spyware taken over ftp

Gateway Lx6810-01 desktop
January 2, 2010 at 23:14:38
Specs: Windows XP, pentium 4
Hi guys, this is a weird one. I think this is alingering virus left over from one that you guys helped me get rid of before. I am a web developer and I noticed tonight that my files were uploading through fireftp real slow. After determining my internet connection was fine i realized my computer in general was running real slow. I ran malware, spybot and cwshredder (i saw the dreaded coolwwwsearch in spybot). So i continued to work and I couldnt get a simple script to work on the site im working on so when i went into it i realized everytime i upload a file through ftp instead of replacing the one on my server its actually just coubling it. For instance if the file have one line of code on it after uploading it again it would duplicate that line and so on. Now my site is showing hundreds of layers of the same pages and I need to go live monday. Any idea what could be causing this??

See More: spyware taken over ftp

Report •

#1
January 3, 2010 at 08:53:34
We can take a look.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2.(Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5.Once it has finished, two logs will open: log.txt<-- this will be maximized and info.txt<-- this will be minimized. Both logs will be located at C:\RSIT.exe.


Report •

#2
January 3, 2010 at 12:24:37
Thanks for the response. Here is the first log and i will post the second in another post because it wont let me post the whole thing.
log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Scott at 2010-01-03 15:18:05
Microsoft Windows XP Professional Service Pack 3
System drive C: has 48 GB (64%) free of 75 GB
Total RAM: 1014 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:46 PM, on 1/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\Documents and Settings\Scott\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Scott.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=m...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=C:\WINDOWS\system32\msxroh.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: wwuyrc.dll,C:\DOCUME~1\Scott\LOCALS~1\Temp\12596390957mxx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10093 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\trghgjgs.job
C:\WINDOWS\tasks\Updater.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-11-23 204048]
{0BF43445-2F28-4351-9252-17FE6E806AA0}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\System32\WLTRAY.exe [2007-03-16 1392640]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-05-14 1191936]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-09-11 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-09-11 166424]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-09-11 137752]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-03-08 761947]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]
"Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-08-13 177440]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-09-21 305440]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"Aim6"= []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe [2007-02-28 2321600]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-12-18 2002160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Scott\Start Menu\Programs\Startup
scandisk.lnk - C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" wwuyrc.dll,C:\DOCUME~1\Scott\LOCALS~1\Temp\12596390957mxx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-08-24 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccda28d1-5f6d-11dd-bff2-0016ce1b357c}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======File associations======

.js - open - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"

======List of files/folders created in the last 1 months======

2010-01-03 15:18:06 ----D---- C:\Program Files\trend micro
2010-01-03 15:18:05 ----D---- C:\rsit
2010-01-03 12:03:04 ----D---- C:\Documents and Settings\All Users\Application Data\95684526
2010-01-03 12:03:04 ----D---- C:\Documents and Settings\All Users\Application Data\15674534
2009-12-09 10:02:51 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-09 10:02:41 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-09 10:01:56 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-09 10:01:47 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-09 10:01:30 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$

======List of files/folders modified in the last 1 months======

2010-01-03 15:18:19 ----D---- C:\WINDOWS\Prefetch
2010-01-03 15:18:12 ----D---- C:\WINDOWS\Temp
2010-01-03 15:18:06 ----RD---- C:\Program Files
2010-01-03 15:05:10 ----D---- C:\Program Files\Mozilla Firefox
2010-01-03 15:02:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-03 15:01:01 ----D---- C:\WINDOWS
2010-01-03 14:59:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-03 12:53:52 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-03 12:50:40 ----A---- C:\ComboFix.txt
2010-01-03 12:43:55 ----D---- C:\WINDOWS\system32
2010-01-03 12:09:25 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-03 12:04:06 ----D---- C:\WINDOWS\system32\config
2010-01-03 12:03:40 ----D---- C:\WINDOWS\system32\wbem
2010-01-03 12:03:38 ----D---- C:\WINDOWS\Registration
2010-01-03 12:03:07 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-03 12:03:06 ----D---- C:\WINDOWS\system32\drivers
2010-01-03 01:04:08 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2010-01-02 14:10:50 ----D---- C:\Documents and Settings\Scott\Application Data\Adobe
2009-12-18 07:19:05 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-17 11:05:34 ----HD---- C:\WINDOWS\inf
2009-12-09 14:03:53 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-09 10:02:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-09 10:02:48 ----A---- C:\WINDOWS\imsins.BAK
2009-12-09 10:02:28 ----D---- C:\Program Files\Internet Explorer
2009-12-09 10:02:16 ----D---- C:\WINDOWS\ie8updates
2009-12-09 10:02:09 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2007-08-08 45568]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2007-03-16 604928]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-07-22 1035008]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-07-22 201600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-08-24 5776928]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-03-08 191872]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-07-22 717952]
S3 b57w2k;BCM5701 Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2001-08-17 96640]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 sdbus;sdbus; C:\WINDOWS\System32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-09 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-03-16 20480]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-07-12 654848]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-21 545568]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
S2 6to4;6to4; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-05-08 68096]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2008-05-08 68096]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]

