-
December 19th, 2009, 07:23 AM
#16
Ok. That will have to wait until Monday unfortunately.
-
December 19th, 2009, 01:19 PM
#17
No problem
-
December 22nd, 2009, 09:53 AM
#18
Combofix reloaded
Running from: c:\documents and settings\criddle\Desktop\KittyFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\EventSystem.log
.
---- Previous Run -------
.
c:\windows\AegisP.inf
c:\windows\EventSystem.log
c:\windows\system32\st325602.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.
2009-12-18 15:09 . 2009-12-18 15:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-16 19:21 . 2009-12-16 19:21 -------- d-----w- c:\program files\Trend Micro
2009-12-15 16:44 . 2009-12-15 16:44 117760 ----a-w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-15 16:44 . 2009-12-15 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-15 16:43 . 2009-12-15 16:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 16:43 . 2009-12-15 16:43 -------- d-----w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com
2009-12-14 20:20 . 2009-12-14 20:20 -------- d-----w- c:\documents and settings\criddle\Application Data\Apple Computer
2009-12-14 19:28 . 2009-06-08 20:08 38200 ----a-w- c:\documents and settings\criddle\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-12-09 19:55 . 2009-12-09 19:55 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\criddle\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 19:55 . 2009-12-09 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 19:54 . 2009-12-09 19:54 -------- d-----w- C:\Malwarebytes
2009-12-04 20:09 . 2009-12-09 20:07 -------- d-----w- c:\windows\LMIED.tmp
2009-12-03 22:11 . 2009-12-03 22:11 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 17:00 . 2009-04-21 11:54 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2009-12-18 14:33 . 2008-05-07 16:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-18 14:19 . 2008-05-07 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-15 16:43 . 2008-05-07 17:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-14 19:58 . 2009-05-28 18:44 -------- d-----w- c:\program files\GRETECH
2009-12-14 19:42 . 2009-04-13 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-11 12:52 . 2009-04-13 12:56 -------- d-----w- c:\program files\DYMO Label
2009-12-03 22:11 . 2009-06-09 19:13 -------- d-----w- c:\program files\Google
2009-11-25 19:43 . 2009-04-08 17:12 261161 ----a-w- c:\windows\system32\nvModes.dat
2009-11-17 17:10 . 2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
2009-11-17 17:10 . 2008-05-07 17:21 -------- d-----w- c:\program files\Cobian Backup 9
2009-11-10 15:40 . 2009-07-17 18:10 -------- d-----w- c:\program files\Yahoo!
2009-11-10 15:33 . 2009-11-10 15:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-11-10 15:14 . 2009-11-10 15:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-11-10 09:00 . 2009-11-11 17:21 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ed403.vdb\ECMSVR32.DLL
2009-11-05 20:06 . 2009-11-05 20:01 -------- d-----w- c:\program files\FLIR Systems
2009-11-05 20:02 . 2009-11-05 20:02 -------- d-----w- c:\documents and settings\criddle\Application Data\ThermaCAM Connect 3
2009-11-05 20:01 . 2009-11-05 20:01 -------- d-----w- c:\program files\Bonjour
2009-11-05 20:00 . 2009-11-05 20:00 -------- d-----w- c:\program files\ffdshow
2009-11-04 19:21 . 2008-05-07 17:24 -------- d-----w- c:\program files\Java
2009-11-04 19:20 . 2009-11-04 19:20 152576 ----a-w- c:\documents and settings\criddle\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-28 15:06 . 2009-09-02 15:25 -------- d-----w- c:\program files\Sensormatic
2009-10-23 15:38 . 2008-05-07 17:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-11 09:17 . 2009-04-20 15:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 08:00 . 2009-09-28 20:56 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e7602.vdb\ECMSVR32.DLL
.
