|
|
|
New Member
Group: Forum Members
Last Login: 8/19/2009 5:57 PM
Posts: 16,
Visits: 0
|
|
I am having literally constant warnings from Avira about a file:
C:\WINDOWS\system32\wvtspn.dll
which Avira is calling a "TR/Pincav.uye Trojan"
It has rendered my machine unusable as the pop-ups appear dead center of the screen and steal focus and none of the possible solutions (Deny Access, delete, etc.) fix the problem. I suspect there may be other issues as well.
Thanks for the help.
Here is my SAS log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/20/2010 at 10:43 PM
Application Version : 4.27.1002
Core Rules Database Version : 4702
Trace Rules Database Version: 2514
Scan type : Complete Scan
Total Scan Time : 01:42:32
Memory items scanned : 239
Memory threats detected : 0
Registry items scanned : 5640
Registry threats detected : 3
File items scanned : 29698
File threats detected : 2
Adware.180solutions/Search Assistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Trojan.Agent/Gen
C:\WINDOWS\system32\lowsec
Adware.Director
C:\PROGRAM FILES\WEBHOST\WEBHOST-V2.EXE
And my HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:45 PM, on 3/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [gebxxysys] rundll32.exe "wvtspn.dll",DllRegisterServer
O4 - HKLM\..\Run: [Rsevixuqot] rundll32.exe "C:\WINDOWS\olafowacehezusuq.dll",Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sysinternals Desktops] C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [khgeccsys] rundll32.exe "wvtspn.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [khgeccsys] rundll32.exe "wvtspn.dll",DllRegisterServer (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 10306 bytes
|
|
|
|
|
Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 33,730,
Visits: 54,734
|
|
Welcome jcmack13 
First disable Spybot S&D’s protection,or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [gebxxysys] rundll32.exe "wvtspn.dll",DllRegisterServer
O4 - HKLM\..\Run: [Rsevixuqot] rundll32.exe "C:\WINDOWS\olafowacehezusuq.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [khgeccsys] rundll32.exe "wvtspn.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [khgeccsys] rundll32.exe "wvtspn.dll",DllRegisterServer (User 'Default user')
Please disable CD Emulation,see Why we request you disable CD Emulation when receiving Malware Removal Advice.
Download DeFogger by jpshortstuff and save it to your desktop.
* Double click DeFogger to run the tool
* The application window will appear
* Click the Disable button to disable your CD Emulation drivers
* Click Yes to continue
* A Finished! message will appear
* Click OK
* DeFogger will now ask to reboot the machine - click OK
**IMPORTANT!**
If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
* Please download TDSSKiller.zip and save it to your desktop.
* Extract the zip file to your desktop (Very important its located there!).
* Click on Start > Run copy and paste the following bold text into the "Open:" space, then press Enter
"%userprofile%\desktop\tdsskiller.exe" -l report.txt
* When its finished press any key to continue.
* If needed reboot the computer.
It will produce a text file (report.txt) on your desktop.
Post the entire contents of that file into your next reply.
Please download Stealth MBR rootkit detector by Gmer and save it to your root directory, usually C:\ <- (This is Important!).
* Click on Start/Run,type CMD into the 'Open:' space,then press OK
* At the command prompt type,or copy and paste, c:\mbr.exe >>"C:\mbr.log" then press Enter
* Wait then close Command Prompt manually.
* A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
* Copy and paste the entire contents of the mbr.log into your next reply.
**Warning to anyone else other than this topic starter should read the following**
You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to serious issues within your operating system.
Please read ALL of the following before making a start.
Download ComboFix from HERE to your Desktop,by following the steps below.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
1.If you are using Firefox, make sure that your download settings are as follows:
* Click on Tools->Options->"Main" tab
* Set to "Always ask me where to Save the files".
2.During the download,rename Combofix to Combo-Fix as follows:
3.It is important you rename Combofix during the download, but not after.
4.Please do not rename Combofix to other names, but only to the one indicated.
5.Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
* Click Here to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
6.Double click on Combo-Fix.exe & follow the prompts,if you're running Windows Vista\Windows 7 right click on Combo-Fix.exe and click on "Run as Administrator".
7.When finished, it will produce a report for you.
8.Please post the contents of "C:\Combo-Fix.txt" along with a new HijackThis log into your next reply.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
-----------------------------------------------------------
**VERY IMPORTANT**
* As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures**
Once the Microsoft Windows Recovery Console is installed using ComboFix,you should see the following message:
Post the following in your next reply:
The contents of report.txt from the TDSSKiller scan.