-----------------EOF-----------------



Report •

#3
January 3, 2010 at 12:25:28
info.txt


info.txt logfile of random's system information tool 1.06 2010-01-03 15:18:52

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD4F051C-1A2B-4A91-B187-B093C597418C}\SETUP.EXE" -l0x9 anything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Add or Remove Adobe Creative Suite 3 Design Premium-->C:\Program Files\Common Files\Adobe\Installers\c14ac4070fd9614ffe63f4bb533db2c\Setup.exe
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3-->MsiExec.exe /I{B7F560B3-6EFF-4026-A982-843895A41149}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite 3 Design Premium-->MsiExec.exe /I{D1C18EDD-571A-4BDD-BE7B-1DD86027D7FF}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3-->MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash CS3-->MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Video Encoder-->MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe InDesign CS3-->MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup-->MsiExec.exe /I{09E2111C-16B1-4DDF-BF0D-F994C9A12350}
Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe SING CS3-->MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server-->MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apple Application Support-->MsiExec.exe /I{0C34B801-6AEC-4667-B053-03A67E2D0415}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom 440x 10/100 Integrated Controller-->MsiExec.exe /X{612B9183-67A9-4B44-9877-2F059E35B86A}
Broadcom Management Programs-->MsiExec.exe /I{C99C0593-3B48-41D9-B42F-6E035B320449}
Conexant HDA D110 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
docXConverter 3.1.0-->"C:\Program Files\docXConverter3\unins000.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}
Java DB 10.4.1.3-->MsiExec.exe /X{998D6972-F58E-479D-9248-8F179E55AE38}
Java(TM) SE Development Kit 6 Update 11-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160110}
LimeWire 4.16.7-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MobileMe Control Panel-->MsiExec.exe /I{3AC54383-31D1-4907-961B-B12CBB1D0AE8}
Mozilla Firefox (3.5.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NetBeans IDE 6.5-->"C:\Program Files\NetBeans 6.5\uninstall.exe"
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
QuickSet-->C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Safari-->MsiExec.exe /I{E56D39F8-2A9F-44B4-B068-A72E45A073E6}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Unity Web Player-->C:\Program Files\Unity\WebPlayer\Uninstall.exe
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WebEx-->C:\PROGRA~1\MOZILL~1\plugins\atcliun.exe
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

======System event log======

Computer Name: SCOTT-AFK9XABPA
Event Code: 59
Message: Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Record Number: 45402
Source Name: SideBySide
Time Written: 20091222120854.000000-300
Event Type: error
User:

Computer Name: SCOTT-AFK9XABPA
Event Code: 59
Message: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Record Number: 45401
Source Name: SideBySide
Time Written: 20091222120854.000000-300
Event Type: error
User:

Computer Name: SCOTT-AFK9XABPA
Event Code: 32
Message: Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.


Record Number: 45400
Source Name: SideBySide
Time Written: 20091222120854.000000-300
Event Type: error
User:

Computer Name: SCOTT-AFK9XABPA
Event Code: 59
Message: Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Record Number: 45399
Source Name: SideBySide
Time Written: 20091222120850.000000-300
Event Type: error
User:

Computer Name: SCOTT-AFK9XABPA
Event Code: 59
Message: Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Record Number: 45398
Source Name: SideBySide
Time Written: 20091222120850.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: SCOTT-AFK9XABPA
Event Code: 1517
Message: Windows saved user SCOTT-AFK9XABPA\Scott registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 6738
Source Name: Userenv
Time Written: 20091108021032.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SCOTT-AFK9XABPA
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


Record Number: 6726
Source Name: crypt32
Time Written: 20091107212947.000000-300
Event Type: error
User:

Computer Name: SCOTT-AFK9XABPA
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


Record Number: 6725
Source Name: crypt32
Time Written: 20091107212947.000000-300
Event Type: error
User:

Computer Name: SCOTT-AFK9XABPA
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


Record Number: 6724
Source Name: crypt32
Time Written: 20091107212946.000000-300
Event Type: error
User:

Computer Name: SCOTT-AFK9XABPA
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved


Record Number: 6723
Source Name: crypt32
Time Written: 20091107212946.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0e08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jdk1.6.0_11\jre\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jdk1.6.0_11\jre\lib\ext\QTJava.zip

-----------------EOF-----------------


Not sure if this is helpful but my son plays a disney online game called Club Penguin and a while back he clicked on a banner which opened internet explorer and thats when this started. I was able to get rid of everything i thought but it periodically comes back and the other day i had to open IE to cross browser check a site im developing and things just started going crazy s i know IE is infected.

Thanks for your help


Report •

Related Solutions

#4
January 3, 2010 at 12:43:27
Download Combofix with internet explorer instead of FireFox please.

Remember..your McAfee antivirus and Spybot's TeaTimer must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

Link1
Link 2
Link 3
Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to to Combo-Fix> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 17 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.


Report •

#5
January 3, 2010 at 14:42:59
Alright, first thanks for your time. Second, I went through and did everything you said. I think it worked because it removed several things that were not detected by spybots. Heres a few things I am trying to figure out.

one remaining issue is that when i o to the top right of firefox there is a search toolbar that is naturally there with firefox. You can choose from a drop down where to conduct a search from enter the text and it brings you there with results. Since my IE was inaded no matter what I choose it brings me to 'http://search.liveinfopro.com' with results and I cannot help but think this is some sort of malware. Have you heard of it?

Second, I uninstalled Mcafee. What should I have running basically I have the following on my desktop and./ or running.

