malware removed; still no Internet access

Dell / XPS
May 1, 2009 at 10:52:09
Specs: Windows XP MCE
Hello! My son called me at work on 4/28/09 from home to tell me that he was getting several popups on our home PC. He e-mailed me a screen shot and I saw that it was malware. While still at work I did some research (including this site) and printed out sheaves of instructions. I also downloaded several malware removers and Windows security updates, renamed them and burned them to a CD. I went home in the evening and spent several hours running malware removers and going through manual removal steps to make sure I got everything. (I used MBAM, HijackThis and SUPERAntiSpyware, and I went through a couple of different manual routines including Microsoft's. Microsoft's instructions included some suggestions for hardening my system, which I followed.) Then I ran a complete virus scan using my free Avira antivirus (last updated 4/27/09), which found nothing. I think the computer is clean.

But I'm still having three problems (that I know of):
1. No Internet access.
2. The BITS service won't start.
3. The Automatic Update service won't start. (error 0x80072772)

The PC is a Dell XPS running Windows XP Media Center Edition. It's the only PC with Internet access, and it's hooked up by cable into a DSL connection.

I have logs from MBAM, HijackThis and SUPERAntiSpyware if you'd like to see them. I ran them in that order. I also have ComboFix on the CD, but I haven't run it. (I did see a post from bigjeff80, who was apparently having the same problem as me. He said ComboFix solved it.)




#1
May 2, 2009 at 14:28:38
Yes mate, I ran all the same programmes that you did, but ComboFix was the only one that fixed it.... It's supposed to be a last resort before formatting your hard drive, but I figured it was worth a spin as my PC was useless without the Internet!

Just make sure you back up everything you need to keep before running it.



#2
May 2, 2009 at 18:18:35
Please post your Hijack This log.


#3
May 2, 2009 at 19:39:10
Clean out your temp files using ATF.
http://www.softpedia.com/get/Securi...
http://www.atribune.org/
Forum
http://www.atribune.org/forums/

Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up. Left click on Properties, double click on the Internet Protocol (TCP/IP) item and select the radio button that says > Obtain DNS servers automatically. Click OK twice and restart your computer.
Also,
Right click Local Area Connection > Repair.



#4
May 2, 2009 at 19:42:35
Oops, sorry jabuck, I got interrupted halfway through finishing the post.


#5
May 4, 2009 at 09:14:19
My HJT log is listed below. I'll plan to follow Johnw's suggestions when I get home tonight, and to let you know what happens. Thanks!

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:54 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
k:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myafo.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.afo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:4451/Maya7.0PLE/en...
O2 - BHO: (no name) - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\x38hcmfo1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\x38hcmfo1.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\x38hcmfo1.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://netcomply.safesystems.com/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10705 bytes



#6
May 4, 2009 at 09:16:52
BTW, you may notice a reference to the Safe Eyes Internet filter in the log above. I should point out that this has now been completely uninstalled, and is therefore not related to my computer's inability to access the Web.


#7
May 4, 2009 at 09:55:15

Download the following two programs to a CD, USB stick or floppy and run them on the infected computer. Run LSPFix first, then run WinsockXPfix second.

Download WinsockXPfix from the following link:

WinsockXPfix

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.


1. Please download LSPFix from the following link:

LSPFix

2. Run the LSPFix.exe that you have just finished downloading.
3. Check the "I know what I'm doing" box.
In the Keep box you should see one or more instances of ntdll64.dll.
4. Select every instance of ntdll64.dll and move each one to the Remove box by clicking the >> button.
5. When you are done, click Finish>>.

Post your progress as there will be more to do.


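The log in #5 and the LSP diagnosis in #7 both come down to reading a HijackThis log for a few specific entry types. The script below is an added example, not part of this thread and not code from HijackThis, LSPFix or WinsockXPfix: it runs a small triage pass over HijackThis entries and flags orphaned BHO/toolbar CLSIDs, Run values launched from a Temp directory (including those under the SYSTEM and Default profiles) and O10 Winsock LSP entries, treating a missing LSP provider DLL as the "no Internet access" failure mode seen here. The sample input is an excerpt of the log posted above with one clean line kept as a control; the severity labels and rule names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the HijackThis log posted in #5 (avgnt line kept as a clean
# control). Embedded so the triage runs offline; nothing here is fetched.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\x38hcmfo1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\x38hcmfo1.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "high" or "medium" (labels chosen for this example)
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking path in a Run value, quoted or not, spaces allowed.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|bat|scr|com|pif))', re.I)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
PROFILE_RE = re.compile(r"\(User '(SYSTEM|Default user)'\)$")


def _check_o4(body: str) -> Optional[Tuple[str, str]]:
    m = O4_RE.match(body)
    if not m:
        return None
    exe = EXE_RE.search(m.group("cmd"))
    path = exe.group(1) if exe else ""
    if TEMP_DIR_RE.search(path):
        # A Run value pointing into a Temp folder is a classic persistence
        # leftover; note when it applies to the SYSTEM/Default profile.
        who = PROFILE_RE.search(m.group("cmd"))
        ctx = f" for {who.group(1)} profile" if who else ""
        return "high", f"Run entry launches from a Temp directory{ctx}: {path}"
    if m.group("name") == "":
        return "medium", "Run entry with an empty value name"
    return None


def _check_o10(body: str) -> Tuple[str, str]:
    # A provider DLL that is referenced by the Winsock catalog but no longer
    # exists breaks every socket; the catalog has to be repaired, not the file.
    if body.lower().startswith("broken internet access"):
        return "high", "Winsock LSP chain references a missing provider DLL; repair the catalog (LSPFix/WinsockXPfix) rather than just deleting files"
    return "medium", "Non-Microsoft Winsock LSP provider; verify before removal, since removing a live LSP breaks networking"


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process list, blanks
        section, body = m.group("section"), m.group("body")
        hit = None
        if section in ("O2", "O3") and body.endswith("(no file)"):
            hit = ("medium", "Registered browser extension whose DLL is gone (orphaned CLSID, typical leftover after removal)")
        elif section == "O4":
            hit = _check_o4(body)
        elif section == "O10":
            hit = _check_o10(body)
        if hit:
            findings.append(Finding(section, hit[0], hit[1], line))
    return findings


def lsp_chain_broken(findings: List[Finding]) -> bool:
    """True when the log shows the failure mode in this thread: an LSP
    provider DLL that no longer exists, which blocks all Winsock traffic."""
    return any(f.section == "O10" and f.severity == "high" for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("LSP chain broken:", lsp_chain_broken(results))
```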

#8
May 4, 2009 at 12:05:28
I'll plan to post the results this evening.

Do I still need to run ATF as recommended by Johnw above?

Also, FYI, I had to download WinsockXPfix from snapfiles. When I tried the link above my firewall said, "This request is blocked by the SonicWALL Gateway Anti-Virus Service. Name: Suspicious#PKLITE32 (Trojan)."



#9
May 4, 2009 at 12:48:09
No need to run the clean-up tool yet.


#10
May 4, 2009 at 18:46:27
LSPfix completed. (The one instance of ntdll64.dll found was already in the remove box, so I just clicked "Finish.") The summary said, "Repairs complete. 0 NameSpace provider entries removed. 0 NameSpace provider entries renumbered. 2 Protocol provider entries removed. 32 Protocal provider entries renumbered."

WinsockXPfix ran successfully as well. Should I go ahead and try Internet access, or do we need to do something else first?



#11
May 4, 2009 at 19:03:32
Try to get on the Internet and, if you are successful, do the following:

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AntiVir antivirus and any antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#12
May 4, 2009 at 20:24:48
I checked, and I do have Internet access again! Also, the BITS and Automatic Updates services are running again.

After checking those things, I followed the ComboFix instructions, including installation of Recovery Console. ComboFix proceeded as expected. Last time I looked at the screen, it was on Stage 50. The next thing I knew the PC was restarting. (I hadn't expected this.)

My Windows login screen appeared & I logged in. Then four things happened:
1. My Documents window opened.
2. A system tray icon appeared with a balloon that said, "Your computer is infected! It is recommended to start spyware cleaner tool." (This made me think the malware is back, or perhaps was never gone.)
3. Avira AntiVir started up.
4. ComboFix warned me that I needed to disable Avira before clicking OK.

I closed My Documents, disabled Avira and clicked OK for ComboFix to continue. Soon the malware balloon and icon disappeared, and ComboFix finished. I'm about to post the log.



#13
May 4, 2009 at 20:34:28
When I returned to the problem PC to copy the log, I found that IE had opened on its own. Anyway, here's the log:

------------------------------------------------------------

ComboFix 09-04-28.02 - Franklins 05/04/2009 22:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.671 [GMT -5:00]
Running from: c:\documents and settings\Franklins\Desktop\toolb.exe.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\ak1.exe
c:\windows\system32\bszip.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\uniq.tll
c:\windows\Temp\1029524367.exe
c:\windows\Temp\944680617.exe
c:\windows\Temp\945149367.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-5-5 )))))))))))))))))))))))))))))))
.

2009-05-05 03:05 . 2009-05-05 03:05 104960 ----a-w c:\windows\system32\ntdll64.exe
2009-05-05 03:05 . 2009-05-05 03:05 23040 ----a-w c:\windows\system32\frmwrk32.exe
2009-05-05 03:05 . 2009-05-05 03:05 23040 ----a-w c:\windows\system32\loader49.exe
2009-04-29 02:28 . 2009-04-29 02:28 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 02:28 . 2009-04-29 02:28 -------- d-----w c:\documents and settings\Franklins\Application Data\SUPERAntiSpyware.com
2009-04-29 02:27 . 2009-04-29 02:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-29 00:44 . 2009-04-29 00:44 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-29 00:08 . 2009-04-29 00:08 -------- d-----w c:\documents and settings\Franklins\Application Data\Malwarebytes
2009-04-29 00:08 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 00:08 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 00:08 . 2009-04-29 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 13:11 . 2009-04-27 13:11 24064 ----a-w c:\windows\system32\loader266.exe
2009-04-16 23:56 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 23:56 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 23:56 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 23:56 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 23:56 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 23:56 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 23:56 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 23:56 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 23:56 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 23:56 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 23:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 23:45 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 20:28 . 2009-04-13 20:28 -------- d-----w c:\program files\NOS
2009-04-13 20:28 . 2009-04-13 20:28 -------- d-----w c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 03:03 . 2006-02-21 14:54 384 ----a-w c:\windows\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2009-05-05 03:03 . 2006-02-21 14:54 384 ----a-w c:\windows\system32\DVCState-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2009-05-05 01:09 . 2006-03-11 03:09 44798 ----a-w c:\documents and settings\Franklins\Application Data\wklnhst.dat
2009-04-19 02:17 . 2006-04-04 00:24 3558 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-19 02:17 . 2006-04-04 00:24 56 --sh--r c:\windows\system32\2B361A2084.sys
2009-04-14 23:40 . 2006-04-09 01:58 -------- d-----w c:\program files\QUICKENW
2009-04-04 18:28 . 2009-04-04 18:28 0 ----a-w c:\windows\nsreg.dat
2009-04-01 22:24 . 2006-02-21 14:50 -------- d-----w c:\program files\Java
2009-03-27 19:16 . 2009-01-01 07:25 -------- d-----w c:\program files\Warcraft III
2009-03-14 23:59 . 2009-03-14 23:59 -------- d-----w c:\program files\Yontoo Layers Client for Internet Explorer
2009-03-09 10:19 . 2008-12-18 05:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 21:58 . 2008-12-27 22:50 284376 ----a-w c:\windows\sediag.exe
2009-03-05 21:58 . 2008-12-27 22:50 276184 ----a-w c:\windows\system32\seinst.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 10:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2006-03-11 03:30 . 2006-03-11 03:30 251 ----a-w c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"= "c:\windows\system32\ieframe.dll" [2009-02-20 6066176]

[HKEY_CLASSES_ROOT\clsid\{f2cf5485-4e02-4f68-819c-b92de9277049}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-21 169472]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2004-03-11 28672]

c:\documents and settings\Franklins\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-13 221295]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-21 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-02-20 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w k:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Franklins\\Desktop\\Games\\AoE2\\AoE2\\age2_x1.exe"=

R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
R3 jnv4_mib;jnv4_mib; [x]
R3 SASENUM;SASENUM;k:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 SASDIFSV;SASDIFSV;k:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;k:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [2004-07-17 126976]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
HKLM-Run-CTSysVol - c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.afo.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://localhost:4451/Maya7.0PLE/en_US/index.html?tutorials
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
FF - ProfilePath - c:\documents and settings\Franklins\Application Data\Mozilla\Firefox\Profiles\d008i5z8.default\
FF - prefs.js: browser.startup.homepage - hxxp://webmail.afo.net/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 22:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxxilhrvri.sys 81408 bytes executable
c:\windows\system32\ovfsthxejoapjhh.dll 59904 bytes executable
c:\windows\system32\ovfsthxilcylfmc.dat 43 bytes
c:\windows\system32\ovfsthxjgruxkjo.dat 445040 bytes
c:\windows\system32\ovfsthxmscyokcb.dll 18432 bytes executable
c:\windows\system32\ovfsthxucfnerkk.dll 18432 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
k:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2044)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTSVCCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\frmwrk32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-05-05 22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 03:10

Pre-Run: 109,903,917,056 bytes free
Post-Run: 112,298,078,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

233 --- E O F --- 2009-04-27 08:00



#14
May 4, 2009 at 21:11:25
FYI, the malware symptoms have reappeared. Also, the My Documents folder keeps opening.


#15
May 4, 2009 at 21:28:47
FYI, the malware symptoms have reappeared. Also, the My Documents folder keeps opening.


#16
May 11, 2009 at 14:18:03
No response in a week; does that mean I'm on my own now?

I haven't touched the PC since my last post.

Thanks,
Dave

P.S. - Sorry about the duplicate post above. I refreshed the page later and it resubmitted the form data.



#17
May 11, 2009 at 14:38:27
Sorry, somehow we missed you.

Please post, in order, a Malwarebytes, Hijack This and Combofix log following the previous directions. Be sure to update Malwarebytes.



#18
May 13, 2009 at 21:19:08
OK, I followed instructions. Here's what I did:

* Turned on PC for first time in over a week.
* Plugged in DSL cable & updated MalwareBytes.
* Avira AntiVir auto-updated during this time.
* Unplugged DSL.
* Ran MalwareBytes - full scan of all hard drives.
* Removed all problem files found & saved log.
* MalwareBytes rebooted the PC.
* Ran HijackThis & saved log, but didn't fix anything.
* Hooked up DSL cable & downloaded latest ComboFix (as toolb.exe).
* Disconnected DSL & turned off AntiVir & Windows firewall.
* Ran ComboFix.
* After 25 minutes it told me rootkit activity had been detected.
* It said it needed to reboot and asked me to make a note of the following 6 files:
C:\WINDOWS\system32\drivers\ovfsthxxilhrvri.sys
C:\WINDOWS\system32\ovfsthxejoapjhh.dll
C:\WINDOWS\system32\ovfsthxjgruxkjo.dat
C:\WINDOWS\system32\ovfsthxucfnerkk.dll
C:\WINDOWS\system32\ovfsthxmscyokcb.dll
C:\WINDOWS\system32\ovfsthxilcylfmc.dat
* I clicked the OK button expecting ComboFix to reboot the PC. It didn't.

38 minutes have now passed with no disk activity. ComboFix's DOS window is still on my screen saying "scanning for infected files" and telling me how long to expect the scan to take. The screen is otherwise blank. Obviously, I had to go to another PC to post this, and I don't have access to the MalwareBytes and HJT logs.

Should I cycle power on the PC at this point?

Thanks,
Dave



#19
May 14, 2009 at 03:34:52
Yes, restart the computer.


#20
May 14, 2009 at 05:06:51
* I cycled power on the PC & logged in to Windows.
* AntiVir started up & found something in the toolb (combofix) folder. I said to ignore it.
* ComboFix deleted the 6 files mentioned above & proceeded with stages 1-50.
* ComboFix deleted one other file & auto-rebooted.
* As Windows was being rebooted, one update was installed automatically.
* When the PC came back up, I logged in.
* ComboFix told me to turn off AntiVir, which I did.
* ComboFix created log & ended.

I'm about to turn on AntiVir & firewall, go online on the problem PC & post 3 logs.



#21
May 14, 2009 at 05:12:04
Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

5/13/2009 9:33:23 PM
mbam-log-2009-05-13 (21-33-23).txt

Scan type: Full Scan (C:\|I:\|J:\|K:\|L:\|M:\|N:\|)
Objects scanned: 186675
Time elapsed: 31 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ak1.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1029524367.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Temp\944680617.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Temp\945149367.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loader266.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loader49.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



#22
May 14, 2009 at 05:13:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:08 PM, on 5/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
K:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.afo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:4451/Maya7.0PLE/en...
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://netcomply.safesystems.com/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - K:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10213 bytes



#23
May 14, 2009 at 05:14:04
ComboFix 09-05-13.02 - Franklins 05/14/2009 6:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.667 [GMT -5:00]
Running from: c:\documents and settings\Franklins\Desktop\toolb.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthxxilhrvri.sys
c:\windows\system32\ovfsthxejoapjhh.dll
c:\windows\system32\ovfsthxilcylfmc.dat
c:\windows\system32\ovfsthxjgruxkjo.dat
c:\windows\system32\ovfsthxmscyokcb.dll
c:\windows\system32\ovfsthxucfnerkk.dll
c:\windows\TEMP\mpengine.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxceqlcnjd


((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-04-29 02:28 . 2009-04-29 02:28 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 02:28 . 2009-04-29 02:28 -------- d-----w c:\documents and settings\Franklins\Application Data\SUPERAntiSpyware.com
2009-04-29 02:27 . 2009-04-29 02:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-29 00:44 . 2009-04-29 00:44 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-29 00:08 . 2009-04-29 00:08 -------- d-----w c:\documents and settings\Franklins\Application Data\Malwarebytes
2009-04-29 00:08 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 00:08 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 00:08 . 2009-04-29 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 23:56 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 23:56 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 23:56 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 23:56 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 23:56 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 23:56 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 23:56 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 23:56 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 23:56 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 23:56 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 23:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 23:45 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 11:53 . 2006-02-21 14:54 384 ----a-w c:\windows\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2009-05-14 11:53 . 2006-02-21 14:54 384 ----a-w c:\windows\system32\DVCState-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2009-05-05 01:09 . 2006-03-11 03:09 44798 ----a-w c:\documents and settings\Franklins\Application Data\wklnhst.dat
2009-04-19 02:17 . 2006-04-04 00:24 3558 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-19 02:17 . 2006-04-04 00:24 56 --sh--r c:\windows\system32\2B361A2084.sys
2009-04-14 23:40 . 2006-04-09 01:58 -------- d-----w c:\program files\QUICKENW
2009-04-13 20:28 . 2009-04-13 20:28 -------- d-----w c:\program files\NOS
2009-04-04 18:28 . 2009-04-04 18:28 0 ----a-w c:\windows\nsreg.dat
2009-04-01 22:24 . 2006-02-21 14:50 -------- d-----w c:\program files\Java
2009-03-27 19:16 . 2009-01-01 07:25 -------- d-----w c:\program files\Warcraft III
2009-03-09 10:19 . 2008-12-18 05:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 21:58 . 2008-12-27 22:50 284376 ----a-w c:\windows\sediag.exe
2009-03-05 21:58 . 2008-12-27 22:50 276184 ----a-w c:\windows\system32\seinst.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2006-03-11 03:30 . 2006-03-11 03:30 251 ----a-w c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-05-05_03.08.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-14 11:53 . 2009-05-14 11:53 16384 c:\windows\Temp\Perflib_Perfdata_6b8.dat
- 2006-03-08 22:53 . 2009-05-05 03:05 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-08 22:53 . 2009-05-14 02:35 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-27 17:54 . 2009-05-05 03:20 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-04-27 17:54 . 2009-05-05 02:46 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2006-03-08 22:53 . 2009-05-05 03:05 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-08 22:53 . 2009-05-14 02:35 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-17 02:04 . 2009-04-17 08:01 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-01-17 02:04 . 2009-05-05 04:32 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-03-18 05:56 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-21 169472]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2004-03-11 28672]

c:\documents and settings\Franklins\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-13 221295]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-21 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w k:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Franklins\\Desktop\\Games\\AoE2\\AoE2\\age2_x1.exe"=

R1 SASDIFSV;SASDIFSV;k:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;k:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [7/16/2004 11:26 PM 126976]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4/13/2009 3:28 PM 33176]
S3 jnv4_mib;jnv4_mib;\??\c:\docume~1\FRANKL~1\LOCALS~1\Temp\jnv4_mib.sys --> c:\docume~1\FRANKL~1\LOCALS~1\Temp\jnv4_mib.sys [?]
S3 SASENUM;SASENUM;k:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.afo.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://localhost:4451/Maya7.0PLE/en_US/index.html?tutorials
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 06:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
k:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTSVCCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-14 6:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 11:58
ComboFix2.txt 2009-05-05 03:10

Pre-Run: 112,245,084,160 bytes free
Post-Run: 112,180,903,936 bytes free

218 --- E O F --- 2009-05-14 11:52



#24
May 14, 2009 at 14:32:22
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\docume~1\FRANKL~1\LOCALS~1\Temp\jnv4_mib.sys

Driver::
jnv4_mib

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Please go to Virus Total and upload the following file for analysis:

c:\windows\system32\2B361A2084.sys

Use the Browse button at the site to find the file. Once you find the file, double-click it and it should appear in the empty space to the left of the Browse button, then click "Send file".

Post the results in your reply.



#25
May 14, 2009 at 21:21:16
ComboFix 09-05-13.02 - Franklins 05/14/2009 22:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.643 [GMT -5:00]
Running from: c:\documents and settings\Franklins\Desktop\toolb.exe
Command switches used :: c:\documents and settings\Franklins\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
c:\docume~1\FRANKL~1\LOCALS~1\Temp\jnv4_mib.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JNV4_MIB
-------\Service_jnv4_mib


((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-04-29 02:28 . 2009-04-29 02:28 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 02:28 . 2009-04-29 02:28 -------- d-----w c:\documents and settings\Franklins\Application Data\SUPERAntiSpyware.com
2009-04-29 02:27 . 2009-04-29 02:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-29 00:44 . 2009-04-29 00:44 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-29 00:08 . 2009-04-29 00:08 -------- d-----w c:\documents and settings\Franklins\Application Data\Malwarebytes
2009-04-29 00:08 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 00:08 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 00:08 . 2009-04-29 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 23:56 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 23:56 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 23:56 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 23:56 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 23:56 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 23:56 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 23:56 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 23:56 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 23:56 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 23:56 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 23:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 23:45 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 03:59 . 2006-02-21 14:54 384 ----a-w c:\windows\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2009-05-15 03:59 . 2006-02-21 14:54 384 ----a-w c:\windows\system32\DVCState-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2009-05-05 01:09 . 2006-03-11 03:09 44798 ----a-w c:\documents and settings\Franklins\Application Data\wklnhst.dat
2009-04-19 02:17 . 2006-04-04 00:24 3558 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-19 02:17 . 2006-04-04 00:24 56 --sh--r c:\windows\system32\2B361A2084.sys
2009-04-14 23:40 . 2006-04-09 01:58 -------- d-----w c:\program files\QUICKENW
2009-04-13 20:28 . 2009-04-13 20:28 -------- d-----w c:\program files\NOS
2009-04-04 18:28 . 2009-04-04 18:28 0 ----a-w c:\windows\nsreg.dat
2009-04-01 22:24 . 2006-02-21 14:50 -------- d-----w c:\program files\Java
2009-03-27 19:16 . 2009-01-01 07:25 -------- d-----w c:\program files\Warcraft III
2009-03-09 10:19 . 2008-12-18 05:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 21:58 . 2008-12-27 22:50 284376 ----a-w c:\windows\sediag.exe
2009-03-05 21:58 . 2008-12-27 22:50 276184 ----a-w c:\windows\system32\seinst.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2006-03-11 03:30 . 2006-03-11 03:30 251 ----a-w c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-05-05_03.08.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-15 04:00 . 2009-05-15 04:00 16384 c:\windows\temp\Perflib_Perfdata_6b4.dat
- 2006-03-08 22:53 . 2009-05-05 03:05 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-08 22:53 . 2009-05-14 02:35 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-27 17:54 . 2009-05-05 03:20 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-04-27 17:54 . 2009-05-05 02:46 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2006-03-08 22:53 . 2009-05-05 03:05 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-08 22:53 . 2009-05-14 02:35 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-17 02:04 . 2009-04-17 08:01 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2009-05-14 12:17 . 2009-05-14 12:17 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2008-01-17 02:04 . 2009-05-14 12:17 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-01-17 02:04 . 2009-04-17 08:01 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-01-17 02:04 . 2009-05-14 12:17 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-03-18 05:56 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-21 169472]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2004-03-11 28672]

c:\documents and settings\Franklins\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-13 221295]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-21 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w k:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Franklins\\Desktop\\Games\\AoE2\\AoE2\\age2_x1.exe"=

R1 SASDIFSV;SASDIFSV;k:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;k:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [7/16/2004 11:26 PM 126976]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4/13/2009 3:28 PM 33176]
S3 SASENUM;SASENUM;k:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.afo.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://localhost:4451/Maya7.0PLE/en_US/index.html?tutorials
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Franklins\Application Data\Mozilla\Firefox\Profiles\d008i5z8.default\
FF - prefs.js: browser.startup.homepage - hxxp://webmail.afo.net/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
k:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTSVCCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-15 23:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 04:04
ComboFix2.txt 2009-05-14 11:58
ComboFix3.txt 2009-05-05 03:10

Pre-Run: 112,148,713,472 bytes free
Post-Run: 112,128,667,648 bytes free

217 --- E O F --- 2009-05-14 12:17



#26
May 14, 2009 at 21:26:44
The requested ComboFix log is shown in the post immediately preceding this one. But the file you've asked me to upload to Virus Total for analysis doesn't exist on my system. I looked for it in the specified location and I also searched all files and folders to no avail.

Thanks for staying with me on this, by the way.



#27
May 15, 2009 at 20:36:22
Unhide the hidden files, then look again for the file to be checked at Virus Total.

Set up the computer to view hidden files:
To show hidden files, do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.


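Why the file was not found: in the ComboFix "Find3M Report" above, c:\windows\system32\2B361A2084.sys is listed with the flags "--sh--r" (system + hidden + read-only), and Explorer with default Folder Options does not display hidden files, and hides system+hidden files until "Hide protected operating system files" is unchecked. The following parser is an added example, not code from ComboFix or from this thread; the meaning of the flag columns (d = directory, s = system, h = hidden, a = archive, final r/w = read-only/writable) is inferred from the log lines in this thread, and the visibility model follows the two Folder Options settings described in the post above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One file line of a ComboFix "Find3M Report" / "Files Created" section:
#   <mtime> . <ctime> <size or --------> <7-char attribute flags> <path>
# (regex written for this example from the log lines quoted in the thread)
_LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<flags>[A-Za-z-]{7}) (?P<path>.+)$"
)


@dataclass
class Entry:
    path: str
    size: Optional[int]      # None for directories (size column is "--------")
    directory: bool
    system: bool
    hidden: bool
    archive: bool
    read_only: bool


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headings, separators and blanks."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    size = m.group("size")
    # Columns 1 and 5 of the flag string are not interpreted here (assumption:
    # they never appear in this thread's log, so their meaning is unknown).
    return Entry(
        path=m.group("path"),
        size=None if size.startswith("-") else int(size),
        directory=flags[0] == "d",   # column 0: 'd' for directories
        system=flags[2] == "s",      # column 2: system attribute
        hidden=flags[3] == "h",      # column 3: hidden attribute
        archive=flags[4] == "a",     # column 4: archive attribute
        read_only=flags[6] == "r",   # column 6: 'r' read-only, 'w' writable
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def explorer_visible(entry: Entry, show_hidden: bool, show_protected: bool) -> bool:
    """Model of the two Folder Options settings from the post above.

    Hidden files need "Show hidden files and folders"; files that are both
    hidden and system ("protected operating system files") additionally need
    "Hide protected operating system files" to be unchecked.
    """
    if not entry.hidden:
        return True
    if not show_hidden:
        return False
    return show_protected or not entry.system


def invisible_by_default(text: str) -> List[str]:
    """Paths from the log that a default Explorer configuration will not show."""
    return [e.path for e in parse_log(text)
            if not explorer_visible(e, show_hidden=False, show_protected=False)]


# Constructed sample: a few lines copied from the Find3M report in this thread.
SAMPLE_LOG = r"""
2009-04-19 02:17 . 2006-04-04 00:24 3558 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-19 02:17 . 2006-04-04 00:24 56 --sh--r c:\windows\system32\2B361A2084.sys
2009-04-14 23:40 . 2006-04-09 01:58 -------- d-----w c:\program files\QUICKENW
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-04-29 00:44 . 2009-04-29 00:44 -------- d--h--w c:\windows\system32\GroupPolicy
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        tag = "shown" if explorer_visible(e, False, False) else "HIDDEN"
        print(f"{tag:6} sys={e.system!s:5} hid={e.hidden!s:5} {e.path}")
```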

#28
May 15, 2009 at 22:03:03
File 2B361A2084.sys received on 05.16.2009 06:57:40 (CET)
Current status: finished
Result: 0/39 (0%)
---------------------------------------------------------
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 -
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 -
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.15 -
F-Secure 8.0.14470.0 2009.05.15 -
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 -
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 -
McAfee 5616 2009.05.15 -
McAfee+Artemis 5616 2009.05.15 -
McAfee-GW-Edition 6.7.6 2009.05.15 -
Microsoft 1.4602 2009.05.15 -
NOD32 4080 2009.05.15 -
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 -
PCTools 4.4.2.0 2009.05.15 -
Prevx 3.0 2009.05.16 -
Rising 21.29.50.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
---------------------------------------------------------
Additional information
File size: 56 bytes
MD5...: e2d11dd0de1f514c80da7876cc163c96
SHA1..: 27b4cf5812d8f3557eae21d7ff7dada0db719da6
SHA256: 73356e5816751419e7f11c8dbb135cd35e94e39c31f054394626f708512d9cc8
SHA512: 46c3055917ee54d00ab893d9f65d6cfe2e256cedaa082b62c76530c8ea7ce307325b828816187419f588cfa8ab340e440bc5eae015825173851dfd91d3061cf8
ssdeep: 3:/lCC/Gn3n:QCen3n
PEiD..: -
TrID..: File type identification
MS Flight Simulator Aircraft Performance Info (100.0%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-


#29
May 16, 2009 at 11:26:22
Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#30
May 18, 2009 at 05:05:33
Hello. I'm on the road this week, but I'll plan to continue with this next weekend. Thanks.


#31
May 23, 2009 at 19:27:52
OK; sorry for the delay. Here's the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 24, 2009 00:08:47
Records in database: 2229003
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\

Scan statistics:
Files scanned: 92577
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:43:29


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxucfnerkk.dll.vir Infected: Trojan.Win32.Tdss.acsz 1

The selected area was scanned.



#32
May 27, 2009 at 05:52:47
Should I try to delete this quarantined file?

Thanks,
David



#33
May 27, 2009 at 06:20:15
Hi David,

Jabuck hasn't been around for a bit, I hope he doesn't mind if I finish this off for him. Your PC now has a clean bill of health.

Qoobox quarantine belongs to Combofix.

Jabuck offers excellent follow up advice after a system disinfection. Follow his instructions Response #10 at the link below but ignore the sentence quoted below:

"Navigate to and delete this file:

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll"

http://www.computing.net/answers/se...

The instructions will take care of the Qoobox quarantine and remove unneeded programs used.



#34
May 27, 2009 at 20:13:12
Thanks very much for all of your help!

Regards,
Dave