The contents of the MBR.log
The contents of C:\ComboFix.txt
A new HijackThis log.
_______________________________________________________________
ASAP & UNITE member since 2006
|
|
|
|
|
New Member
Group: Forum Members
Last Login: 8/19/2009 5:57 PM
Posts: 16,
Visits: 0
|
|
Thanks Richie!
Here is report.txt from TDSSKiller
11:47:19:265 2312 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
11:47:19:265 2312 ================================================================================
11:47:19:265 2312 SystemInfo:
11:47:19:265 2312 OS Version: 5.1.2600 ServicePack: 3.0
11:47:19:265 2312 Product type: Workstation
11:47:19:265 2312 ComputerName: JOHNSDESKTOP
11:47:19:265 2312 UserName: John Cary McNamara
11:47:19:265 2312 Windows directory: C:\WINDOWS
11:47:19:265 2312 Processor architecture: Intel x86
11:47:19:265 2312 Number of processors: 2
11:47:19:265 2312 Page size: 0x1000
11:47:19:265 2312 Boot type: Normal boot
11:47:19:265 2312 ================================================================================
11:47:19:265 2312 UnloadDriverW: NtUnloadDriver error 2
11:47:19:265 2312 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:47:19:312 2312 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:47:19:312 2312 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:47:19:312 2312 wfopen_ex: Trying to KLMD file open
11:47:19:312 2312 wfopen_ex: File opened ok (Flags 2)
11:47:19:312 2312 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:47:19:312 2312 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:47:19:312 2312 wfopen_ex: Trying to KLMD file open
11:47:19:312 2312 wfopen_ex: File opened ok (Flags 2)
11:47:19:312 2312 Initialize success
11:47:19:312 2312
11:47:19:312 2312 Scanning Services ...
11:47:19:906 2312 GetAdvancedServicesInfo: Raw services enum returned 400 services
11:47:19:906 2312
11:47:19:906 2312 Scanning Kernel memory ...
11:47:19:906 2312 Devices to scan: 4
11:47:19:906 2312
11:47:19:906 2312 Driver Name: Disk
11:47:19:906 2312 IRP_MJ_CREATE : F763DBB0
11:47:19:906 2312 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:47:19:906 2312 IRP_MJ_CLOSE : F763DBB0
11:47:19:906 2312 IRP_MJ_READ : F7637D1F
11:47:19:906 2312 IRP_MJ_WRITE : F7637D1F
11:47:19:906 2312 IRP_MJ_QUERY_INFORMATION : 804F9739
11:47:19:906 2312 IRP_MJ_SET_INFORMATION : 804F9739
11:47:19:906 2312 IRP_MJ_QUERY_EA : 804F9739
11:47:19:906 2312 IRP_MJ_SET_EA : 804F9739
11:47:19:906 2312 IRP_MJ_FLUSH_BUFFERS : F76382E2
11:47:19:906 2312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:47:19:906 2312 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:47:19:906 2312 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:47:19:906 2312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:47:19:906 2312 IRP_MJ_DEVICE_CONTROL : F76383BB
11:47:19:906 2312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
11:47:19:906 2312 IRP_MJ_SHUTDOWN : F76382E2
11:47:19:906 2312 IRP_MJ_LOCK_CONTROL : 804F9739
11:47:19:906 2312 IRP_MJ_CLEANUP : 804F9739
11:47:19:906 2312 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:47:19:906 2312 IRP_MJ_QUERY_SECURITY : 804F9739
11:47:19:906 2312 IRP_MJ_SET_SECURITY : 804F9739
11:47:19:906 2312 IRP_MJ_POWER : F7639C82
11:47:19:906 2312 IRP_MJ_SYSTEM_CONTROL : F763E99E
11:47:19:906 2312 IRP_MJ_DEVICE_CHANGE : 804F9739
11:47:19:906 2312 IRP_MJ_QUERY_QUOTA : 804F9739
11:47:19:906 2312 IRP_MJ_SET_QUOTA : 804F9739
11:47:19:937 2312 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:47:19:937 2312
11:47:19:937 2312 Driver Name: Disk
11:47:19:937 2312 IRP_MJ_CREATE : F763DBB0
11:47:19:937 2312 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:47:19:937 2312 IRP_MJ_CLOSE : F763DBB0
11:47:19:937 2312 IRP_MJ_READ : F7637D1F
11:47:19:937 2312 IRP_MJ_WRITE : F7637D1F
11:47:19:937 2312 IRP_MJ_QUERY_INFORMATION : 804F9739
11:47:19:937 2312 IRP_MJ_SET_INFORMATION : 804F9739
11:47:19:953 2312 IRP_MJ_QUERY_EA : 804F9739
11:47:19:953 2312 IRP_MJ_SET_EA : 804F9739
11:47:19:953 2312 IRP_MJ_FLUSH_BUFFERS : F76382E2