Spybot
Super Anti Spyware
Malware
Mcafee
Combofix
ATF clearner

Do i need all these?

Last, I will update one more time. I have lost 2 days and have until the end of the week to get the final part of this social network developed so tonight i will truly know if it is fixed. By the way, why was this making it so when I ftp'ed files to my server instead of overwriting the existing ones it would just double then triple then quadrouple the code on it? Have you ever heard of this?

Thanks again.


Report •

#6
January 3, 2010 at 14:48:14
Well, you didn't post the requested log so I can't say just what happened or if you are still infected.

Report •

#7
January 3, 2010 at 16:57:51
Sorry, I didnt see that you wanted me to post it. Here it is.

ComboFix 10-01-02.05 - Scott 01/03/2010 16:30:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.674 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\95684526.ini
c:\documents and settings\Scott\Application Data\Messenger
c:\documents and settings\Scott\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\run.log
c:\windows\system32\drivers\1028_DELL_XPS_MP061 .MRK
c:\windows\system32\drivers\DELL_XPS_MP061 .MRK
c:\windows\system32\UAClwudemttavhailwga.db
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_PCMSTUB
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-03 20:18 . 2010-01-03 20:18 -------- d-----w- c:\program files\trend micro
2010-01-03 20:18 . 2010-01-03 20:18 -------- d-----w- C:\rsit
2010-01-03 17:03 . 2010-01-03 17:03 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-03 17:03 . 2010-01-03 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\95684526
2010-01-03 17:03 . 2010-01-03 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\15674534

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 20:02 . 2008-12-22 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-03 17:09 . 2008-12-22 04:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-03 17:03 . 2008-12-21 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 21:24 . 2009-12-18 12:20 52224 ----a-w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-28 21:24 . 2009-11-20 17:30 117760 ----a-w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 12:19 . 2009-11-20 17:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 15:55 . 2008-05-05 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-20 18:07 . 2009-11-20 18:07 61440 ----a-w- c:\windows\system32\drivers\dhgol.sys
2009-11-20 17:29 . 2009-11-20 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-20 17:29 . 2009-11-20 17:29 -------- d-----w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com
2009-11-20 17:21 . 2009-11-20 17:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-20 16:36 . 2009-11-20 16:36 61440 ----a-w- c:\windows\system32\drivers\roei.sys
2009-11-20 16:36 . 2009-11-20 16:36 300 ----a-w- c:\program files\jhdiry.txt
2009-11-20 16:23 . 2009-11-20 16:23 61440 ----a-w- c:\windows\system32\drivers\udeoe.sys
2009-11-20 16:23 . 2009-11-20 16:23 432 ----a-w- c:\program files\sIkiy.txt
2009-11-20 16:13 . 2009-11-20 16:13 61440 ----a-w- c:\windows\system32\drivers\eybeov.sys
2009-11-20 16:13 . 2009-11-20 16:13 552 ----a-w- c:\program files\mvcuybxa.txt
2009-11-20 14:40 . 2009-11-20 14:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Update
2009-11-19 17:56 . 2009-07-11 03:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-19 16:20 . 2009-11-19 16:20 45293 ----a-w- c:\windows\system32\config\systemprofile\Application Data\Update\seupd.exe
2009-10-29 07:45 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2003-03-31 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 14:32 . 2009-10-12 14:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-12 13:38 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-03-31 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2008-08-14 01:26 . 2008-08-14 01:26 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-08-14 01:26 . 2008-08-14 01:26 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-17 1392640]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-11 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/20/2008 11:18 PM 93320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/6/2008 9:26 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-05 16:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-05-05 16:22]

2010-01-03 c:\windows\Tasks\Updater.job
- c:\windows\system32\config\systemprofile\Application Data\Update\seupd.exe [2009-11-19 16:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?s=
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.liveinfopro.com/?s=.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 16:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2010-01-03 16:51:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 21:50
ComboFix2.txt 2010-01-03 17:50

Pre-Run: 50,076,258,304 bytes free
Post-Run: 49,770,729,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect

Current=8 Default=8 Failed=7 LastKnownGood=4 Sets=1,2,3,4,5,7,8
- - End Of File - - 6FC639906A159AE7B976F3A029FB153F


Report •

#8
January 3, 2010 at 17:25:53
You are still infected.

Follow the previous guidelines for running Combofix.Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\tasks\trghgjgs.job

Folder::
c:\documents and settings\All Users\Application Data\95684526
c:\documents and settings\All Users\Application Data\15674534

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Please post the log that is produced.

Please go to Virus Total and upload the following files one at the time for analysis:


c:\windows\system32\drivers\dhgol.sys
c:\windows\system32\drivers\roei.sys
c:\program files\jhdiry.txt
c:\windows\system32\drivers\udeoe.sys
c:\program files\sIkiy.txt
c:\windows\system32\drivers\eybeov.sys
c:\program files\mvcuybxa.txt

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.


Report •

#9
January 3, 2010 at 18:36:37
Here is the log, I am uplading the files now and will post that in a few

ComboFix 10-01-03.03 - Scott 01/03/2010 21:20:47.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.626 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\CFScript.txt

FILE ::
"c:\windows\tasks\trghgjgs.job"
.

