skipd ad appears while browsing

Micro-star international Wind u100 10 ne...
February 27, 2010 at 17:32:50
Specs: Windows XP, 1.6gh/1gb
First I thought it was an ad sponsored by the site admin itself for financial reasons, only to later realize it was actually some sort of trojan thingy. Now the case is that, very frequently, an ad site appears with a skip option at the top right corner of the page, and upon clicking the skip option the browsing page shows up again, with the same repetitions.

My on-access McAfee scan continuously shows the Generic.dx!oij and backdoor-dki.gen.ag trojan deleted message.

While typing this, I have already tried Spyware Doctor (latest version) followed by ATF Cleaner, and now SUPERAntiSpyware has been running for the last one hour and fifteen minutes!

I will post the update of course but just wondering if you guys want to suggest something smart.

Many thanks in advance!



#1
February 27, 2010 at 17:38:32
Let SUPERAntiSpyware finish, then post the logs from DDS; it may help determine what files are causing the problem.

Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has one.
Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save both reports to your desktop then post them please.



#2
February 27, 2010 at 18:31:37
Thanks jabuck!

After running SUPERAntiSpyware for one and a half hours, the result was that it detected and deleted some trojans, but again only for McAfee to show the same generic and backdoor things.

I already got two skip-ad pages while typing this post. Anyway, here are the files as you suggested.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 2:13:36.79 on Sun 02/28/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.95 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://flvdirect.iamwired.net/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\razawebhook32.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Desktop Calendar] c:\program files\desktop calendar\Desktop Calendar.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [pdfFactory Pro ??? v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [msnappau] "c:\program files\msn apps\updater\01.02.3000.1001\en-gb\msnappau.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [none] c:\AUTOEXEC.BAT
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [IETI] c:\program files\skype\phone\ieplugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = firefox.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: Download with &Shareaza - c:\program files\shareaza\razawebhook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05B2B786-9817-4F4C-8FE8-2ADD74D94F4B} - hxxps://ebank.bok.com.tw/eatm/BOKATM.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} - hxxps://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab
DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxps://muse.shef.ac.uk/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {55969220-62D5-4DD8-847C-E763CD3CA4C5} - hxxp://203.74.210.2/housecall/xscan61.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/1945674c578d009c6005/netzip/RdxIE601.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260048130244
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260048264494
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://www.nsc.com.tw/iemenu.cab
DPF: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} - hxxp://ekey.sinopac.com.tw/cab/axekey.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab
DPF: {8F566902-147A-450F-A492-357155B73836} - hxxp://ekey.sinopac.com.tw/cab/getdir.cab
DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} - hxxp://www.im.tv/IMTVPlayer.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF5BCADE-803F-45D5-A617-C6E64F044506} - hxxps://ibank.firstbank.com.tw/NetBank/cab/FB_SO.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: msosmhfp00.dll
SEH: THOOK: {27e1c1b0-7117-4582-8565-682e569810d2} - c:\windows\poor32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli scecli scecli scecli
IFEO: 360safebox.exe - ntsd -d
IFEO: KPPMain.exe - ntsd -d
IFEO: RavMon.exe - ntsd -d
IFEO: safeboxTray.exe - ntsd -d
IFEO: ~OllyDBG.EXE - ntsd -d

Note: multiple IFEO entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\u7ep68vi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/?p=us
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\mozilla firefox\extensions\{544ca2cb-1099-706d-4d5a-47240835c75c}\components\c0ryDL.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\u7ep68vi.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\windows\system32\cult3d\NPMCult3DP.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{544ca2cb-1099-706d-4d5a-47240835c75c}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-28 00:03:36 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-02-28 00:03:02 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-28 00:03:02 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-02-28 00:02:29 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-27 21:24:01 767952 ----a-w- c:\windows\BDTSupport.dll0201.old
2010-02-27 21:24:01 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-02-27 21:24:01 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-27 21:24:00 882 ----a-w- c:\windows\RegSDImport.xml
2010-02-27 21:24:00 879 ----a-w- c:\windows\RegISSImport.xml
2010-02-27 21:24:00 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-27 21:24:00 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-02-27 21:24:00 1636304 ----a-w- c:\windows\PCTBDCore.dll0201.old
2010-02-27 21:24:00 149456 ----a-w- c:\windows\SGDetectionTool.dll0201.old
2010-02-27 21:24:00 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-27 21:24:00 131 ----a-w- c:\windows\IDB.zip
2010-02-27 21:24:00 1152444 ----a-w- c:\windows\UDB.zip
2010-02-27 21:23:59 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-27 21:21:51 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-27 21:21:51 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-27 21:21:38 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-27 21:21:38 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-27 21:21:38 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-27 21:21:38 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-27 21:21:06 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-02-27 21:21:06 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-27 21:19:50 0 d-----w- c:\program files\common files\PC Tools
2010-02-27 21:19:49 0 d-----w- c:\program files\Spyware Doctor
2010-02-27 21:19:49 0 d-----w- c:\docume~1\alluse~1.win\applic~1\PC Tools
2010-02-27 21:19:49 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools
2010-02-27 19:42:51 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-27 19:42:51 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-27 19:42:50 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-27 19:42:50 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-27 19:42:50 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-02-27 19:42:42 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Simply Super Software
2010-02-27 19:42:42 0 d-----w- c:\docume~1\admini~1\applic~1\Simply Super Software
2010-02-27 14:44:35 0 d-----w- c:\program files\MSECache
2010-02-27 12:01:40 26112 ----a-w- c:\windows\system32\stu2.exe
2010-02-21 21:46:26 0 d-----w- c:\docume~1\alluse~1.win\applic~1\TVU Networks
2010-02-21 21:46:07 0 d-----w- c:\documents and settings\administrator\LocalLow
2010-02-21 21:45:49 0 d-----w- c:\program files\TVUPlayer
2010-02-13 22:30:29 118260 ----a-w- c:\windows\system32\x_8lI9Ab6M.exe
2010-02-13 22:30:11 0 d-----w- c:\program files\FLV Direct Player

==================== Find3M ====================

2010-02-27 12:01:30 31232 ----a-w- c:\windows\system32\userinit.exe
2010-02-09 21:24:34 194352 ----a-w- c:\windows\fonts\SutonnyBanglaOMJ.ttf
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-11 21:49:22 249656 ----a-w- c:\windows\fonts\solaiman-lipi.ttf
2004-04-21 13:58:57 480 -c--a-w- c:\program files\SolidWorksswxJRNL.BAK
2003-11-20 16:50:42 0 -c--a-w- c:\program files\write.lok
2003-10-01 16:17:16 811 -c--a-w- c:\program files\INSTALL.LOG
2002-10-10 14:10:02 266 --sh--w- c:\program files\desktop.ini
2002-10-10 14:10:02 11079 -c-ha-w- c:\program files\folder.htt
2001-11-23 04:08:20 712704 -c--a-w- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 2:17:45.56 ===============

DDS had an instruction to attach the second one as a zip, but I am overruling that for you (there is no attachment option here anyway).


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/5/2007 10:54:35
System Uptime: 2/28/2010 01:49:33 (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4S8X
Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz | PGA 478 | 1817/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 57 GiB total, 23.356 GiB free.
D: is Removable
E: is CDROM ()
F: is CDROM (UDF)
G: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: RAID Controller
Device ID: PCI\VEN_105A&DEV_3376&SUBSYS_809E1043&REV_02\3&61AAA01&0&70
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_105A&DEV_3376&SUBSYS_809E1043&REV_02\3&61AAA01&0&70
Service:

==== System Restore Points ===================

RP498: 11/23/2009 12:33:53 - Removed Sony Ericsson Image Editor
RP499: 12/5/2009 21:25:14 - Software Distribution Service 3.0
RP500: 12/5/2009 23:56:05 - Software Distribution Service 3.0
RP501: 12/6/2009 04:45:08 - Software Distribution Service 3.0
RP502: 12/6/2009 06:04:16 - Software Distribution Service 3.0
RP503: 12/6/2009 06:20:50 - Software Distribution Service 3.0
RP504: 12/6/2009 11:06:55 - Printer Driver Microsoft XPS Document Writer Installed
RP505: 12/6/2009 13:18:26 - Software Distribution Service 3.0
RP506: 12/6/2009 20:40:32 - Software Distribution Service 3.0
RP507: 12/8/2009 10:32:37 - System Checkpoint
RP508: 12/9/2009 22:23:02 - System Checkpoint
RP509: 12/10/2009 19:51:40 - Software Distribution Service 3.0
RP510: 12/13/2009 16:40:49 - System Checkpoint
RP511: 12/20/2009 12:41:47 - System Checkpoint
RP512: 12/22/2009 21:55:36 - System Checkpoint
RP513: 12/25/2009 19:40:56 - System Checkpoint
RP514: 12/28/2009 08:57:59 - System Checkpoint
RP515: 12/30/2009 15:48:13 - System Checkpoint
RP516: 1/3/2010 16:25:39 - System Checkpoint
RP517: 1/5/2010 22:33:46 - System Checkpoint
RP518: 1/7/2010 09:46:36 - System Checkpoint
RP519: 1/8/2010 14:59:15 - System Checkpoint
RP520: 1/12/2010 14:15:00 - System Checkpoint
RP521: 1/13/2010 21:52:08 - Software Distribution Service 3.0
RP522: 1/14/2010 10:48:00 - Software Distribution Service 3.0
RP523: 1/15/2010 16:04:23 - System Checkpoint
RP524: 1/18/2010 14:49:18 - System Checkpoint
RP525: 1/19/2010 15:08:46 - System Checkpoint
RP526: 1/20/2010 17:50:05 - System Checkpoint
RP527: 1/23/2010 03:22:25 - Software Distribution Service 3.0
RP528: 1/25/2010 10:31:55 - Software Distribution Service 3.0
RP529: 1/26/2010 16:51:01 - System Checkpoint
RP530: 1/30/2010 11:37:18 - System Checkpoint
RP531: 2/3/2010 16:27:45 - System Checkpoint
RP532: 2/5/2010 15:47:42 - System Checkpoint
RP533: 2/8/2010 14:25:36 - System Checkpoint
RP534: 2/10/2010 15:32:55 - System Checkpoint
RP535: 2/11/2010 10:28:28 - Software Distribution Service 3.0
RP536: 2/12/2010 18:33:37 - System Checkpoint
RP537: 2/15/2010 11:27:59 - System Checkpoint
RP538: 2/16/2010 22:17:20 - System Checkpoint
RP539: 2/23/2010 23:32:40 - System Checkpoint
RP540: 2/25/2010 11:22:09 - Software Distribution Service 3.0
RP541: 2/26/2010 17:31:33 - System Checkpoint
RP542: 2/27/2010 14:44:58 - Installed Compatibility Pack for the 2007 Office system
RP543: 2/28/2010 00:02:59 - Installed SUPERAntiSpyware Free Edition

==== Image File Execution Options =============

IFEO: 360safebox.exe - ntsd -d
IFEO: KPPMain.exe - ntsd -d
IFEO: RavMon.exe - ntsd -d
IFEO: safeboxTray.exe - ntsd -d
IFEO: ~OllyDBG.EXE - ntsd -d
IFEO: ~OllyICE.EXE - ntsd -d

==== Installed Programs ======================

7-Zip 4.65
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.7 - Chinese Traditional
Applian FLV Player
ATI Display Driver
Attune 2.3.2
AutoUpdate
Browser Defender 2.0.6.15
C-Media Audio
C-Media WDM Audio Driver
CCleaner
Compatibility Pack for the 2007 Office system
CorelDRAW 10
Desktop Calendar 0.43b
DivX
DivX Player
EndNote
FLV Direct Player
FTN95 Service Pack 4.91
Google SketchUp 6
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hummingbird Exceed 3D V9.0
Hummingbird Exceed V9.0
LoudMo Contextual Ad Assistant
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Shockwave Player
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Journal Viewer
MiKTeX 2.8
Mozilla Firefox (3.6)
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NAG Fortran Library Manual, Mark 20
NAG Fortran Library, Mark 20 for Salford FTN77/FTN95
National Instruments Software
Nero
NI Distribution Information - FDS English
NI Example Finder 2.0
NI Instrument IO Assistant for LabVIEW 7.1
NI LabVIEW 7.1 Core Essentials
NI LabVIEW 7.1.1
NI LabVIEW Advanced Analysis 7.1
NI LabVIEW Full 7.1
NI LabVIEW Picture Control and CIN Tools 7.1
NI LabVIEW Run-Time Engine 7.1.1
NI LabVIEW Service Locator 1.0
NI LVBroker
NI LVBrokerAux71
NI Uninstaller
OGA Notifier 2.0.0048.0
PC Suite
PL-2303 USB-to-Serial
Plaxo Toolbar for Outlook and Outlook Express
PTC ProDESKTOP 2000i2
RealPlayer
Rynga
Salford FTN95
Salford FTN95 Win32
Salford Software FTN95
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Shareaza 2.5.1.0
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
Skype™ 4.1
SmartCamera Ver 2.1
SmartCard Driver
SolidWorks 2004 SP0
Sony Ericsson Capability Manager
Sony Ericsson Image Editor
Sony Ericsson Mobile Phone Monitor
Sony Ericsson OCS
Spyware Doctor 7.0
SUPERAntiSpyware Free Edition
TeXnicCenter Version 1.0 Stable RC1
TVUPlayer 2.5.2.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veoh Web Player
VLC media player 0.9.2
WebFldrs XP
WinDjView 1.0.3
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3

==== End Of File ===========================

Many thanks once again!
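The Pseudo HJT and Firefox sections of the DDS log above are what a helper reads by eye for the usual hijack footprints. As an added illustration (not part of this thread, and not code from the DDS tool or its author), the Python script below runs a set of defender-side triage rules over a constructed sample made from lines copied out of the posted DDS.txt: IFEO entries whose Debugger value is `ntsd -d` (the named program is launched through ntsd instead of directly and effectively never runs, a trick commonly aimed at security tools), any non-empty AppInit_DLLs value, an Explorer DisallowRun policy blocking a program by name, a ShellExecuteHook DLL sitting directly in c:\windows, overridden Firefox keyword.URL / search prefs, a HiddenExtension with no registry reference, and orphaned BHO/EB entries marked No File. The rule names, the severity labels and the heuristics behind them are my own and are not DDS output.

```python
"""Defender-side triage of a DDS 'Pseudo HJT Report' / Firefox section.

Added example for this thread; not code from DDS or its author. The rules
and severities are heuristics of my own; every sample line below is copied
from the log posted above.
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the Pseudo HJT / Firefox lines from the posted DDS.txt.
SAMPLE_DDS = r"""
uStart Page = hxxp://flvdirect.iamwired.net/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = firefox.exe
AppInit_DLLs: msosmhfp00.dll
SEH: THOOK: {27e1c1b0-7117-4582-8565-682e569810d2} - c:\windows\poor32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: 360safebox.exe - ntsd -d
IFEO: RavMon.exe - ntsd -d
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{544ca2cb-1099-706d-4d5a-47240835c75c}
"""


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str          # high / medium / low / info (my own labels)
    pattern: re.Pattern
    note: str


# Ordered from most to least severe; the first matching rule claims the line.
RULES = [
    Rule("ifeo_debugger", "high",
         re.compile(r"^IFEO:\s+\S+\s+-\s+ntsd\s+-d\b", re.I),
         "IFEO Debugger set to 'ntsd -d': the named program is run through ntsd and "
         "effectively never starts; commonly aimed at security tools."),
    Rule("appinit_dll", "high",
         re.compile(r"^AppInit_DLLs:\s*\S", re.I),
         "Non-empty AppInit_DLLs: the DLL is loaded into every process that loads user32.dll."),
    Rule("disallowrun_policy", "high",
         re.compile(r"^[umd]Policies-disallowrun:\s*\d+\s*=\s*\S+", re.I),
         "Explorer DisallowRun policy blocks a program by name (here a browser)."),
    Rule("seh_windows_root", "medium",
         re.compile(r"^SEH:.*-\s*c:\\windows\\[^\\]+\.dll\s*$", re.I),
         "ShellExecuteHook DLL sitting directly in c:\\windows rather than a vendor folder."),
    Rule("search_override", "medium",
         re.compile(r"^FF - prefs\.js: (?:keyword\.URL|browser\.search\.defaulturl) - \S+", re.I),
         "Firefox address-bar / default search URL overridden; check the host."),
    Rule("hidden_ext_noreg", "medium",
         re.compile(r"^FF - HiddenExtension:.*No Registry Reference", re.I),
         "Hidden Firefox extension with no registry reference."),
    Rule("orphaned_clsid", "low",
         re.compile(r"^(?:BHO|EB|TB):.*-\s*No File\s*$", re.I),
         "CLSID registered but its DLL is missing; leftover to clean up."),
    Rule("start_page", "info",
         re.compile(r"^[umd]Start Page = \S+", re.I),
         "IE start page; compare against what the user expects."),
]


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    line: str
    host: str | None = None   # hostname of any URL found on the line


def host_of(url: str) -> str | None:
    """Return the hostname of a possibly defanged (hxxp) URL, or None if it is not a URL."""
    return urlparse(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname


def triage(report: str) -> list[Finding]:
    """Run every rule over each non-empty line; the first matching rule wins."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                url = re.search(r"hxxps?://\S+|https?://\S+", line, re.I)
                findings.append(Finding(rule.severity, rule.name, line,
                                        host_of(url.group(0)) if url else None))
                break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity label."""
    return dict(Counter(f.severity for f in findings))


def main(argv: list[str]) -> None:
    # Pass a DDS.txt path to triage a real log; otherwise the constructed sample is used.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_DDS
    notes = {r.name: r.note for r in RULES}
    findings = triage(text)
    for f in findings:
        print(f"[{f.severity:<6}] {f.rule:<20} {f.line}")
        if f.host:
            print(f"         host: {f.host}")
        print(f"         {notes[f.rule]}")
    print("summary:", summarize(findings))


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python dds_triage.py DDS.txt` against a saved log, or with no argument to see the rules fire on the sample. The rules are deliberately narrow (a DLL path in c:\windows itself, a debugger value of exactly `ntsd -d`) so that the entries from legitimate products in the same log, such as the SUPERAntiSpyware hook or the ctfmon Run entry, produce no findings; anything the script flags is a candidate for a human to confirm, not a verdict.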



#3
February 27, 2010 at 19:31:02
Please download ComboFix with Internet Explorer instead of another browser, if possible.

Remember: your McAfee antivirus and Spyware Doctor must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.




#4
February 28, 2010 at 05:49:30
Here is the ComboFix log. I hope it resolved the skip ad page issue. I will update in time.

Many thanks!

ComboFix 10-02-27.04 - Administrator 02/28/2010 11:14:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.301 [GMT 0:00]
Running from: c:\documents and settings\administrator\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\BaiDu
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Media Player\sqmnoopt01.sqm
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Media Player\sqmnoopt02.sqm
C:\Logo.sys
c:\program files\cnnic
c:\program files\INSTALL.LOG
c:\program files\OCINS
c:\program files\OCINS\ocinfo.dat
c:\recycler\S-1-5-21-117609710-706699826-682003330-1003
c:\windows\command
c:\windows\Explorer.ini
c:\windows\ocinfo.dat
c:\windows\patch.exe
c:\windows\system32\A8EE8DDC.dat
c:\windows\system32\Config.ini
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\messageservices.exe
c:\windows\system32\mstacim.sig
c:\windows\system32\sdra64.exe
c:\windows\system32\tmp.reg
c:\windows\system32\wbem\YFMUEMUCJQYGN.MDA

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CNPROV
-------\Legacy_LOCALSERVICES
-------\Legacy_PARTMSG
-------\Legacy_PARTNER
-------\Service_LocalServices
-------\Service_PartMsg
-------\Service_Partner


((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 00:04 . 2010-02-28 00:04 52224 ----a-w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-28 00:04 . 2010-02-28 00:04 117760 ----a-w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-28 00:03 . 2010-02-28 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-02-28 00:03 . 2010-02-28 01:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-28 00:03 . 2010-02-28 00:03 -------- d-----w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com
2010-02-28 00:02 . 2010-02-28 00:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-27 21:28 . 2010-02-27 21:28 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\Threat Expert
2010-02-27 21:24 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-27 21:24 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-27 21:24 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-27 21:24 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-27 21:24 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2010-02-27 21:23 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-27 21:21 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-27 21:21 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-27 21:21 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-27 21:21 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-27 21:19 . 2010-02-27 21:24 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-27 21:19 . 2010-02-28 10:57 -------- d-----w- c:\program files\Spyware Doctor
2010-02-27 21:19 . 2010-02-27 21:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2010-02-27 21:19 . 2010-02-27 21:19 -------- d-----w- c:\documents and settings\administrator\Application Data\PC Tools
2010-02-27 19:53 . 2010-02-28 11:34 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-02-27 19:42 . 2006-05-25 15:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-27 19:42 . 2005-08-26 01:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-27 19:42 . 2006-06-19 13:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-27 19:42 . 2003-02-02 20:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-02-27 19:42 . 2002-03-06 01:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-27 19:42 . 2010-02-27 19:43 -------- d-----w- c:\documents and settings\administrator\Application Data\Simply Super Software
2010-02-27 19:42 . 2010-02-27 19:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Simply Super Software
2010-02-27 15:45 . 2010-02-27 15:45 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\Help
2010-02-27 14:44 . 2010-02-27 14:44 -------- d-----w- c:\program files\MSECache
2010-02-27 12:01 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2010-02-21 21:46 . 2010-02-21 21:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TVU Networks
2010-02-21 21:46 . 2010-02-21 21:46 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\TVU Networks
2010-02-21 21:46 . 2010-02-21 21:46 -------- d-----w- c:\documents and settings\administrator\LocalLow
2010-02-21 21:45 . 2010-02-21 21:46 -------- d-----w- c:\program files\TVUPlayer
2010-02-13 22:30 . 2010-02-13 22:30 118260 ----a-w- c:\windows\system32\x_8lI9Ab6M.exe
2010-02-13 22:30 . 2010-02-13 22:30 -------- d-----w- c:\program files\FLV Direct Player
2010-02-11 10:09 . 2010-02-11 10:09 2627384 ----a-w- c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\u7ep68vi.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-01-29 20:52 . 2010-01-29 20:52 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 22:47 . 2005-06-25 13:44 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\BAIDU8
2010-02-27 19:37 . 2007-07-04 15:18 -------- d-----w- c:\program files\CCleaner
2010-02-27 12:01 . 2004-08-04 12:00 31232 ----a-w- c:\windows\system32\userinit.exe
2010-02-21 21:46 . 2009-10-17 12:17 100872 ----a-w- c:\documents and settings\administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 22:24 . 2009-12-05 22:06 -------- d-----w- c:\documents and settings\administrator\Application Data\Skype
2010-02-03 21:09 . 2009-12-05 22:08 -------- d-----w- c:\documents and settings\administrator\Application Data\skypePM
2010-01-26 12:07 . 2010-01-26 12:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-01-16 20:56 . 2010-01-16 20:55 -------- d-----w- c:\program files\TeXnicCenter
2010-01-16 20:36 . 2010-01-16 20:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MiKTeX
2010-01-16 20:34 . 2010-01-16 20:29 -------- d-----w- c:\program files\MiKTeX 2.8
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-09-09 09:53 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-06 14:02 . 2003-11-20 14:41 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-12-05 22:08 . 2009-12-05 22:08 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-21 13:58 . 2004-03-01 11:37 480 -c--a-w- c:\program files\SolidWorksswxJRNL.BAK
2003-11-20 16:50 . 2003-11-20 16:50 0 -c--a-w- c:\program files\write.lok
2002-10-10 14:10 . 2002-10-10 14:10 11079 -c-ha-w- c:\program files\folder.htt
2004-11-04 21:13 . 2004-11-04 21:13 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
.

------- Sigcheck -------

[-] 2010-02-27 12:01 . 7B877E27B6CBCD45FA619D0ED1074C26 . 31232 . . [1.0.6.4] . . c:\windows\SYSTEM32\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-11-20 2590456]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2009-06-23 442368]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-28 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfFactory Pro ??? v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [?]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe" [2004-08-13 86016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-04-08 44032]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-14 185896]
"none"="c:\AUTOEXEC.BAT" [2010-02-28 57]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\mep05cy\Start Menu\Programs\Startup\
Shortcut to maxmem.exe.lnk - c:\program files\MaxMem\maxmem.exe [2007-4-6 75780]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Rynga.com\\Rynga\\Rynga.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

R?2 uogq;Windows uogq RunThem;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 12:00 14336]
R0 mdhcw;mdhcw;c:\windows\SYSTEM32\DRIVERS\mdhcw.sys [9/9/2004 09:53 12724]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/27/2010 21:21 207792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 07:56 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 07:56 66632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/27/2010 21:24 112592]
R2 HumDisplayServer;Hummingbird Exceed Display Management;c:\program files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe [7/23/2003 21:19 53248]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 07:56 12872]
S3 Alcorscd;Alcorscd;c:\windows\SYSTEM32\DRIVERS\Alcorscd.sys [12/8/2001 15:30 18772]
S3 ayvwtq;ayvwtq;\??\c:\windows\system32\ayvwtq --> c:\windows\system32\ayvwtq [?]
S3 EZUSB;EZUSB PC/SC Smart Card Reader;c:\windows\SYSTEM32\DRIVERS\ezusb.sys [9/11/2007 06:49 57356]
S3 RapFile;RapFile;c:\windows\SYSTEM32\DRIVERS\RapFile.sys [7/13/2004 10:18 36548]
S3 RapNet;RapNet;c:\windows\SYSTEM32\DRIVERS\RapNet.sys [7/13/2004 10:18 24344]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/27/2010 21:20 359624]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\RTL8150.SYS [11/16/2006 18:56 27519]
S4 A8EE8DDC;A8EE8DDC;c:\windows\system32\AFEEEE78.EXE -g --> c:\windows\system32\AFEEEE78.EXE -g [?]
S4 QDOYX;QDOYX;c:\docume~1\mep05cy\LOCALS~1\Temp\QDOYX.exe --> c:\docume~1\mep05cy\LOCALS~1\Temp\QDOYX.exe [?]
S4 XDVTX;XDVTX;c:\docume~1\mep05cy\LOCALS~1\Temp\XDVTX.exe --> c:\docume~1\mep05cy\LOCALS~1\Temp\XDVTX.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flvdirect.iamwired.net/
IE: Download with &Shareaza - c:\program files\shareaza\razawebhook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {05B2B786-9817-4F4C-8FE8-2ADD74D94F4B} - hxxps://ebank.bok.com.tw/eatm/BOKATM.cab
DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} - hxxps://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxps://muse.shef.ac.uk/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
DPF: {55969220-62D5-4DD8-847C-E763CD3CA4C5} - hxxp://203.74.210.2/housecall/xscan61.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/1945674c578d009c6005/netzip/RdxIE601.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://www.nsc.com.tw/iemenu.cab
DPF: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} - hxxp://ekey.sinopac.com.tw/cab/axekey.cab
DPF: {8F566902-147A-450F-A492-357155B73836} - hxxp://ekey.sinopac.com.tw/cab/getdir.cab
DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} - hxxp://www.im.tv/IMTVPlayer.ocx
DPF: {EF5BCADE-803F-45D5-A617-C6E64F044506} - hxxps://ibank.firstbank.com.tw/NetBank/cab/FB_SO.cab
FF - ProfilePath - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\u7ep68vi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/?p=us
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\Mozilla Firefox\extensions\{544ca2cb-1099-706d-4d5a-47240835c75c}\components\c0ryDL.dll
FF - plugin: c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\u7ep68vi.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\windows\SYSTEM32\Cult3D\NPMCult3DP.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PHIME2002ASync - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-PHIME2002A - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-MSPY2002 - c:\windows\system32\IME\PINTLGNT\ImScInst.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKU-Default-RunOnce-IETI - c:\program files\Skype\Phone\IEPlugin\unins000.exe
ShellExecuteHooks-{27E1C1B0-7117-4582-8565-682E569810D2} - c:\windows\poor32.dll
AddRemove-CorelDRAW 10 - c:\windows\Corel\uninst32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 11:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ayvwtq]
"ImagePath"="\??\c:\windows\system32\ayvwtq"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\WININET.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\niSvcLoc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2010-02-28 11:49:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-28 11:48

Pre-Run: 25,005,563,904 bytes free
Post-Run: 25,822,314,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

- - End Of File - - DA69AE4C20730BCAA3465935F8ECF413



#5
February 28, 2010 at 06:34:39
Still, the McAfee on-access scan message is showing the same set of generic and backdoor villains deleted thingy.

Thanks for your help jabuck.



#6
February 28, 2010 at 07:56:38
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
FCopy::
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\SYSTEM32\userinit.exe

File::
c:\windows\system32\stu2.exe
c:\windows\system32\AFEEEE78.exe
c:\docume~1\mep05cy\Lcoal Settings\Temp\QDOYX.exe
c:\docume~1\mep05cy\Lpcal Settings\Temp\XDVTX.exe

Driver::
ayvwtq
QDOYX
A8EE8DDC
XDVTX

Folder::
c:\windows\system32\ayvwtq

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.


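As an added example that is not part of this thread and not ComboFix's or the helper's own code, the following Python reproduces the triage done by hand between post #4 (the log) and post #6 (the CFScript): it parses the Drivers/Services and Sigcheck lines, flags services whose image file is missing ("[?]") or sits under a Temp folder, pairs a "[-]" system binary with its reference copy, and drafts a CFScript in the same KILLALL::/FCopy::/File::/Driver::/Folder:: layout. The meaning of the "[?]", "[-]" and "[7]" markers is inferred from the log excerpts above rather than taken from ComboFix documentation, and the sample lines are constructed from that log.

```python
"""Triage ComboFix log lines into a draft CFScript.

Added example for this thread; it is not ComboFix code and not the helper's own
script.  It reproduces the reasoning between post #4 (the log) and post #6 (the
CFScript).  The line formats and marker meanings are inferred from the excerpts
in the thread, not from ComboFix documentation: a service line ending in "[?]"
is one whose image file ComboFix could not find, and a Sigcheck line tagged "[-]"
is a system binary that did not match a known-good copy ("[7]" lines are the
copies it did match).
"""
import ntpath
import re

# Constructed sample in the shape of the log above: one clean driver, three
# suspicious services, one patched system binary plus its reference copy.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/27/2010 21:21 207792]
S3 ayvwtq;ayvwtq;\??\c:\windows\system32\ayvwtq --> c:\windows\system32\ayvwtq [?]
S4 A8EE8DDC;A8EE8DDC;c:\windows\system32\AFEEEE78.EXE -g --> c:\windows\system32\AFEEEE78.EXE -g [?]
S4 QDOYX;QDOYX;c:\docume~1\mep05cy\LOCALS~1\Temp\QDOYX.exe --> c:\docume~1\mep05cy\LOCALS~1\Temp\QDOYX.exe [?]
[-] 2010-02-27 12:01 . 7B877E27B6CBCD45FA619D0ED1074C26 . 31232 . . [1.0.6.4] . . c:\windows\SYSTEM32\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
"""

# <state> <name>;<display>;<image> [<date> <size>]   or   ...;<image> --> <resolved image> [?]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# [<verdict>] <date[ time]> . <md5> . <size> . . [<version>] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[(?P<verdict>[^\]]+)\]\s+(?P<stamp>\S+(?:\s+\d\d:\d\d)?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$"
)


def parse_service(line):
    """Return a dict for a Drivers/Services line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    missing = rest.endswith("[?]")                 # ComboFix could not find the image
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)     # drop trailing "[date size]" or "[?]"
    image = rest.split("-->")[-1].strip()          # prefer the resolved path after "-->"
    image = re.sub(r"^\\\?\?\\", "", image)        # strip the NT object prefix \??\
    image = re.sub(r"(\s+-\S+)+$", "", image)      # strip command-line switches such as -g
    return {"state": m["state"], "name": m["name"], "display": m["display"],
            "image": image, "missing": missing}


def is_suspicious(svc):
    """Flag a service whose image is missing or lives under a Temp directory,
    the two traits shared by the entries removed in post #6."""
    return svc["missing"] or "\\temp\\" in svc["image"].lower()


def parse_sigcheck(line):
    """Return the fields of a Sigcheck line, or None for any other line."""
    m = SIGCHECK_RE.match(line.strip())
    return m.groupdict() if m else None


def fcopy_pairs(sig_entries):
    """Pair each '[-]' binary with a reference copy carrying the same file name."""
    good = {}
    for e in sig_entries:
        if e["verdict"] != "-":
            good.setdefault(ntpath.basename(e["path"]).lower(), e["path"])
    return [(good[ntpath.basename(e["path"]).lower()], e["path"])
            for e in sig_entries
            if e["verdict"] == "-" and ntpath.basename(e["path"]).lower() in good]


def build_cfscript(log_lines):
    """Draft a CFScript in the layout of post #6: KILLALL::, then the FCopy::,
    File::, Driver:: and Folder:: sections, each omitted when it has no entries."""
    services = [s for s in map(parse_service, log_lines) if s]
    sig = [s for s in map(parse_sigcheck, log_lines) if s]
    bad = [s for s in services if is_suspicious(s)]
    # An image with a file extension is a File:: target; one without is a Folder::
    # (post #6 treated the extension-less system32\ayvwtq that way).
    files = [s["image"] for s in bad if ntpath.splitext(s["image"])[1]]
    folders = [s["image"] for s in bad if not ntpath.splitext(s["image"])[1]]
    sections = [
        ("FCopy::", [f"{good} | {patched}" for good, patched in fcopy_pairs(sig)]),
        ("File::", files),
        ("Driver::", [s["name"] for s in bad]),
        ("Folder::", folders),
    ]
    out = ["KILLALL::"]
    for header, items in sections:
        if items:
            out += [header, *items, ""]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG.splitlines()))
```

Run against the sample it prints a script matching post #6 line for line, except that the FCopy pair is derived from the Sigcheck section rather than typed by hand.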

#7
February 28, 2010 at 08:16:54
.......and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.....


^^ The instruction was somewhat confusing too. Did you mean the following?

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
KILLALL:: FCopy:: File:: Driver:: Folder::

c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\SYSTEM32\userinit.exe

c:\windows\system32\stu2.exe
c:\windows\system32\AFEEEE78.exe
c:\docume~1\mep05cy\Lcoal Settings\Temp\QDOYX.exe
c:\docume~1\mep05cy\Lpcal Settings\Temp\XDVTX.exe

ayvwtq
QDOYX
A8EE8DDC
XDVTX

c:\windows\system32\ayvwtq


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

OR

Just copy/paste as it is?

Regards!



#8
February 28, 2010 at 08:19:41
Do not copy the X's; copy everything between the X's.


#9
February 28, 2010 at 12:14:51
Here is the second Combo-Fix log. Just as a side note, the skip ad page is still stalking me.

ComboFix 10-02-27.04 - Administrator 02/28/2010 16:52:32.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.230 [GMT 0:00]
Running from: c:\documents and settings\administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\administrator\Desktop\CFScript.txt

FILE ::
"c:\docume~1\mep05cy\Lcoal Settings\Temp\QDOYX.exe"
"c:\docume~1\mep05cy\Lpcal Settings\Temp\XDVTX.exe"
"c:\windows\system32\AFEEEE78.exe"
"c:\windows\system32\stu2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\stu2.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_A8EE8DDC
-------\Legacy_AYVWTQ
-------\Legacy_QDOYX
-------\Legacy_XDVTX
-------\Service_A8EE8DDC
-------\Service_ayvwtq
-------\Service_QDOYX
-------\Service_XDVTX


((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 00:04 . 2010-02-28 00:04 52224 ----a-w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-28 00:04 . 2010-02-28 00:04 117760 ----a-w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-28 00:03 . 2010-02-28 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-02-28 00:03 . 2010-02-28 01:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-28 00:03 . 2010-02-28 00:03 -------- d-----w- c:\documents and settings\administrator\Application Data\SUPERAntiSpyware.com
2010-02-28 00:02 . 2010-02-28 00:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-27 21:28 . 2010-02-27 21:28 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\Threat Expert
2010-02-27 21:24 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-27 21:24 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-27 21:24 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-27 21:24 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2010-02-27 21:24 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2010-02-27 21:23 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-27 21:21 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-27 21:21 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-27 21:21 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-27 21:21 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-27 21:19 . 2010-02-27 21:24 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-27 21:19 . 2010-02-28 10:57 -------- d-----w- c:\program files\Spyware Doctor
2010-02-27 21:19 . 2010-02-27 21:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2010-02-27 21:19 . 2010-02-27 21:19 -------- d-----w- c:\documents and settings\administrator\Application Data\PC Tools
2010-02-27 19:53 . 2010-02-28 17:07 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-02-27 19:42 . 2006-05-25 15:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-27 19:42 . 2005-08-26 01:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-27 19:42 . 2006-06-19 13:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-27 19:42 . 2003-02-02 20:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-02-27 19:42 . 2002-03-06 01:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-27 19:42 . 2010-02-27 19:43 -------- d-----w- c:\documents and settings\administrator\Application Data\Simply Super Software
2010-02-27 19:42 . 2010-02-27 19:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Simply Super Software
2010-02-27 15:45 . 2010-02-27 15:45 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\Help
2010-02-27 14:44 . 2010-02-27 14:44 -------- d-----w- c:\program files\MSECache
2010-02-21 21:46 . 2010-02-21 21:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TVU Networks
2010-02-21 21:46 . 2010-02-21 21:46 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\TVU Networks
2010-02-21 21:46 . 2010-02-21 21:46 -------- d-----w- c:\documents and settings\administrator\LocalLow
2010-02-21 21:45 . 2010-02-21 21:46 -------- d-----w- c:\program files\TVUPlayer
2010-02-13 22:30 . 2010-02-13 22:30 118260 ----a-w- c:\windows\system32\x_8lI9Ab6M.exe
2010-02-13 22:30 . 2010-02-13 22:30 -------- d-----w- c:\program files\FLV Direct Player
2010-02-11 10:09 . 2010-02-11 10:09 2627384 ----a-w- c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\u7ep68vi.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-01-29 20:52 . 2010-01-29 20:52 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 22:47 . 2005-06-25 13:44 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\BAIDU8
2010-02-27 19:37 . 2007-07-04 15:18 -------- d-----w- c:\program files\CCleaner
2010-02-21 21:46 . 2009-10-17 12:17 100872 ----a-w- c:\documents and settings\administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 22:24 . 2009-12-05 22:06 -------- d-----w- c:\documents and settings\administrator\Application Data\Skype
2010-02-03 21:09 . 2009-12-05 22:08 -------- d-----w- c:\documents and settings\administrator\Application Data\skypePM
2010-01-26 12:07 . 2010-01-26 12:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-01-16 20:56 . 2010-01-16 20:55 -------- d-----w- c:\program files\TeXnicCenter
2010-01-16 20:36 . 2010-01-16 20:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MiKTeX
2010-01-16 20:34 . 2010-01-16 20:29 -------- d-----w- c:\program files\MiKTeX 2.8
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-09-09 09:53 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-06 14:02 . 2003-11-20 14:41 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-12-05 22:08 . 2009-12-05 22:08 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-21 13:58 . 2004-03-01 11:37 480 -c--a-w- c:\program files\SolidWorksswxJRNL.BAK
2003-11-20 16:50 . 2003-11-20 16:50 0 -c--a-w- c:\program files\write.lok
2002-10-10 14:10 . 2002-10-10 14:10 11079 -c-ha-w- c:\program files\folder.htt
2004-11-04 21:13 . 2004-11-04 21:13 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-11-20 2590456]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2009-06-23 442368]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-28 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfFactory Pro ??? v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [?]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe" [2004-08-13 86016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-04-08 44032]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-14 185896]
"none"="c:\AUTOEXEC.BAT" [2010-02-28 57]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\mep05cy\Start Menu\Programs\Startup\
Shortcut to maxmem.exe.lnk - c:\program files\MaxMem\maxmem.exe [2007-4-6 75780]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Rynga.com\\Rynga\\Rynga.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

R?2 uogq;Windows uogq RunThem;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 12:00 14336]
R0 mdhcw;mdhcw;c:\windows\SYSTEM32\DRIVERS\mdhcw.sys [9/9/2004 09:53 12724]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/27/2010 21:21 207792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 07:56 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 07:56 66632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/27/2010 21:24 112592]
R2 HumDisplayServer;Hummingbird Exceed Display Management;c:\program files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe [7/23/2003 21:19 53248]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 07:56 12872]
S3 Alcorscd;Alcorscd;c:\windows\SYSTEM32\DRIVERS\Alcorscd.sys [12/8/2001 15:30 18772]
S3 EZUSB;EZUSB PC/SC Smart Card Reader;c:\windows\SYSTEM32\DRIVERS\ezusb.sys [9/11/2007 06:49 57356]
S3 RapFile;RapFile;c:\windows\SYSTEM32\DRIVERS\RapFile.sys [7/13/2004 10:18 36548]
S3 RapNet;RapNet;c:\windows\SYSTEM32\DRIVERS\RapNet.sys [7/13/2004 10:18 24344]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/27/2010 21:20 359624]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\RTL8150.SYS [11/16/2006 18:56 27519]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flvdirect.iamwired.net/
IE: Download with &Shareaza - c:\program files\shareaza\razawebhook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {05B2B786-9817-4F4C-8FE8-2ADD74D94F4B} - hxxps://ebank.bok.com.tw/eatm/BOKATM.cab
DPF: {272B8D21-5304-4529-BD3D-1CF392342F7D} - hxxps://netbank.megabank.com.tw/natm/ICBCNetATM.CAB
DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxps://muse.shef.ac.uk/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
DPF: {55969220-62D5-4DD8-847C-E763CD3CA4C5} - hxxp://203.74.210.2/housecall/xscan61.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/1945674c578d009c6005/netzip/RdxIE601.cab
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxp://www.nsc.com.tw/iemenu.cab
DPF: {88B8A9C7-10A1-4535-8EEB-0D875349E5B8} - hxxp://ekey.sinopac.com.tw/cab/axekey.cab
DPF: {8F566902-147A-450F-A492-357155B73836} - hxxp://ekey.sinopac.com.tw/cab/getdir.cab
DPF: {C01170CC-AF05-46C3-88BC-2C120DCEE288} - hxxp://www.im.tv/IMTVPlayer.ocx
DPF: {EF5BCADE-803F-45D5-A617-C6E64F044506} - hxxps://ibank.firstbank.com.tw/NetBank/cab/FB_SO.cab
FF - ProfilePath - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\u7ep68vi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/?p=us
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\Mozilla Firefox\extensions\{544ca2cb-1099-706d-4d5a-47240835c75c}\components\c0ryDL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 20:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\niSvcLoc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-28 20:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-28 20:10
ComboFix2.txt 2010-02-28 11:49

Pre-Run: 26,081,226,752 bytes free
Post-Run: 26,085,957,632 bytes free

- - End Of File - - F21701ED3D31C57E70F6C4D32B9C4187


#10
February 28, 2010 at 14:07:18
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::

Driver::
uogq

Folder::
c:\documents and settings\mep05cy

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".

Please post the log that is produced.

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Please go to Virus Total and upload the following files one at a time for analysis:

c:\windows\SYSTEM32\DRIVERS\mdhcw.sys

c:\windows\system32\x_8lI9Ab6M.exe

Use the browse button at the site to find the file; once you find the file, double click it and it should appear in the empty space to the left of the browse button, then click "send file". If the file has already been analyzed, click the reanalyze button to have it checked again.

Post the results in your reply.

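For triaging a ComboFix log like the one posted above, here is an added example (not from this thread, ComboFix or VirusTotal): it parses the service/driver lines, the Run entries and the "Files Created" rows into file paths, points out that an svchost-hosted service such as uogq has its real code in a ServiceDll the log line does not show, and hashes the files that exist locally so they can be looked up by hash instead of uploaded one at a time. The regular expressions are my own reading of the log format, and the sample lines are constructed from entries in this thread.

```python
import hashlib
import os
import re

# Constructed sample in the ComboFix format used by the log in this thread:
# service/driver lines, a Run entry and two "Files Created" rows.
SAMPLE_LOG = r"""
R?2 uogq;Windows uogq RunThem;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 12:00 14336]
R0 mdhcw;mdhcw;c:\windows\SYSTEM32\DRIVERS\mdhcw.sys [9/9/2004 09:53 12724]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/27/2010 21:20 359624]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-11-20 2590456]
2010-02-13 22:30 . 2010-02-13 22:30 118260 ----a-w- c:\windows\system32\x_8lI9Ab6M.exe
2010-02-13 22:30 . 2010-02-13 22:30 -------- d-----w- c:\program files\FLV Direct Player
"""

SERVICE_RE = re.compile(r'^([RS]\S?\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$')
RUN_RE = re.compile(r'^"([^"]*)"="([^"]+)"')
# Directory rows carry "--------" instead of a size, so \d+ skips them.
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+) \S+ (.+)$')
IMAGE_RE = re.compile(r'^(.+?\.(?:exe|sys|dll))', re.IGNORECASE)  # image before any args


def extract_entries(log_text):
    """Return (kind, name, path) for every file the log lines name."""
    entries = []
    for line in log_text.strip().splitlines():
        if m := SERVICE_RE.match(line):
            image = IMAGE_RE.match(m.group(4))
            entries.append(("service", m.group(2), image.group(1) if image else m.group(4)))
        elif m := RUN_RE.match(line):
            entries.append(("run", m.group(1), m.group(2)))
        elif m := FILE_RE.match(line):
            entries.append(("file", m.group(2).rsplit("\\", 1)[-1], m.group(2)))
    return entries


def svchost_hosted(entries):
    """Services whose command is svchost.exe. The code that really runs is the
    ServiceDll under the service's Parameters key, which this log line does not
    show, so hashing or uploading svchost.exe itself tells you nothing."""
    return [name for kind, name, path in entries
            if kind == "service" and path.lower().endswith("svchost.exe")]


def sha256_of_existing(entries):
    """Hash files that exist here so they can be looked up by hash rather than
    uploaded one at a time; paths missing on this machine map to None."""
    result = {}
    for _, _, path in entries:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[path] = hashlib.sha256(fh.read()).hexdigest()
        else:
            result[path] = None
    return result
```

Run it on the affected machine with the real log pasted in place of SAMPLE_LOG; on any other machine the paths do not exist and every hash comes back as None.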

#11
February 28, 2010 at 15:34:11
Dear jabuck, thanks for all the efforts you are showing. I think the skip ad prob is solved, though not sure. I removed mcafee and installed avg pro (30 days full functioning trial version with the option to switch to the free home edition thereafter). It detected the ugly backdoor and generic sob and cleaned them. Now if I encounter the same problems I would get back to your last instruction. I am hoping for the best. Thanks for being with me as my entire weekend got knocked out by the generic and backdoor mofos!

God bless you! Keep your good work up!


#12
February 28, 2010 at 16:04:14
Thanks for the follow-up.

#13
March 6, 2010 at 05:42:43
The skip ad thing is persistent. Is anybody out there who had the same prob?