11:47:19:953 2312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:47:19:953 2312 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:47:19:953 2312 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:47:19:953 2312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:47:19:953 2312 IRP_MJ_DEVICE_CONTROL : F76383BB
11:47:19:953 2312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
11:47:19:953 2312 IRP_MJ_SHUTDOWN : F76382E2
11:47:19:953 2312 IRP_MJ_LOCK_CONTROL : 804F9739
11:47:19:953 2312 IRP_MJ_CLEANUP : 804F9739
11:47:19:953 2312 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:47:19:953 2312 IRP_MJ_QUERY_SECURITY : 804F9739
11:47:19:953 2312 IRP_MJ_SET_SECURITY : 804F9739
11:47:19:953 2312 IRP_MJ_POWER : F7639C82
11:47:19:953 2312 IRP_MJ_SYSTEM_CONTROL : F763E99E
11:47:19:953 2312 IRP_MJ_DEVICE_CHANGE : 804F9739
11:47:19:953 2312 IRP_MJ_QUERY_QUOTA : 804F9739
11:47:19:953 2312 IRP_MJ_SET_QUOTA : 804F9739
11:47:19:953 2312 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:47:19:953 2312
11:47:19:953 2312 Driver Name: Disk
11:47:19:953 2312 IRP_MJ_CREATE : F763DBB0
11:47:19:953 2312 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:47:19:953 2312 IRP_MJ_CLOSE : F763DBB0
11:47:19:953 2312 IRP_MJ_READ : F7637D1F
11:47:19:953 2312 IRP_MJ_WRITE : F7637D1F
11:47:19:953 2312 IRP_MJ_QUERY_INFORMATION : 804F9739
11:47:19:953 2312 IRP_MJ_SET_INFORMATION : 804F9739
11:47:19:953 2312 IRP_MJ_QUERY_EA : 804F9739
11:47:19:953 2312 IRP_MJ_SET_EA : 804F9739
11:47:19:953 2312 IRP_MJ_FLUSH_BUFFERS : F76382E2
11:47:19:953 2312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:47:19:953 2312 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:47:19:953 2312 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:47:19:953 2312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:47:19:953 2312 IRP_MJ_DEVICE_CONTROL : F76383BB
11:47:19:953 2312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
11:47:19:953 2312 IRP_MJ_SHUTDOWN : F76382E2
11:47:19:953 2312 IRP_MJ_LOCK_CONTROL : 804F9739
11:47:19:953 2312 IRP_MJ_CLEANUP : 804F9739
11:47:19:953 2312 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:47:19:953 2312 IRP_MJ_QUERY_SECURITY : 804F9739
11:47:19:953 2312 IRP_MJ_SET_SECURITY : 804F9739
11:47:19:953 2312 IRP_MJ_POWER : F7639C82
11:47:19:953 2312 IRP_MJ_SYSTEM_CONTROL : F763E99E
11:47:19:953 2312 IRP_MJ_DEVICE_CHANGE : 804F9739
11:47:19:953 2312 IRP_MJ_QUERY_QUOTA : 804F9739
11:47:19:953 2312 IRP_MJ_SET_QUOTA : 804F9739
11:47:19:953 2312 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:47:19:953 2312
11:47:19:953 2312 Driver Name: atapi
11:47:19:953 2312 IRP_MJ_CREATE : 8A874856
11:47:19:953 2312 IRP_MJ_CREATE_NAMED_PIPE : 8A874856
11:47:19:953 2312 IRP_MJ_CLOSE : 8A874856
11:47:19:953 2312 IRP_MJ_READ : 8A874856
11:47:19:953 2312 IRP_MJ_WRITE : 8A874856
11:47:19:953 2312 IRP_MJ_QUERY_INFORMATION : 8A874856
11:47:19:953 2312 IRP_MJ_SET_INFORMATION : 8A874856
11:47:19:953 2312 IRP_MJ_QUERY_EA : 8A874856
11:47:19:953 2312 IRP_MJ_SET_EA : 8A874856
11:47:19:953 2312 IRP_MJ_FLUSH_BUFFERS : 8A874856
11:47:19:953 2312 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A874856
11:47:19:953 2312 IRP_MJ_SET_VOLUME_INFORMATION : 8A874856
11:47:19:953 2312 IRP_MJ_DIRECTORY_CONTROL : 8A874856
11:47:19:953 2312 IRP_MJ_FILE_SYSTEM_CONTROL : 8A874856
11:47:19:953 2312 IRP_MJ_DEVICE_CONTROL : 8A874856
11:47:19:953 2312 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A874856
11:47:19:953 2312 IRP_MJ_SHUTDOWN : 8A874856
11:47:19:953 2312 IRP_MJ_LOCK_CONTROL : 8A874856
11:47:19:953 2312 IRP_MJ_CLEANUP : 8A874856
11:47:19:953 2312 IRP_MJ_CREATE_MAILSLOT : 8A874856
11:47:19:953 2312 IRP_MJ_QUERY_SECURITY : 8A874856
11:47:19:953 2312 IRP_MJ_SET_SECURITY : 8A874856
11:47:19:953 2312 IRP_MJ_POWER : 8A874856
11:47:19:953 2312 IRP_MJ_SYSTEM_CONTROL : 8A874856
11:47:19:953 2312 IRP_MJ_DEVICE_CHANGE : 8A874856
11:47:19:953 2312 IRP_MJ_QUERY_QUOTA : 8A874856
11:47:19:953 2312 IRP_MJ_SET_QUOTA : 8A874856
11:47:19:953 2312 Driver "atapi" infected by TDSS rootkit!