------- Sigcheck -------
[7] 2008-10-16 . E654B78D2F1D791B30D0ED9A8195EC22 . 51224 . . [7.2.6001.788] . . c:\windows\system32\dllcache\wuauclt.exe
[7] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\windows\$NtServicePackUninstall$\wuauclt.exe
c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIcon]
@="{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}"
[HKEY_CLASSES_ROOT\CLSID\{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIconLnk]
@="{E56571FC-D775-4768-AEB1-569A6179E5DD}"
[HKEY_CLASSES_ROOT\CLSID\{E56571FC-D775-4768-AEB1-569A6179E5DD}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-4400\Scripts\Logon\0\0]
"Script"=defuser.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-4400\Scripts\Logon\0\1]
"Script"=IE70Blocker.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-9845\Scripts\Logon\0\0]
"Script"=defuser.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-9845\Scripts\Logon\0\1]
"Script"=IE70Blocker.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printer Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printer Status Monitor.lnk
backup=c:\windows\pss\Printer Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 03:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 08:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 17:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-04-08 19:52 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 9 interface]
2009-01-22 16:38 2749952 ----a-w- c:\program files\Cobian Backup 9\cbInterface.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-05-16 20:50 162584 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2006-07-12 15:45 626688 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-05-16 20:50 138008 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-10-08 18:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-10-08 18:18 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-11-22 02:07 13594624 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-11-22 02:07 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-11-22 02:07 1657376 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 15:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-05-16 20:50 138008 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-02 18:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2005-04-17 16:30 85184 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebrootClientUI]
2008-07-16 15:19 435616 ----a-w- c:\program files\Webroot\Client\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootCommAgentService"=2 (0x2)
"WebrootSpySweeperService"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1ca2bfda2bb6012"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtlxSrvMgr"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"SavRoam"=2 (0x2)
"NVSvc"=2 (0x2)
"MSSQL$MSSMLBIZ"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"CryptSvc"=3 (0x3)
"CobianBackupAmanita"=2 (0x2)
"Alerter"=2 (0x2)
"PEVSystemStart"=2 (0x2)
"WZCSVC"=2 (0x2)
"WudfSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"STacSV"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=2 (0x2)
"SamSs"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RegSrvc"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"getPlus(R) Helper"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EvtEng"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"SharedAccess"=2 (0x2)
"LmHosts"=2 (0x2)
"TermService"=3 (0x3)
"winmgmt"=2 (0x2)
"WSearch"=2 (0x2)
"lanmanworkstation"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SHARP\\Printer Status Monitor\\Smon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [5/14/2009 5:19 PM 33920]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [6/14/2009 8:20 AM 10752]
S3 mysdrive;Secure Drive Mini-Filter Driver;\??\c:\documents and settings\All Users\Application Data\mysdrive.sys --> c:\documents and settings\All Users\Application Data\mysdrive.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S4 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [4/16/2009 7:39 AM 583168]
S4 gupdate1ca2bfda2bb6012;Google Update Service (gupdate1ca2bfda2bb6012);c:\program files\Google\Update\GoogleUpdate.exe [9/2/2009 1:46 PM 133104]
S4 NtlxSrvMgr;Intellex Service Manager;c:\program files\Sensormatic\NetworkClient\bin\NtlxSrvMgr.exe --> c:\program files\Sensormatic\NetworkClient\bin\NtlxSrvMgr.exe [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://winnersedge.winnco.com
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {6B68CDBA-8AFE-4CAC-80FB-727B9F946957} - hxxp://helpstar/helpstar/hsActiveX/HPluginI.cab
FF - ProfilePath - c:\documents and settings\criddle\Application Data\Mozilla\Firefox\Profiles\z7n93lja.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\criddle\Application Data\Mozilla\Firefox\Profiles\z7n93lja.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-HP LaserJet P3005-P3004 Install - D:\setup.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 12:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\criddle\LOCALS~1\Temp\Perflib_Perfdata_10c.dat 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1288)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\WRLogonNtf.DLL
- - - - - - - > 'lsass.exe'(1348)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-12-18 12:11:00
ComboFix-quarantined-files.txt 2009-12-18 17:10
Pre-Run: 48,121,856,000 bytes free
Post-Run: 48,085,852,160 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - B7702D9AC24C301724B9028042030915
-
December 22nd, 2009, 09:54 AM
#19
Here is the top of that log file. It was a bit too long to load in one post.
_____________________________________________________________
ComboFix 09-12-17.03 - criddle 12/18/2009 12:07:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3156 [GMT -5:00]
Running from: c:\documents and settings\criddle\Desktop\KittyFix.exe
.
-
December 22nd, 2009, 02:49 PM
#20
Don't forget to include a fresh HJT log this time around.
1. Please open Notepad- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
c:\windows\LMIED.tmp
Folder::
Driver::
Registry::
RegLockDel::
MIA::
c:\windows\System32\wuauclt.exe
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
-
December 22nd, 2009, 04:11 PM
#21
The Combofix (or "Kittyfix" as you named it) has disappeared from my desktop and computer.
