . 2009-07-21 23:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2

2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr

2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll

2009-07-01 04:07 . 2009-07-22 00:06 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer

2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies

2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon

2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory

2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java

2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat

2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-22 00:13 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything

2009-07-21 23:22 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google

2009-07-17 16:03 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager

2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll

2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe

2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys

2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe

2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll

2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys

2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys

2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll

2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild

2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby

2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield

2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud

2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects

2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0

2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll

2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby

2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby

2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll

2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll

.

------- Sigcheck -------

[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-22 01:54 . 2009-07-22 01:54 16384 c:\windows\temp\Perflib_Perfdata_238.dat

+ 2008-05-06 12:00 . 2009-07-22 01:58 66148 c:\windows\system32\perfc009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat

+ 2009-07-14 17:45 . 2009-07-22 01:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 17:45 . 2009-07-22 01:53 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-14 17:45 . 2009-07-22 01:53 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe

+ 2008-05-06 12:00 . 2009-07-22 01:58 428224 c:\windows\system32\perfh009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat

+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]

"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]

"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowRun"= 1 (0x1)

"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]

2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Phanfare\\Phanfare.exe"=

"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=

"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=

"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]

R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]

R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]

R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]

R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]

R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]

R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]

S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]

S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]

S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.teezcricket.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-21 22:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)

geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-07-22 22:12

ComboFix-quarantined-files.txt 2009-07-22 02:12

ComboFix2.txt 2009-07-21 16:38

ComboFix3.txt 2009-07-17 16:27

ComboFix4.txt 2009-07-17 02:07

ComboFix5.txt 2009-07-22 01:49

Pre-Run: 1,576,513,536 bytes free

Post-Run: 1,582,829,568 bytes free

338

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 3

7/21/2009 11:58:44 PM

mbam-log-2009-07-21 (23-58-44).txt

Scan type: Full Scan (C:\|)

Objects scanned: 130464

Time elapsed: 16 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

Well first and foremost you need to delete this file and get a GOOD CLEAN copy of it from CD or another Clean XP computer

c:\windows\system32\drivers\tcpip.sys

We are spinning our wheels and we will not be able to clean the computer properly until this file is replaced with a clean version.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
geyekrpjxtedtf
File::
c:\windows\system32\geyekrpjxtedtf.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.
Link to post
Share on other sites

All done, exactly as posted. Here is the Combofix log:

ComboFix 09-07-22.07 - Administrator 07/23/2009 10:40.8.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1644 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt

FILE ::

"c:\windows\system32\geyekrpjxtedtf.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\tcpip.sys

.

((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))

.

2009-07-23 14:19 . 2008-05-05 18:38 361344 ----a-w- c:\windows\system32\drivers\tcpip.sys

2009-07-22 22:06 . 2008-05-05 18:38 361344 ----a-w- C:\tcpip.sys

2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows

2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock

2009-07-16 01:20 . 2009-07-22 00:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro

2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom

2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage

2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat

2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-14 17:40 . 2009-07-21 17:55 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys

2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe

2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll

2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll

2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll

2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll

2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll

2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl

2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast

2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks

2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey

2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau

2009-07-01 04:08 . 2009-07-23 02:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2

2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr

2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll

2009-07-01 04:07 . 2009-07-23 02:22 344560 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer

2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies

2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon

2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory

2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java

2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat

2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-23 14:32 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything

2009-07-23 14:32 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager

2009-07-23 02:30 . 2009-04-20 13:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google

2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll

2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe

2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys

2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe

2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll

2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys

2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys

2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll

2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild

2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby

2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield

2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud

2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects

2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0

2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll

2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby

2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby

2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll

2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll

.