11:47:19:953 2312 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
11:47:19:953 2312 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 11:47:19:953 2312 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
11:47:19:953 2312 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
11:47:20:203 2312 vfvi6
11:47:20:265 2312 !dsvbh1
11:47:22:328 2312 dsvbh2
11:47:22:328 2312 fdfb2
11:47:22:328 2312 Backup copy found, using it..
11:47:22:359 2312 will be cured on next reboot
11:47:22:359 2312 Reboot required for cure complete..
11:47:22:375 2312 Cure on reboot scheduled successfully
11:47:22:375 2312
11:47:22:375 2312 Completed
11:47:22:375 2312
11:47:22:375 2312 Results:
11:47:22:375 2312 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
11:47:22:375 2312 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:47:22:375 2312 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:47:22:375 2312
11:47:22:375 2312 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:47:22:375 2312 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:47:22:375 2312 UnloadDriverW: NtUnloadDriver error 1
11:47:22:375 2312 KLMD_Unload: UnloadDriverW(klmd21) error 1
11:47:22:375 2312 KLMD(ARK) unloaded successfully
Here is mbr.log
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Here is Combofix.txt
ComboFix 10-03-20.06 - John Cary McNamara 03/21/2010 12:12:03.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1446 [GMT -4:00]
Running from: c:\documents and settings\John Cary McNamara\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\John Cary McNamara\Start Menu\Programs\Startup\MagicDisc.lnk
c:\windows\eSellerateEngine.dll
c:\windows\olafowacehezusuq.dll
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.
2010-03-21 16:02 . 2010-03-21 16:02 77312 ----a-w- C:\mbr.exe
2010-03-21 00:44 . 2010-03-21 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-21 00:44 . 2010-03-21 03:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-21 00:44 . 2010-03-21 00:44 -------- d-----w- c:\documents and settings\John Cary McNamara\Application Data\SUPERAntiSpyware.com
2010-03-21 00:43 . 2010-03-21 00:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-20 20:38 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-19 01:28 . 2010-03-21 04:28 0 ----a-w- c:\windows\Knatoh.bin
2010-03-19 01:28 . 2010-03-21 15:19 120 ----a-w- c:\windows\Dbifimoxih.dat
2010-03-19 01:28 . 2010-03-19 01:28 -------- d-----w- c:\documents and settings\John Cary McNamara\Local Settings\Application Data\{740538BF-6133-4148-BBAB-31F430AD8274}
2010-03-04 00:08 . 2010-03-19 06:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-03 18:58 . 2010-03-03 18:58 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Adobe
2010-03-02 13:49 . 2010-03-21 04:27 91648 ----a-w- c:\windows\system32\wvtspn.dll
2010-03-02 13:49 . 2010-03-19 07:01 91648 ----a-w- c:\windows\system32\wvtspn.VIR
2010-03-01 19:20 . 2010-03-19 04:18 -------- d-----w- c:\documents and settings\John Cary McNamara\Local Settings\Application Data\mtg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 16:32 . 2010-03-21 16:32 98816 ---ha-w- c:\windows\system32\fccbcd.dll
2010-03-21 15:48 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-21 04:00 . 2009-03-27 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-03-21 04:00 . 2009-03-27 15:47 -------- d-----w- c:\program files\Common Files\Logishrd
2010-03-21 03:37 . 2009-03-22 22:18 -------- d-----w- c:\program files\Everything
2010-03-21 03:06 . 2005-10-24 05:11 -------- d-----w- c:\program files\WebHost
2010-03-21 00:52 . 2005-09-15 21:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-04 01:23 . 2005-09-15 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-04 00:08 . 2009-10-03 01:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-03 04:26 . 2006-08-13 03:54 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-02 15:24 . 2009-08-21 15:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 00:29 . 2010-03-02 00:29 4407296 ----a-w- c:\documents and settings\postgres\ntuser.tmp
2010-03-01 04:19 . 2009-03-04 16:43 -------- d-----w- c:\program files\Digsby
2010-01-07 21:07 . 2009-08-21 15:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-08-21 15:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2005-08-26 20:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-24 05:48 . 2009-08-21 17:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2007-02-16 00:30 . 2007-02-16 00:31 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sysinternals Desktops"="c:\documents and settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe" [2009-08-23 118824]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-21 2012912]
"nnmnlmdrv"="fccbcd.dll" [2010-03-21 98816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-06-08 778318]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-06-16 568096]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"dddddcsys"="wvtspn.dll" [2010-03-21 91648]