-
December 22nd, 2009, 04:15 PM
#22
Download fresh copy from Here or Here to your Desktop.
-
December 22nd, 2009, 04:49 PM
#23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:04 PM, on 12/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnersedge.winnco.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://winnersedge.winnco.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://www.winnremote.com/vdesk/cac...2009,0514,2202
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://www.winnremote.com/vdesk/ter...,2009,514,2217
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://yardi/voyager/activexviewer9.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://www.winnremote.com/vdesk/ter...,2009,514,2213
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://www.winnremote.com/vdesk/ter...2009,0514,2216
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.8.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://www.winnremote.com/vdesk/ter...2009,0514,2204
O16 - DPF: {6B68CDBA-8AFE-4CAC-80FB-727B9F946957} (IObjSafety.UsrAudit) - http://helpstar/helpstar/hsActiveX/HPluginI.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://www.winnremote.com/vdesk/ter...2007,1001,2136
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210174627660
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://www.winnremote.com/vdesk/ter...,2009,514,2210
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://www.winnremote.com/vdesk/ter...,2009,514,2205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WINNCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = WINNCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WINNCO.COM
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
--
End of file - 5514 bytes
-
December 22nd, 2009, 04:50 PM
#24
ComboFix 09-12-21.08 - criddle 12/22/2009 15:33:04.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3224 [GMT -5:00]
Running from: c:\documents and settings\criddle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\criddle\Desktop\CFScript.txt
FILE ::
"c:\windows\LMIED.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\EventSystem.log
c:\windows\System32\wuauclt.exe was missing
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.
2009-12-18 15:09 . 2009-12-18 15:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-16 19:21 . 2009-12-16 19:21 -------- d-----w- c:\program files\Trend Micro
2009-12-15 16:44 . 2009-12-15 16:44 117760 ----a-w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-15 16:44 . 2009-12-15 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-15 16:43 . 2009-12-15 16:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 16:43 . 2009-12-15 16:43 -------- d-----w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com
2009-12-14 20:20 . 2009-12-14 20:20 -------- d-----w- c:\documents and settings\criddle\Application Data\Apple Computer
2009-12-14 19:28 . 2009-06-08 20:08 38200 ----a-w- c:\documents and settings\criddle\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-12-09 19:55 . 2009-12-09 19:55 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\criddle\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 19:55 . 2009-12-09 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 19:54 . 2009-12-09 19:54 -------- d-----w- C:\Malwarebytes
2009-12-04 20:09 . 2009-12-09 20:07 -------- d-----w- c:\windows\LMIED.tmp
2009-12-03 22:11 . 2009-12-03 22:11 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 20:09 . 2009-04-21 11:54 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2009-12-22 19:18 . 2008-05-07 16:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-18 14:19 . 2008-05-07 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-15 16:43 . 2008-05-07 17:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-14 19:58 . 2009-05-28 18:44 -------- d-----w- c:\program files\GRETECH
2009-12-14 19:42 . 2009-04-13 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-11 12:52 . 2009-04-13 12:56 -------- d-----w- c:\program files\DYMO Label
2009-12-03 22:11 . 2009-06-09 19:13 -------- d-----w- c:\program files\Google
2009-11-25 19:43 . 2009-04-08 17:12 261161 ----a-w- c:\windows\system32\nvModes.dat
2009-11-17 17:10 . 2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
2009-11-17 17:10 . 2008-05-07 17:21 -------- d-----w- c:\program files\Cobian Backup 9
2009-11-10 15:40 . 2009-07-17 18:10 -------- d-----w- c:\program files\Yahoo!