------- Sigcheck -------

[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-23 14:38 . 2009-07-23 14:38 16384 c:\windows\temp\Perflib_Perfdata_1f0.dat

+ 2008-05-06 12:00 . 2009-07-23 14:43 66148 c:\windows\system32\perfc009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat

+ 2009-07-14 17:45 . 2009-07-23 14:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 17:45 . 2009-07-23 14:37 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-14 17:45 . 2009-07-23 14:37 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe

+ 2008-05-06 12:00 . 2009-07-23 14:43 428224 c:\windows\system32\perfh009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat

+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]

"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]

"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowRun"= 1 (0x1)

"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]

2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Phanfare\\Phanfare.exe"=

"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=

"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=

"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]

R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]

R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]

R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]

R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]

R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]

R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]

S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]

S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]

S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.teezcricket.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-23 10:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)

geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-07-23 10:55

ComboFix-quarantined-files.txt 2009-07-23 14:55

ComboFix2.txt 2009-07-22 02:12

ComboFix3.txt 2009-07-21 16:38

ComboFix4.txt 2009-07-17 16:27

ComboFix5.txt 2009-07-23 14:33

Pre-Run: 1,567,268,864 bytes free

Post-Run: 1,571,405,824 bytes free

339

Link to post
Share on other sites

  • Root Admin

Okay well at this point unless you can obtain the Windows XP CD or a copy of the TCPIP.SYS file from a clean system we cannot repair your computer. All versions of it on your system must be located and deleted. Then a CLEAN copy put back in its place.

Once you have the XP CD and you need help locating and replacing these files please let me know.

Link to post
Share on other sites

  • Root Admin

Maybe miscommunication as it did not appear that you were replacing it.

You may have the Windows File Protection kicking in and replacing files. Please try the following.

STEP 01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP 02

Visit these sites on what File Protection is and how to disable it temporarily and then disable it.

http://support.microsoft.com/kb/222193

http://en.wikipedia.org/wiki/Windows_File_Protection

http://www.pctools.com/guides/registry/detail/790/

STEP 03

AFTER File Protection is disabled run the following

Click on START - RUN and Copy/Paste this into the run line and click OK

cmd /c ATTRIB -R -A -S -H /S TCPIP.SYS

Click on START - RUN and Copy/Paste this into the run line and click OK

cmd /c DEL /S TCPIP.SYS

This should delete ALL copies of TCPIP.SYS from the system.

STEP 04

Now restart the computer and once it starts back up do a search (including hidden and system files) for TCPIP.SYS and it should NOT find any copies of it.

The place the Windows XP CD into the CD drive and expand the TCPIP.SY_ to c:\windows\system32\drivers\tcpip.sys

Then restart the computer again.

How to expand Windows XP files from the installation disk

http://support.microsoft.com/kb/888017

STEP 05

Delete your current copy of Combofix.exe and download a NEW fresh copy and run it and post back the NEW log please.

Thanks.

Link to post
Share on other sites

All done again, exactly as requested. Log:

ComboFix 09-07-24.01 - Administrator 07/25/2009 13:26.9.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1638 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix-1.exe

.

((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))

.

2009-07-25 17:11 . 2008-05-05 18:38 361344 ----a-w- c:\windows\system32\drivers\tcpip.sys

2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows

2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock

2009-07-16 01:20 . 2009-07-22 00:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro

2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom

2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage

2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat

2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-14 17:40 . 2009-07-21 17:55 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys

2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe

2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll

2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll

2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll

2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll

2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll

2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl

2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast

2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks

2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey

2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau

2009-07-01 04:08 . 2009-07-23 02:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2

2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr

2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll

2009-07-01 04:07 . 2009-07-23 02:22 344560 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer

2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies

2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe

2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon

2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory

2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java

2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat

2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-23 14:32 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything

2009-07-23 14:32 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager

2009-07-23 02:30 . 2009-04-20 13:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google

2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll

2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe

2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys

2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe

2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll

2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys

2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys

2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll

2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild

2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby

2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield

2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud

2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects

2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0

2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll

2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby

2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby

2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll

2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll

.