((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-04 01:50 . 2010-01-04 02:00 -------- d-----w- C:\Combo-Fix
2010-01-03 22:38 . 2010-01-03 22:38 -------- d-----w- c:\program files\Sun
2010-01-03 20:18 . 2010-01-03 20:18 -------- d-----w- c:\program files\trend micro
2010-01-03 20:18 . 2010-01-03 20:18 -------- d-----w- C:\rsit
2010-01-03 17:03 . 2010-01-03 17:03 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 22:37 . 2008-12-21 15:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 22:37 . 2008-05-06 00:13 -------- d-----w- c:\program files\Java
2010-01-03 22:22 . 2008-05-05 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-03 22:21 . 2008-05-05 03:02 -------- d-----w- c:\program files\McAfee
2010-01-03 22:11 . 2009-05-20 01:02 -------- d-----w- c:\program files\Citrix
2010-01-03 20:02 . 2008-12-22 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-03 17:09 . 2008-12-22 04:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-03 17:03 . 2008-12-21 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 21:24 . 2009-12-18 12:20 52224 ----a-w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-28 21:24 . 2009-11-20 17:30 117760 ----a-w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 12:19 . 2009-11-20 17:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 15:55 . 2008-05-05 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-20 18:07 . 2009-11-20 18:07 61440 ----a-w- c:\windows\system32\drivers\dhgol.sys
2009-11-20 17:29 . 2009-11-20 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-20 17:29 . 2009-11-20 17:29 -------- d-----w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com
2009-11-20 17:21 . 2009-11-20 17:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-20 16:36 . 2009-11-20 16:36 61440 ----a-w- c:\windows\system32\drivers\roei.sys
2009-11-20 16:36 . 2009-11-20 16:36 300 ----a-w- c:\program files\jhdiry.txt
2009-11-20 16:23 . 2009-11-20 16:23 61440 ----a-w- c:\windows\system32\drivers\udeoe.sys
2009-11-20 16:23 . 2009-11-20 16:23 432 ----a-w- c:\program files\sIkiy.txt
2009-11-20 16:13 . 2009-11-20 16:13 61440 ----a-w- c:\windows\system32\drivers\eybeov.sys
2009-11-20 16:13 . 2009-11-20 16:13 552 ----a-w- c:\program files\mvcuybxa.txt
2009-11-20 14:40 . 2009-11-20 14:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Update
2009-11-19 17:56 . 2009-07-11 03:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-19 16:20 . 2009-11-19 16:20 45293 ----a-w- c:\windows\system32\config\systemprofile\Application Data\Update\seupd.exe
2009-10-29 07:45 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2003-03-31 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 14:32 . 2009-10-12 14:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-12 13:38 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-03-31 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-17 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-11 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-03 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/6/2008 9:26 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-04 c:\windows\Tasks\Updater.job
- c:\windows\system32\config\systemprofile\Application Data\Update\seupd.exe [2009-11-19 16:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?s=
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.liveinfopro.com/?s=.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 21:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-03 21:32:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-04 02:32
ComboFix2.txt 2010-01-04 02:15
ComboFix3.txt 2010-01-04 02:00
ComboFix4.txt 2010-01-03 21:51
ComboFix5.txt 2010-01-04 02:20

Pre-Run: 49,575,276,544 bytes free
Post-Run: 49,539,751,936 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=4 Sets=1,2,3,4,5,7,8
- - End Of File - - FF090364DF0088FCB3926A18D00F8893


Report •

#10
January 3, 2010 at 18:52:41
Here is the list of files and what they returned. I seperated each section with equal signs.

c:\windows\system32\drivers\dhgol.sys

Antivirus Version Last Update Result
a-squared 4.5.0.46 2010.01.04 -
AhnLab-V3 5.0.0.2 2010.01.02 Win-Trojan/Avenger.61440
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2009.12.31 Hoax/Win32.Agent.gen
Authentium 5.2.0.5 2010.01.03 -
Avast 4.8.1351.0 2010.01.03 -
AVG 8.5.0.430 2010.01.03 -
BitDefender 7.2 2010.01.04 -
CAT-QuickHeal 10.00 2010.01.02 Trojan.Agent.ATV
ClamAV 0.94.1 2010.01.03 -
Comodo 3460 2010.01.04 -
DrWeb 5.0.1.12222 2010.01.04 -
eSafe 7.0.17.0 2010.01.03 Win32.Banker
eTrust-Vet 35.1.7210 2010.01.01 -
F-Prot 4.5.1.85 2010.01.03 -
F-Secure 9.0.15370.0 2010.01.03 -
Fortinet 4.0.14.0 2010.01.02 -
GData 19 2010.01.04 -
Ikarus T3.1.1.79.0 2009.12.31 -
Jiangmin 13.0.900 2010.01.03 Hoax.Agent.f
K7AntiVirus 7.10.936 2010.01.02 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.01.04 -
McAfee 5850 2010.01.03 -
McAfee+Artemis 5850 2010.01.03 -
McAfee-GW-Edition 6.8.5 2010.01.04 -
Microsoft 1.5302 2010.01.04 -
NOD32 4740 2010.01.03 -
Norman 6.04.03 2009.12.31 W32/Agent.HHSF
nProtect 2009.1.8.0 2010.01.03 Trojan/W32.Agent.61440.JQ
Panda 10.0.2.2 2010.01.03 Rootkit/Agent.LNB
PCTools 7.0.3.5 2010.01.03 -
Prevx 3.0 2010.01.04 -
Rising 22.29.00.01 2010.01.04 -
Sophos 4.49.0 2010.01.04 -
Sunbelt 3.2.1858.2 2010.01.03 -
TheHacker 6.5.0.3.130 2010.01.04 -
TrendMicro 9.120.0.1004 2010.01.03 -
VBA32 3.12.12.1 2010.01.01 -
ViRobot 2009.12.31.2118 2009.12.31 Hoax..Agent.61440
VirusBuster 5.0.21.0 2010.01.03 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
ssdeep: 768:UzNrXvTHr4DU6K5H5VLvDcLugwoMcq5+x7J1uQ9VP:QTG2VrOuN+lJpP
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xd394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