"ljklmjdrv"="fccbcd.dll" [2010-03-21 98816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"kheffdsys"="wvtspn.dll" [2010-03-21 91648]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-27 813584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-6-2 1622016]
Wireless Configuration Utility HW.51.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 454656]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-21 03:20 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 19:22 63040 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvtspn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-07-11 01:10 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 57344 ----a-w- c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 14:32 77824 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 14:35 94208 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Gaim\\gaim.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 4:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/21/2009 1:46 PM 108289]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [3/17/2008 3:47 AM 77824]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 9:48 AM 506112]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 12872]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
S1 Ter_pci;Ter_pci;\??\c:\windows\system32\drivers\geapinip.sys --> c:\windows\system32\drivers\geapinip.sys [?]
S2 eqgkuqsxphlcoq;\??\c:\windows;\??\c:\windows\TEMP\netfiojad.sys --> c:\windows\TEMP\netfiojad.sys [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/27/2009 11:50 AM 10384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [5/27/2007 2:41 PM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [5/27/2007 2:42 PM 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [5/27/2007 2:54 PM 60816]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/21/2009 11:43 AM 38224]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [5/3/2006 6:53 PM 636416]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\John Cary McNamara\Application Data\Mozilla\Firefox\Profiles\71cnais3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npietab.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {740538BF-6133-4148-BBAB-31F430AD8274} - c:\documents and settings\John Cary McNamara\Local Settings\Application Data\{740538BF-6133-4148-BBAB-31F430AD8274}
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Rsevixuqot - c:\windows\olafowacehezusuq.dll
SafeBoot-klmdb.sys
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
MSConfigStartUp-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
MSConfigStartUp-Google Update - c:\documents and settings\John Cary McNamara\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-Microsoft Windows DLL Services Configuration - windir32.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_04\bin\jusched.exe
MSConfigStartUp-TivoServer - c:\program files\TiVo\Desktop\TiVoServer.exe
MSConfigStartUp-TivoTransfer - c:\program files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 12:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\fccbcd.dll 98816 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(812)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\fccbcd.dll
- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\wvtspn.dll
c:\windows\system32\wininet.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(3304)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\fccbcd.dll
c:\windows\system32\mshtml.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\progra~1\3M\PSNLite\PSNGive.exe
c:\windows\system32\rundll32.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2010-03-21 12:43:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 16:43
Pre-Run: 14,417,285,120 bytes free
Post-Run: 14,420,553,728 bytes free
- - End Of File - - 39B717D9C825F4FF2DEFA43E52DEEF30
Here is the new HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:43 PM, on 3/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dddddcsys] rundll32.exe "wvtspn.dll",DllRegisterServer
O4 - HKLM\..\Run: [ljklmjdrv] rundll32.exe "fccbcd.dll",s
O4 - HKCU\..\Run: [Sysinternals Desktops] C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [nnmnlmdrv] rundll32.exe "fccbcd.dll",s
O4 - HKUS\S-1-5-18\..\Run: [kheffdsys] rundll32.exe "wvtspn.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kheffdsys] rundll32.exe "wvtspn.dll",DllRegisterServer (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9778 bytes
|
|
|
|
|
Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 33,730,
Visits: 54,734
|
|
|
|
|
|
New Member
Group: Forum Members
Last Login: 8/19/2009 5:57 PM
Posts: 16,
Visits: 0
|
|
Things seem to be significantly improving, thanks!