------- Sigcheck -------

[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-25 17:24 . 2009-07-25 17:24 16384 c:\windows\temp\Perflib_Perfdata_1f0.dat

+ 2008-05-06 12:00 . 2009-07-25 17:29 66148 c:\windows\system32\perfc009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat

+ 2009-07-14 17:45 . 2009-07-25 17:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 17:45 . 2009-07-25 17:24 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-14 17:45 . 2009-07-25 17:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe

+ 2008-05-06 12:00 . 2009-07-25 17:29 428224 c:\windows\system32\perfh009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat

+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]

"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]

"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowRun"= 1 (0x1)

"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]

2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Phanfare\\Phanfare.exe"=

"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=

"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=

"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]

R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]

R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]

R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]

R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]

R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]

R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]

S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]

S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]

S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.teezcricket.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-25 13:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)

geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-07-25 13:40

ComboFix-quarantined-files.txt 2009-07-25 17:40

ComboFix2.txt 2009-07-23 14:55

ComboFix3.txt 2009-07-22 02:12

ComboFix4.txt 2009-07-21 16:38

ComboFix5.txt 2009-07-25 17:20

Pre-Run: 1,560,051,712 bytes free

Post-Run: 1,562,075,136 bytes free

331

Link to post
Share on other sites

  • Root Admin

I aplogize for the delay but circumstances beyond my control have prevented me from responding.

You're best bet at this time is to start a NEW post and reference this current post so that someone else can assist you.

I will be out of town for the next week and probably will not have access to assist you with this.

Link to post
Share on other sites

Welcome to Malwarebytes!!!! <_<

Please download Sysprot AntiRootkit

Unzip it into a folder on your desktop.

  • Double-Click Sysprot.exe to start the program.
  • Click on the log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the Bottom Right.
  • After a few seconds a new windows should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted too.
  • Open the text file and copy/paste the log here
Link to post
Share on other sites

Thanks for picking up this thread. Here is the log:

SysProt AntiRootkit v1.0.1.0

by swatkat

********************************************************************************

**********

********************************************************************************

**********

Process:

Name: [system Idle Process]

PID: 0

Hidden: No

Window Visible: No

Name: System

PID: 4

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\smss.exe

PID: 1056

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe

PID: 1192

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe

PID: 1216

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\services.exe

PID: 1260

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe

PID: 1272

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\VBoxService.exe

PID: 1432

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1444

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1556

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1788

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 1924

Hidden: No

Window Visible: No

Name: C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe

PID: 328

Hidden: No

Window Visible: No

Name: C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

PID: 428

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 740

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe

PID: 1020

Hidden: No

Window Visible: No

Name: C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

PID: 1660

Hidden: No

Window Visible: No

Name: C:\WINDOWS\explorer.exe

PID: 1732

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\VBoxTray.exe

PID: 1308

Hidden: No

Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

PID: 1936

Hidden: No

Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe

PID: 1972

Hidden: No

Window Visible: No

Name: C:\Program Files\Everything\Everything.exe

PID: 1988

Hidden: No

Window Visible: No

Name: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe

PID: 2000

Hidden: No

Window Visible: No

Name: C:\Program Files\LClock\LClock.exe

PID: 2008

Hidden: No

Window Visible: No

Name: C:\Program Files\Growl for Windows\Growl.exe

PID: 2016

Hidden: No

Window Visible: No

Name: C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

PID: 2024

Hidden: No

Window Visible: No

Name: C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

PID: 132

Hidden: No

Window Visible: No

Name: C:\Program Files\MagicDisc\MagicDisc.exe

PID: 184

Hidden: No

Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

PID: 1892

Hidden: No

Window Visible: No

Name: C:\Program Files\FolderSize\FolderSizeSvc.exe

PID: 540

Hidden: No

Window Visible: No

Name: C:\Program Files\Hotspot Shield\bin\openvpnas.exe

PID: 708

Hidden: No

Window Visible: No

Name: C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

PID: 856

Hidden: No

Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe

PID: 996

Hidden: No

Window Visible: No

Name: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe

PID: 1112

Hidden: No

Window Visible: No

Name: C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe

PID: 1496

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe

PID: 2536

Hidden: No

Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe

PID: 2644

Hidden: No

Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

PID: 2672

Hidden: No

Window Visible: No

Name: C:\WINDOWS\system32\alg.exe

PID: 3124

Hidden: No

Window Visible: No

Name: C:\WINDOWS\explorer.exe

PID: 3140

Hidden: No

Window Visible: No

Name: C:\Documents and Settings\Administrator\Desktop\SysProt\SysProt.exe

PID: 3540

Hidden: No

Window Visible: Yes

********************************************************************************

**********

********************************************************************************

**********

Kernel Modules:

