-
Trojans
I have a couple of trojans I need help getting off my computer. I have scanned with Superantispyware, but it does not find them; however, my Avira does find them. This one pops up at startup: TR/crypt.zpack, and then there is one that is TR/dropper.gen.
I have deleted all cookies/temp files/history etc. The second one is a .exe file and the first is a dll file, but I cannot find where they are to remove them.
Any help please? Thanks.
-
Then this route is what you want to do.
http://discussions.virtualdr.com/sho...d.php?t=197917
But post the logs in this thread please.
-
Thanks Train. I will start the process tonight after work and will post the log tomorrow or Saturday.
-
I tried to scan with the superantispyware and the cpu would freeze up and stop scanning. Whatever is on the cpu has disabled the Avira and has our printer where it will not work. I enabled the Avira again and will try to scan again later tonight. Does the superantispyware have to be the first scan? Thanks.
-
In this case, use Malwarebytes' Anti-Malware first.
-
Thanks guys. Lots of files, especially gmer. I am not sure if I posted the files correctly. Please let me know if I need to change it.
Posting on this thread as requested.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/14/2009 at 08:26 PM
Application Version : 4.27.1002
Core Rules Database Version : 4057
Trace Rules Database Version: 1997
Scan type : Complete Scan
Total Scan Time : 00:45:09
Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 7109
Registry threats detected : 1
File items scanned : 69766
File threats detected : 12
Adware.Tracking Cookie
C:\Documents and Settings\Home User\Cookies\home_user@atdmt[1].txt
C:\Documents and Settings\Home User\Cookies\[email protected][1].txt
C:\Documents and Settings\Home User\Cookies\[email protected][2].txt
C:\Documents and Settings\Home User\Cookies\home_user@adecn[1].txt
C:\Documents and Settings\Home User\Cookies\home_user@questionmarket[1].txt
C:\Documents and Settings\Home User\Cookies\home_user@adbrite[1].txt
C:\Documents and Settings\Home User\Cookies\home_user@imrworldwide[2].txt
C:\Documents and Settings\Home User\Cookies\home_user@apmebf[1].txt
C:\Documents and Settings\Home User\Cookies\[email protected][1].txt
C:\Documents and Settings\Home User\Cookies\home_user@doubleclick[2].txt
C:\Documents and Settings\Home User\Cookies\home_user@2o7[2].txt
C:\Documents and Settings\Home User\Cookies\home_user@fastclick[1].txt
Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-2052111302-1004336348-839522115-1003\SOFTWARE\FunWebProducts
Malwarebytes' Anti-Malware 1.40
Database version: 2630
Windows 5.1.2600 Service Pack 3
8/15/2009 3:57:58 PM
mbam-log-2009-08-15 (15-57-58).txt
Scan type: Full Scan (C:\|)
Objects scanned: 172833
Time elapsed: 50 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\Winhrt32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\Winhrt32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
-
Gmer
SSDT F7C5ADA4 ZwCreateThread
SSDT F7C5AD90 ZwOpenProcess
SSDT F7C5AD95 ZwOpenThread
SSDT F7C5AD9F ZwTerminateProcess
SSDT F7C5AD9A ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
? hlbnqcau.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00F23E44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F23304 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 00F23574 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 00F237E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 00F424D4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] Secur32.dll!EncryptMessage 77FEA641 5 Bytes JMP 00F46744 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] Secur32.dll!DecryptMessage 77FEA690 5 Bytes JMP 00F42684 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00F18FE4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F18EE4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00F47044 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 00F42B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F46994 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00F48D84 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F46D84 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F478E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00F46B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F472F4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F47654 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 00F42D24 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 00F46A54 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 00F43084 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 00F42F74 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[208] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 00F42EC4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 01223E44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01223304 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 01223574 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 012237E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 012424D4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] Secur32.dll!EncryptMessage 77FEA641 5 Bytes JMP 01246744 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] Secur32.dll!DecryptMessage 77FEA690 5 Bytes JMP 01242684 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 01218FE4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01218EE4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 01247044 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 01242B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01246994 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01248D84 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01246D84 C:\WINDOWS\system32\caburnet.dll
-
Gmer cont'd
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012478E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 01246B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012472F4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01247654 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 01242D24 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 01246A54 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 01243084 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 01242F74 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe[240] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 01242EC4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10043E44 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 10043304 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 10043574 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 100437E4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 100624D4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] Secur32.dll!EncryptMessage 77FEA641 5 Bytes JMP 10066744 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] Secur32.dll!DecryptMessage 77FEA690 5 Bytes JMP 10062684 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10038FE4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10038EE4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 10067044 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 10062B44 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10066994 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10068D84 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10066D84 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100678E4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 10066B44 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100672F4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10067654 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 10062D24 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 10066A54 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10063084 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10062F74 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\system32\ctfmon.exe[256] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10062EC4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 02C73E44 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02C73304 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 02C73574 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 02C737E4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 02C924D4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] Secur32.dll!EncryptMessage 77FEA641 5 Bytes JMP 02C96744 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] Secur32.dll!DecryptMessage 77FEA690 5 Bytes JMP 02C92684 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 02C68FE4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02C68EE4 C:\WINDOWS\system32\caburnet.dll
-
More Gmer.
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 02C97044 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 02C92B44 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02C96994 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 02C98D84 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02C96D84 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02C978E4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 02C96B44 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02C972F4 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02C97654 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 02C92D24 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 02C96A54 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 02C93084 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 02C92F74 C:\WINDOWS\system32\caburnet.dll
.text C:\WINDOWS\Explorer.EXE[1948] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 02C92EC4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10043E44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 10043304 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 10043574 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 100437E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 100624D4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] Secur32.dll!EncryptMessage 77FEA641 5 Bytes JMP 10066744 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] Secur32.dll!DecryptMessage 77FEA690 5 Bytes JMP 10062684 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10038FE4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10038EE4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 10067044 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 10062B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10066994 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10068D84 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10066D84 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100678E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 10066B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100672F4 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10067654 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 10062D24 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 10066A54 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10063084 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10062F74 C:\WINDOWS\system32\caburnet.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2912] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10062EC4 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10043E44 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 10043304 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 10043574 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 100437E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 5 Bytes JMP 100624D4 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] Secur32.dll!EncryptMessage 77FEA641 5 Bytes JMP 10066744 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] Secur32.dll!DecryptMessage 77FEA690 5 Bytes JMP 10062684 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 10067044 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 10062B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10066994 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10068D84 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10066D84 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100678E4 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 10066B44 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100672F4 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10067654 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!listen 71AB8CD3 5 Bytes JMP 10062D24 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!gethostbyaddr 71ABE491 5 Bytes JMP 10066A54 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 10063084 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 10062F74 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] WS2_32.dll!WSAGetOverlappedResult 71AC0D1B 5 Bytes JMP 10062EC4 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10038FE4 C:\WINDOWS\system32\caburnet.dll
.text C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\WULT5P7H\v0i901gy[1].exe[3436] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 10038EE4 C:\WINDOWS\system32\caburnet.dll
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Cdfs \Cdfs F4178400
---- EOF - GMER 1.0.15 ----
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:04 PM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: Srvalbio - {8E196E23-C0ED-472A-A5A2-D7AFE88673B3} - C:\WINDOWS\system32\artaxpol.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 7930 bytes
-
HJT log looks pretty good, but let's double check. How are the issues anyway?
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
- This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select Complete scan.
- Click the green arrow at the right, and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.
NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.
Post fresh HijackThis log as well.
-
Thanks Broni. Here is the Drweb file.
artaxpol.dll;c:\windows\system32;Probably WIN.MAIL.WORM.Virus;Incurable.Deleted.;
3DJongg.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
ArcMenu.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
CPinball.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
CTris.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
CybCheck.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
CybrDice.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
Escapade.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
FJiggler.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
Jiggle3D.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
JigMenu.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
JongMenu.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
Memory.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
Mind.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
MindMenu.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
MJiggler.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
MoreJong.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
OJiggler.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
PhDetect.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
Radiate.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
RingJong.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
SpheJong.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
UltBlast.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
Vorb.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
YourJong.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
A0270552.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270553.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270554.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270555.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270556.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270557.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270558.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270559.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270560.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270561.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270562.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270563.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270564.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270565.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270566.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270567.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270568.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270569.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270570.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270571.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270572.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270573.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270574.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
A0270575.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
artaxpol.dll;C:\WINDOWS\system32;Probably WIN.MAIL.WORM.Virus;Invalid path to file ;
-
New HijackThis file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:24 PM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 7782 bytes
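Two of the logs posted in this thread have a regular line layout: the DrWeb.csv report (file;directory;verdict;action;) and the HijackThis log (a section code such as O21, a dash, then the entry). The script below is an added example, not code from the thread or from either tool's vendor. It parses both layouts from constructed sample lines that copy the formats shown above, summarises the Dr.Web verdicts and actions (including how many hits sit inside System Restore points, one reason helpers have System Restore turned off after a cleanup), and lists any HijackThis entry that names a file the scanner reported. The function names and the sample strings are the example's own.

```python
"""Triage helpers for the DrWeb.csv and HijackThis log layouts seen in this thread.

Added example (not part of the original thread): parse both formats, summarise
the Dr.Web findings and cross-reference file names against HijackThis entries.
"""
import re
from collections import Counter

# Constructed sample in the DrWeb.csv layout: name;directory;verdict;action;
DRWEB_SAMPLE = r"""
artaxpol.dll;c:\windows\system32;Probably WIN.MAIL.WORM.Virus;Incurable.Deleted.;
3DJongg.exe;C:\Moraff\Main;Trojan.MulDrop.origin;Incurable.Moved.;
A0270552.exe;C:\System Volume Information\_restore{EB55B478-2316-4748-A857-3DFA1C6D76B8}\RP1273;Trojan.MulDrop.origin;Incurable.Moved.;
artaxpol.dll;C:\WINDOWS\system32;Probably WIN.MAIL.WORM.Virus;Invalid path to file ;
"""

# Constructed sample of HijackThis lines in the layout shown in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: Srvalbio - {8E196E23-C0ED-472A-A5A2-D7AFE88673B3} - C:\WINDOWS\system32\artaxpol.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# HijackThis entries start with a letter, one or two digits, then " - ".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_drweb(text):
    """Parse DrWeb.csv lines into dicts; the trailing empty field is ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue  # not a report line
        name, directory, verdict, action = (f.strip() for f in fields[:4])
        records.append({
            "name": name,
            "dir": directory,
            "verdict": verdict,
            "action": action,
            "path": directory.rstrip("\\") + "\\" + name,
            # Copies inside System Volume Information\_restore{...} are
            # restore-point snapshots, not live files.
            "in_restore_point": "_restore{" in directory.lower(),
        })
    return records


def parse_hjt(text):
    """Return {'section', 'body'} for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def summarize_drweb(records):
    """Count verdicts, actions and how many hits live in restore points."""
    return {
        "total": len(records),
        "by_verdict": dict(Counter(r["verdict"] for r in records)),
        "by_action": dict(Counter(r["action"] for r in records)),
        "in_restore_points": sum(r["in_restore_point"] for r in records),
    }


def cross_reference(records, entries):
    """List HijackThis entries whose text names a file from the Dr.Web report.

    Returns (section, matched file names, entry body) tuples; matching is a
    case-insensitive file-name search, so treat hits as leads to verify.
    """
    names = {r["name"].lower() for r in records}
    hits = []
    for e in entries:
        body_l = e["body"].lower()
        matched = sorted(n for n in names if n in body_l)
        if matched:
            hits.append((e["section"], matched, e["body"]))
    return hits


if __name__ == "__main__":
    recs = parse_drweb(DRWEB_SAMPLE)
    print(summarize_drweb(recs))
    for section, names, body in cross_reference(recs, parse_hjt(HJT_SAMPLE)):
        print(f"{section}: {', '.join(names)} -> {body}")
```

To use it on a real report, read DrWeb.csv and the HijackThis log from disk and pass their contents to `parse_drweb` and `parse_hjt` in place of the constructed samples; the cross-reference only says which load points mention a reported file, it does not decide whether an entry is malicious.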
-
Your computer is clean
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.
2. Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
3. Restart computer.
4. Turn System Restore on.
5. Make sure Windows Updates are current.
6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!
7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
8. Run defrag at your convenience.
9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
10. Please let me know how your computer is doing.
-
Thank you so much Broni!!
I will do the last steps tomorrow and have already changed bank account passwords.
-
Ok I have finished the steps in your last post and am starting defrag in a bit. Actually we had issues with Mozilla and this fix has resolved those as well.
Thank you so much for the cpu help and this site. It is the first place I come to with problems I cannot handle.
-
Ok the TR/Crypt.ZPACK is still on my computer. I just had an automatic scan with Avira and it found it. I have it in quarantine now but it is not clear.
What else can I do to get this off? Thanks
-
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
ComboFix 09-08-10.06 - Home User 08/16/2009 16:15.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.647 [GMT -4:00]
Running from: c:\documents and settings\Home User\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-2052111302-1004336348-839522115-500
c:\windows\Installer\10bd948.msp
c:\windows\Installer\10bd95b.msp
c:\windows\Installer\10bd96e.msp
c:\windows\Installer\10bd982.msp
c:\windows\Installer\10bd995.msp
c:\windows\Installer\10bd9a9.msp
c:\windows\Installer\10bd9c5.msp
c:\windows\Installer\2d7036.msp
c:\windows\Installer\2d7049.msp
c:\windows\Installer\2d705c.msp
c:\windows\Installer\2d7070.msp
c:\windows\Installer\2d7084.msp
c:\windows\Installer\2d7098.msp
c:\windows\Installer\2f78c7.msp
c:\windows\Installer\2f78db.msp
c:\windows\Installer\470282.msi
c:\windows\Installer\4ac3c.msp
c:\windows\Installer\4ac50.msp
c:\windows\Installer\60509.msp
c:\windows\Installer\6050a.msp
c:\windows\Installer\6051e.msp
c:\windows\Installer\6b2f01.msp
c:\windows\Installer\85d3c.msi
c:\windows\Installer\984c4.msi
c:\windows\Installer\bf5f8e.msp
c:\windows\Installer\c053d6.msi
c:\windows\Installer\d2e958.msp
c:\windows\Installer\ed1677.msp
c:\windows\Installer\ed1692.msp
c:\windows\Installer\ed16a6.msp
c:\windows\Installer\ed16ba.msp
c:\windows\patch.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.
2009-08-16 14:59 . 2009-08-16 14:59 -------- d-----w- c:\documents and settings\Home User\Local Settings\Application Data\Mozilla
2009-08-16 14:55 . 2009-08-16 14:55 -------- d-----w- c:\windows\LastGood
2009-08-16 14:53 . 2009-08-16 14:53 -------- d-----w- c:\program files\WOT
2009-08-15 22:26 . 2009-08-15 22:26 -------- d-----w- c:\documents and settings\Home User\DoctorWeb
2009-08-15 21:00 . 2009-08-15 21:00 -------- d-----w- c:\program files\Trend Micro
2009-08-15 18:57 . 2009-08-15 18:57 -------- d-----w- c:\documents and settings\Home User\Application Data\Malwarebytes
2009-08-14 22:25 . 2009-08-15 18:41 117760 ----a-w- c:\documents and settings\Home User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-14 22:18 . 2009-08-14 22:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-14 21:31 . 2009-08-14 21:31 -------- d-----w- c:\program files\HP
2009-08-13 03:09 . 2009-08-14 21:31 -------- d-----w- c:\program files\HP(2)
2009-08-13 03:07 . 2003-08-20 20:59 6371 ----a-r- c:\windows\system32\hphmon05.dat
2009-08-13 03:06 . 2009-08-13 03:10 18282 ----a-w- c:\windows\HPHins01.dat
2009-08-13 03:06 . 2003-09-12 14:30 4284 ------w- c:\windows\hphmdl01.dat
2009-08-13 03:05 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 00:54 . 2009-08-13 00:54 -------- d-----w- c:\documents and settings\Home User\Application Data\Hewlett-Packard
2009-08-12 22:59 . 2009-08-14 21:32 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-08-12 22:40 . 2009-08-14 21:32 -------- d-----w- c:\program files\FirefoxPortable
2009-08-12 21:15 . 2009-08-12 21:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-12 21:13 . 2009-08-12 21:13 68840 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 20:56 . 2009-08-14 21:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-08-12 20:56 . 2009-08-14 21:32 -------- d-s---w- c:\documents and settings\Administrator
2009-08-12 00:30 . 2009-08-14 21:32 -------- d-----w- c:\program files\Unlocker
2009-08-11 22:04 . 2009-08-11 22:05 -------- d-----w- c:\documents and settings\Home User\Application Data\SUPERAntiSpyware.com
2009-08-11 22:04 . 2009-08-11 22:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-11 21:04 . 2009-08-11 21:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 21:03 . 2009-08-11 21:03 152576 ----a-w- c:\documents and settings\Home User\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-10 00:15 . 2009-08-10 00:15 1961720 ----a-w- c:\documents and settings\Home User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-08-10 00:13 . 2009-08-10 21:15 -------- d-----w- c:\program files\NOS
2009-08-10 00:13 . 2009-08-10 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-24 05:05 . 2009-07-24 05:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-07-24 02:37 . 2009-07-24 02:37 -------- d-----w- c:\program files\DIFX
2009-07-24 02:37 . 2009-07-24 02:37 -------- d-----w- c:\program files\Garmin
2009-07-24 02:37 . 2009-07-24 02:37 -------- dc----w- c:\windows\system32\DRVSTORE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 14:49 . 2004-07-05 00:50 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80661102}.dat
2009-08-16 14:49 . 2004-07-05 00:50 288 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80661102}.dat
2009-08-16 00:31 . 2007-08-02 11:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-08-15 18:57 . 2008-10-24 01:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 22:25 . 2008-09-02 20:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-14 21:31 . 2004-07-03 18:58 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-11 21:03 . 2004-07-25 14:41 -------- d-----w- c:\program files\Java
2009-08-08 18:20 . 2004-07-02 20:26 -------- d-----w- c:\documents and settings\Home User\Application Data\Roxio
2009-08-05 09:01 . 2004-07-18 23:45 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2008-09-02 21:32 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-09-02 21:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 05:05 . 2005-01-24 23:17 -------- d-----w- c:\program files\Picasa2
2009-07-18 03:06 . 2009-01-16 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-07-18 03:04 . 2009-07-18 03:04 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-07-18 03:04 . 2009-07-18 03:04 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-22 23:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2005-06-18 03:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 02:55 . 2009-06-26 02:55 -------- d-----w- c:\documents and settings\Home User\Application Data\GARMIN
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2003-03-31 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-07-02 01:18 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2003-05-30 13:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 01:51 . 2007-08-02 11:40 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2004-07-12 02:03 . 2004-07-12 02:02 16706160 ----a-w- c:\program files\AdbeRdr60_enu_full.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-03-24 46080]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Organize Quick & Easy 5.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Organize Quick & Easy 5.0.lnk
backup=c:\windows\pss\Organize Quick & Easy 5.0.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/1/2004 9:34 PM 77312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S2 AvgCore;AVG6 Kernel;\??\c:\progra~1\Grisoft\AVG6\avgcore.sys --> c:\progra~1\Grisoft\AVG6\avgcore.sys [?]
S2 AvgFsh;AVG6 Rezident Driver;\??\c:\progra~1\Grisoft\AVG6\avgfsh.sys --> c:\progra~1\Grisoft\AVG6\avgfsh.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S4 AvgServ;AVG6 Service;c:\progra~1\Grisoft\AVG6\avgserv.exe --> c:\progra~1\Grisoft\AVG6\avgserv.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2009-08-13 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard76002003-08-20 18:57Y3BI310JXK3.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 18:57]
2009-08-16 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-07-03 21:23]
.
-
ComboFix cont'd
ebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-POINTER - point32.exe
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search -
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Home User\Application Data\Mozilla\Firefox\Profiles\klkt6pay.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 16:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2052111302-1004336348-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-16 16:20
ComboFix-quarantined-files.txt 2009-08-16 20:20
Pre-Run: 182,401,007,616 bytes free
Post-Run: 182,347,583,488 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
278 --- E O F --- 2009-08-15 04:11
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:14 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 6904 bytes
-
1. Please open Notepad: click Start, then Run.
- Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
Folder::
c:\progra~1\Grisoft
Driver::
AvgCore
AvgFsh
AvgServ
Registry::
RegLockDel::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
https://discussions.virtualdr.com/im.../2016/03/2.gif
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
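The Driver:: names in the CFScript above come straight from the ComboFix driver/service list, where the three AVG6 entries were printed with "--> path [?]" because their binaries no longer exist. As an added example (not code from the thread, from ComboFix or from the helper), here is a small Python parser for that line format that pulls out the orphaned entries and renders the matching Driver:: section; SAMPLE_LOG is a constructed sample in the same layout, and the Folder::/Registry:: sections are deliberately left to the analyst.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout ComboFix uses for its driver/service list:
# type, name, display name, image path, then either "[date size]" when the
# file could be stat'ed or "--> resolved path [?]" when it is missing.
# It mirrors the entries discussed in this thread: AVG6 leftovers whose files
# are gone, alongside SUPERAntiSpyware drivers that are present.
SAMPLE_LOG = r"""
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/1/2004 9:34 PM 77312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
S2 AvgCore;AVG6 Kernel;\??\c:\progra~1\Grisoft\AVG6\avgcore.sys --> c:\progra~1\Grisoft\AVG6\avgcore.sys [?]
S2 AvgFsh;AVG6 Rezident Driver;\??\c:\progra~1\Grisoft\AVG6\avgfsh.sys --> c:\progra~1\Grisoft\AVG6\avgfsh.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S4 AvgServ;AVG6 Service;c:\progra~1\Grisoft\AVG6\avgserv.exe --> c:\progra~1\Grisoft\AVG6\avgserv.exe [?]
"""

# R = running, S = stopped; the digit is the Windows service start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<detail>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    state: str           # "R" or "S"
    start_type: int
    name: str            # service/driver key name, what CFScript's Driver:: takes
    display: str
    image_path: str      # path as registered (may carry the \??\ prefix)
    resolved_path: str   # path ComboFix resolved it to
    file_present: bool   # False when ComboFix printed "[?]"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix driver/service line; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    if " --> " in image:
        image, resolved = image.split(" --> ", 1)
    else:
        resolved = image
    return ServiceEntry(
        state=m.group("state"),
        start_type=int(m.group("start")),
        name=m.group("name"),
        display=m.group("display"),
        image_path=image,
        resolved_path=resolved,
        file_present=m.group("detail").strip() != "?",
    )


def parse_log(text: str) -> List[ServiceEntry]:
    """Collect every driver/service line found in a ComboFix log."""
    return [e for e in map(parse_service_line, text.splitlines()) if e]


def orphaned_entries(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registered drivers/services whose binary no longer exists on disk."""
    return [e for e in entries if not e.file_present]


def cfscript_driver_section(entries: List[ServiceEntry]) -> str:
    """Render the Driver:: section of a CFScript for the orphaned entries."""
    names = [e.name for e in orphaned_entries(entries)]
    return "Driver::\n" + "".join(n + "\n" for n in names)


def orphan_directories(entries: List[ServiceEntry]) -> List[str]:
    """Distinct directories the missing binaries lived in, for Folder:: review."""
    dirs: List[str] = []
    for e in orphaned_entries(entries):
        d = ntpath.dirname(e.resolved_path).lower()
        if d not in dirs:
            dirs.append(d)
    return dirs


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in orphaned_entries(parsed):
        print(f"{entry.name}: {entry.display} -> {entry.resolved_path} (file missing)")
    print(cfscript_driver_section(parsed))
    print("directories to review for Folder:: :", orphan_directories(parsed))
```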
-
ComboFix 09-08-10.06 - Home User 08/16/2009 17:05.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.558 [GMT -4:00]
Running from: c:\documents and settings\Home User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home User\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00C8-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00C8-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Home User\.exe
c:\progra~1\Grisoft
c:\progra~1\Grisoft\AVG6\avg60.GID
c:\progra~1\Grisoft\AVG6\avgse.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AVGCORE
-------\Legacy_AVGFSH
-------\Legacy_AVGSERV
-------\Service_AvgCore
-------\Service_AvgFsh
-------\Service_AvgServ
((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.
2009-08-16 14:59 . 2009-08-16 14:59 -------- d-----w- c:\documents and settings\Home User\Local Settings\Application Data\Mozilla
2009-08-16 14:53 . 2009-08-16 14:53 -------- d-----w- c:\program files\WOT
2009-08-15 22:26 . 2009-08-15 22:26 -------- d-----w- c:\documents and settings\Home User\DoctorWeb
2009-08-15 21:00 . 2009-08-15 21:00 -------- d-----w- c:\program files\Trend Micro
2009-08-15 18:57 . 2009-08-15 18:57 -------- d-----w- c:\documents and settings\Home User\Application Data\Malwarebytes
2009-08-14 22:25 . 2009-08-15 18:41 117760 ----a-w- c:\documents and settings\Home User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-14 22:18 . 2009-08-14 22:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-14 21:31 . 2009-08-14 21:31 -------- d-----w- c:\program files\HP
2009-08-13 03:09 . 2009-08-14 21:31 -------- d-----w- c:\program files\HP(2)
2009-08-13 03:07 . 2003-08-20 20:59 6371 ----a-r- c:\windows\system32\hphmon05.dat
2009-08-13 03:06 . 2009-08-13 03:10 18282 ----a-w- c:\windows\HPHins01.dat
2009-08-13 03:06 . 2003-09-12 14:30 4284 ------w- c:\windows\hphmdl01.dat
2009-08-13 03:05 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 00:54 . 2009-08-13 00:54 -------- d-----w- c:\documents and settings\Home User\Application Data\Hewlett-Packard
2009-08-12 22:59 . 2009-08-14 21:32 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-08-12 22:40 . 2009-08-14 21:32 -------- d-----w- c:\program files\FirefoxPortable
2009-08-12 21:15 . 2009-08-12 21:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-12 21:13 . 2009-08-12 21:13 68840 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 20:56 . 2009-08-14 21:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-08-12 20:56 . 2009-08-14 21:32 -------- d-s---w- c:\documents and settings\Administrator
2009-08-12 00:30 . 2009-08-14 21:32 -------- d-----w- c:\program files\Unlocker
2009-08-11 22:04 . 2009-08-11 22:05 -------- d-----w- c:\documents and settings\Home User\Application Data\SUPERAntiSpyware.com
2009-08-11 22:04 . 2009-08-11 22:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-11 21:04 . 2009-08-11 21:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 21:03 . 2009-08-11 21:03 152576 ----a-w- c:\documents and settings\Home User\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-10 00:15 . 2009-08-10 00:15 1961720 ----a-w- c:\documents and settings\Home User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-08-10 00:13 . 2009-08-10 21:15 -------- d-----w- c:\program files\NOS
2009-08-10 00:13 . 2009-08-10 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-24 05:05 . 2009-07-24 05:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-07-24 02:37 . 2009-07-24 02:37 -------- d-----w- c:\program files\DIFX
2009-07-24 02:37 . 2009-07-24 02:37 -------- d-----w- c:\program files\Garmin
2009-07-24 02:37 . 2009-07-24 02:37 -------- dc----w- c:\windows\system32\DRVSTORE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 21:13 . 2004-07-05 00:50 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000D-00001102-00000002-80661102}.dat
2009-08-16 21:13 . 2004-07-05 00:50 288 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000D-00001102-00000002-80661102}.dat
2009-08-16 00:31 . 2007-08-02 11:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-08-15 18:57 . 2008-10-24 01:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 22:25 . 2008-09-02 20:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-14 21:31 . 2004-07-03 18:58 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-11 21:03 . 2004-07-25 14:41 -------- d-----w- c:\program files\Java
2009-08-08 18:20 . 2004-07-02 20:26 -------- d-----w- c:\documents and settings\Home User\Application Data\Roxio
2009-08-05 09:01 . 2004-07-18 23:45 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2008-09-02 21:32 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-09-02 21:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 05:05 . 2005-01-24 23:17 -------- d-----w- c:\program files\Picasa2
2009-07-18 03:06 . 2009-01-16 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-07-18 03:04 . 2009-07-18 03:04 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-07-18 03:04 . 2009-07-18 03:04 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-09-22 23:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2005-06-18 03:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 02:55 . 2009-06-26 02:55 -------- d-----w- c:\documents and settings\Home User\Application Data\GARMIN
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2003-03-31 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-07-02 01:18 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2003-05-30 13:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 01:51 . 2007-08-02 11:40 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2004-07-12 02:03 . 2004-07-12 02:02 16706160 ----a-w- c:\program files\AdbeRdr60_enu_full.exe
.
-
(((((((((((((((((((((((((((( SnapShot@2009-08-16_20.18.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-16 21:14 . 2009-08-16 21:14 16384 c:\windows\Temp\Perflib_Perfdata_1cc.dat
+ 2009-08-16 21:13 . 2009-08-16 21:13 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-16 21:13 . 2009-08-16 21:13 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-16 21:13 . 2009-08-16 21:13 176128 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-16 21:13 . 2009-08-16 21:13 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-16 21:13 . 2009-08-16 21:13 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-16 21:13 . 2009-08-16 21:13 7237632 c:\windows\ERDNT\subs\Users\00000005\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-03-24 46080]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-24 3309568]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Organize Quick & Easy 5.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Organize Quick & Easy 5.0.lnk
backup=c:\windows\pss\Organize Quick & Easy 5.0.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/1/2004 9:34 PM 77312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-08-13 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard76002003-08-20 18:57Y3BI310JXK3.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 18:57]
2009-08-16 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-07-03 21:23]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Search -
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Home User\Application Data\Mozilla\Firefox\Profiles\klkt6pay.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 17:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2052111302-1004336348-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2009-08-16 17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-16 21:20
ComboFix2.txt 2009-08-16 20:20
Pre-Run: 182,362,595,328 bytes free
Post-Run: 182,226,419,712 bytes free
278 --- E O F --- 2009-08-15 04:11
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:20 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2...nAxControl.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 6879 bytes
-
Uninstall Combofix:
Go to Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.
What does Avira say now?
-
I did the complete scan with Avira and nothing popped up.
Thanks Broni!!
-
-
Broni - I have a couple of small issues that started after we did all the scans. Maybe this question should be in another forum, but it started after the last couple of scans.
The settings on the keyboard and the mouse will not stay set; each time we log on we have to go to Control Panel and reset everything. Also, the USB drive will not start automatically any longer; we have to manually start it.
How can I fix these so they keep the settings? Thanks.
-
To get more attention, it'll definitely be better to start a new topic under the Windows section.
Access to malware section is very limited.
-
Thanks Broni - I will post in the other section.
-
-
The Tr/Crypt.ZPACK is back!!
It popped up yesterday afternoon when we logged on. This was the first issue we have had since the cpu was cleaned last week. I have no idea where it is coming from.
Now what do we do? Thanks.
-
Could this TR be on our USB stick? If so would we just toss that one and get a new one?
-
-
Thanks Train. Do I need to re-do all the scans to get the booger off the CPU again? It was found by Avira at boot up and the stick was not in use.
-
I don't mean to beat a dead horse here, but I searched on this hateful TR and it seems that Avira may be giving a false positive on this. Has anyone else found this to be true? I also read it on the Avira forum, but cannot find it now.
If it is a false positive, it sure would save a lot of hassle trying to find it.