2009-11-10 15:33 . 2009-11-10 15:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-11-10 15:14 . 2009-11-10 15:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-11-10 09:00 . 2009-11-11 17:21 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ed403.vdb\ECMSVR32.DLL
2009-11-05 20:06 . 2009-11-05 20:01 -------- d-----w- c:\program files\FLIR Systems
2009-11-05 20:02 . 2009-11-05 20:02 -------- d-----w- c:\documents and settings\criddle\Application Data\ThermaCAM Connect 3
2009-11-05 20:01 . 2009-11-05 20:01 -------- d-----w- c:\program files\Bonjour
2009-11-05 20:00 . 2009-11-05 20:00 -------- d-----w- c:\program files\ffdshow
2009-11-04 19:21 . 2008-05-07 17:24 -------- d-----w- c:\program files\Java
2009-11-04 19:20 . 2009-11-04 19:20 152576 ----a-w- c:\documents and settings\criddle\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-28 15:06 . 2009-09-02 15:25 -------- d-----w- c:\program files\Sensormatic
2009-10-11 09:17 . 2009-04-20 15:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 08:00 . 2009-09-28 20:56 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e7602.vdb\ECMSVR32.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-12-18_17.09.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-22 20:36 . 2008-10-16 18:09 51224 c:\windows\system32\wuauclt.exe
+ 2008-05-07 13:14 . 2009-12-22 13:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-07 13:14 . 2009-12-15 05:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-22 13:44 . 2009-12-22 13:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-07 13:14 . 2009-12-22 13:44 2670592 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-07 13:14 . 2009-12-15 05:00 2670592 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIcon]
@="{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}"
[HKEY_CLASSES_ROOT\CLSID\{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIconLnk]
@="{E56571FC-D775-4768-AEB1-569A6179E5DD}"
[HKEY_CLASSES_ROOT\CLSID\{E56571FC-D775-4768-AEB1-569A6179E5DD}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-22 13594624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-9845\Scripts\Logon\0\0]
"Script"=defuser.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-9845\Scripts\Logon\0\1]
"Script"=IE70Blocker.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printer Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printer Status Monitor.lnk
backup=c:\windows\pss\Printer Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 03:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 08:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 17:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-04-08 19:52 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 9 interface]
2009-01-22 16:38 2749952 ----a-w- c:\program files\Cobian Backup 9\cbInterface.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-05-16 20:50 162584 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2006-07-12 15:45 626688 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-05-16 20:50 138008 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-10-08 18:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-10-08 18:18 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-11-22 02:07 13594624 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-11-22 02:07 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-11-22 02:07 1657376 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 15:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-05-16 20:50 138008 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-02 18:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2005-04-17 16:30 85184 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebrootClientUI]
2008-07-16 15:19 435616 ----a-w- c:\program files\Webroot\Client\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PEVSystemStart"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"DefWatch"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WSearch"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"winmgmt"=2 (0x2)
"WebrootSpySweeperService"=3 (0x3)
"WebrootCommAgentService"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"STacSV"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=2 (0x2)
"SavRoam"=2 (0x2)
"SamSs"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RegSrvc"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtlxSrvMgr"=2 (0x2)
"NtLmSsp"=2 (0x2)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=2 (0x2)
"napagent"=3 (0x3)
"MSSQL$MSSMLBIZ"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1ca2bfda2bb6012"=2 (0x2)
"getPlus(R) Helper"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EvtEng"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=3 (0x3)
"COMSysApp"=3 (0x3)
"CobianBackupAmanita"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SHARP\\Printer Status Monitor\\Smon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [5/14/2009 5:19 PM 33920]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [6/14/2009 8:20 AM 10752]
S3 mysdrive;Secure Drive Mini-Filter Driver;\??\c:\documents and settings\All Users\Application Data\mysdrive.sys --> c:\documents and settings\All Users\Application Data\mysdrive.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S4 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [4/16/2009 7:39 AM 583168]
S4 gupdate1ca2bfda2bb6012;Google Update Service (gupdate1ca2bfda2bb6012);c:\program files\Google\Update\GoogleUpdate.exe [9/2/2009 1:46 PM 133104]
S4 NtlxSrvMgr;Intellex Service Manager;c:\program files\Sensormatic\NetworkClient\bin\NtlxSrvMgr.exe --> c:\program files\Sensormatic\NetworkClient\bin\NtlxSrvMgr.exe [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://winnersedge.winnco.com
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {6B68CDBA-8AFE-4CAC-80FB-727B9F946957} - hxxp://helpstar/helpstar/hsActiveX/HPluginI.cab
FF - ProfilePath - c:\documents and settings\criddle\Application Data\Mozilla\Firefox\Profiles\z7n93lja.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\criddle\Application Data\Mozilla\Firefox\Profiles\z7n93lja.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 15:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1288)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\WRLogonNtf.DLL
.
