
Another Unruy.d infection


As others have posted, this bugger just doesn't want to go away.

MS Security Essentials would identify it, claim to remove it, but upon reboot it recycles and is back again. For some reason, I thought maybe a reinstall of MSSE would help. Unfortunately, after removing the older edition, I'm unable to install a new one. So now I'm without MSSE.

Another program that at least recognizes it is Hitman 3.5. But once again... after the reboot, it comes back.

Here's the DDS.txt (and attach.txt is attached).

DDS (Ver_10-03-17.01) - NTFSx86

Run by User at 21:47:37.28 on Sat 06/12/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2175 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

G:\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe

C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [iTunesHelper] "g:\itunes\iTunesHelper.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267860478421

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e2pvniz3.default\

FF - prefs.js: browser.startup.homepage - hxxps://my.waldenu.edu/portal/User/LCPLogin.aspx?ReturnUrl=%2fportal%2fLearning%2fDefault.aspx

FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: g:\itunes\mozilla plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-5 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-5 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2010-3-5 57344]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-5 11520]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

S2 HitmanPro35CrusaderBoot;Hitman Pro 3.5 Crusader (Boot);c:\program files\hitman pro 3.5\HitmanPro35.exe [2010-6-11 5937984]

S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2003-7-23 18848]

S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link dwa-552 xtreme n desktop adapter\jswpsapi.exe [2010-3-5 356434]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]

S3 SRS_iWowPC_Service;SRS Labs iWow PC;c:\windows\system32\drivers\SRS_iWowPC_i386.sys [2010-3-7 37888]

S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]

=============== Created Last 30 ================

2010-06-13 03:56:22 288 ----a-w- c:\windows\system32\bootdelete.lst

2010-06-13 03:56:22 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-12 05:55:00 696 ----a-w- c:\windows\system32\.crusader

2010-06-12 05:51:49 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-12 05:51:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-06-12 05:51:15 0 d-----w- c:\program files\Hitman Pro 3.5

2010-06-11 00:58:21 230 ----a-w- c:\windows\system32\spupdsvc.inf

2010-06-08 03:30:55 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes

2010-06-08 03:30:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 03:30:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-08 03:30:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 03:30:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 20:31:08 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com

2010-06-06 20:31:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-06 20:30:54 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-06 20:26:56 0 d-----w- c:\program files\Microsoft AntiSpyware

2010-06-06 20:26:36 0 d-----w- c:\windows\Downloaded Installations

2010-06-06 17:34:28 0 d-----w- c:\program files\Enigma Software Group

2010-06-06 17:32:59 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

2010-06-06 17:32:52 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-06-06 03:14:08 0 d-----w- c:\docume~1\user\applic~1\Screaming Bee

2010-06-06 03:13:32 0 d-----w- c:\program files\Screaming Bee

2010-06-06 03:13:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Screaming Bee

2010-05-29 21:57:52 0 d-----w- c:\docume~1\user\applic~1\ActiveState

2010-05-29 21:56:42 0 d-----w- c:\program files\ActiveState Komodo Edit 5

2010-05-29 19:25:51 0 d-----w- c:\docume~1\user\applic~1\LimeWire

2010-05-29 19:25:24 0 d-----w- c:\program files\LimeWire

2010-05-29 01:22:26 0 d-----w- c:\program files\TweetDeck

2010-05-27 14:17:09 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2010-05-27 13:36:02 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-05-27 13:35:59 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-05-27 13:35:58 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-05-27 13:35:55 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-05-27 13:32:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-05-27 13:31:53 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-24 00:33:15 0 d-----w- c:\program files\BackStreet Browser 3.1

2010-05-17 20:36:00 0 d-----w- c:\docume~1\user\applic~1\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

2010-05-15 18:10:19 0 d-----w- c:\program files\Citrix

2010-05-15 18:09:59 72080 ----a-w- c:\documents and settings\user\g2mdlhlpx.exe

==================== Find3M ====================

2010-06-13 03:41:36 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-13 03:41:29 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-06-02 00:07:44 108620 ----a-w- c:\windows\fonts\BEAUTYSC.TTF

2010-06-02 00:07:33 28940 ----a-w- c:\windows\fonts\UNDERGRO.TTF

2010-06-02 00:07:19 3930 ----a-w- c:\windows\fonts\PlatinumHubCapsSolid.txt

2010-06-02 00:07:19 37732 ----a-w- c:\windows\fonts\PlatinumHubCapsSolid.ttf

2010-06-02 00:06:59 136136 ----a-w- c:\windows\fonts\OLDGATEL.TTF

2010-05-28 00:07:36 19996 ----a-w- c:\windows\fonts\Tallys_15.otf

2010-05-27 14:17:09 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2010-05-06 17:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-01 16:12:37 188048 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll

2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-10 15:11:27 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-04-10 14:58:56 29480 ----a-w- c:\windows\system32\msxml3a.dll

2010-04-10 14:58:55 505128 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-10 14:58:55 353576 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-16 14:11:33 73728 ----a-w- c:\windows\system32\np_plugin.dll

2010-03-16 10:37:50 278120 ----a-w- c:\windows\system32\nvmccs.dll

2010-03-16 10:37:50 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2010-03-16 10:37:50 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-03-16 10:37:50 13670504 ----a-w- c:\windows\system32\nvcpl.dll

2010-03-16 10:37:50 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-03-16 10:37:44 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-03-16 06:51:59 6432128 ----a-w- c:\windows\system32\nv4_disp.dll

2010-03-16 06:51:59 61440 ----a-w- c:\windows\system32\OpenCL.dll

2010-03-16 06:51:59 600680 ----a-w- c:\windows\system32\nvudisp.exe

2010-03-16 06:51:59 4075520 ----a-w- c:\windows\system32\nvcuda.dll

2010-03-16 06:51:59 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll

2010-03-16 06:51:59 2183470 ----a-w- c:\windows\system32\nvdata.bin

2010-03-16 06:51:59 215656 ----a-w- c:\windows\system32\nvcodins.dll

2010-03-16 06:51:59 215656 ----a-w- c:\windows\system32\nvcod.dll

2010-03-16 06:51:59 2030184 ----a-w- c:\windows\system32\nvcuvid.dll

2010-03-16 06:51:59 14757888 ----a-w- c:\windows\system32\nvoglnt.dll

2010-03-16 06:51:59 11640832 ----a-w- c:\windows\system32\nvcompiler.dll

2010-03-16 06:51:59 1097728 ----a-w- c:\windows\system32\nvapi.dll

============= FINISH: 21:48:05.73 ===============

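An added example for readers of this thread (it is not part of the original post and not a feature of DDS, Hitman Pro or any other tool named above): a small Python script that triages a DDS log of the kind posted, pulling out the entry types an analyst reads first when looking for persistence. The sample lines are constructed from entries in the log above. A hit is a prompt to check the entry, not a verdict; uninstalled tools leave the same "[?]" lines behind.

```python
"""Triage of a DDS "Pseudo HJT Report" and SERVICES / DRIVERS section.

Added example for this thread; it is not part of DDS, ComboFix or any tool
named in the thread. It flags the entry types an analyst checks first when
hunting persistence in a log like the one posted:
  - BHO / Handler / SEH / Notify registrations whose DLL is gone ("No File")
  - services or drivers whose image file DDS could not find ("[?]")
  - kernel drivers loaded from a user temp directory
  - Hosts file overrides
"""
import re
from typing import Dict, List

# Constructed sample modelled on lines in the DDS log posted above.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Hosts: 127.0.0.1 www.spywareinfo.com
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-5 164048]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
"""

# DDS service/driver lines: "<R|S><n> <name>;<display name>;<image path and details>"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Per-user temp directory in 8.3 or long form, e.g. \docume~1\user\locals~1\temp\
TEMP_DIR_RE = re.compile(r"(?:locals~1|local settings)\\temp\\", re.IGNORECASE)
REGISTRATION_PREFIXES = ("BHO:", "Handler:", "SEH:", "Notify:")


def triage_line(line: str) -> List[str]:
    """Return the finding tags for one DDS line (empty list when nothing stands out)."""
    findings: List[str] = []
    if line.startswith(REGISTRATION_PREFIXES) and line.rstrip().endswith("- No File"):
        findings.append("orphan-registration")   # CLSID still registered, DLL absent (or hidden)
    if line.startswith("Hosts:"):
        findings.append("hosts-override")        # any hosts redirection is worth reading
    m = SERVICE_RE.match(line)
    if m:
        rest = m.group("rest").rstrip()
        if rest.endswith("[?]"):
            findings.append("image-not-found")   # DDS could not stat the service/driver image
        if TEMP_DIR_RE.search(rest):
            findings.append("driver-in-temp")    # kernel code loading from user-writable temp
    return findings


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group every flagged line of a DDS log by finding tag."""
    report: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for tag in triage_line(line):
            report.setdefault(tag, []).append(line)
    return report


if __name__ == "__main__":
    for tag, lines in triage(SAMPLE_LOG).items():
        print(f"[{tag}]")
        for entry in lines:
            print("   ", entry)
```

Run it against a saved DDS.txt by passing the file contents to triage(). On the sample it groups the orphan BHO, the hosts override, three services whose image was not found and the one driver that loads from the user's temp directory; which of those matter is still a judgement call, since CPU-Z and leftover anti-spyware drivers produce the same lines.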

Hi,

1. Download Bootkit Remover (note: it's a RAR archive, so you have to install a compatible program, like 7-Zip, if there isn't one installed).

2. Extract the contents to its own folder (BRemover folder) on your desktop.

3. Click Start -> Run, type cmd.exe and press Enter.

4. In command prompt type this (I assume you extracted folder contents to BRemover folder on your desktop):

"%userprofile%\desktop\Bremover\remover.exe" >"%userprofile%\desktop\logit.txt"

5. Press Enter once more to bring the cursor back after entering the command above. After that there should be a logit.txt file on your desktop. Attach it to your post, please.

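The reply above points at a bootkit remover, which means the first thing being checked is the master boot record. As an added illustration of what such a check does (this is not Bootkit Remover's code and not part of the thread), here is a minimal MBR integrity check in Python. The 512-byte sector it works on is constructed, not read from the poster's disk, and the "clean" and "infected" boot-code bytes are stand-ins; the assumption is that a trusted baseline of the sector was recorded earlier and kept off the suspect machine.

```python
r"""Minimal MBR integrity check, added as an illustration of what a
bootkit-removal tool inspects first. Not any named tool's code; the sector
below is constructed. Assumption: a clean baseline from parse_mbr() exists.

On a live Windows system an administrator can read the real sector with
open(r"\\.\PhysicalDrive0", "rb").read(512). A bootkit that hooks disk I/O
can hand the original sector back to such a read, which is why removal
tools also read the disk from outside the running OS.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot code; 440..445 hold the NT disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sector: boot code padded to 440 bytes, disk signature, one active NTFS partition."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Validate the layout and return the boot-code hash plus the decoded partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: Dict) -> List[str]:
    """Compare a sector with a trusted parse_mbr() baseline; an empty list means unchanged."""
    current = parse_mbr(sector)
    findings: List[str] = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    if sum(1 for p in current["partitions"] if p["active"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


# Constructed stand-ins: a few bytes of "known" boot code, and a modified copy whose
# first instruction is a jump elsewhere, the shape of change a bootkit makes.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * 8
INFECTED_CODE = bytes.fromhex("e9") + (0x0180).to_bytes(2, "little") + b"\x90" * 12

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_CODE)
    trusted = parse_mbr(clean)
    print("clean    :", check_mbr(clean, trusted) or "OK")
    print("modified :", check_mbr(build_sample_mbr(INFECTED_CODE), trusted))
```

The hash covers only the 440 code bytes, so a baseline taken from an identical install on another disk still matches; the partition table is compared separately because a changed boot sector with an intact table and a changed table are different findings. If the check comes back clean on a machine that keeps reinfecting after every reboot, the next thing to suspect is that the read itself was filtered, and the sector should be re-read from boot media.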

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Combofix.txt:

ComboFix 10-06-20.03 - User 06/20/2010 22:28:26.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2377 [GMT -7:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\g2mdlhlpx.exe

c:\windows\system32\Data

c:\windows\system32\VB6KO.DLL

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))

.

2010-06-20 19:55 . 2010-06-20 19:55 -------- d-----w- c:\program files\7-Zip

2010-06-12 05:51 . 2010-06-20 20:37 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-12 05:51 . 2010-06-12 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-12 05:51 . 2010-06-12 05:51 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-12 05:42 . 2010-06-12 05:42 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth

2010-06-08 17:26 . 2010-06-16 14:02 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-08 03:30 . 2010-06-08 03:30 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-06-08 03:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 03:30 . 2010-06-08 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-08 03:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 03:30 . 2010-06-08 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 20:31 . 2010-06-06 20:31 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com

2010-06-06 20:31 . 2010-06-06 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-06 20:30 . 2010-06-11 04:52 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-06 20:26 . 2010-06-21 05:36 -------- d-----w- c:\program files\Microsoft AntiSpyware

2010-06-06 20:26 . 2010-06-06 20:26 -------- d-----w- c:\windows\Downloaded Installations

2010-06-06 17:34 . 2010-06-06 17:34 -------- d-----w- c:\program files\Enigma Software Group

2010-06-06 17:32 . 2010-06-06 20:11 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

2010-06-06 17:32 . 2010-06-06 17:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-06-06 03:14 . 2010-06-06 03:14 -------- d-----w- c:\documents and settings\User\Application Data\Screaming Bee

2010-06-06 03:13 . 2010-06-11 00:57 -------- d-----w- c:\program files\Screaming Bee

2010-06-06 03:13 . 2010-06-06 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee

2010-05-31 20:03 . 2010-05-31 20:03 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\ActiveState

2010-05-29 21:57 . 2010-05-29 21:57 -------- d-----w- c:\documents and settings\User\Application Data\ActiveState

2010-05-29 21:56 . 2010-05-29 21:56 -------- d-----w- c:\program files\ActiveState Komodo Edit 5

2010-05-29 19:25 . 2010-06-20 09:43 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire

2010-05-29 19:25 . 2010-06-05 07:13 -------- d-----w- c:\program files\LimeWire

2010-05-29 01:22 . 2010-05-29 01:22 -------- d-----w- c:\program files\TweetDeck

2010-05-27 14:17 . 2010-05-27 14:17 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2010-05-27 13:36 . 2010-05-27 13:36 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-05-27 13:35 . 2010-05-27 13:36 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-05-27 13:35 . 2010-05-27 13:36 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-05-27 13:35 . 2010-05-27 13:35 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-05-27 13:32 . 2010-06-06 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-27 13:31 . 2010-06-06 16:33 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-24 00:33 . 2010-05-27 03:14 -------- d-----w- c:\program files\BackStreet Browser 3.1

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-21 05:36 . 2010-04-10 15:09 -------- d-----w- c:\program files\lg_fwupdate

2010-06-21 05:34 . 2010-03-13 16:53 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-21 05:34 . 2010-03-13 16:52 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-06-21 00:48 . 2010-03-06 02:24 -------- d-----w- c:\program files\City of Heroes

2010-06-20 09:43 . 2010-03-09 04:30 -------- d-----w- c:\documents and settings\User\Application Data\vlc

2010-06-19 17:48 . 2010-05-17 20:35 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-06-19 17:47 . 2010-06-19 17:50 53632 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-06-12 05:58 . 2010-03-13 20:34 291000 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-12 05:41 . 2010-03-13 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-06 20:31 . 2010-06-06 20:31 63488 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-06 20:31 . 2010-06-06 20:31 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-06 20:31 . 2010-06-06 20:31 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-29 17:48 . 2010-04-20 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM

2010-05-27 14:18 . 2010-03-05 07:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-27 14:17 . 2010-03-05 15:27 -------- d-----w- c:\program files\Creative

2010-05-27 14:17 . 2003-03-28 11:24 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2010-05-27 14:02 . 2010-03-13 18:15 -------- d-----w- c:\documents and settings\User\Application Data\Skype

2010-05-27 14:00 . 2010-03-13 18:16 -------- d-----w- c:\documents and settings\User\Application Data\skypePM

2010-05-25 03:32 . 2010-05-25 03:32 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75ff8234-n\msvcp71.dll

2010-05-25 03:32 . 2010-05-25 03:32 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75ff8234-n\jmc.dll

2010-05-25 03:32 . 2010-05-25 03:32 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-324100ca-n\decora-sse.dll

2010-05-25 03:32 . 2010-05-25 03:32 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75ff8234-n\msvcr71.dll

2010-05-25 03:32 . 2010-05-25 03:32 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-324100ca-n\decora-d3d.dll

2010-05-17 20:36 . 2010-05-17 20:36 -------- d-----w- c:\documents and settings\User\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

2010-05-15 18:10 . 2010-05-15 18:10 -------- d-----w- c:\program files\Citrix

2010-05-13 00:05 . 2010-04-05 20:37 -------- d-----w- c:\program files\Java

2010-05-06 20:59 . 2010-03-06 06:00 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-06 20:39 . 2010-03-06 06:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-06 20:39 . 2010-03-06 06:00 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-06 20:34 . 2010-03-06 06:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-06 20:33 . 2010-03-06 06:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-06 20:33 . 2010-03-06 06:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-06 20:33 . 2010-03-06 06:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-06 20:33 . 2010-03-06 06:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-06 17:36 . 2010-03-06 06:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 18:43 . 2010-05-04 18:43 -------- d-----w- c:\program files\LightScribe Template Labeler

2010-05-04 17:20 . 2004-08-10 11:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-10 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 03:06 . 2010-03-11 02:41 256 ----a-w- c:\windows\system32\pool.bin

2010-05-01 16:12 . 2010-05-01 16:12 188048 ---ha-w- c:\windows\system32\mlfcache.dat

2010-05-01 01:28 . 2010-05-01 01:28 -------- d-----w- c:\documents and settings\User\Application Data\LegalSounds

2010-05-01 01:28 . 2010-05-01 01:28 -------- d-----w- c:\program files\LegalSounds

2010-04-29 04:33 . 2010-04-29 04:33 -------- d-----w- c:\program files\iPod

2010-04-29 04:33 . 2010-03-13 16:57 -------- d-----w- c:\program files\Common Files\Apple

2010-04-29 04:29 . 2010-04-29 04:29 -------- d-----w- c:\program files\Bonjour

2010-04-29 04:27 . 2010-04-29 04:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-20 05:30 . 2004-08-10 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-14 16:47 . 2010-03-06 06:00 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-04-13 00:29 . 2010-05-13 00:05 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-10 15:11 . 2010-04-10 15:09 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-04-10 15:10 . 2010-04-10 15:10 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe

2010-04-10 15:03 . 2010-04-10 15:03 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe

2010-04-10 15:00 . 2010-04-10 15:00 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe

2010-04-10 14:58 . 2010-04-10 14:59 29480 ----a-w- c:\windows\system32\msxml3a.dll

2010-04-10 14:58 . 2010-04-10 14:59 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe

2010-04-10 14:58 . 2003-03-19 04:14 505128 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-10 14:58 . 2003-02-21 12:42 353576 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-10 14:56 . 2010-04-10 14:56 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe

2010-04-10 14:54 . 2010-04-10 14:54 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe

2010-04-10 14:53 . 2010-04-10 14:53 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe

2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-05 20:37 . 2010-04-05 20:37 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4835d3b9-n\msvcp71.dll

2010-04-05 20:37 . 2010-04-05 20:37 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47639360-n\decora-sse.dll

2010-04-05 20:37 . 2010-04-05 20:37 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4835d3b9-n\jmc.dll

2010-04-05 20:37 . 2010-04-05 20:37 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4835d3b9-n\msvcr71.dll

2010-04-05 20:37 . 2010-04-05 20:37 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47639360-n\decora-d3d.dll

2010-03-26 17:33 . 2010-04-14 05:15 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-03-26 17:33 . 2010-04-14 05:15 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-03-26 17:33 . 2010-04-14 05:15 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-03-26 17:32 . 2010-04-14 05:15 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3216664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"P17Helper"="P17.dll" [2005-05-04 64512]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]

"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]

"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]

"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]

"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-04-10 557056]

"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-26 210216]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

"iTunesHelper"="g:\itunes\iTunesHelper.exe" [2010-04-28 142120]

"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-12 5937984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]

WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"g:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"g:\\FTP\\WS_FTP95.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 11:00 PM 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 11:00 PM 19024]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 12:28 PM 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [3/5/2010 8:34 AM 57344]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/5/2010 6:06 PM 11520]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]

S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [7/23/2003 2:44 AM 18848]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [3/5/2010 8:34 AM 356434]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [11/26/2009 1:06 AM 34384]

S3 SRS_iWowPC_Service;SRS Labs iWow PC;c:\windows\system32\drivers\SRS_iWowPC_i386.sys [3/7/2010 2:02 AM 37888]

S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [4/21/2007 7:15 AM 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 20:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\

FF - prefs.js: browser.startup.homepage - hxxps://my.waldenu.edu/portal/User/LCPLogin.aspx?ReturnUrl=%2fportal%2fLearning%2fDefault.aspx

FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: g:\itunes\Mozilla Plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-20 22:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)

c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5844)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\system volume information\Microsoft\services.exe

c:\system volume information\Microsoft\smss.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe

c:\windows\system32\Rundll32.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.EXE

c:\windows\system32\RUNDLL32.EXE

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\Microsoft AntiSpyware\gcasDtServ.exe

c:\program files\Canon\IJPLM\IJPLMSVC.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\wscntfy.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2010-06-20 22:45:00 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-21 05:44

Pre-Run: 107,038,564,352 bytes free

Post-Run: 107,285,561,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - BB21685BDC126C1216D0A6B0DCC6732E

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by User at 22:47:16.78 on Sun 06/20/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2257 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe

svchost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

G:\iTunes\iTunesHelper.exe

C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\User\Desktop\dds.scr

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [sRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [iTunesHelper] "g:\itunes\iTunesHelper.exe"

mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267860478421

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e2pvniz3.default\

FF - prefs.js: browser.startup.homepage - hxxps://my.waldenu.edu/portal/User/LCPLogin.aspx?ReturnUrl=%2fportal%2fLearning%2fDefault.aspx

FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: g:\itunes\mozilla plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-5 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-5 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2010-3-5 57344]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-5 11520]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2003-7-23 18848]

S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link dwa-552 xtreme n desktop adapter\jswpsapi.exe [2010-3-5 356434]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]

S3 SRS_iWowPC_Service;SRS Labs iWow PC;c:\windows\system32\drivers\SRS_iWowPC_i386.sys [2010-3-7 37888]

S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]

=============== Created Last 30 ================

2010-06-21 05:27:06 0 d-sha-r- C:\cmdcons

2010-06-21 05:23:09 98816 ----a-w- c:\windows\sed.exe

2010-06-21 05:23:09 77312 ----a-w- c:\windows\MBR.exe

2010-06-21 05:23:09 256512 ----a-w- c:\windows\PEV.exe

2010-06-21 05:23:09 161792 ----a-w- c:\windows\SWREG.exe

2010-06-12 05:55:00 696 ----a-w- c:\windows\system32\.crusader

2010-06-12 05:51:49 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-12 05:51:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-06-12 05:51:15 0 d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 03:30:55 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes

2010-06-08 03:30:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 03:30:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-08 03:30:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 03:30:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 20:31:08 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com

2010-06-06 20:31:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-06 20:30:54 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-06 20:26:56 0 d-----w- c:\program files\Microsoft AntiSpyware

2010-06-06 20:26:36 0 d-----w- c:\windows\Downloaded Installations

2010-06-06 17:34:28 0 d-----w- c:\program files\Enigma Software Group

2010-06-06 17:32:59 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

2010-06-06 17:32:52 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-06-06 03:14:08 0 d-----w- c:\docume~1\user\applic~1\Screaming Bee

2010-06-06 03:13:32 0 d-----w- c:\program files\Screaming Bee

2010-06-06 03:13:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Screaming Bee

2010-05-29 21:57:52 0 d-----w- c:\docume~1\user\applic~1\ActiveState

2010-05-29 21:56:42 0 d-----w- c:\program files\ActiveState Komodo Edit 5

2010-05-29 19:25:51 0 d-----w- c:\docume~1\user\applic~1\LimeWire

2010-05-29 19:25:24 0 d-----w- c:\program files\LimeWire

2010-05-29 01:22:26 0 d-----w- c:\program files\TweetDeck

2010-05-27 14:17:09 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2010-05-27 13:36:02 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-05-27 13:35:59 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-05-27 13:35:58 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-05-27 13:35:55 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-05-27 13:32:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-05-27 13:31:53 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-24 00:33:15 0 d-----w- c:\program files\BackStreet Browser 3.1

==================== Find3M ====================

2010-06-21 05:34:57 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-21 05:34:54 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-06-02 00:07:44 108620 ----a-w- c:\windows\fonts\BEAUTYSC.TTF

2010-06-02 00:07:33 28940 ----a-w- c:\windows\fonts\UNDERGRO.TTF

2010-06-02 00:07:19 3930 ----a-w- c:\windows\fonts\PlatinumHubCapsSolid.txt

2010-06-02 00:07:19 37732 ----a-w- c:\windows\fonts\PlatinumHubCapsSolid.ttf

2010-06-02 00:06:59 136136 ----a-w- c:\windows\fonts\OLDGATEL.TTF

2010-05-28 00:07:36 19996 ----a-w- c:\windows\fonts\Tallys_15.otf

2010-05-27 14:17:09 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2010-05-06 17:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-01 16:12:37 188048 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-10 15:11:27 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-04-10 14:58:56 29480 ----a-w- c:\windows\system32\msxml3a.dll

2010-04-10 14:58:55 505128 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-10 14:58:55 353576 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 22:47:46.45 ===============


Hi,

Could you give me some details about your c: and g: drives? Is there an operating system installed on the g: drive too, or is the only one on the c: drive?

The g: drive is an external WD "My Book" hard drive, USB connected, and has no operating system installed. The c: drive is the "main" drive.


Ok. Thanks for the info.

1. Click start->run->type cmd.exe and press enter.

2. In command prompt type this:

"%userprofile%\desktop\Bremover\remover.exe" fix \\.\PhysicalDrive0

3. Type exit and press enter to close command prompt window.

4. Reboot and run ComboFix again. Post back the report + fresh dds log.

Start MBAM, update its database and run a quick scan letting it remove all found items. Post back the report.

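The helper's first-pass read of a DDS or ComboFix log is mostly pattern matching on the SERVICES / DRIVERS section and a few policy keys. As an added example (not code from this thread, from DDS, ComboFix or any tool mentioned here), the Python script below parses those lines and lists the entries a reviewer would look at first: an image file DDS could not verify (`[?]`), a driver whose image lives under a temp directory, a driver whose image sits on a drive other than the system drive, and a firewall profile with `EnableFirewall` set to 0. The sample lines are copied from the logs posted above; the triage rules are my own heuristics and are review prompts rather than verdicts, since a legitimate utility can trip them.

```python
import re

# Sample input: lines taken from the DDS and ComboFix logs posted in this
# thread (services/drivers section plus the firewall policy key).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-5 164048]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One DDS service/driver line: "<R|S><n> <name>;<display>;<path> [<date size>|?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<value>\d+)')
SYSTEM_DRIVE = "c:"  # assumption: Windows is installed on c:, as in this thread


def parse_services(log_text):
    """Parse DDS service/driver lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        # Image paths written as "\??\x --> y" resolve to the right-hand side.
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        entries.append({
            "state": m.group("state"),        # R = running, S = stopped
            "start": int(m.group("start")),   # service start type 0..4
            "name": m.group("name"),
            "path": path.lower(),
            "verified": m.group("meta") != "?",  # "[?]" = DDS could not stat the file
        })
    return entries


def triage(log_text):
    """Return (name, reason) pairs for entries a helper would review first.
    These are review prompts, not verdicts: a legitimate tool can trip them."""
    findings = []
    for e in parse_services(log_text):
        if not e["verified"]:
            findings.append((e["name"], "image file missing or unreadable ([?])"))
        if "\\temp\\" in e["path"]:
            findings.append((e["name"], "driver loads from a temp directory"))
        if not e["path"].startswith(SYSTEM_DRIVE):
            findings.append((e["name"], "driver loads from a non-system drive"))
    for line in log_text.splitlines():
        m = FIREWALL_RE.match(line.strip())
        if m and m.group("value") == "0":
            findings.append(("EnableFirewall", "Windows Firewall disabled for this profile"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name:16} {reason}")
```

Run against the sample, the script reports SABKUTIL, cpuz132 and PciCon for the `[?]` marker, cpuz132 again for the temp-directory path, PciCon for loading from d:, and the disabled firewall profile; the avast! and tenCapture entries pass every rule. Feeding it a whole DDS log works the same way, because lines that do not match the service pattern are ignored.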

Reports are below. MBAM found nothing... but then, it never did detect this to begin with.

ComboFix 10-06-20.03 - User 06/21/2010 10:43:22.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2452 [GMT -7:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))

.

2010-06-20 19:55 . 2010-06-20 19:55 -------- d-----w- c:\program files\7-Zip

2010-06-19 17:50 . 2010-06-19 17:47 53632 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-06-12 05:51 . 2010-06-21 17:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-12 05:51 . 2010-06-12 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-12 05:51 . 2010-06-12 05:51 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-12 05:42 . 2010-06-12 05:42 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth

2010-06-08 17:26 . 2010-06-16 14:02 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-08 03:30 . 2010-06-08 03:30 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-06-08 03:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 03:30 . 2010-06-08 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-08 03:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 03:30 . 2010-06-08 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 20:31 . 2010-06-06 20:31 63488 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-06 20:31 . 2010-06-06 20:31 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-06 20:31 . 2010-06-06 20:31 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-06 20:31 . 2010-06-06 20:31 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com

2010-06-06 20:31 . 2010-06-06 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-06 20:30 . 2010-06-11 04:52 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-06 20:26 . 2010-06-21 17:51 -------- d-----w- c:\program files\Microsoft AntiSpyware

2010-06-06 20:26 . 2010-06-06 20:26 -------- d-----w- c:\windows\Downloaded Installations

2010-06-06 17:34 . 2010-06-06 17:34 -------- d-----w- c:\program files\Enigma Software Group

2010-06-06 17:32 . 2010-06-06 20:11 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

2010-06-06 17:32 . 2010-06-06 17:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-06-06 03:14 . 2010-06-06 03:14 -------- d-----w- c:\documents and settings\User\Application Data\Screaming Bee

2010-06-06 03:13 . 2010-06-11 00:57 -------- d-----w- c:\program files\Screaming Bee

2010-06-06 03:13 . 2010-06-06 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee

2010-05-31 20:03 . 2010-05-31 20:03 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\ActiveState

2010-05-29 21:57 . 2010-05-29 21:57 -------- d-----w- c:\documents and settings\User\Application Data\ActiveState

2010-05-29 21:56 . 2010-05-29 21:56 -------- d-----w- c:\program files\ActiveState Komodo Edit 5

2010-05-29 19:25 . 2010-06-20 09:43 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire

2010-05-29 19:25 . 2010-06-05 07:13 -------- d-----w- c:\program files\LimeWire

2010-05-29 01:22 . 2010-05-29 01:22 -------- d-----w- c:\program files\TweetDeck

2010-05-27 14:17 . 2010-05-27 14:17 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2010-05-27 13:36 . 2010-05-27 13:36 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-05-27 13:35 . 2010-05-27 13:36 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-05-27 13:35 . 2010-05-27 13:36 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-05-27 13:35 . 2010-05-27 13:35 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-05-27 13:32 . 2010-06-06 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-27 13:31 . 2010-06-06 16:33 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-25 03:32 . 2010-05-25 03:32 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75ff8234-n\msvcp71.dll

2010-05-25 03:32 . 2010-05-25 03:32 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75ff8234-n\jmc.dll

2010-05-25 03:32 . 2010-05-25 03:32 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-324100ca-n\decora-sse.dll

2010-05-25 03:32 . 2010-05-25 03:32 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-75ff8234-n\msvcr71.dll

2010-05-25 03:32 . 2010-05-25 03:32 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-324100ca-n\decora-d3d.dll

2010-05-24 00:33 . 2010-05-27 03:14 -------- d-----w- c:\program files\BackStreet Browser 3.1

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-21 17:51 . 2010-04-10 15:09 -------- d-----w- c:\program files\lg_fwupdate

2010-06-21 17:50 . 2010-03-13 16:53 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-21 17:50 . 2010-03-13 16:52 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-06-21 00:48 . 2010-03-06 02:24 -------- d-----w- c:\program files\City of Heroes

2010-06-20 09:43 . 2010-03-09 04:30 -------- d-----w- c:\documents and settings\User\Application Data\vlc

2010-06-19 17:48 . 2010-05-17 20:35 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-06-12 05:58 . 2010-03-13 20:34 291000 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-12 05:41 . 2010-03-13 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-29 17:48 . 2010-04-20 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM

2010-05-28 00:07 . 2006-10-07 17:48 70 ----a-w- c:\windows\Fonts\._Tallys_15.otf

2010-05-27 14:18 . 2010-03-05 07:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-27 14:17 . 2010-03-05 15:27 -------- d-----w- c:\program files\Creative

2010-05-27 14:17 . 2003-03-28 11:24 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2010-05-27 14:02 . 2010-03-13 18:15 -------- d-----w- c:\documents and settings\User\Application Data\Skype

2010-05-27 14:00 . 2010-03-13 18:16 -------- d-----w- c:\documents and settings\User\Application Data\skypePM

2010-05-17 20:36 . 2010-05-17 20:36 -------- d-----w- c:\documents and settings\User\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

2010-05-15 18:10 . 2010-05-15 18:10 -------- d-----w- c:\program files\Citrix

2010-05-13 00:05 . 2010-04-05 20:37 -------- d-----w- c:\program files\Java

2010-05-06 20:59 . 2010-03-06 06:00 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-06 20:39 . 2010-03-06 06:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-06 20:39 . 2010-03-06 06:00 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-06 20:34 . 2010-03-06 06:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-06 20:33 . 2010-03-06 06:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-06 20:33 . 2010-03-06 06:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-06 20:33 . 2010-03-06 06:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-06 20:33 . 2010-03-06 06:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-06 17:36 . 2010-03-06 06:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 18:43 . 2010-05-04 18:43 -------- d-----w- c:\program files\LightScribe Template Labeler

2010-05-04 17:20 . 2004-08-10 11:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-10 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 03:06 . 2010-03-11 02:41 256 ----a-w- c:\windows\system32\pool.bin

2010-05-01 16:12 . 2010-05-01 16:12 188048 ---ha-w- c:\windows\system32\mlfcache.dat

2010-05-01 01:28 . 2010-05-01 01:28 -------- d-----w- c:\documents and settings\User\Application Data\LegalSounds

2010-05-01 01:28 . 2010-05-01 01:28 -------- d-----w- c:\program files\LegalSounds

2010-04-29 04:33 . 2010-04-29 04:33 -------- d-----w- c:\program files\iPod

2010-04-29 04:33 . 2010-03-13 16:57 -------- d-----w- c:\program files\Common Files\Apple

2010-04-29 04:29 . 2010-04-29 04:29 -------- d-----w- c:\program files\Bonjour

2010-04-29 04:27 . 2010-04-29 04:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-20 05:30 . 2004-08-10 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-14 16:47 . 2010-03-06 06:00 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-04-13 00:29 . 2010-05-13 00:05 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-10 15:11 . 2010-04-10 15:09 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-04-10 15:10 . 2010-04-10 15:10 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe

2010-04-10 15:03 . 2010-04-10 15:03 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe

2010-04-10 15:00 . 2010-04-10 15:00 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe

2010-04-10 14:58 . 2010-04-10 14:59 29480 ----a-w- c:\windows\system32\msxml3a.dll

2010-04-10 14:58 . 2010-04-10 14:59 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe

2010-04-10 14:58 . 2003-03-19 04:14 505128 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-10 14:58 . 2003-02-21 12:42 353576 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-10 14:56 . 2010-04-10 14:56 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe

2010-04-10 14:54 . 2010-04-10 14:54 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe

2010-04-10 14:53 . 2010-04-10 14:53 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe

2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-05 20:37 . 2010-04-05 20:37 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4835d3b9-n\msvcp71.dll

2010-04-05 20:37 . 2010-04-05 20:37 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47639360-n\decora-sse.dll

2010-04-05 20:37 . 2010-04-05 20:37 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4835d3b9-n\jmc.dll

2010-04-05 20:37 . 2010-04-05 20:37 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4835d3b9-n\msvcr71.dll

2010-04-05 20:37 . 2010-04-05 20:37 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-47639360-n\decora-d3d.dll

2010-03-26 17:33 . 2010-04-14 05:15 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-03-26 17:33 . 2010-04-14 05:15 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-03-26 17:33 . 2010-04-14 05:15 339456 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-03-26 17:32 . 2010-04-14 05:15 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3216664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"P17Helper"="P17.dll" [2005-05-04 64512]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]

"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]

"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]

"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]

"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-04-10 557056]

"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-26 210216]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

"iTunesHelper"="g:\itunes\iTunesHelper.exe" [2010-04-28 142120]

"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-21 6112064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]

WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"g:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"g:\\FTP\\WS_FTP95.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 11:00 PM 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 11:00 PM 19024]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 12:28 PM 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [3/5/2010 8:34 AM 57344]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/5/2010 6:06 PM 11520]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]

S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [7/23/2003 2:44 AM 18848]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [3/5/2010 8:34 AM 356434]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [11/26/2009 1:06 AM 34384]

S3 SRS_iWowPC_Service;SRS Labs iWow PC;c:\windows\system32\drivers\SRS_iWowPC_i386.sys [3/7/2010 2:02 AM 37888]

S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [4/21/2007 7:15 AM 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 20:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\

FF - prefs.js: browser.startup.homepage - hxxps://my.waldenu.edu/portal/User/LCPLogin.aspx?ReturnUrl=%2fportal%2fLearning%2fDefault.aspx

FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: g:\itunes\Mozilla Plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-21 10:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)

c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2824)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.EXE

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Canon\IJPLM\IJPLMSVC.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\Rundll32.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Microsoft AntiSpyware\gcasDtServ.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-06-21 10:57:51 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-21 17:57

ComboFix2.txt 2010-06-21 05:45

Pre-Run: 107,234,136,064 bytes free

Post-Run: 107,326,828,544 bytes free

- - End Of File - - 9D7A566AE051588B2878E5EEE0CF0B10

DDS (Ver_10-03-17.01) - NTFSx86

Run by User at 10:58:13.82 on Mon 06/21/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2406 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

svchost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

G:\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [sRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [iTunesHelper] "g:\itunes\iTunesHelper.exe"

mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267860478421

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e2pvniz3.default\

FF - prefs.js: browser.startup.homepage - hxxps://my.waldenu.edu/portal/User/LCPLogin.aspx?ReturnUrl=%2fportal%2fLearning%2fDefault.aspx

FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e2pvniz3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: g:\itunes\mozilla plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-5 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-5 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-5 40384]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2010-3-5 57344]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-5 11520]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2003-7-23 18848]

S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link dwa-552 xtreme n desktop adapter\jswpsapi.exe [2010-3-5 356434]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]

S3 SRS_iWowPC_Service;SRS Labs iWow PC;c:\windows\system32\drivers\SRS_iWowPC_i386.sys [2010-3-7 37888]

S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]

=============== Created Last 30 ================

2010-06-21 05:27:06 0 d-sha-r- C:\cmdcons

2010-06-21 05:23:09 98816 ----a-w- c:\windows\sed.exe

2010-06-21 05:23:09 77312 ----a-w- c:\windows\MBR.exe

2010-06-21 05:23:09 256512 ----a-w- c:\windows\PEV.exe

2010-06-21 05:23:09 161792 ----a-w- c:\windows\SWREG.exe

2010-06-12 05:55:00 366 ----a-w- c:\windows\system32\.crusader

2010-06-12 05:51:49 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-12 05:51:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-06-12 05:51:15 0 d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 03:30:55 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes

2010-06-08 03:30:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 03:30:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-08 03:30:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 03:30:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 20:31:08 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com

2010-06-06 20:31:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-06 20:30:54 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-06 20:26:56 0 d-----w- c:\program files\Microsoft AntiSpyware

2010-06-06 20:26:36 0 d-----w- c:\windows\Downloaded Installations

2010-06-06 17:34:28 0 d-----w- c:\program files\Enigma Software Group

2010-06-06 17:32:59 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

2010-06-06 17:32:52 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-06-06 03:14:08 0 d-----w- c:\docume~1\user\applic~1\Screaming Bee

2010-06-06 03:13:32 0 d-----w- c:\program files\Screaming Bee

2010-06-06 03:13:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Screaming Bee

2010-05-29 21:57:52 0 d-----w- c:\docume~1\user\applic~1\ActiveState

2010-05-29 21:56:42 0 d-----w- c:\program files\ActiveState Komodo Edit 5

2010-05-29 19:25:51 0 d-----w- c:\docume~1\user\applic~1\LimeWire

2010-05-29 19:25:24 0 d-----w- c:\program files\LimeWire

2010-05-29 01:22:26 0 d-----w- c:\program files\TweetDeck

2010-05-27 14:17:09 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2010-05-27 13:36:02 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-05-27 13:35:59 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2010-05-27 13:35:58 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2010-05-27 13:35:55 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-05-27 13:32:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-05-27 13:31:53 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-24 00:33:15 0 d-----w- c:\program files\BackStreet Browser 3.1

==================== Find3M ====================

2010-06-21 17:50:41 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-21 17:50:39 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-06-02 00:07:44 108620 ----a-w- c:\windows\fonts\BEAUTYSC.TTF

2010-06-02 00:07:33 28940 ----a-w- c:\windows\fonts\UNDERGRO.TTF

2010-06-02 00:07:19 3930 ----a-w- c:\windows\fonts\PlatinumHubCapsSolid.txt

2010-06-02 00:07:19 37732 ----a-w- c:\windows\fonts\PlatinumHubCapsSolid.ttf

2010-06-02 00:06:59 136136 ----a-w- c:\windows\fonts\OLDGATEL.TTF

2010-05-28 00:07:36 19996 ----a-w- c:\windows\fonts\Tallys_15.otf

2010-05-27 14:17:09 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2010-05-06 17:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-01 16:12:37 188048 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-10 15:11:27 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-04-10 14:58:56 29480 ----a-w- c:\windows\system32\msxml3a.dll

2010-04-10 14:58:55 505128 ----a-w- c:\windows\system32\msvcp71.dll

2010-04-10 14:58:55 353576 ----a-w- c:\windows\system32\msvcr71.dll

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 10:58:37.70 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4221

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/21/2010 11:07:43 AM

mbam-log-2010-06-21 (11-07-43).txt

Scan type: Quick scan

Objects scanned: 127959

Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites
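A triage pass over the DDS output posted above, as an added example that is not part of the thread and not code from DDS, ComboFix or Malwarebytes. It parses lines in the "Pseudo HJT Report" and "SERVICES / DRIVERS" formats and flags what a removal helper reads first: BHO CLSIDs whose DLL is gone, drivers DDS could not find on disk (the `[?]` suffix), anything executing from a temp directory, drivers outside the system drive, autorun commands with no directory in them, and winlogon/shell hooks. The sample lines are copied verbatim from the log above; the temp-path pattern and the choice of `c:` as the system drive are assumptions.

```python
"""Triage of DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the DDS log above; the rest of the log is not needed to run this.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-5 164048]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
"""

SYSTEM_DRIVE = "c:"  # assumption for this machine
TEMP_RE = re.compile(r"\\temp\\|\\tmp\\|%temp%", re.I)
# "R1 name;display;path [date size]", or "... [?]" when DDS could not stat the file
DRIVER_RE = re.compile(
    r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)(?: \[(?P<stat>[^\]]*)\])?$"
)


@dataclass
class Finding:
    severity: str  # "suspicious" or "review"
    line: str
    reason: str


def triage(log: str) -> List[Finding]:
    """Return one Finding per rule hit; a line can hit more than one rule."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("review", line, "BHO CLSID registered but its DLL is gone; orphan to remove"))
        elif line.startswith(("Notify:", "SEH:")):
            findings.append(Finding("review", line, "winlogon notification / shell-execute hook: persistence point, confirm the vendor"))
        elif line.startswith(("uRun:", "mRun:", "dRun")):
            cmd = line.split("] ", 1)[-1]
            if "\\" not in cmd:
                findings.append(Finding("review", line, "no directory in the command; binary/DLL resolved through the search path"))
            if TEMP_RE.search(cmd):
                findings.append(Finding("suspicious", line, "autorun entry executes from a temp directory"))
        else:
            m = DRIVER_RE.match(line)
            if not m:
                continue
            path = m.group("path").split("--> ")[-1]
            if m.group("stat") == "?":
                findings.append(Finding("review", line, "driver registered but DDS could not find the file on disk"))
            if TEMP_RE.search(path):
                findings.append(Finding("suspicious", line, "kernel driver registered from a temp directory"))
            if not path.lower().startswith(SYSTEM_DRIVE):
                findings.append(Finding("review", line, "driver outside the system drive (removable media?)"))
    return findings


if __name__ == "__main__":
    # Suspicious items first, then the review items.
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "suspicious"):
        print("%-10s %s\n           %s" % (f.severity.upper(), f.reason, f.line))
```

Run against the sample, the only "suspicious" hit is the cpuz132 driver registered from the user's temp folder; the rest are "review" items (the orphaned BHO, the unqualified `P17.dll`, the SUPERAntiSpyware winlogon hook, and three drivers DDS could not stat, one of them on `d:`). None of that is a verdict; it is the ordering a helper would use before looking at file hashes and vendor signatures.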

Hi,

Let's do a few more things before the closing steps.

Open notepad and copy/paste the text in the quotebox below into it:

DeQuarantine::
c:\qoobox\quarantine\c\windows\system32\VB6KO.DLL.vir
Quit::

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.

Then post the resultant log.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. Post back its report.

Link to post
Share on other sites

Here we go:

c:\qoobox\quarantine\c\windows\system32\VB6KO.DLL.vir -> c:\windows\system32\VB6KO.DLL ( 102160 bytes )

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, June 22, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Wednesday, June 23, 2010 00:28:31

Records in database: 4312183

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

F:\

G:\

Scan statistics:

Objects scanned: 120105

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 02:16:25

No threats found. Scanned area is clean.

Selected area has been scanned.

Link to post
Share on other sites

Looks good. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis.

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok

  • Run Secunia vulnerability check here and fix its findings.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.

    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (if you choose Comodo: during installation, uncheck "Install Comodo HopSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!). Both providers have support forums that help with configuration related questions.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade

Link to post
Share on other sites
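The Internet Explorer zone settings and the hosts-file steps from the post above, done from a script instead of the dialogs, as an added example that is not part of the post and not code from any tool it names. The six Custom Level items are DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone): 1001 Download signed ActiveX controls, 1004 Download unsigned ActiveX controls, 1201 Initialize and script ActiveX controls not marked as safe, 1800 Installation of desktop items, 1804 Launching programs and files in an IFRAME, 1607 Navigate sub-frames across different domains; data 0 = Enable, 1 = Prompt, 3 = Disable. The hosts sample is constructed, and the tracker names and the 198.51.100.7 address in it are made up.

```python
"""IE Internet-zone hardening and hosts-file sanity check (added example)."""
import sys
from typing import Dict, List, Optional, Tuple

# Zone 3 = Internet. Value names and data (0 Enable, 1 Prompt, 3 Disable) as documented by Microsoft.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3

# The six Custom Level settings from the post, keyed by registry value name.
HARDENED: Dict[str, int] = {
    "1001": PROMPT,   # Download signed ActiveX controls
    "1004": DISABLE,  # Download unsigned ActiveX controls
    "1201": DISABLE,  # Initialize and script ActiveX controls not marked as safe
    "1800": PROMPT,   # Installation of desktop items
    "1804": PROMPT,   # Launching programs and files in an IFRAME
    "1607": PROMPT,   # Navigate sub-frames across different domains
}


def reg_file(settings: Dict[str, int] = HARDENED) -> str:
    """Render the settings as a .reg file for Regedit or 'reg import'."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_CURRENT_USER\\" + ZONE_KEY + "]"]
    lines += ['"%s"=dword:%08x' % (name, value) for name, value in settings.items()]
    return "\n".join(lines) + "\n"


def audit(current: Dict[str, int], wanted: Dict[str, int] = HARDENED
          ) -> Dict[str, Tuple[Optional[int], int]]:
    """Return {value: (current, wanted)} for every setting weaker than wanted.

    0 Enable < 1 Prompt < 3 Disable, so a lower number is more permissive.
    A missing value means the zone template default applies; it is reported
    so the setting gets written explicitly.
    """
    gaps = {}
    for name, want in wanted.items():
        have = current.get(name)
        if have is None or have < want:
            gaps[name] = (have, want)
    return gaps


def read_current() -> Dict[str, int]:
    """Read the live values for the current user on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in HARDENED:
            try:
                out[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    return out


SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample: the tracker names and 198.51.100.7 are made up.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.net      # blocklist entry
0.0.0.0         banner.example-tracker.net
198.51.100.7    www.update.microsoft.com     # hijack: a real site redirected elsewhere
"""


def hosts_findings(text: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Count block entries and list redirects in a hosts file.

    A name mapped to a loopback/unspecified address is a block entry, which is
    what a blocking hosts file adds. A name mapped to any other address sends
    that name to a real host, which is how malware hijacks vendor and update
    sites; those pairs are returned for review.
    """
    blocked, redirects = 0, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name == "localhost":
                continue
            if ip in SINKHOLE:
                blocked += 1
            else:
                redirects.append((ip, name))
    return blocked, redirects


if __name__ == "__main__":
    print(reg_file(), end="")
    for name, (have, want) in audit(read_current()).items():
        print("zone value %s is %s, want %d" % (name, have, want))
    blocked, redirects = hosts_findings(SAMPLE_HOSTS)
    print("%d block entries, %d redirects: %s" % (blocked, len(redirects), redirects))
```

Import the generated .reg file as the affected user (the values are per user under HKCU); if the "Security zones: use only machine settings" policy is in force the values live under the same path in HKLM instead, and `audit()` applied to `read_current()` will then keep reporting gaps. For the DNS Client step the equivalent of the services.msc walk-through is `sc config Dnscache start= demand` (the space after `start=` is required by sc.exe). Run `hosts_findings()` over `%SystemRoot%\system32\drivers\etc\hosts` after the cleanup: any redirect of an update or vendor name is worth a closer look even when every scanner reports clean.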

No, I haven't noticed any of the problems I was having before. It does seem to have cleared the problem.

As for your suggestions... I use Windows Firewall, but I'll add another on top of that. I do frequently update via Microsoft's website. I do NOT use Internet Explorer, but I do allow any patches for it that come from Microsoft.

Again, thanks so much for your help!

Link to post
Share on other sites