==========================================================================================

c:\windows\system32\drivers\roei.sys

Antivirus Version Last Update Result
a-squared 4.5.0.46 2010.01.04 -
AhnLab-V3 5.0.0.2 2010.01.02 Win-Trojan/Avenger.61440
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2009.12.31 Hoax/Win32.Agent.gen
Authentium 5.2.0.5 2010.01.03 -
Avast 4.8.1351.0 2010.01.03 -
AVG 8.5.0.430 2010.01.03 -
BitDefender 7.2 2010.01.04 -
CAT-QuickHeal 10.00 2010.01.02 Trojan.Agent.ATV
ClamAV 0.94.1 2010.01.03 -
Comodo 3460 2010.01.04 -
DrWeb 5.0.1.12222 2010.01.04 -
eSafe 7.0.17.0 2010.01.03 Win32.Banker
eTrust-Vet 35.1.7210 2010.01.01 -
F-Prot 4.5.1.85 2010.01.03 -
F-Secure 9.0.15370.0 2010.01.03 -
Fortinet 4.0.14.0 2010.01.02 -
GData 19 2010.01.04 -
Ikarus T3.1.1.79.0 2009.12.31 -
Jiangmin 13.0.900 2010.01.03 Hoax.Agent.f
K7AntiVirus 7.10.936 2010.01.02 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.01.04 -
McAfee 5850 2010.01.03 -
McAfee+Artemis 5850 2010.01.03 -
McAfee-GW-Edition 6.8.5 2010.01.04 -
Microsoft 1.5302 2010.01.04 -
NOD32 4740 2010.01.03 -
Norman 6.04.03 2009.12.31 W32/Agent.HHSF
nProtect 2009.1.8.0 2010.01.03 Trojan/W32.Agent.61440.JQ
Panda 10.0.2.2 2010.01.03 Rootkit/Agent.LNB
PCTools 7.0.3.5 2010.01.03 -
Prevx 3.0 2010.01.04 -
Rising 22.29.00.01 2010.01.04 -
Sophos 4.49.0 2010.01.04 -
Sunbelt 3.2.1858.2 2010.01.03 -
TheHacker 6.5.0.3.130 2010.01.04 -
TrendMicro 9.120.0.1004 2010.01.03 -
VBA32 3.12.12.1 2010.01.01 -
ViRobot 2009.12.31.2118 2009.12.31 Hoax..Agent.61440
VirusBuster 5.0.21.0 2010.01.03 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
ssdeep: 768:UzNrXvTHr4DU6K5H5VLvDcLugwoMcq5+x7J1uQ9VP:QTG2VrOuN+lJpP
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xd394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

================================================================================

c:\program files\jhdiry.txt

Antivirus Version Last Update Result
a-squared 4.5.0.46 2010.01.04 -
AhnLab-V3 5.0.0.2 2010.01.02 -
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2009.12.31 -
Authentium 5.2.0.5 2010.01.03 -
Avast 4.8.1351.0 2010.01.03 -
AVG 8.5.0.430 2010.01.03 -
BitDefender 7.2 2010.01.04 -
CAT-QuickHeal 10.00 2010.01.04 -
ClamAV 0.94.1 2010.01.03 -
Comodo 3460 2010.01.04 -
DrWeb 5.0.1.12222 2010.01.04 -
eSafe 7.0.17.0 2010.01.03 -
eTrust-Vet 35.1.7210 2010.01.01 -
F-Prot 4.5.1.85 2010.01.03 -
F-Secure 9.0.15370.0 2010.01.03 -
Fortinet 4.0.14.0 2010.01.02 -
GData 19 2010.01.04 -
Ikarus T3.1.1.79.0 2009.12.31 -
Jiangmin 13.0.900 2010.01.03 -
K7AntiVirus 7.10.936 2010.01.02 -
Kaspersky 7.0.0.125 2010.01.04 -
McAfee 5850 2010.01.03 -
McAfee+Artemis 5850 2010.01.03 -
McAfee-GW-Edition 6.8.5 2010.01.04 -
Microsoft 1.5302 2010.01.04 -
NOD32 4740 2010.01.03 -
Norman 6.04.03 2009.12.31 -
nProtect 2009.1.8.0 2010.01.03 -
Panda 10.0.2.2 2010.01.03 -
PCTools 7.0.3.5 2010.01.03 -
Prevx 3.0 2010.01.04 -
Rising 22.29.00.01 2010.01.04 -
Sophos 4.49.0 2010.01.04 -
Sunbelt 3.2.1858.2 2010.01.03 -
TheHacker 6.5.0.3.130 2010.01.04 -
TrendMicro 9.120.0.1004 2010.01.03 -
VBA32 3.12.12.1 2010.01.01 -
ViRobot 2009.12.31.2118 2009.12.31 -
VirusBuster 5.0.21.0 2010.01.03 -
Additional information
File size: 300 bytes
MD5...: f67473aa75348591c02c4ef1934c65d9
SHA1..: 5dabe8bb5f5bba13e4d9ec79ca322b0d55cee2e3
SHA256: 1e6894da3f051006cb9e5a4f261ced5e613b4022fe7e01084ad70667a93d4b52
ssdeep: 6:qgpAlA8GDGNED2BQVuXx2lJk3FmnKhGDGNED2BQVuXx2lJk3FmnKe:qhlLMi+2
Blxik3vhMi+2Blxik3ve
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: Lumena CEL bitmap (100.0%)