Completion time: 2009-12-22 15:38:11
ComboFix-quarantined-files.txt 2009-12-22 20:38
ComboFix2.txt 2009-12-18 17:44
ComboFix3.txt 2009-12-18 17:11
Pre-Run: 48,094,990,336 bytes free
Post-Run: 48,067,260,416 bytes free
- - End Of File - - C767D20AF53326C8BBA027C4C695EA55
-
December 22nd, 2009, 04:50 PM
#25
ComboFix 09-12-21.08 - criddle 12/22/2009 15:33:04.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3224 [GMT -5:00]
Running from: c:\documents and settings\criddle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\criddle\Desktop\CFScript.txt
FILE ::
"c:\windows\LMIED.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\EventSystem.log
c:\windows\System32\wuauclt.exe was missing
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.
2009-12-18 15:09 . 2009-12-18 15:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-16 19:21 . 2009-12-16 19:21 -------- d-----w- c:\program files\Trend Micro
2009-12-15 16:44 . 2009-12-15 16:44 117760 ----a-w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-15 16:44 . 2009-12-15 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-15 16:43 . 2009-12-15 16:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 16:43 . 2009-12-15 16:43 -------- d-----w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com
2009-12-14 20:20 . 2009-12-14 20:20 -------- d-----w- c:\documents and settings\criddle\Application Data\Apple Computer
2009-12-14 19:28 . 2009-06-08 20:08 38200 ----a-w- c:\documents and settings\criddle\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-12-09 19:55 . 2009-12-09 19:55 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\criddle\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 19:55 . 2009-12-09 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 19:54 . 2009-12-09 19:54 -------- d-----w- C:\Malwarebytes
2009-12-04 20:09 . 2009-12-09 20:07 -------- d-----w- c:\windows\LMIED.tmp
2009-12-03 22:11 . 2009-12-03 22:11 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 20:09 . 2009-04-21 11:54 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2009-12-22 19:18 . 2008-05-07 16:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-18 14:19 . 2008-05-07 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-15 16:43 . 2008-05-07 17:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-14 19:58 . 2009-05-28 18:44 -------- d-----w- c:\program files\GRETECH
2009-12-14 19:42 . 2009-04-13 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-11 12:52 . 2009-04-13 12:56 -------- d-----w- c:\program files\DYMO Label
2009-12-03 22:11 . 2009-06-09 19:13 -------- d-----w- c:\program files\Google
2009-11-25 19:43 . 2009-04-08 17:12 261161 ----a-w- c:\windows\system32\nvModes.dat
2009-11-17 17:10 . 2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
2009-11-17 17:10 . 2008-05-07 17:21 -------- d-----w- c:\program files\Cobian Backup 9
2009-11-10 15:40 . 2009-07-17 18:10 -------- d-----w- c:\program files\Yahoo!
2009-11-10 15:33 . 2009-11-10 15:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-11-10 15:14 . 2009-11-10 15:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-11-10 09:00 . 2009-11-11 17:21 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ed403.vdb\ECMSVR32.DLL
2009-11-05 20:06 . 2009-11-05 20:01 -------- d-----w- c:\program files\FLIR Systems
2009-11-05 20:02 . 2009-11-05 20:02 -------- d-----w- c:\documents and settings\criddle\Application Data\ThermaCAM Connect 3
2009-11-05 20:01 . 2009-11-05 20:01 -------- d-----w- c:\program files\Bonjour
2009-11-05 20:00 . 2009-11-05 20:00 -------- d-----w- c:\program files\ffdshow
2009-11-04 19:21 . 2008-05-07 17:24 -------- d-----w- c:\program files\Java
2009-11-04 19:20 . 2009-11-04 19:20 152576 ----a-w- c:\documents and settings\criddle\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-28 15:06 . 2009-09-02 15:25 -------- d-----w- c:\program files\Sensormatic
2009-10-11 09:17 . 2009-04-20 15:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 08:00 . 2009-09-28 20:56 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e7602.vdb\ECMSVR32.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-12-18_17.09.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-22 20:36 . 2008-10-16 18:09 51224 c:\windows\system32\wuauclt.exe
+ 2008-05-07 13:14 . 2009-12-22 13:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-07 13:14 . 2009-12-15 05:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-22 13:44 . 2009-12-22 13:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-07 13:14 . 2009-12-22 13:44 2670592 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-07 13:14 . 2009-12-15 05:00 2670592 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIcon]
@="{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}"
[HKEY_CLASSES_ROOT\CLSID\{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIconLnk]
@="{E56571FC-D775-4768-AEB1-569A6179E5DD}"
[HKEY_CLASSES_ROOT\CLSID\{E56571FC-D775-4768-AEB1-569A6179E5DD}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-22 13594624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-9845\Scripts\Logon\0\0]
"Script"=defuser.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-9845\Scripts\Logon\0\1]
"Script"=IE70Blocker.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printer Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printer Status Monitor.lnk