Module Name: \??\C:\Documents and Settings\Administrator\Desktop\SysProt\SysProtDrv.sys

Service Name: SysProtDrv.sys

Module Base: B7AD0000

Module End: B7ADB000

Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe

Service Name: ---

Module Base: 804D7000

Module End: 806ED680

Hidden: No

Module Name: \WINDOWS\system32\hal.dll

Service Name: ---

Module Base: 806EE000

Module End: 80701D00

Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL

Service Name: ---

Module Base: F7987000

Module End: F7989000

Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll

Service Name: ---

Module Base: F7897000

Module End: F789A000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys

Service Name: ACPI

Module Base: F75A8000

Module End: F75D6000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS

Service Name: ---

Module Base: F7989000

Module End: F798B000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys

Service Name: PCI

Module Base: F7597000

Module End: F75A8000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys

Service Name: isapnp

Module Base: F75F7000

Module End: F7601000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys

Service Name: Compbatt

Module Base: F789B000

Module End: F789E000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS

Service Name: BattC

Module Base: F789F000

Module End: F78A3000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys

Service Name: IntelIde

Module Base: F798B000

Module End: F798D000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Service Name: ---

Module Base: F7707000

Module End: F770E000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys

Service Name: MountMgr

Module Base: F7607000

Module End: F7612000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys

Service Name: Disk

Module Base: F74D8000

Module End: F74F7000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys

Service Name: dmload

Module Base: F798D000

Module End: F798F000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys

Service Name: dmio

Module Base: F74B2000

Module End: F74D8000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys

Service Name: PartMgr

Module Base: F770F000

Module End: F7714000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys

Service Name: VolSnap

Module Base: F7617000

Module End: F7624000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys

Service Name: atapi

Module Base: F749A000

Module End: F74B2000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys

Service Name: ---

Module Base: F7627000

Module End: F7630000

Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Service Name: ---

Module Base: F7637000

Module End: F7644000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys

Service Name: FltMgr

Module Base: F747A000

Module End: F749A000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys

Service Name: sr

Module Base: F7468000

Module End: F747A000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys

Service Name: PxHelp20

Module Base: F7647000

Module End: F7651000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys

Service Name: KSecDD

Module Base: F7451000

Module End: F7468000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VBoxGuest.sys

Service Name: VBoxGuest

Module Base: F7717000

Module End: F771F000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys

Service Name: Ntfs

Module Base: F7B52000

Module End: F7BDF000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys

Service Name: NDIS

Module Base: F7424000

Module End: F7451000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys

Service Name: Mup

Module Base: F740A000

Module End: F7424000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdispm.sys

Service Name: RDPDISPM

Module Base: B90D6000

Module End: B90D7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Service Name: ---

Module Base: B7CF8000

Module End: B7D0C000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpvmp.sys

Service Name: RDPVDD

Module Base: BAFD0000

Module End: BAFD4000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Service Name: i8042prt

Module Base: F7677000

Module End: F7684000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Service Name: Kbdclass

Module Base: F781F000

Module End: F7825000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\vmmouse.sys

Service Name: vmmouse

Module Base: F79AD000

Module End: F79AF000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VBoxMouse.sys

Service Name: VBoxMouse

Module Base: B7D9C000

Module End: B7DA5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Service Name: Mouclass

Module Base: F7737000

Module End: F773D000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys

Service Name: Parport

Module Base: B7CA2000

Module End: B7CB6000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Service Name: Cdrom

Module Base: B7D8C000

Module End: B7D9C000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VBoxVideo.sys

Service Name: VBoxVideo

Module Base: B7D7C000

Module End: B7D89000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\pcntpci5.sys

Service Name: PCnet

Module Base: B7D6C000

Module End: B7D75000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ac97intc.sys