=============================================================================

c:\windows\system32\drivers\udeoe.sys

Antivirus Version Last Update Result
a-squared 4.5.0.46 2010.01.04 -
AhnLab-V3 5.0.0.2 2010.01.02 Win-Trojan/Avenger.61440
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2009.12.31 Hoax/Win32.Agent.gen
Authentium 5.2.0.5 2010.01.03 -
Avast 4.8.1351.0 2010.01.03 -
AVG 8.5.0.430 2010.01.03 -
BitDefender 7.2 2010.01.04 -
CAT-QuickHeal 10.00 2010.01.02 Trojan.Agent.ATV
ClamAV 0.94.1 2010.01.03 -
Comodo 3460 2010.01.04 -
DrWeb 5.0.1.12222 2010.01.04 -
eSafe 7.0.17.0 2010.01.03 Win32.Banker
eTrust-Vet 35.1.7210 2010.01.01 -
F-Prot 4.5.1.85 2010.01.03 -
F-Secure 9.0.15370.0 2010.01.03 -
Fortinet 4.0.14.0 2010.01.02 -
GData 19 2010.01.04 -
Ikarus T3.1.1.79.0 2009.12.31 -
Jiangmin 13.0.900 2010.01.03 Hoax.Agent.f
K7AntiVirus 7.10.936 2010.01.02 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.01.04 -
McAfee 5850 2010.01.03 -
McAfee+Artemis 5850 2010.01.03 -
McAfee-GW-Edition 6.8.5 2010.01.04 -
Microsoft 1.5302 2010.01.04 -
NOD32 4740 2010.01.03 -
Norman 6.04.03 2009.12.31 W32/Agent.HHSF
nProtect 2009.1.8.0 2010.01.03 Trojan/W32.Agent.61440.JQ
Panda 10.0.2.2 2010.01.03 Rootkit/Agent.LNB
PCTools 7.0.3.5 2010.01.03 -
Prevx 3.0 2010.01.04 -
Rising 22.29.00.01 2010.01.04 -
Sophos 4.49.0 2010.01.04 -
Sunbelt 3.2.1858.2 2010.01.03 -
TheHacker 6.5.0.3.130 2010.01.04 -
TrendMicro 9.120.0.1004 2010.01.03 -
VBA32 3.12.12.1 2010.01.01 -
ViRobot 2009.12.31.2118 2009.12.31 Hoax..Agent.61440
VirusBuster 5.0.21.0 2010.01.03 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
ssdeep: 768:UzNrXvTHr4DU6K5H5VLvDcLugwoMcq5+x7J1uQ9VP:QTG2VrOuN+lJpP
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xd394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

=============================================================================
c:\program files\sIkiy.txt

Antivirus Version Last Update Result
a-squared 4.5.0.46 2010.01.04 -
AhnLab-V3 5.0.0.2 2010.01.02 -
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2009.12.31 -
Authentium 5.2.0.5 2010.01.03 -
Avast 4.8.1351.0 2010.01.03 -
AVG 8.5.0.430 2010.01.03 -
BitDefender 7.2 2010.01.04 -
CAT-QuickHeal 10.00 2010.01.04 -
ClamAV 0.94.1 2010.01.03 -
Comodo 3460 2010.01.04 -
DrWeb 5.0.1.12222 2010.01.04 -
eSafe 7.0.17.0 2010.01.03 -
eTrust-Vet 35.1.7210 2010.01.01 -
F-Prot 4.5.1.85 2010.01.03 -
F-Secure 9.0.15370.0 2010.01.03 -
Fortinet 4.0.14.0 2010.01.02 -
GData 19 2010.01.04 -
Ikarus T3.1.1.79.0 2009.12.31 -
Jiangmin 13.0.900 2010.01.03 -
K7AntiVirus 7.10.936 2010.01.02 -
Kaspersky 7.0.0.125 2010.01.04 -
McAfee 5850 2010.01.03 -
McAfee+Artemis 5850 2010.01.03 -
McAfee-GW-Edition 6.8.5 2010.01.04 -
Microsoft 1.5302 2010.01.04 -
NOD32 4740 2010.01.03 -
Norman 6.04.03 2009.12.31 -
nProtect 2009.1.8.0 2010.01.03 -
Panda 10.0.2.2 2010.01.03 -
PCTools 7.0.3.5 2010.01.03 -
Prevx 3.0 2010.01.04 -
Rising 22.29.00.01 2010.01.04 -
Sophos 4.49.0 2010.01.04 -
Sunbelt 3.2.1858.2 2010.01.03 -
TheHacker 6.5.0.3.131 2010.01.04 -
TrendMicro 9.120.0.1004 2010.01.03 -
VBA32 3.12.12.1 2010.01.01 -
ViRobot 2009.12.31.2118 2009.12.31 -
VirusBuster 5.0.21.0 2010.01.03 -
Additional information
File size: 432 bytes
MD5...: c16ce9ab0f680973d4df23d24f20e26d
SHA1..: 363dc281ff07d021ea6d84d4f08888c2260f350d
SHA256: a30425a0a7119ee397bbff866885bf4e3ed95bc7904e44493892e9630873eefa
ssdeep: 12:qhl7ef9+Mi+2Blxik3v5ef9+Mi+2Blxik3ve:m7ef9fyx53v5ef9fyx53ve
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: Lumena CEL bitmap (60.5%)
Corel Photo Paint (39.4%)

