wdm.exe, conhost.exe, svchost problems


Matt11

Recently, ZoneAlarm started to ask if a file called wdm.exe could have access to the internet. Then AVG identified it as a virus. I ran Malwarebytes and it found 9 infections. After a restart the whole thing started over again. No matter how many times I ask Malwarebytes to delete the files, wdm.exe tries to access the internet again. This also changed all of my settings to a proxy server. Here is the info that was requested in the instructions.

Thank you for your help, and especially your time. Could you also tell me how serious this is? Do I need to go through all of my passwords and change them?

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5244

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/4/2010 2:16:32 PM

mbam-log-2010-12-04 (14-16-32).txt

Scan type: Quick scan

Objects scanned: 133152

Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

c:\documents and settings\HOME\application data\microsoft\conhost.exe (Spyware.Passwords.XGen) -> 1108 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Spyware.Passwords.XGen) -> Value: svchost -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\HOME\application data\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

Attach.zip


I am sorry I left that off. In the meantime, I was able to update AVG and scan with it, combined with Malwarebytes and SUPERAntiSpyware. AVG and SUPERAntiSpyware were able to find the virus and I am no longer experiencing any problems. However, I would like to still talk with you to ensure that this problem is truly gone.

Here is the file you requested.

DDS (Ver_10-11-27.01) - NTFSx86

Run by HOME at 14:29:47.84 on Sat 12/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1420 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\HOME\Application Data\dwm.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

F:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WPN111\wpn111.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\HOME\Desktop\suggested\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:52237

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uWinlogon: Shell=explorer.exe,c:\documents and settings\home\application data\dwm.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [WINDVDPatch] CTHELPER.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/wired/bin/sysreqlab_srlx.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248984215296

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: !SASWinLogon - f:\program files\spyware\SASWINLO.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\spyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-18 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-31 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-31 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-31 243024]

R1 SASDIFSV;SASDIFSV;f:\program files\spyware\sasdifsv.sys [2009-1-15 8944]

R1 SASKUTIL;SASKUTIL;f:\program files\spyware\SASKUTIL.SYS [2009-1-15 55024]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-31 532224]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-25 308136]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-7-31 17149]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-8-20 362944]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2003-7-16 14336]

S3 SASENUM;SASENUM;f:\program files\spyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2010-12-04 03:17:15 134656 ----a-w- c:\docume~1\home\applic~1\dwm.exe

2010-11-25 15:39:21 -------- d-----w- c:\program files\iPod

2010-11-25 15:36:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2010-11-25 15:36:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2010-11-25 15:36:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2010-11-25 15:36:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2010-11-25 15:36:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2010-11-25 15:36:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2010-11-25 15:36:53 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2010-11-25 15:34:05 -------- d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-10-07 18:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 18:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2010-10-07 18:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-10-07 18:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 21:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-18 22:40:44 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 17:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 17:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 14:31:25.21 ===============

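The two logs above carry the same three indicators a helper checks by hand: Malwarebytes found an HKLM Run value named "svchost" that launched conhost.exe from the user's Application Data folder, and the DDS report shows dwm.exe running from Application Data, a Winlogon Shell value with that dwm.exe appended after explorer.exe, and an Internet Explorer ProxyServer of 127.0.0.1:52237, which routes the browser through a port the malware listens on. The script below is an added example (it is not from this thread and is not part of DDS, Malwarebytes or ComboFix) that runs those checks over DDS-style log lines. The sample log is constructed to mirror the thread, and the list of system binary names and the directories they are assumed to live in is an assumption for a stock Windows XP install.

```python
"""Added triage script for DDS / HijackThis-style log lines (example, not a
tool from the thread). Flags: a Windows system binary name running or
auto-starting from outside %SystemRoot%, a Winlogon Shell value with extra
programs after explorer.exe, and an IE ProxyServer pointing at loopback."""
import ntpath
import re

# Names malware commonly borrows. Assumption: on a stock XP install these
# live only in the SYSTEM_DIRS below.
SYSTEM_BINARY_NAMES = {"svchost.exe", "conhost.exe", "dwm.exe", "csrss.exe",
                       "lsass.exe", "winlogon.exe", "explorer.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", re.I)
SHELL_RE = re.compile(r"Winlogon:\s*Shell\s*=\s*(?P<value>.*)$", re.I)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.*)$", re.I)


def exe_path(command):
    """Executable portion of a command line: quotes and arguments dropped."""
    cmd = command.strip().strip('"')
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd


def is_system_path(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def check_process(line):
    """A 'Running Processes' line: system binary name outside a system dir."""
    path = exe_path(line)
    if not ntpath.dirname(path):      # DDS prints a bare name when unresolved
        return None
    if ntpath.basename(path).lower() in SYSTEM_BINARY_NAMES and not is_system_path(path):
        return {"kind": "masquerade_process", "path": path}
    return None


def check_run_entry(line):
    """Run-key entry whose value name or target borrows a system binary name."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name = m.group("name").lower()
    name = name if name.endswith(".exe") else name + ".exe"
    path = exe_path(m.group("cmd"))
    base = ntpath.basename(path).lower()
    if (base in SYSTEM_BINARY_NAMES or name in SYSTEM_BINARY_NAMES) and not is_system_path(path):
        return {"kind": "masquerade_run_entry", "name": m.group("name"), "path": path}
    return None


def check_shell(line):
    """Winlogon Shell should be exactly explorer.exe; anything extra is a hijack."""
    m = SHELL_RE.search(line)
    if not m:
        return None
    entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
    extras = [e for e in entries if e.lower() != "explorer.exe"]
    return {"kind": "shell_hijack", "extras": extras} if extras else None


def check_proxy(line):
    """ProxyServer values look like 'http=host:port;https=host:port' or 'host:port'."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    for item in m.group("value").split(";"):
        endpoint = item.split("=", 1)[-1].strip()
        host, _, port = endpoint.rpartition(":")
        if not host:
            host, port = endpoint, ""
        if host.lower() in LOOPBACK_HOSTS or host.startswith("127."):
            return {"kind": "loopback_proxy", "host": host, "port": port}
    return None


def triage(log_text):
    """Walk the log, applying process checks in the process section and
    autostart/proxy checks in the pseudo-HJT section; returns the findings."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):          # section header
            in_processes = "Running Processes" in line
            continue
        checks = [check_process] if in_processes else [check_run_entry, check_shell, check_proxy]
        for check in checks:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


# Constructed sample modelled on the thread's DDS report and Malwarebytes finding.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\HOME\Application Data\dwm.exe
C:\Program Files\AVG\AVG9\avgtray.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52237
uWinlogon: Shell=explorer.exe,c:\documents and settings\home\application data\dwm.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [svchost] c:\documents and settings\home\application data\microsoft\conhost.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample it reports four findings: dwm.exe running from Application Data, the loopback proxy on port 52237, the extra Shell entry, and the Run value "svchost" pointing at conhost.exe in the profile. Bare process names that DDS could not resolve to a path are skipped rather than flagged, and the proxy check ignores a normal corporate proxy on a non-loopback host.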

Matt11:

I see just a few things that still need attention. Please do this:

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first. You may do this through Control Panel > Add/Remove Programs, or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.

  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot

Once you've removed AVG with this tool please continue with these instructions

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log


Thank you very much for your help. Here are the results of ComboFix.

ComboFix 10-12-04.02 - HOME 12/05/2010 16:11:42.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1597 [GMT -6:00]

Running from: c:\documents and settings\HOME\Desktop\ComboFix.exe

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\TEMP\logishrd\LVPrcInj02.dll

.

((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))

.

2010-12-04 21:42 . 2010-12-04 21:42 -------- d-----w- c:\documents and settings\HOME\Application Data\AVG10

2010-12-04 21:40 . 2010-12-04 21:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-12-04 21:35 . 2010-12-05 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-12-04 21:25 . 2010-12-04 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-25 15:39 . 2010-11-25 15:39 -------- d-----w- c:\program files\iPod

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-11-25 15:36 . 2010-11-25 15:36 -------- d-----w- c:\program files\QuickTime

2010-11-25 15:34 . 2010-11-25 15:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

2010-11-25 15:34 . 2010-11-25 15:34 -------- d-----w- c:\program files\Bonjour

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 23:42 . 2010-09-19 01:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 23:42 . 2010-09-19 01:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 18:23 . 2010-10-07 18:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 21:44 . 2010-08-25 21:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-09-28 21:44 . 2010-08-25 21:09 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-18 22:40 . 2010-09-19 00:04 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-18 22:40 . 2010-09-18 22:41 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-09-18 22:18 . 2010-09-18 22:18 65024 ----a-r- c:\documents and settings\HOME\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

2010-09-18 22:18 . 2010-09-18 22:18 18944 ----a-r- c:\documents and settings\HOME\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 17:17 . 2010-09-08 17:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 17:17 . 2010-09-08 17:17 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-06-17 00:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-03 24576]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-09-18 524632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-8-20 884838]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\spyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"f:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/18/2010 4:41 PM 64160]

R1 SASDIFSV;SASDIFSV;f:\program files\spyware\sasdifsv.sys [1/15/2009 5:17 PM 8944]

R1 SASKUTIL;SASKUTIL;f:\program files\spyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1029456]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/31/2009 11:06 AM 17149]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [8/20/2009 11:32 PM 362944]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/16/2003 10:41 AM 14336]

S3 SASENUM;SASENUM;f:\program files\spyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-12-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:40]

2010-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-12-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-06-17 00:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:52237

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-05 16:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]

@DACL=(02 0000)

@="Wireless"

"ProcessGroupPolicy"="ProcessWIRELESSPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@DACL=(02 0000)

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=expand:"fdeploy.dll"

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@DACL=(02 0000)

@="QoS Packet Scheduler"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]

@DACL=(02 0000)

@="Scripts"

"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"

"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"

"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"

"DllName"=expand:"gptext.dll"

"NoSlowLink"=dword:00000001

"NoGPOListChanges"=dword:00000001

"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@DACL=(02 0000)

@="IP Security"

"ProcessGroupPolicy"="ProcessIPSECPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="f:\\Program Files\\spyware\\SASWINLO.dll"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

@DACL=(02 0000)

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

@DACL=(02 0000)

"Logon"="WLEventLogon"

"Logoff"="WLEventLogoff"

"Startup"="WLEventStartup"

"Shutdown"="WLEventShutdown"

"StartScreenSaver"="WLEventStartScreenSaver"

"StopScreenSaver"="WLEventStopScreenSaver"

"Lock"="WLEventLock"

"Unlock"="WLEventUnlock"

"StartShell"="WLEventStartShell"

"PostShell"="WLEventPostShell"

"Disconnect"="WLEventDisconnect"

"Reconnect"="WLEventReconnect"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000000

"SafeMode"=dword:00000001

"MaxWait"=dword:ffffffff

"DllName"=expand:"WgaLogon.dll"

"Event"=dword:00000000

"InstallEvent"="1.9.0040.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2844)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\system32\devldr32.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\windows\System32\wbem\unsecapp.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2010-12-05 16:25:46 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-05 22:25

Pre-Run: 21,918,167,040 bytes free

Post-Run: 23,084,679,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 67DFE7C8580D116FAC62968F1914C435


Matt11:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above DDS::

DDS::
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52237
FixCSet::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log

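A small checker, added here as an example and not part of the thread or of ComboFix/MBAM, that applies the two checks behind the helper's CFScript and the earlier MBAM detection to ComboFix/DDS-style log lines: a ProxyServer value pointing at the loopback address, and a Run-key autostart that borrows a Windows system process name (svchost, conhost) but runs from outside the Windows directory. The sample lines are constructed to match the thread's log format; the Windows directory prefix and the file size in the sample are assumptions.

```python
"""Added example (not from the thread): flag a loopback browser proxy and
masquerading autostart entries in ComboFix/DDS-style log lines."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows process names that malware commonly borrows for its own files and
# autostart entries (the thread shows Run\svchost -> conhost.exe in AppData).
SYSTEM_PROCESS_NAMES = {
    "svchost", "conhost", "csrss", "lsass", "winlogon", "explorer", "services",
}

# Assumption: Windows XP installed at c:\windows (ComboFix lower-cases paths).
TRUSTED_PREFIXES = ("c:\\windows\\",)

# DDS/ComboFix proxy line:  uInternet Settings,ProxyServer = http=127.0.0.1:52237
PROXY_RE = re.compile(
    r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>\S.*?)\s*$", re.I
)

# ComboFix autostart line:  "Name"="c:\path\file.exe" [2009-05-08 2780432]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s*\[[^\]]*\])?\s*$')


@dataclass
class Finding:
    kind: str      # "loopback-proxy" or "masquerading-autostart"
    line: str      # the log line that triggered it
    reason: str


def proxy_hosts(value: str) -> List[str]:
    """Split a WinINet ProxyServer value into bare host names.

    Accepts both forms WinINet stores: "host:port" and
    "http=host:port;https=host:port".
    """
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.split("=", 1)[-1]        # drop a "http=" style prefix
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
        hosts.append(host.lower())
    return hosts


def check_proxy(line: str) -> Optional[Finding]:
    """A proxy on 127.x.x.x/localhost with no local proxy software installed
    means a resident process is sitting between the browser and the network."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    for host in proxy_hosts(m.group("value")):
        if host == "localhost" or host.startswith("127."):
            return Finding("loopback-proxy", line,
                           f"browser proxy points at {host} on this machine")
    return None


def check_autostart(line: str) -> Optional[Finding]:
    """Flag a Run-key value whose name or binary is a Windows system process
    name but whose binary is not under the Windows directory."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name, path = m.group("name"), m.group("path")
    exe_stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    borrowed = sorted({n for n in (name.lower(), exe_stem)
                       if n in SYSTEM_PROCESS_NAMES})
    if not borrowed or path.lower().startswith(TRUSTED_PREFIXES):
        return None
    return Finding("masquerading-autostart", line,
                   f"autostart uses system process name(s) {borrowed} "
                   f"but its binary is not under the Windows directory: {path}")


def scan(lines) -> List[Finding]:
    findings = []
    for raw in lines:
        line = raw.strip()
        for check in (check_proxy, check_autostart):
            f = check(line)
            if f:
                findings.append(f)
    return findings


# Constructed sample modelled on the log formats in the thread; the Run-key
# line mirrors the svchost -> conhost.exe entry MBAM reported (size made up).
SAMPLE_LOG = """
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52237
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"svchost"="c:\\documents and settings\\HOME\\application data\\microsoft\\conhost.exe" [2010-12-04 57344]
"ZoneAlarm Client"="c:\\program files\\Zone Labs\\ZoneAlarm\\zlclient.exe" [2010-06-23 1043968]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-03 24576]
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```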

Thank you for the quick reply. Here are the logs that you requested. Thank you again for your time, help, and advice.

ComboFix 10-12-04.02 - HOME 12/05/2010 21:11:33.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1611 [GMT -6:00]

Running from: c:\documents and settings\HOME\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HOME\Desktop\cfscript.txt

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))

.

2010-12-04 21:42 . 2010-12-04 21:42 -------- d-----w- c:\documents and settings\HOME\Application Data\AVG10

2010-12-04 21:40 . 2010-12-04 21:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-12-04 21:35 . 2010-12-05 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-12-04 21:25 . 2010-12-04 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-25 15:39 . 2010-11-25 15:39 -------- d-----w- c:\program files\iPod

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-11-25 15:36 . 2010-11-25 15:36 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-11-25 15:36 . 2010-11-25 15:36 -------- d-----w- c:\program files\QuickTime

2010-11-25 15:34 . 2010-11-25 15:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

2010-11-25 15:34 . 2010-11-25 15:34 -------- d-----w- c:\program files\Bonjour

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 23:42 . 2010-09-19 01:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-29 23:42 . 2010-09-19 01:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 18:23 . 2010-10-07 18:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll

2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-09-28 21:44 . 2010-08-25 21:09 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-09-28 21:44 . 2010-08-25 21:09 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-18 22:40 . 2010-09-19 00:04 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-18 22:40 . 2010-09-18 22:41 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-09-18 22:18 . 2010-09-18 22:18 65024 ----a-r- c:\documents and settings\HOME\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

2010-09-18 22:18 . 2010-09-18 22:18 18944 ----a-r- c:\documents and settings\HOME\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 17:17 . 2010-09-08 17:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 17:17 . 2010-09-08 17:17 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-06-17 00:22 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]

"WINDVDPatch"="CTHELPER.EXE" [2002-07-03 24576]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-09-18 524632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-8-20 884838]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\spyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"f:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/18/2010 4:41 PM 64160]

R1 SASDIFSV;SASDIFSV;f:\program files\spyware\sasdifsv.sys [1/15/2009 5:17 PM 8944]

R1 SASKUTIL;SASKUTIL;f:\program files\spyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 1029456]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/31/2009 11:06 AM 17149]

R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [8/20/2009 11:32 PM 362944]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/16/2003 10:41 AM 14336]

S3 SASENUM;SASENUM;f:\program files\spyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-12-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:40]

2010-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-12-06 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-06-17 00:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-05 21:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]

@DACL=(02 0000)

@="Wireless"

"ProcessGroupPolicy"="ProcessWIRELESSPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@DACL=(02 0000)

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=expand:"fdeploy.dll"

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@DACL=(02 0000)

@="QoS Packet Scheduler"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]

@DACL=(02 0000)

@="Scripts"

"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"

"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"

"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"

"DllName"=expand:"gptext.dll"

"NoSlowLink"=dword:00000001

"NoGPOListChanges"=dword:00000001

"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@DACL=(02 0000)

@="IP Security"

"ProcessGroupPolicy"="ProcessIPSECPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="f:\\Program Files\\spyware\\SASWINLO.dll"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

@DACL=(02 0000)

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

@DACL=(02 0000)

"Logon"="WLEventLogon"

"Logoff"="WLEventLogoff"

"Startup"="WLEventStartup"

"Shutdown"="WLEventShutdown"

"StartScreenSaver"="WLEventStartScreenSaver"

"StopScreenSaver"="WLEventStopScreenSaver"

"Lock"="WLEventLock"

"Unlock"="WLEventUnlock"

"StartShell"="WLEventStartShell"

"PostShell"="WLEventPostShell"

"Disconnect"="WLEventDisconnect"

"Reconnect"="WLEventReconnect"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000000

"SafeMode"=dword:00000001

"MaxWait"=dword:ffffffff

"DllName"=expand:"WgaLogon.dll"

"Event"=dword:00000000

"InstallEvent"="1.9.0040.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1496)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\CTHELPER.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\system32\devldr32.exe

c:\windows\System32\wbem\unsecapp.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

.

**************************************************************************

.

Completion time: 2010-12-05 21:25:54 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-06 03:25

ComboFix2.txt 2010-12-05 22:25

Pre-Run: 23,082,262,528 bytes free

Post-Run: 23,054,385,152 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 427D9C235201228A60C405C0E287187D

___________________________________________________________________

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5253

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/5/2010 9:30:41 PM

mbam-log-2010-12-05 (21-30-41).txt

Scan type: Quick scan

Objects scanned: 131612

Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Matt11:

How is your computer running now? Please do this next:

Please run ESET Online Scanner

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:

  • ESET log
  • How is your computer running?


I am no longer experiencing any of the symptoms that were occurring before. I also believe Explorer is running faster. Thank you for your help. Here is a copy of the log you requested.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6415

# api_version=3.0.2

# EOSSerial=0691b084d3a4254b8068b6f9028ab395

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-12-07 01:20:11

# local_time=2010-12-06 07:20:11 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 100283 100283 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 75 70 0 14270182 0 0

# scanned=113293

# found=0

# cleaned=0

# scan_time=3507


Matt11:

Your logs look good! I have another update and some very important cleanup for you to take care of now:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.

Re-install an anti-virus program. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please visit our General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