Service Name: ac97intc

Module Base: B7C8A000

Module End: B7CA2000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys

Service Name: ---

Module Base: B7C66000

Module End: B7C8A000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys

Service Name: ---

Module Base: B7D5C000

Module End: B7D6B000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ks.sys

Service Name: ---

Module Base: B7C43000

Module End: B7C66000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys

Service Name: usbohci

Module Base: B7EEF000

Module End: B7EF4000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Service Name: ---

Module Base: B7C0E000

Module End: B7C32000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Service Name: usbehci

Module Base: B7EE7000

Module End: B7EEF000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys

Service Name: CmBatt

Module Base: BAFC8000

Module End: BAFCC000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\dne2000.sys

Service Name: DNE

Module Base: B7BF0000

Module End: B7C0E000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\vap.sys

Service Name: DniVap

Module Base: B7EDF000

Module End: B7EE7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys

Service Name: audstub

Module Base: F7A94000

Module End: F7A95000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Service Name: Rasl2tp

Module Base: B7D3C000

Module End: B7D49000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Service Name: NdisTapi

Module Base: BAFC4000

Module End: BAFC7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Service Name: NdisWan

Module Base: B7BA5000

Module End: B7BBC000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Service Name: RasPppoe

Module Base: B7D2C000

Module End: B7D37000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Service Name: PptpMiniport

Module Base: B7D1C000

Module End: B7D28000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Service Name: ---

Module Base: B7ED7000

Module End: B7EDC000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys

Service Name: PSched

Module Base: B7B94000

Module End: B7BA5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Service Name: Gpc

Module Base: B8FBC000

Module End: B8FC5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Service Name: Ptilink

Module Base: B743A000

Module End: B743F000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys

Service Name: Raspti

Module Base: B7432000

Module End: B7437000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tapvpn.sys

Service Name: tapvpn

Module Base: F7587000

Module End: F7592000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys

Service Name: rdpdr

Module Base: B6C83000

Module End: B6CB3000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys

Service Name: TermDD

Module Base: B903C000

Module End: B9046000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mcdbus.sys

Service Name: mcdbus

Module Base: B6C4E000

Module End: B6C65000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS

Service Name: ---

Module Base: B6C36000

Module End: B6C4E000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys

Service Name: swenum

Module Base: F7995000

Module End: F7997000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys

Service Name: Update

Module Base: B6BD8000

Module End: B6C36000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Service Name: mssmbios

Module Base: F7927000

Module End: F792B000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Service Name: usbhub

Module Base: B7160000

Module End: B716F000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Service Name: ---

Module Base: F79A5000

Module End: F79A7000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Service Name: NDProxy

Module Base: B7150000

Module End: B715A000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys

Service Name: redbook

Module Base: B7140000

Module End: B714F000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys

Service Name: Flpydisk

Module Base: F7787000

Module End: F778C000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Service Name: Fs_Rec

Module Base: B76F3000

Module End: B76F5000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS

Service Name: Null

Module Base: B71CF000

Module End: B71D0000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS

Service Name: Beep

Module Base: B76F1000

Module End: B76F3000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys

Service Name: VgaSave

Module Base: B7472000

Module End: B7478000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Service Name: mnmdd

Module Base: B76EF000

Module End: B76F1000

Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Service Name: RDPCDD

Module Base: B76ED000

Module End: B76EF000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS

Service Name: Msfs

Module Base: B6CFB000

Module End: B6D00000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS

Service Name: Npfs

Module Base: B6CF3000

Module End: B6CFB000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Service Name: RasAcd

Module Base: B6B62000

Module End: B6B65000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Service Name: IPSec

Module Base: B64B5000

Module End: B64C8000

Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\IPSECDRV.sys

Service Name: IPSECDRV

Module Base: B648D000

Module End: B64B5000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Service Name: Tcpip

Module Base: B6434000

Module End: B648D000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys

Service Name: AvgTdiX

Module Base: B6403000

Module End: B641C000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys

Service Name: NetBT

Module Base: B63C7000

Module End: B63EF000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys

Service Name: AFD

Module Base: B639B000

Module End: B63BD000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys

Service Name: NetBIOS

Module Base: B6D63000

Module End: B6D6C000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VBoxSF.sys