New ComboFix log
ComboFix 10-03-20.06 - John Cary McNamara 03/21/2010 13:43:08.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1376 [GMT -4:00]
Running from: c:\documents and settings\John Cary McNamara\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\John Cary McNamara\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FILE ::
"c:\windows\Dbifimoxih.dat"
"c:\windows\system32\drivers\geapinip.sys"
"c:\windows\system32\fccbcd.dll"
"c:\windows\system32\wvtspn.dll"
"c:\windows\system32\wvtspn.VIR"
"c:\windows\TEMP\netfiojad.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Dbifimoxih.dat
c:\windows\system32\fccbcd.dll
c:\windows\system32\wvtspn.dll
c:\windows\system32\wvtspn.VIR
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_EQGKUQSXPHLCOQ
-------\Legacy_TER_PCI
-------\Service_eqgkuqsxphlcoq
-------\Service_Ter_pci
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.
2010-03-21 16:02 . 2010-03-21 16:02 77312 ----a-w- C:\mbr.exe
2010-03-21 00:44 . 2010-03-21 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-21 00:44 . 2010-03-21 03:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-21 00:44 . 2010-03-21 00:44 -------- d-----w- c:\documents and settings\John Cary McNamara\Application Data\SUPERAntiSpyware.com
2010-03-21 00:43 . 2010-03-21 00:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-20 20:38 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-19 01:28 . 2010-03-21 04:28 0 ----a-w- c:\windows\Knatoh.bin
2010-03-19 01:28 . 2010-03-19 01:28 -------- d-----w- c:\documents and settings\John Cary McNamara\Local Settings\Application Data\{740538BF-6133-4148-BBAB-31F430AD8274}
2010-03-04 00:08 . 2010-03-19 06:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-03 18:58 . 2010-03-03 18:58 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Adobe
2010-03-01 19:20 . 2010-03-19 04:18 -------- d-----w- c:\documents and settings\John Cary McNamara\Local Settings\Application Data\mtg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 17:39 . 2009-03-22 22:18 -------- d-----w- c:\program files\Everything
2010-03-21 15:48 . 2004-08-04 03:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-21 04:00 . 2009-03-27 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-03-21 04:00 . 2009-03-27 15:47 -------- d-----w- c:\program files\Common Files\Logishrd
2010-03-21 03:06 . 2005-10-24 05:11 -------- d-----w- c:\program files\WebHost
2010-03-21 00:52 . 2005-09-15 21:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-04 01:23 . 2005-09-15 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-04 00:08 . 2009-10-03 01:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-03 04:26 . 2006-08-13 03:54 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-02 15:24 . 2009-08-21 15:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 00:29 . 2010-03-02 00:29 4407296 ----a-w- c:\documents and settings\postgres\ntuser.tmp
2010-03-01 04:19 . 2009-03-04 16:43 -------- d-----w- c:\program files\Digsby
2010-01-07 21:07 . 2009-08-21 15:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-08-21 15:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-10 17:51 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2005-08-26 20:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-24 05:48 . 2009-08-21 17:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2007-02-16 00:30 . 2007-02-16 00:31 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sysinternals Desktops"="c:\documents and settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe" [2009-08-23 118824]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-21 2012912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-06-08 778318]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-06-16 568096]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-27 813584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-6-2 1622016]
Wireless Configuration Utility HW.51.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 454656]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-21 03:20 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 19:22 63040 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-07-11 01:10 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 57344 ----a-w- c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 14:32 77824 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 14:35 94208 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Gaim\\gaim.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 4:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/21/2009 1:46 PM 108289]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [3/17/2008 3:47 AM 77824]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 9:48 AM 506112]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 12872]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/27/2009 11:50 AM 10384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [5/27/2007 2:41 PM 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [5/27/2007 2:42 PM 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [5/27/2007 2:54 PM 60816]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/21/2009 11:43 AM 38224]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [5/3/2006 6:53 PM 636416]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\John Cary McNamara\Application Data\Mozilla\Firefox\Profiles\71cnais3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npietab.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {740538BF-6133-4148-BBAB-31F430AD8274} - c:\documents and settings\John Cary McNamara\Local Settings\Application Data\{740538BF-6133-4148-BBAB-31F430AD8274}
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-mlkkhedrv - fccbcd.dll
HKLM-Run-iiijgesys - wvtspn.dll
HKU-Default-Run-nnonlmdrv - fccbcd.dll
HKU-Default-Run-hggeecsys - wvtspn.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 13:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'lsass.exe'(872)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(532)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\Rundll32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\3M\PSNLite\PSNGive.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2010-03-21 14:14:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 18:14
ComboFix2.txt 2010-03-21 16:43
Pre-Run: 14,353,985,536 bytes free
Post-Run: 14,307,831,808 bytes free
- - End Of File - - 944A4D7E3BDDF0F0E36C0E67C45A386F
New HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:20 PM, on 3/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Sysinternals Desktops] C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9332 bytes
|
|
|
|
|
Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 33,730,
Visits: 54,734
|
|
Thats better,lets continue
Click on Start/Run,copy and paste ComboFix /uninstall into the 'Open:' space,then press OK [see image below]
This will uninstall Combofix,delete its related folders and files,reset your clock settings,hide file extensions,hide the system/hidden files and resets System Restore.