backup=c:\windows\pss\Printer Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 03:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 08:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 17:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-04-08 19:52 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 9 interface]
2009-01-22 16:38 2749952 ----a-w- c:\program files\Cobian Backup 9\cbInterface.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-05-16 20:50 162584 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2006-07-12 15:45 626688 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-05-16 20:50 138008 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-10-08 18:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-10-08 18:18 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-11-22 02:07 13594624 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-11-22 02:07 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-11-22 02:07 1657376 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 15:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-05-16 20:50 138008 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-02 18:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2005-04-17 16:30 85184 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebrootClientUI]
2008-07-16 15:19 435616 ----a-w- c:\program files\Webroot\Client\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PEVSystemStart"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"DefWatch"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WSearch"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"winmgmt"=2 (0x2)
"WebrootSpySweeperService"=3 (0x3)
"WebrootCommAgentService"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"STacSV"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=2 (0x2)
"SavRoam"=2 (0x2)
"SamSs"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RegSrvc"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtlxSrvMgr"=2 (0x2)
"NtLmSsp"=2 (0x2)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=2 (0x2)
"napagent"=3 (0x3)
"MSSQL$MSSMLBIZ"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1ca2bfda2bb6012"=2 (0x2)
"getPlus(R) Helper"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EvtEng"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=3 (0x3)
"COMSysApp"=3 (0x3)
"CobianBackupAmanita"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SHARP\\Printer Status Monitor\\Smon.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [5/14/2009 5:19 PM 33920]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [6/14/2009 8:20 AM 10752]
S3 mysdrive;Secure Drive Mini-Filter Driver;\??\c:\documents and settings\All Users\Application Data\mysdrive.sys --> c:\documents and settings\All Users\Application Data\mysdrive.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S4 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [4/16/2009 7:39 AM 583168]
S4 gupdate1ca2bfda2bb6012;Google Update Service (gupdate1ca2bfda2bb6012);c:\program files\Google\Update\GoogleUpdate.exe [9/2/2009 1:46 PM 133104]
S4 NtlxSrvMgr;Intellex Service Manager;c:\program files\Sensormatic\NetworkClient\bin\NtlxSrvMgr.exe --> c:\program files\Sensormatic\NetworkClient\bin\NtlxSrvMgr.exe [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://winnersedge.winnco.com
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {6B68CDBA-8AFE-4CAC-80FB-727B9F946957} - hxxp://helpstar/helpstar/hsActiveX/HPluginI.cab
FF - ProfilePath - c:\documents and settings\criddle\Application Data\Mozilla\Firefox\Profiles\z7n93lja.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\criddle\Application Data\Mozilla\Firefox\Profiles\z7n93lja.default\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}\plugins\NPuroamHost.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 15:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
-
December 22nd, 2009, 04:51 PM
#26
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1288)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\WRLogonNtf.DLL
.
Completion time: 2009-12-22 15:38:11
ComboFix-quarantined-files.txt 2009-12-22 20:38
ComboFix2.txt 2009-12-18 17:44
ComboFix3.txt 2009-12-18 17:11
Pre-Run: 48,094,990,336 bytes free
Post-Run: 48,067,260,416 bytes free
- - End Of File - - C767D20AF53326C8BBA027C4C695EA55
-
December 22nd, 2009, 04:53 PM
#27
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.
========================================================
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Doubleclick the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
- This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select Complete scan.
- Click the green arrow at the right, and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.
NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.
Post fresh HijackThis log as well.
-
December 22nd, 2009, 05:03 PM
#28
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1288)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\WRLogonNtf.DLL
.
Completion time: 2009-12-22 15:38:11
ComboFix-quarantined-files.txt 2009-12-22 20:38
ComboFix2.txt 2009-12-18 17:44
ComboFix3.txt 2009-12-18 17:11
Pre-Run: 48,094,990,336 bytes free
Post-Run: 48,067,260,416 bytes free
- - End Of File - - C767D20AF53326C8BBA027C4C695EA55
-
December 22nd, 2009, 05:06 PM
#29
Sorry for that double post. I didn't think it had worked.
-
December 22nd, 2009, 05:15 PM
#30
It's OK. Go ahead with Dr.Web.