Service Name: VBoxSF

Module Base: B636C000

Module End: B639B000

Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

Service Name: SASKUTIL

Module Base: B62D6000

Module End: B62FB000

Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

Service Name: SASDIFSV

Module Base: B6CEB000

Module End: B6CF1000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Service Name: Rdbss

Module Base: B62AB000

Module End: B62D6000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Service Name: MRxSmb

Module Base: B623B000

Module End: B62AB000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS

Service Name: Fips

Module Base: B6D43000

Module End: B6D4E000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Service Name: IpNat

Module Base: B6215000

Module End: B623B000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Service Name: Wanarp

Module Base: B6D23000

Module End: B6D2C000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys

Service Name: AvgMfx86

Module Base: F77DF000

Module End: F77E5000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys

Service Name: AvgLdx86

Module Base: B5FB7000

Module End: B6006000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Service Name: Cdfs

Module Base: B4A84000

Module End: B4A94000

Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys

Service Name: ---

Module Base: AFB93000

Module End: AFBAB000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS

Service Name: ---

Module Base: B7257000

Module End: B7259000

Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys

Service Name: ---

Module Base: B2294000

Module End: B2297000

Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys

Service Name: ---

Module Base: F773F000

Module End: F7744000

Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys

Service Name: ---

Module Base: B7054000

Module End: B7055000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ekauio.sys

Service Name: Ekauio

Module Base: B0A6C000

Module End: B0A70000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Service Name: Ndisuio

Module Base: B0A5C000

Module End: B0A60000

Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\Crypto.sys

Service Name: Crypto

Module Base: AEFAA000

Module End: AF044000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys

Service Name: wdmaud

Module Base: AEEA5000

Module End: AEEBA000

Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys

Service Name: sysaudio

Module Base: B4AC4000

Module End: B4AD3000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys

Service Name: MRxDAV

Module Base: AED12000

Module End: AED3F000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Service Name: ParVdm

Module Base: B76E5000

Module End: B76E7000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys

Service Name: Srv

Module Base: AE938000

Module End: AE98A000

Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys

Service Name: HTTP

Module Base: AE5AF000

Module End: AE5F0000

Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys

Service Name: Fdc

Module Base: F772F000

Module End: F7736000

Hidden: No

********************************************************************************

**********

********************************************************************************

**********

No SSDT Hooks found

********************************************************************************

**********

********************************************************************************

**********

Kernel Hooks:

Hooked Function: ZwSaveKeyEx

At Address: 8064EE7D

Jump To: 89831A82

Module Name: _unknown_

Hooked Function: ZwSaveKey

At Address: 8064ED92

Jump To: 8987ECEA

Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache

At Address: 80577693

Jump To: 89870A94

Module Name: _unknown_

Hooked Function: ZwEnumerateKey

At Address: 80570D64

Jump To: 8982BA84

Module Name: _unknown_

Hooked Function: IofCompleteRequest

At Address: 804E3BF6

Jump To: 89887E83

Module Name: _unknown_

Hooked Function: IofCallDriver

At Address: 804E37C5

Jump To: 8984CDA3

Module Name: _unknown_

********************************************************************************

**********

********************************************************************************

**********

No IRP Hooks found

********************************************************************************

**********

********************************************************************************

**********

Ports:

Local Address: EXPERIEN-F1FAFA:23053

Remote Address: LOCALHOST:1034

Type: TCP

Process: C:\Program Files\Growl for Windows\Growl.exe

State: ESTABLISHED

Local Address: EXPERIEN-F1FAFA:18080

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA:13128

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA:10080

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA:5152

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Java\jre6\bin\jqs.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA:1037

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\alg.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA:1034

Remote Address: LOCALHOST:23053

Type: TCP

Process: C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

State: ESTABLISHED

Local Address: EXPERIEN-F1FAFA:895

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Hotspot Shield\bin\openvpnas.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA.BJBISS:1096