Download TFC by OldTimer to your Desktop.
* Please double-click TFC.exe to run it,if you're running Windows Vista right click on TFC.exe and click on "Run as Administrator".
* It will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Let it run uninterrupted until it's finished.
* Once it's finished it should reboot your machine.If it doesn't,please manually restart the pc to ensure a complete cleanup.
Download Security Check by screen317 and save it to your Desktop.
Double-click on SecurityCheck.exe and follow the on-screen instructions inside the black box.
Notepad should open a file named checkup.txt.
Copy and paste the entire contents of that file into your next reply.
Please download Dr.Web CureIt,save it to your desktop.
* Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
* This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, select Complete scan.
* Click the green arrow at the right, and the scan will start.
* Click Yes to all if it asks if you want to cure/move the file.
* When the scan has finished, in the menu, click File and choose Save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Note:this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
* Please post the Dr.Web.txt report into your next reply
* Close Dr.Web Cureit.
* Important!!! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
NOTE:
During the scan,a pop-up window will open asking for full version purchase.
Simply close the window by clicking on the X in the upper right corner.
Post the following in your next reply:
The contents of checkup.txt from the Security Check scan.
The contents of the Dr.Web report.
A new HijackThis log.
_______________________________________________________________
ASAP & UNITE member since 2006
|
|
|
|
|
New Member
Group: Forum Members
Last Login: 8/19/2009 5:57 PM
Posts: 16,
Visits: 0
|
|
checkup.txt
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
[color=red]Out of date Spybot installed![/color]
Spybot - Search & Destroy 1.4
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Windows Defender Signatures
HijackThis 2.0.2
CCleaner (remove only)
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 7.0.8
Adobe Reader 7.0.5 Language Support
[color=red]Out of date Adobe Reader installed![/color]
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
[color=red]Unknown. This method cannot test your vulnerability to DNS cache poisoning.[/color]
`````````End of Log```````````
Dr. Web report
4a00ab7e.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4a00ab7e.qua;Trojan.Packed.19733;;
4a00ab7e.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4a30b036.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4a30b036.qua;Trojan.Packed.19733;;
4a30b036.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4a3281a6.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4a3281a6.qua;Trojan.Packed.19733;;
4a3281a6.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4b62eccd.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4b62eccd.qua;Trojan.Packed.19733;;
4b62eccd.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4bd0fb85.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4bd0fb85.qua;Trojan.Packed.19733;;
4bd0fb85.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4bd0fb86.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4bd0fb86.qua;Trojan.Packed.19733;;
4bd0fb86.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4bd0fb87.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4bd0fb87.qua;Trojan.Packed.19733;;
4bd0fb87.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4bd4fb41.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4bd4fb41.qua;Trojan.Packed.19733;;
4bd4fb41.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4bd5215c.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4bd5215c.qua;Trojan.Packed.19733;;
4bd5215c.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4bd5215d.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4bd5215d.qua;Trojan.Packed.19733;;
4bd5215d.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4be3fb62.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4be3fb62.qua;Trojan.Packed.19733;;
4be3fb62.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4be3fb63.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4be3fb63.qua;Trojan.Packed.19733;;
4be3fb63.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4be3fb64.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4be3fb64.qua;Trojan.Packed.19733;;
4be3fb64.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4bed5547.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4bed5547.qua;BackDoor.Tdss.based.3;;
4bed5547.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4c09fb83.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4c09fb83.qua;Trojan.Packed.19733;;
4c09fb83.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4c09fb84.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4c09fb84.qua;Trojan.Packed.19733;;
4c09fb84.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4c10fb86.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4c10fb86.qua;Probably Trojan.Packed.453;;
4c10fb86.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4c14fb7e.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4c14fb7e.qua;Trojan.PWS.Panda.278;;
4c14fb7e.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4c89f4e4.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4c89f4e4.qua;Trojan.Packed.19733;;
4c89f4e4.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4d0e0df7.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4d0e0df7.qua;Trojan.Packed.19733;;