===============================================================================
c:\windows\system32\drivers\eybeov.sys

Antivirus Version Last Update Result
a-squared 4.5.0.46 2010.01.04 -
AhnLab-V3 5.0.0.2 2010.01.02 Win-Trojan/Avenger.61440
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2009.12.31 Hoax/Win32.Agent.gen
Authentium 5.2.0.5 2010.01.03 -
Avast 4.8.1351.0 2010.01.03 -
AVG 8.5.0.430 2010.01.03 -
BitDefender 7.2 2010.01.04 -
CAT-QuickHeal 10.00 2010.01.02 Trojan.Agent.ATV
ClamAV 0.94.1 2010.01.03 -
Comodo 3460 2010.01.04 -
DrWeb 5.0.1.12222 2010.01.04 -
eSafe 7.0.17.0 2010.01.03 Win32.Banker
eTrust-Vet 35.1.7210 2010.01.01 -
F-Prot 4.5.1.85 2010.01.03 -
F-Secure 9.0.15370.0 2010.01.03 -
Fortinet 4.0.14.0 2010.01.02 -
GData 19 2010.01.04 -
Ikarus T3.1.1.79.0 2009.12.31 -
Jiangmin 13.0.900 2010.01.03 Hoax.Agent.f
K7AntiVirus 7.10.936 2010.01.02 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.01.04 -
McAfee 5850 2010.01.03 -
McAfee+Artemis 5850 2010.01.03 -
McAfee-GW-Edition 6.8.5 2010.01.04 -
Microsoft 1.5302 2010.01.04 -
NOD32 4740 2010.01.03 -
Norman 6.04.03 2009.12.31 W32/Agent.HHSF
nProtect 2009.1.8.0 2010.01.03 Trojan/W32.Agent.61440.JQ
Panda 10.0.2.2 2010.01.03 Rootkit/Agent.LNB
PCTools 7.0.3.5 2010.01.03 -
Rising 22.29.00.01 2010.01.04 -
Sophos 4.49.0 2010.01.04 -
Sunbelt 3.2.1858.2 2010.01.03 -
TheHacker 6.5.0.3.130 2010.01.04 -
TrendMicro 9.120.0.1004 2010.01.03 -
VBA32 3.12.12.1 2010.01.01 -
ViRobot 2009.12.31.2118 2009.12.31 Hoax..Agent.61440
VirusBuster 5.0.21.0 2010.01.03 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
ssdeep: 768:UzNrXvTHr4DU6K5H5VLvDcLugwoMcq5+x7J1uQ9VP:QTG2VrOuN+lJpP
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xd394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


=============================================================================================

c:\program files\mvcuybxa.txt

Antivirus Version Last Update Result
a-squared 4.5.0.46 2010.01.04 -
AhnLab-V3 5.0.0.2 2010.01.02 -
AntiVir 7.9.1.122 2009.12.31 -
Antiy-AVL 2.0.3.7 2009.12.31 -
Authentium 5.2.0.5 2010.01.03 -
Avast 4.8.1351.0 2010.01.03 -
AVG 8.5.0.430 2010.01.03 -
BitDefender 7.2 2010.01.04 -
CAT-QuickHeal 10.00 2010.01.04 -
ClamAV 0.94.1 2010.01.03 -
Comodo 3460 2010.01.04 -
DrWeb 5.0.1.12222 2010.01.04 -
eSafe 7.0.17.0 2010.01.03 -
eTrust-Vet 35.1.7210 2010.01.01 -
F-Prot 4.5.1.85 2010.01.03 -
F-Secure 9.0.15370.0 2010.01.03 -
Fortinet 4.0.14.0 2010.01.02 -
GData 19 2010.01.04 -
Ikarus T3.1.1.79.0 2009.12.31 -
Jiangmin 13.0.900 2010.01.03 -
K7AntiVirus 7.10.936 2010.01.02 -
Kaspersky 7.0.0.125 2010.01.04 -
McAfee 5850 2010.01.03 -
McAfee+Artemis 5850 2010.01.03 -
McAfee-GW-Edition 6.8.5 2010.01.04 -
Microsoft 1.5302 2010.01.04 -
NOD32 4740 2010.01.03 -
Norman 6.04.03 2009.12.31 -
nProtect 2009.1.8.0 2010.01.03 -
Panda 10.0.2.2 2010.01.03 -
PCTools 7.0.3.5 2010.01.03 -
Prevx 3.0 2010.01.04 -
Rising 22.29.00.01 2010.01.04 -
Sophos 4.49.0 2010.01.04 -
Sunbelt 3.2.1858.2 2010.01.03 -
TheHacker 6.5.0.3.131 2010.01.04 -
TrendMicro 9.120.0.1004 2010.01.03 -
VBA32 3.12.12.1 2010.01.01 -
ViRobot 2009.12.31.2118 2009.12.31 -
VirusBuster 5.0.21.0 2010.01.03 -
Additional information
File size: 552 bytes
MD5...: 50cfb3db10f579c8d39307da61dab280
SHA1..: 91c5b0c0884e67bec6c9ff33e9624c10cfe5233e
SHA256: 2a2051d4cf57c50473bedcdf0dec8f6bfdf409c931e9977c52d3517c670d7d1b
ssdeep: 12:qhl7ef9+Mi+2Blxik3v5eEz3v5ef9+Mi+2Blxik3v5eEz3ve:m7ef9fyx53v5
e43v5ef9fyx53v5e43ve
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Lumena CEL bitmap (60.5%)
Corel Photo Paint (39.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


