
Possible Trojan



Hello,

First, an explanation of what happened and what the symptoms are: Today my avast scanner caught something while I was browsing online, so I quickly exited all internet browsers, etc. Then a (fake, I believe) message popped up which said my hard drives had failed and that I should run a diagnostics scan or something of the sort.

This seemed very fishy to me, so I tried to start task manager to see what was running. However, I received an error message that "Administrator has blocked task manager" or something similar. At this point I knew something was wrong, so I ran Malwarebytes and it removed 4 files and rebooted. I will post the log from that instance of Malwarebytes as well as the most recent one so that you can see what it removed - I hope that this is okay.

I was able to get task manager back, so the only visible symptom that I am aware of right now (after running Malwarebytes) is that whatever infected my computer appears to have removed all of my programs and files (the recycle bin, my antivirus and Malwarebytes, and my internet browsing history are the only things I can access at the moment). The strange thing is that when I run the scans on my computer, it goes through all of the names of the files that were on my computer before this trojan happened. I really hope that this means that we can somehow retrieve the files and programs.

Due to losing nearly all of my programs, I no longer have the option to zip a file. Since I don't want to download anything I am not supposed to, I will post the logs that I have right now and wait for your instructions on going about zipping the other logs.

Here is the first Malwarebytes log, from when the trojan was found:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6046

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

3/14/2011 7:42:28 AM

mbam-log-2011-03-14 (07-42-28).txt

Scan type: Quick scan

Objects scanned: 156043

Time elapsed: 18 minute(s), 22 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

c:\documents and settings\all users\application data\eaguearwrdloopp.exe (Trojan.FakeAlert) -> 512 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EAGueaRwrDlOoPP (Trojan.FakeAlert) -> Value: EAGueaRwrDlOoPP -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\eaguearwrdloopp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\Kendall\local settings\Temp\tmpC3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Here is the most recent Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6046

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

3/14/2011 8:02:15 AM

mbam-log-2011-03-14 (08-02-15).txt

Scan type: Quick scan

Objects scanned: 152907

Time elapsed: 15 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the DDS file:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Kendall at 9:06:50.92 on Mon 03/14/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.570 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\kmw_run.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark 9300 Series\ezprint.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\WINDOWS\system32\KMW_SHOW.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxcqcoms.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Kendall\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CPub Object: {c86ae9c0-0909-4ddc-b661-c1afb9f5ae53} - c:\program files\firetrust\sitehound\SiteHound.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: SiteHound: {73f7f495-a325-4c52-be48-5f97fa511e89} - c:\program files\firetrust\sitehound\SiteHound.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sansaDispatch] c:\documents and settings\kendall\application data\sandisk\sansa updater\SansaDispatch.exe

mRun: [kmw_run.exe] kmw_run.exe

mRun: [MSWheel]

mRun: [DIAGENT] c:\program files\creative\sblive\creative diagnostics 2.0\DIAGENT.EXE startup

mRun: [updReg] c:\windows\Updreg.exe

mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize2\Reminder.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [lxcqmon.exe] "c:\program files\lexmark 9300 series\lxcqmon.exe"

mRun: [Lexmark 9300 Series Fax Server] "c:\program files\lexmark 9300 series\fm3032.exe" /s

mRun: [EzPrint] "c:\program files\lexmark 9300 series\ezprint.exe"

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [LXCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCQtime.dll,_RunDLLEntry@16

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

StartupFolder: c:\documents and settings\kendall\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\kendall\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\kendall\local settings\temp\{d09816e5-6c5e-447e-ab06-239d95d5ab33}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe

StartupFolder: c:\docume~1\kendall\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\kendall\application data\leadertech\powerregister\Seagate 2GH2PM4N Product Registration.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico

uPolicies-explorer: <NO NAME> =

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} - c:\program files\firetrust\sitehound\SiteHound.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: darrenhayes.com\www

Trusted Zone: pandasecurity.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217322802077

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217323398937

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-7-29 294608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-29 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-1 40384]

R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]

S3 o1394bul;o1394bul;c:\docume~1\kendall\locals~1\temp\o1394bul.sys [2001-10-2 31744]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

.

=============== File Associations ===============

.

regfile=regedit.exe "%1" %*

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2011-03-14 11:45:11 7304 ----a-w- c:\windows\TMP0001.TMP

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08:45 78336 ------w- c:\windows\system32\ieencode.dll

2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:25 389120 ------w- c:\windows\system32\html.iec

.

============= FINISH: 9:08:07.56 ===============

As I mentioned above, I am still unable to zip without installing something, so I will await your instructions. I apologize for not having the other two logs to attach, but I wanted to make sure I didn't download anything I wasn't supposed to.

Thank you so much for your time and assistance in this matter - I really appreciate it!

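A triage helper for the first Malwarebytes log above, added here as an example; it is not part of the original post and not Malwarebytes' own tooling. It parses the "... Infected:" detail sections of an MBAM 1.50 log into structured records and flags what an analyst wants at a glance: the HKCU Run value that relaunched eaguearwrdloopp.exe at logon, the two Policies values (DisableTaskMgr, NoChangingWallPaper) behind the "Administrator has blocked task manager" message, and executables running from user-writable paths (All Users\Application Data, Local Settings\Temp). The embedded sample is a constructed excerpt of that log; the flag names and the Detection record are this example's own.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.50 scan logs.

Added example for this thread; not part of the original post and not
Malwarebytes' own code. It turns the "... Infected:" sections of an MBAM
log into structured records and flags autostart persistence, policy
tampering and executables in user-writable paths.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the first MBAM log in the thread (detail sections only).
SAMPLE_MBAM_LOG = r"""
Memory Processes Infected:
c:\documents and settings\all users\application data\eaguearwrdloopp.exe (Trojan.FakeAlert) -> 512 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EAGueaRwrDlOoPP (Trojan.FakeAlert) -> Value: EAGueaRwrDlOoPP -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\eaguearwrdloopp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Kendall\local settings\Temp\tmpC3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# "<object> (<family>) -> <detail> -> <action>"; the <detail> part is optional.
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((\d+)\) Good: \((\d+)\)")

# Flag names and path markers below are this example's own, not MBAM terminology.
AUTOSTART_MARKS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
POLICY_MARK = "\\policies\\"
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


@dataclass
class Detection:
    section: str
    obj: str
    family: str
    action: str
    bad_value: Optional[str] = None      # the "Bad: (n)" data for registry data items
    flags: List[str] = field(default_factory=list)


def classify(det: Detection) -> List[str]:
    """Attach triage flags based on where the object lives and what it is."""
    low = det.obj.lower()
    flags = []
    if det.section == "Memory Processes":
        flags.append("was-running")
    if any(mark in low for mark in AUTOSTART_MARKS):
        flags.append("autostart-persistence")
    if POLICY_MARK in low:
        flags.append("policy-tamper")
    if det.section in ("Memory Processes", "Files") and any(p in low for p in USER_WRITABLE):
        flags.append("exec-from-user-writable-path")
    return flags


def parse_mbam_log(text: str) -> List[Detection]:
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        # Skip summary counts and "(No malicious items detected)" placeholders.
        if section is None or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if not item:
            continue
        parts = item["rest"].split(" -> ")
        bad = BAD_GOOD_RE.search(item["rest"])
        det = Detection(section, item["obj"], item["family"], parts[-1],
                        bad.group(1) if bad else None)
        det.flags = classify(det)
        detections.append(det)
    return detections


def summarize(detections: List[Detection]) -> dict:
    return {
        "total": len(detections),
        "families": sorted({d.family for d in detections}),
        "autostart": [d.obj for d in detections if "autostart-persistence" in d.flags],
        "policy_tamper": [d.obj.rsplit("\\", 1)[-1] for d in detections if "policy-tamper" in d.flags],
        "user_writable_exec": sorted({d.obj for d in detections
                                      if "exec-from-user-writable-path" in d.flags}),
    }


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_MBAM_LOG)
    for d in dets:
        print(f"[{d.section}] {d.family}: {d.obj}  flags={d.flags}")
    print(summarize(dets))
```

Run it as-is for the excerpt, or pass the text of a saved mbam-log-*.txt to parse_mbam_log(). The two Policies values are the ones worth re-checking after cleanup (both should read 0 or be absent), and a Run value reappearing under HKCU after a reboot means the component that wrote it is still on disk.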

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hello screen317,

Here are the logs you requested:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6071

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

3/15/2011 8:23:37 PM

mbam-log-2011-03-15 (20-23-37).txt

Scan type: Quick scan

Objects scanned: 153577

Time elapsed: 25 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 11-03-15.02 - Kendall 03/15/2011 20:37:45.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.584 [GMT -4:00]

Running from: c:\documents and settings\Kendall\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))

.

.

No new files created in this timespan

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-14 13:23 . 2008-07-29 08:48 7304 ----a-w- c:\windows\TMP0001.TMP

2011-02-09 13:53 . 2008-07-29 09:40 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-07-29 09:40 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2008-07-29 09:40 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-07-29 09:40 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-07-29 09:41 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-13 08:47 . 2011-02-01 22:11 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2008-07-29 13:16 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2008-07-29 13:16 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2008-07-29 13:16 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2008-07-29 13:16 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2008-07-29 13:16 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2008-07-29 13:16 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2008-07-29 13:16 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2008-07-29 13:16 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-01-07 14:09 . 2001-08-18 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2001-08-18 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:09 . 2008-07-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2008-07-29 10:40 78336 ------w- c:\windows\system32\ieencode.dll

2010-12-20 23:08 . 2008-07-29 09:38 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08 . 2006-06-23 15:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08 . 2001-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-12-20 23:08 . 2008-07-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-20 17:26 . 2001-08-18 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2008-07-29 10:40 389120 ------w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="c:\documents and settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-01-22 79872]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"kmw_run.exe"="kmw_run.exe" [2005-09-01 118784]

"DIAGENT"="c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" [2001-08-30 172122]

"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]

"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"nwiz"="nwiz.exe" [2003-10-06 741376]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-13 185872]

"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]

"Lexmark 9300 Series Fax Server"="c:\program files\Lexmark 9300 Series\fm3032.exe" [2006-12-05 304048]

"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-24 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"LXCQCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

.

c:\documents and settings\Kendall\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2008-8-29 256000]

RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Kendall\Local Settings\Temp\{D09816E5-6C5E-447E-AB06-239D95D5AB33}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]

Seagate 2GH2PM4N Product Registration.lnk - c:\documents and settings\Kendall\Application Data\Leadertech\PowerRegister\Seagate 2GH2PM4N Product Registration.exe [2010-5-15 1731736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2009-5-22 6144]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\lxcqcoms.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:TCP Port 5001

"5002:TCP"= 5002:TCP:TCP Port 5002

"5003:TCP"= 5003:TCP:TCP Port 5003

"5004:TCP"= 5004:TCP:TCP Port 5004

"5005:TCP"= 5005:TCP:TCP Port 5005

"5006:TCP"= 5006:TCP:TCP Port 5006

"5007:TCP"= 5007:TCP:TCP Port 5007

"5008:TCP"= 5008:TCP:TCP Port 5008

"5009:TCP"= 5009:TCP:TCP Port 5009

"5010:TCP"= 5010:TCP:TCP Port 5010

"5011:TCP"= 5011:TCP:TCP Port 5011

"5012:TCP"= 5012:TCP:TCP Port 5012

"5013:TCP"= 5013:TCP:TCP Port 5013

"5014:TCP"= 5014:TCP:TCP Port 5014

"5015:TCP"= 5015:TCP:TCP Port 5015

"5016:TCP"= 5016:TCP:TCP Port 5016

"5017:TCP"= 5017:TCP:TCP Port 5017

"5018:TCP"= 5018:TCP:TCP Port 5018

"5019:TCP"= 5019:TCP:TCP Port 5019

"5020:TCP"= 5020:TCP:TCP Port 5020

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2008 9:16 AM 294608]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2008 9:16 AM 17744]

R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]

S3 o1394bul;o1394bul;\??\c:\docume~1\Kendall\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\Kendall\LOCALS~1\Temp\o1394bul.sys [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - kwpcqkog

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: darrenhayes.com\www

Trusted Zone: pandasecurity.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-MSWheel - (no file)

HKLM-Run-PC Pitstop Optimize Reminder - c:\program files\PCPitstop\Optimize2\Reminder.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-15 20:50

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCQCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_content&?%

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(736)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(368)

c:\windows\system32\WININET.dll

c:\windows\system32\kmw_dll.dll

c:\windows\system32\WOW32.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-03-15 20:55:13

ComboFix-quarantined-files.txt 2011-03-16 00:54

.

Pre-Run: 14,367,174,656 bytes free

Post-Run: 15,770,906,624 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

.

- - End Of File - - A879A8BFDF3EBE0D90A8632F8F9F4ACB

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Kendall at 20:24:04.01 on Tue 03/15/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.172 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\kmw_run.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\Program Files\Lexmark 9300 Series\ezprint.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\KMW_SHOW.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxcqcoms.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Documents and Settings\Kendall\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CPub Object: {c86ae9c0-0909-4ddc-b661-c1afb9f5ae53} - c:\program files\firetrust\sitehound\SiteHound.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: SiteHound: {73f7f495-a325-4c52-be48-5f97fa511e89} - c:\program files\firetrust\sitehound\SiteHound.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sansaDispatch] c:\documents and settings\kendall\application data\sandisk\sansa updater\SansaDispatch.exe

mRun: [kmw_run.exe] kmw_run.exe

mRun: [MSWheel]

mRun: [DIAGENT] c:\program files\creative\sblive\creative diagnostics 2.0\DIAGENT.EXE startup

mRun: [updReg] c:\windows\Updreg.exe

mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize2\Reminder.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [lxcqmon.exe] "c:\program files\lexmark 9300 series\lxcqmon.exe"

mRun: [Lexmark 9300 Series Fax Server] "c:\program files\lexmark 9300 series\fm3032.exe" /s

mRun: [EzPrint] "c:\program files\lexmark 9300 series\ezprint.exe"

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [LXCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCQtime.dll,_RunDLLEntry@16

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

StartupFolder: c:\documents and settings\kendall\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\kendall\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\kendall\local settings\temp\{d09816e5-6c5e-447e-ab06-239d95d5ab33}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe

StartupFolder: c:\docume~1\kendall\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\kendall\application data\leadertech\powerregister\Seagate 2GH2PM4N Product Registration.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico

uPolicies-explorer: <NO NAME> =

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} - c:\program files\firetrust\sitehound\SiteHound.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: darrenhayes.com\www

Trusted Zone: pandasecurity.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217322802077

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217323398937

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-7-29 294608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-29 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-1 40384]

R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]

S3 o1394bul;o1394bul;c:\docume~1\kendall\locals~1\temp\o1394bul.sys [2001-10-2 31744]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

.

=============== File Associations ===============

.

regfile=regedit.exe "%1" %*

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2011-03-14 13:23:54 7304 ----a-w- c:\windows\TMP0001.TMP

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08:45 78336 ------w- c:\windows\system32\ieencode.dll

2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:25 389120 ------w- c:\windows\system32\html.iec

.

============= FINISH: 20:25:33.98 ===============

Thank you again for your time and assistance!


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"=-
"5000:TCP"=-
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5019:TCP"=-
"5020:TCP"=-
KILLALL::
Driver::
o1394bul

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

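The CFScript in the staff reply acts on two things visible in the posted DDS and ComboFix logs: a driver (o1394bul) loaded from the user's temp directory, and a set of globally opened ports in the Windows Firewall policy. The following Python triage pass is an added example for this thread; it is not part of DDS, ComboFix, Malwarebytes or any tool named here. It runs over constructed sample lines in the same formats as the logs above and flags the categories the script targets, plus two related review triggers that appear in the ComboFix log (EnableFirewall set to 0 and BHO/toolbar entries whose file is missing). The `build_cfscript` helper and the GloballyOpenPorts value data in the sample are assumptions for illustration; a temp-resident startup item is reported for review, not declared malicious.

```python
"""
Triage pass over DDS / ComboFix-style log lines (added example; not part of
any tool named in the thread).  Flags: drivers and startup items that run
from a temp directory, globally opened firewall ports, a disabled firewall,
and BHO/TB/EB entries with no backing file.
"""
import re
from typing import Dict, List

# Constructed sample assembled from line formats seen in the thread's logs.
# The GloballyOpenPorts value data is an assumed illustration of that key's
# format; the thread only shows those value names inside the removal script.
SAMPLE_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-7-29 294608]
S3 o1394bul;o1394bul;c:\docume~1\kendall\locals~1\temp\o1394bul.sys [2001-10-2 31744]
StartupFolder: c:\docume~1\kendall\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\kendall\local settings\temp\{d09816e5-6c5e-447e-ab06-239d95d5ab33}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:*:Enabled:@xpsp2res.dll,-22001
"5000:TCP"= 5000:TCP:*:Enabled:Port 5000
"""

# "R1 name;display;path [date size]" service/driver lines
DRIVER_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[")
# "StartupFolder: shortcut.lnk - target" lines (lines without a target are skipped)
STARTUP_RE = re.compile(r"^StartupFolder: .+? - (?P<path>.+)$")
# Registry section headers and "name"= data value lines from the ComboFix report
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Browser helper / toolbar / explorer bar entries whose DLL is gone
NOFILE_RE = re.compile(r"^(BHO|TB|EB): .* - No File$")

FW_PROFILE = "firewallpolicy\\standardprofile"
OPEN_PORTS = "globallyopenports\\list"


def in_temp(path: str) -> bool:
    """True when a path lives under a temp directory (8.3 or long form)."""
    return "\\temp\\" in path.lower()


def triage(log: str) -> Dict[str, List[str]]:
    """Return the review triggers found in a DDS/ComboFix-style log."""
    findings: Dict[str, List[str]] = {
        "temp_drivers": [], "temp_startup": [], "open_ports": [],
        "firewall_disabled": [], "no_file": [],
    }
    current_key = ""  # lowercased registry key the following value lines belong to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DRIVER_RE.match(line)
        if m and in_temp(m.group("path")):
            findings["temp_drivers"].append(m.group("name"))
            continue
        m = STARTUP_RE.match(line)
        if m and in_temp(m.group("path")):
            findings["temp_startup"].append(m.group("path"))
            continue
        if NOFILE_RE.match(line):
            findings["no_file"].append(line)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data")
            if current_key.endswith(OPEN_PORTS):
                findings["open_ports"].append(name)
            elif (current_key.endswith(FW_PROFILE)
                  and name.lower() == "enablefirewall"
                  and data.split()[:1] == ["0"]):
                findings["firewall_disabled"].append(current_key)
    return findings


def build_cfscript(findings: Dict[str, List[str]]) -> str:
    """Render findings in the CFScript layout used in the thread (assumed helper):
    a Registry:: block deleting each open-port value, then a Driver:: block.
    This only produces text; nothing is executed."""
    parts: List[str] = []
    if findings["open_ports"]:
        parts.append("Registry::")
        parts.append("[HKLM\\~\\services\\sharedaccess\\parameters\\"
                     "firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]")
        parts.extend(f'"{p}"=-' for p in findings["open_ports"])
    if findings["temp_drivers"]:
        parts.append("Driver::")
        parts.extend(findings["temp_drivers"])
    return "\n".join(parts)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, items in result.items():
        print(f"{category}: {items}")
    print(build_cfscript(result))
```

Running it on the sample reports o1394bul as a temp-resident driver, the ATR1.exe startup target for review, both open-port values, the disabled-firewall profile and the orphaned BHO, and renders a CFScript whose Registry:: and Driver:: blocks match the shape of the one posted above.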

Here are the first two logs you requested. I will post the remaining logs once they are completed.

ComboFix 11-03-15.02 - Kendall 03/16/2011 0:02.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.551 [GMT -4:00]

Running from: c:\documents and settings\Kendall\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Kendall\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_O1394BUL

-------\Service_o1394bul

.

.

((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))

.

.

No new files created in this timespan

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-16 04:14 . 2008-07-29 08:48 7304 ----a-w- c:\windows\TMP0001.TMP

2011-02-09 13:53 . 2008-07-29 09:40 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-07-29 09:40 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2008-07-29 09:40 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-07-29 09:40 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-07-29 09:41 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-13 08:47 . 2011-02-01 22:11 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2008-07-29 13:16 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2008-07-29 13:16 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2008-07-29 13:16 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2008-07-29 13:16 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2008-07-29 13:16 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2008-07-29 13:16 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2008-07-29 13:16 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2008-07-29 13:16 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-01-07 14:09 . 2001-08-18 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2001-08-18 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:09 . 2008-07-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2008-07-29 10:40 78336 ------w- c:\windows\system32\ieencode.dll

2010-12-20 23:08 . 2008-07-29 09:38 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08 . 2006-06-23 15:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08 . 2001-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-12-20 23:08 . 2008-07-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-20 17:26 . 2001-08-18 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2008-07-29 10:40 389120 ------w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="c:\documents and settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-01-22 79872]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"kmw_run.exe"="kmw_run.exe" [2005-09-01 118784]

"DIAGENT"="c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" [2001-08-30 172122]

"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]

"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"nwiz"="nwiz.exe" [2003-10-06 741376]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-13 185872]

"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]

"Lexmark 9300 Series Fax Server"="c:\program files\Lexmark 9300 Series\fm3032.exe" [2006-12-05 304048]

"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-24 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

"LXCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]

.

c:\documents and settings\Kendall\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2008-8-29 256000]

RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Kendall\Local Settings\Temp\{D09816E5-6C5E-447E-AB06-239D95D5AB33}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]

Seagate 2GH2PM4N Product Registration.lnk - c:\documents and settings\Kendall\Application Data\Leadertech\PowerRegister\Seagate 2GH2PM4N Product Registration.exe [2010-5-15 1731736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2009-5-22 6144]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\lxcqcoms.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2008 9:16 AM 294608]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2008 9:16 AM 17744]

R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: darrenhayes.com\www

Trusted Zone: pandasecurity.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-16 00:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_content&?%

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(728)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(2360)

c:\windows\system32\WININET.dll

c:\windows\system32\kmw_dll.dll

c:\windows\system32\WOW32.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\devldr32.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.EXE

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxcqcoms.exe

c:\windows\System32\nvsvc32.exe

c:\windows\System32\MsPMSPSv.exe

c:\windows\system32\kmw_run.exe

c:\windows\system32\KMW_SHOW.EXE

c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-03-16 00:24:46 - machine was rebooted

ComboFix-quarantined-files.txt 2011-03-16 04:24

ComboFix2.txt 2011-03-16 00:55

.

Pre-Run: 15,763,787,776 bytes free

Post-Run: 15,699,689,472 bytes free

.

- - End Of File - - 25308E5C34EAE07AB3DA9CDDF9DD016D

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Kendall at 2:22:30.59 on Wed 03/16/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.495 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxcqcoms.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\kmw_run.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\WINDOWS\system32\KMW_SHOW.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark 9300 Series\ezprint.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Documents and Settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Kendall\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CPub Object: {c86ae9c0-0909-4ddc-b661-c1afb9f5ae53} - c:\program files\firetrust\sitehound\SiteHound.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: SiteHound: {73f7f495-a325-4c52-be48-5f97fa511e89} - c:\program files\firetrust\sitehound\SiteHound.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [sansaDispatch] c:\documents and settings\kendall\application data\sandisk\sansa updater\SansaDispatch.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [kmw_run.exe] kmw_run.exe

mRun: [DIAGENT] c:\program files\creative\sblive\creative diagnostics 2.0\DIAGENT.EXE startup

mRun: [updReg] c:\windows\Updreg.exe

mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [lxcqmon.exe] "c:\program files\lexmark 9300 series\lxcqmon.exe"

mRun: [Lexmark 9300 Series Fax Server] "c:\program files\lexmark 9300 series\fm3032.exe" /s

mRun: [EzPrint] "c:\program files\lexmark 9300 series\ezprint.exe"

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [LXCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCQtime.dll,_RunDLLEntry@16

StartupFolder: c:\documents and settings\kendall\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\kendall\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\kendall\local settings\temp\{d09816e5-6c5e-447e-ab06-239d95d5ab33}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe

StartupFolder: c:\docume~1\kendall\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\kendall\application data\leadertech\powerregister\Seagate 2GH2PM4N Product Registration.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico

uPolicies-explorer: <NO NAME> =

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} - c:\program files\firetrust\sitehound\SiteHound.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: darrenhayes.com\www

Trusted Zone: pandasecurity.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217322802077

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217323398937

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-7-29 294608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-29 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-1 40384]

R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

.

=============== Created Last 30 ================

.

2011-03-16 00:36:10 -------- d-sha-r- C:\cmdcons

2011-03-16 00:32:08 98816 ----a-w- c:\windows\sed.exe

2011-03-16 00:32:08 89088 ----a-w- c:\windows\MBR.exe

2011-03-16 00:32:08 256512 ----a-w- c:\windows\PEV.exe

2011-03-16 00:32:08 161792 ----a-w- c:\windows\SWREG.exe

.

==================== Find3M ====================

.

2011-03-16 04:14:02 7304 ----a-w- c:\windows\TMP0001.TMP

2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08:45 78336 ------w- c:\windows\system32\ieencode.dll

2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:25 389120 ------w- c:\windows\system32\html.iec

.

============= FINISH: 2:23:23.10 ===============

Thank you for your time and assistance!


Here are the final two logs you requested:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=b23fb153c0293a4e8ebfa25285251a6c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-16 08:15:42

# local_time=2011-03-16 04:15:42 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 81669680 81669680 0 0

# compatibility_mode=768 16777215 100 0 3575920 3575920 0 0

# compatibility_mode=6401 16777214 0 14 81776591 81776591 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=89651

# found=0

# cleaned=0

# scan_time=5666

Results of screen317's Security Check version 0.99.9

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Free Antivirus

ESET Online Scanner v3

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 17

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.3

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe

Alwil Software Avast5 avastUI.exe

``````````End of Log````````````

You asked how things are running and what issues remain: the system is running normally; I only noticed it actually acting up before I removed the files with Malwarebytes the first time (i.e. task manager was disabled, settings were changed, etc.).

The visible issue that remains is the fact that nearly all of the files and programs are still not able to be accessed. I did some reading and I noticed that my files may actually be hidden as a result of the malware. Should I proceed to "un-hide" the files? I've never had to do that before - is there much involved in that process?

Will setting the files to not be hidden anymore do anything to allow me to access the programs again? Currently, when I go to the Start menu and hover over "All Programs," it reads "(Empty)." I assume that the programs themselves were somehow "hidden" and I have to fix that as well.

Please let me know what you advise in terms of accessing the files once again.

Again, thank you for your continued time and assistance in this matter!


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

HijackThis 2.0.2

Java


Thank you for the reply. I will begin working on your instructions now.

Since I cannot access Paint (I cannot access the accessories tab), I am unsure of how to make a bitmap or other picture file out of the screencap to post it. I can attach a word document with the screencap in it - I hope that this is alright. You can see it towards the bottom of the image.

Thanks again!

screencap1.doc


I forgot to mention this yesterday, but when I made the Word document to save the screencap, I noticed that Word was acting up a bit. After I saved the document, I tried to close Word, but it asked if I wanted to "change the global template Normal," to which I always just say no. I don't recall this happening before the malware infection. Do you think I need to do something to fix that as well?

Thank you for your time.


  • Staff

Hi,

My apologies for the delay.

Looks like there's been a lot of corruption in general here. We may not be able to fix every glitch and it may be in your best interest to back up your data, format your hard drive, reinstall Windows, and start from scratch. It's not mandatory, but it may be worth considering.

You could try this HotFix from MS for the All Programs issue:

http://support.microsoft.com/kb/941248


No worries!

Is reformatting a suggestion to improve the security of the system, or just to prevent the odd glitches that keep popping up? I can live with the little issues here and there as long as I can recover my data. I plan on backing everything up once I know it's no longer infected - I don't want to risk backing up an infected file, if you know what I mean.

My goal with this machine is to have it secure enough to do online banking with and have it working well enough to assume it won't crash regularly. Would a reformat be necessary for either of those goals?

I will try the HotFix soon and I will let you know what happens with that.

What should the next course of action be? Should I try to recover the files from being "hidden"? I can see my old documents in a "hidden" state at the moment. I did not undo it yet for fear that it may do something undesirable to my system.

Thanks again for all of your time and assistance!


Hi,

My documents folder is more "faded-looking" (that's the only way I can think to describe it) than it should be, and when I look at the properties of the folder (I can't access the actual files since it's hidden), it lists basically all of my used hard drive space and nearly 8,000 files. I'm pretty sure everything is in there, since the scans went through all the file names when they were analyzed. The properties box has "hidden" checked - is that what you meant by being listed as hidden?

Due to a severe lack of time, I haven't had a chance to run the hotfix yet, but I did read up on it and it definitely applies to the issue I'm having with the programs. I should be able to run it tomorrow.

I'm thinking that the hidden files and program issues are a symptom that the malware caused so that I would think that the hard drive failed, like the "fake" message said. They were hoping I'd run the diagnostics tool. Was this any particular type of malware? Should I be concerned about vulnerabilities of any sort?


I tried to do the hotfix this morning, but I received this error message:

"Setup has detected that the Service Pack version of this system is newer than the update you are applying. There is no need to install this update." (Setup Error)

I had downloaded and unzipped the file they sent me and then ran it from its location in C.

Did I do something wrong? I'm not sure why I would still have this problem if my service pack would prevent it...

Thank you for your time!


Hi,

Finally, some good news! I was able to "unhide" all the files on my system - everything (as far as I can tell) is there once again.

Encouraged by this result, I went fishing through directories for a while and was able to get all of the programs back as well (even Accessories, quick launch, the ability to zip files, and my internet favorites!). Everything was set as read only and/or hidden by the virus, apparently.

So everything appears to be back to normal again - I am very pleased with this. Thank you so much for your time and assistance throughout this process! :)

I have just two more questions for you: should I now delete all of the DDS, GMER, etc. files and should I run any additional scans to be sure that "unhiding" the programs and files didn't disturb some latent malware?

Thanks again! I really appreciate it!


Here's the new log:

ComboFix 11-03-24.03 - Kendall 03/25/2011 5:14.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.447 [GMT -4:00]

Running from: c:\documents and settings\Kendall\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))

.

.

2011-03-23 04:49 . 2007-08-28 08:30 3085192 ----a-w- C:\WindowsXP-KB941248-v3-x86-ENU.exe

2011-03-19 05:52 . 2011-03-19 05:52 -------- d-----w- c:\documents and settings\Kendall\Local Settings\Application Data\Temp

2011-03-18 01:19 . 2011-03-18 01:19 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-03-18 00:55 . 2011-03-18 00:54 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-18 00:55 . 2011-03-18 00:54 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-18 00:53 . 2011-03-18 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-03-17 03:45 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-03-16 06:31 . 2011-03-16 06:31 -------- d-----w- c:\program files\ESET

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 07:06 . 2008-07-29 08:48 7304 ----a-w- c:\windows\TMP0001.TMP

2011-02-23 14:04 . 2011-02-01 22:11 40648 ----a-w- c:\windows\avastSS.scr

2011-02-23 14:04 . 2008-07-29 13:16 190016 ----a-w- c:\windows\system32\aswBoot.exe

2011-02-23 13:56 . 2008-07-29 13:16 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-02-23 13:55 . 2008-07-29 13:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-02-23 13:55 . 2008-07-29 13:16 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-02-23 13:55 . 2008-07-29 13:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-02-23 13:55 . 2008-07-29 13:16 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-02-23 13:54 . 2008-07-29 13:16 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-02-23 13:54 . 2008-07-29 13:16 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-02-09 13:53 . 2008-07-29 09:40 270848 ------w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-07-29 09:40 186880 ------w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2008-07-29 09:40 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-07-29 09:40 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-07-29 09:41 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2001-08-18 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2001-08-18 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="c:\documents and settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-01-22 79872]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"kmw_run.exe"="kmw_run.exe" [2005-09-01 118784]

"DIAGENT"="c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" [2001-08-30 172122]

"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]

"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"nwiz"="nwiz.exe" [2003-10-06 741376]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-13 185872]

"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2007-01-11 291760]

"Lexmark 9300 Series Fax Server"="c:\program files\Lexmark 9300 Series\fm3032.exe" [2006-12-05 304048]

"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2006-12-05 82864]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]

"LXCQCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll" [2006-11-21 106496]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

.

c:\documents and settings\Kendall\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2008-8-29 256000]

RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Kendall\Local Settings\Temp\{D09816E5-6C5E-447E-AB06-239D95D5AB33}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]

Seagate 2GH2PM4N Product Registration.lnk - c:\documents and settings\Kendall\Application Data\Leadertech\PowerRegister\Seagate 2GH2PM4N Product Registration.exe [2010-5-15 1731736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2009-5-22 6144]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicCard.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\lxcqcoms.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/16/2011 11:45 PM 371544]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2008 9:16 AM 301528]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2008 9:16 AM 19544]

R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: darrenhayes.com\www

Trusted Zone: pandasecurity.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-25 05:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCQCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\Kendall\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_content&?%

.

scanning hidden files ...

.

.

C:\## aswSnx private storage

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(768)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(2152)

c:\windows\system32\WININET.dll

c:\windows\system32\kmw_dll.dll

c:\windows\system32\WOW32.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-03-25 05:38:30

ComboFix-quarantined-files.txt 2011-03-25 09:38

ComboFix2.txt 2011-03-16 04:24

.

Pre-Run: 20,135,985,152 bytes free

Post-Run: 20,568,674,304 bytes free

.

- - End Of File - - 9AE6A86311A22598D6B98BD74336D82B

Thanks again for all your help!