4d0e0df7.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4de7d79f.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4de7d79f.qua;Probably Trojan.Packed.453;;
4de7d79f.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4fe589f6.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4fe589f6.qua;Trojan.Packed.19733;;
4fe589f6.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4ff9a8d6.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4ff9a8d6.qua;Trojan.Packed.19733;;
4ff9a8d6.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4ffa81be.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4ffa81be.qua;Trojan.Packed.19733;;
4ffa81be.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4ffd4b35.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4ffd4b35.qua;Trojan.Packed.19733;;
4ffd4b35.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4ffea09e.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4ffea09e.qua;Trojan.Packed.19733;;
4ffea09e.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
4fff58a6.qua\data001;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED\4fff58a6.qua;Trojan.Packed.19733;;
4fff58a6.qua;C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED;Container contains infected objects;Moved.;
1bac29e0-5c722b8a\myf/y/AppletX.class;C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\1bac29e0-5c722b8a;Exploit.Java.8;;
1bac29e0-5c722b8a\myf/y/LoaderX.class;C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\1bac29e0-5c722b8a;Exploit.Java.8;;
1bac29e0-5c722b8a;C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32;Archive contains infected objects;Moved.;
Hijack This log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:04 PM, on 3/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\John Cary McNamara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\John Cary McNamara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Sysinternals Desktops] C:\Documents and Settings\John Cary McNamara\My Documents\downloads\Desktops\Desktops.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John Cary McNamara\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9464 bytes
|
|
|
|
|
Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 33,730,
Visits: 54,734
|
|
Your log is clean
Re-enable CD Emulation using DeFogger by following these steps:
* Double-click on the DeFogger icon to start the tool,if running Win 7 or Vista right click and select Run as Administrator.
* The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
* When it prompts you whether or not you want to continue, please click on the Yes button to continue
* When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
* If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
Out of date Adobe Reader installed!
Launch Adobe Reader,click on Help->Check for Updates...,to update to the latest version.
Out of date Spybot installed!
Download/install Spybot - Search & Destroy 1.6.2:
http://www.safer-networking.org/en/download/
You should now take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:
How to prevent malware by miekiemoes.
Further information and tips:
How did I get infected?, With steps so it does not happen again!
Simple and easy ways to keep your computer safe and secure on the Internet.
Best Practices - Internet Safety for 2008.
Your Guide To Staying Safe Online.
Securing Your Web Browser.
Staying Safe on Social Network Sites.
Avoiding Social Engineering and Phishing Attacks.
Hardening Windows Security - Part 1 & 2.
Your online accounts,computer files,and personal information are more secure when you use strong passwords to help protect them,you should check yours:
Strong passwords: How to create and use them.
Password Security.
Password checker.
Info that may help if your pc doesn't seem to be up to its usual speed:
Help! My computer is slow!
Ten ways to troubleshoot a slow PC.
Restore Your Computer's Performance with Windows XP.
You may want to consider the following:
If you have an external USB drive,or a spare hard disk drive, you may want to consider investing in/installing a disk imaging/restore software [see examples below].
If you don't have a spare hard disk drive or an external USB drive then again you should consider getting one,200 to 250GB should be just fine,the more space the better,the more images you can store.
While the pc is running well and is malware free you should create an image of your hard drive and save that image to your external USB drive,or spare hard disk drive.
Most popular disk imaging programs will give you the option of creating a bootable system recovery cd.
Booting your pc with that cd you can restore your operating system to its previous state which uses the saved disk image stored on your USB drive/spare hard drive.
To pay for options:
Acronis True Image.
Norton Ghost.
Free options:
Macrium Reflect FREE Edition.
Paragon Drive Backup Free Edition.
Keep safe and happy surfing 
_______________________________________________________________
ASAP & UNITE member since 2006
|
|
|
|
|
New Member
Group: Forum Members
Last Login: 8/19/2009 5:57 PM
Posts: 16,
Visits: 0
|
|
| Thanks Richie, you're awesome!
|
|
|
|
|
Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 33,730,
Visits: 54,734
|
|
You're welcome,glad to help out jcmack13
_______________________________________________________________
ASAP & UNITE member since 2006
|
|
|
|
© 2009 Advanced PC Media LLC, all rights reserved. Tweaks.com is not affiliated with Microsoft.