Remote Address: 78.46.213.91:HTTPS

Type: TCP

Process: C:\WINDOWS\system32\svchost.exe

State: CLOSE_WAIT

Local Address: EXPERIEN-F1FAFA.BJBISS:NETBIOS-SSN

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

Local Address: EXPERIEN-F1FAFA:23053

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Growl for Windows\Growl.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA:MICROSOFT-DS

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

Local Address: EXPERIEN-F1FAFA:EPMAP

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\svchost.exe

State: LISTENING

Local Address: EXPERIEN-F1FAFA:1900

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1052

Remote Address: NA

Type: UDP

Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1047

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:123

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA.BJBISS:1900

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA.BJBISS:138

Remote Address: NA

Type: UDP

Process: System

State: NA

Local Address: EXPERIEN-F1FAFA.BJBISS:NETBIOS-NS

Remote Address: NA

Type: UDP

Process: System

State: NA

Local Address: EXPERIEN-F1FAFA.BJBISS:123

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:62514

Remote Address: NA

Type: UDP

Process: C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

State: NA

Local Address: EXPERIEN-F1FAFA:9888

Remote Address: NA

Type: UDP

Process: C:\Program Files\Growl for Windows\Growl.exe

State: NA

Local Address: EXPERIEN-F1FAFA:9887

Remote Address: NA

Type: UDP

Process: C:\Program Files\Growl for Windows\Growl.exe

State: NA

Local Address: EXPERIEN-F1FAFA:4500

Remote Address: NA

Type: UDP

Process: C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1046

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1045

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1044

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1043

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1036

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1035

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1033

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1032

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1030

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1029

Remote Address: NA

Type: UDP

Process: C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1028

Remote Address: NA

Type: UDP

Process: C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

State: NA

Local Address: EXPERIEN-F1FAFA:1027

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: EXPERIEN-F1FAFA:500

Remote Address: NA

Type: UDP

Process: C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

State: NA

Local Address: EXPERIEN-F1FAFA:MICROSOFT-DS

Remote Address: NA

Type: UDP

Process: System

State: NA

********************************************************************************

**********

********************************************************************************

**********

Hidden files/folders:

Object: C:\Documents and Settings\Administrator\Local Settings\Temp\geyekr000

Status: Hidden

Object: C:\Documents and Settings\Administrator\Local Settings\Temp\geyekrqlrmqwru000

Status: Hidden

Object: C:\WINDOWS\system32\drivers\geyekrnoqvdksc.sys

Status: Hidden

Object: C:\WINDOWS\system32\geyekrawjnkjee.dat

Status: Hidden

Object: C:\WINDOWS\system32\geyekrpjxtedtf.dll

Status: Hidden

Object: C:\WINDOWS\system32\geyekrqxbqpmul.dll

Status: Hidden

Object: C:\WINDOWS\system32\geyekrvhossrsi.dat

Status: Hidden

Object: C:\WINDOWS\temp\geyekrhbyabdrmfs.tmp

Status: Hidden

Link to post
Share on other sites

Download the attached file CFScript.txt to your Desktop

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HIjackthis log.

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note:Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!

CFScript.txt

CFScript.txt

Link to post
Share on other sites

All done, here are the logs:

ComboFix 09-08-01.09 - Administrator 08/02/2009 13:36.10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1628 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix-3.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\hkxiojz.dll

.

((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))

.

2009-07-25 17:11 . 2008-05-05 18:38 361344 ----a-w- c:\windows\system32\drivers\tcpip.sys

2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows

2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock

2009-07-16 01:20 . 2009-07-22 00:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro

2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst

2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom

2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage

2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat

2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-07-14 17:40 . 2009-07-21 17:55 -------- d--h--w- C:\$AVG8.VAULT$

2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys

2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe

2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll

2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll

2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll

2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll

2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll

2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll

2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen

2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl

2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast

2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks

2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks

2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll

2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll

2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll

2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey

2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-23 14:32 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything

2009-07-23 14:32 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager

2009-07-23 02:30 . 2009-04-20 13:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-07-23 02:22 . 2009-07-01 04:07 344560 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google

2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll

2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe

2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys

2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe

2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll

2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys

2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys

2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll

2009-07-03 22:38 . 2009-06-30 02:25 57164 ---ha-w- c:\windows\system32\mlfcache.dat