Report •

#11
January 5, 2010 at 18:54:53
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\drivers\dhgol.sys
c:\windows\system32\drivers\roei.sys
c:\program files\jhdiry.txt
c:\windows\system32\drivers\udeoe.sys
c:\program files\sIkiy.txt
c:\windows\system32\drivers\eybeov.sys
c:\program files\mvcuybxa.txt

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Please post the log that is produced.


Report •

#12
January 5, 2010 at 22:17:07
aComboFix 10-01-03.03 - Scott 01/06/2010 0:51.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.727 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\CFScript.txt

FILE ::
"c:\program files\jhdiry.txt"
"c:\program files\mvcuybxa.txt"
"c:\program files\sIkiy.txt"
"c:\windows\system32\drivers\dhgol.sys"
"c:\windows\system32\drivers\eybeov.sys"
"c:\windows\system32\drivers\roei.sys"
"c:\windows\system32\drivers\udeoe.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\jhdiry.txt
c:\program files\mvcuybxa.txt
c:\program files\sIkiy.txt
c:\windows\system32\drivers\dhgol.sys
c:\windows\system32\drivers\eybeov.sys
c:\windows\system32\drivers\roei.sys
c:\windows\system32\drivers\udeoe.sys

.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-04 01:50 . 2010-01-04 02:00 -------- d-----w- C:\Combo-Fix
2010-01-03 22:38 . 2010-01-03 22:38 -------- d-----w- c:\program files\Sun
2010-01-03 20:18 . 2010-01-03 20:18 -------- d-----w- c:\program files\trend micro
2010-01-03 20:18 . 2010-01-03 20:18 -------- d-----w- C:\rsit
2010-01-03 17:03 . 2010-01-03 17:03 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 22:37 . 2008-12-21 15:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 22:37 . 2008-05-06 00:13 -------- d-----w- c:\program files\Java
2010-01-03 22:22 . 2008-05-05 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-03 22:21 . 2008-05-05 03:02 -------- d-----w- c:\program files\McAfee
2010-01-03 22:11 . 2009-05-20 01:02 -------- d-----w- c:\program files\Citrix
2010-01-03 20:02 . 2008-12-22 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-03 17:09 . 2008-12-22 04:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-03 17:03 . 2008-12-21 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 21:24 . 2009-12-18 12:20 52224 ----a-w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-28 21:24 . 2009-11-20 17:30 117760 ----a-w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-18 12:19 . 2009-11-20 17:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 15:55 . 2008-05-05 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-20 17:29 . 2009-11-20 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-20 17:29 . 2009-11-20 17:29 -------- d-----w- c:\documents and settings\Scott\Application Data\SUPERAntiSpyware.com
2009-11-20 17:21 . 2009-11-20 17:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-20 14:40 . 2009-11-20 14:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Update
2009-11-19 17:56 . 2009-07-11 03:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-19 16:20 . 2009-11-19 16:20 45293 ----a-w- c:\windows\system32\config\systemprofile\Application Data\Update\seupd.exe
2009-10-29 07:45 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2003-03-31 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 14:32 . 2009-10-12 14:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-12 13:38 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-03-31 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-17 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-11 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-03 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/6/2008 9:26 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-06 c:\windows\Tasks\Updater.job
- c:\windows\system32\config\systemprofile\Application Data\Update\seupd.exe [2009-11-19 16:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.liveinfopro.com/?s=
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\eb4ka4b1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.liveinfopro.com/?s=.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 01:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2244)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-06 01:09:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 06:09
ComboFix2.txt 2010-01-04 02:32
ComboFix3.txt 2010-01-04 02:15
ComboFix4.txt 2010-01-04 02:00
ComboFix5.txt 2010-01-06 05:50

Pre-Run: 49,438,806,016 bytes free
Post-Run: 49,402,060,800 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=4 Sets=1,2,3,4,5,7,8
- - End Of File - - ED0DEB5CA1EA2F513FADA31BC23C939F


Report •

#13
January 6, 2010 at 20:35:19
How is the computer operating?

Please run the BitDefender online scan this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.


Report •

Ask Question