2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild

2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies

2009-07-01 03:50 . 2009-07-01 03:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon

2009-07-01 03:02 . 2009-07-01 03:01 -------- d-----w- c:\program files\FormatFactory

2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java

2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-29 18:23 . 2009-07-01 04:08 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr

2009-06-29 18:22 . 2009-07-01 04:08 323624 ----a-w- c:\windows\system32\wiaaut.dll

2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock

2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}

2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock

2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby

2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper

2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield

2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud

2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects

2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects

2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0

2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll

2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-07 12:23 . 2009-06-30 23:54 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll

2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll

.

------- Sigcheck -------

[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-02 17:50 . 2009-08-02 17:50 16384 c:\windows\temp\Perflib_Perfdata_30c.dat

+ 2008-05-06 12:00 . 2009-08-02 17:39 66148 c:\windows\system32\perfc009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat

+ 2009-07-14 17:45 . 2009-08-02 17:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 17:45 . 2009-08-02 17:34 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-14 17:45 . 2009-08-02 17:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe

+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe

+ 2008-05-06 12:00 . 2009-08-02 17:39 428224 c:\windows\system32\perfh009.dat

- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat

+ 2008-05-06 12:00 . 2008-05-06 12:00 102400 c:\windows\system32\iacyyjo.dll

+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]

2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]

"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]

"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]

"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"StartMenuFavorites"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowRun"= 1 (0x1)

"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]

2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Phanfare\\Phanfare.exe"=

"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=

"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=

"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]

R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]

R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]

R2 nxfafzoa;Digital CD Audio Playback Filter Monitor;c:\windows\System32\svchost.exe -k netsvcs [5/6/2008 8:00 AM 14336]

R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]

R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]

R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]

R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]

S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]

S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]

S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

nxfafzoa

.

- - - - ORPHANS REMOVED - - - -

BHO-{F305282D-0461-4337-B1C9-4A9827020598} - c:\windows\system32\hkxiojz.dll

Notify-itbdvntd - hkxiojz.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.teezcricket.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-02 13:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1224)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\hkxiojz.dll

- - - - - - - > 'explorer.exe'(3028)

c:\program files\LClock\LC.dll

c:\program files\Stardock\Fences\DesktopDock.dll

c:\windows\system32\hnetcfg.dll

c:\program files\SUPERAntiSpyware\SASSEH.DLL

c:\windows\system32\VBoxMRXNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\VBoxService.exe

c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe

c:\program files\Juniper\NetScreen-Remote\IreIKE.exe

c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\program files\FolderSize\FolderSizeSvc.exe

c:\program files\Hotspot Shield\bin\openvpnas.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wbem\wmiadap.exe

.

**************************************************************************

.

Completion time: 2009-08-02 13:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-02 17:54

ComboFix2.txt 2009-07-25 17:40

ComboFix3.txt 2009-07-23 14:55

ComboFix4.txt 2009-07-22 02:12

ComboFix5.txt 2009-08-02 17:30

Pre-Run: 1,537,724,416 bytes free

Post-Run: 1,492,455,424 bytes free

358

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:55:38 PM, on 8/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\VBoxService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe

C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\VBoxTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Everything\Everything.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\Growl for Windows\Growl.exe

C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teezcricket.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll

O2 - BHO: (no name) - {F305282D-0461-4337-B1C9-4A9827020598} - c:\windows\system32\hkxiojz.dll (file missing)

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O4 - HKLM\..\Run: [VBoxTray] C:\WINDOWS\system32\VBoxTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup

O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe"

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKCU\..\Run: [Growl] C:\Program Files\Growl for Windows\Growl.exe

O4 - HKCU\..\Run: [Gmail Growl] C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: itbdvntd - hkxiojz.dll (file missing)

O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe

O23 - Service: Google Update Service (gupdate1c9c1b183ad1450) (gupdate1c9c1b183ad1450) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe

O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS\system32\VBoxService.exe

O24 - Desktop Component 0: (no name) - (no file)

--

End of file - 7459 bytes

Link to post
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.