Hijacked, new log - Stan M
Logfile of HijackThis v1.99.1
Scan saved at 11:50:24 AM, on 9/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
D:\Program Files\Razer\Diamondback\razerhid.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Curse\CurseClient.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Logitech\Logitech Vid\vid.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Razer\Diamondback\razertra.exe
D:\Program Files\Razer\Diamondback\razerofa.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
D:\Program Files\Hijackthis\HijackThis.exe
D:\Program Files\World of Warcraft\Launcher.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GBTUpd] D:\Program Files\GIGABYTE\GBTUpd\PreRun.exe
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [OSSelectorReinstall] D:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "D:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Diamondback] D:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE D:\WINDOWS\system32\msxm192z.dll,w
O4 - HKCU\..\Run: [CurseClient] D:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Logitech Vid] "D:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "D:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250644229062
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - D:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: klogon - D:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - D:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - D:\Program Files\Java\jre6\bin\jqs.exe" -service -config "D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
And a Malwarebytes log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:43 AM, on 9/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252142271625
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
--
End of file - 5251 bytes
Malwarebytes' Anti-Malware 1.40
Database version: 2770
Windows 5.1.2600 Service Pack 3
9/10/2009 12:13:29 PM
mbam-log-2009-09-10 (12-13-29).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 145737
Time elapsed: 21 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\tajf83ikdmf.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B24AE546-19BD-4F14-9604-F43582FCF3ED}\RP24\A0009903.exe (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rotscxkbsdulkd.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxlovmttiv.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxrpprxtfh.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxvepmpeqj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxvseuijpy.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\rotscxqpxmsttr.sys (Rootkit.TDSS) -> Delete on reboot.
Please run HijackThis and place a tick by the following entries:
O4 - HKLM\..\Run: [GEST] m‘|\ü
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.
Here is the latest HijackThis log.
Scan saved at 2:59:54 AM, on 9/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252142271625
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
--
End of file - 6360 bytes
ComboFix 09-09-12.A0 - Stanley 09/13/2009 11:11.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2362 [GMT -4:00]
Running from: C:\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
2009-09-13 15:05 . 2009-09-13 15:10 3316036 ----a-r- C:\ComboFix.exe
2009-09-12 17:07 . 2009-09-12 17:07 -------- d-----w- c:\program files\iPod
2009-09-12 17:06 . 2009-09-12 17:07 -------- d-----w- c:\program files\iTunes
2009-09-12 17:06 . 2009-09-12 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-12 17:04 . 2009-09-12 17:05 -------- d-----w- c:\program files\QuickTime
2009-09-12 17:03 . 2009-09-12 17:07 -------- d-----w- c:\windows\LastGood
2009-09-12 12:29 . 2009-09-12 12:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-12 12:29 . 2009-09-12 12:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-09-11 06:41 . 2009-09-11 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-11 06:41 . 2009-09-11 06:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-11 06:41 . 2009-09-11 06:41 -------- d-----w- c:\documents and settings\Stanley\Application Data\SUPERAntiSpyware.com
2009-09-11 06:19 . 2009-09-11 06:21 109614 ----a-w- C:\MGlogs.zip
2009-09-11 06:19 . 2009-09-11 06:21 -------- d-----w- C:\MGtools
2009-09-11 06:19 . 2009-09-11 06:19 2381322 ----a-w- C:\MGtools.exe
2009-09-11 00:11 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-10 23:58 . 2009-09-10 23:59 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-10 23:34 . 2009-09-10 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-10 23:34 . 2009-09-10 23:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 23:32 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-10 23:32 . 2009-09-10 23:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-10 23:32 . 2009-09-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-10 23:32 . 2009-09-10 23:32 -------- d-----w- c:\program files\Lavasoft
2009-09-10 16:05 . 2009-09-10 16:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-10 16:05 . 2009-09-10 16:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-10 07:38 . 2009-09-10 07:38 -------- d-----w- c:\documents and settings\Stanley\Application Data\Windows Search
2009-09-10 07:32 . 2009-09-10 07:33 18432 ----a-w- C:\cjej.exe
2009-09-10 06:23 . 2009-09-10 07:16 -------- d-----w- c:\documents and settings\Stanley\Application Data\LimeWire
2009-09-10 06:22 . 2009-07-25 09:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-10 06:21 . 2009-09-10 16:25 -------- d-----w- c:\program files\Java
2009-09-08 23:55 . 2009-09-08 23:56 -------- d-----w- c:\documents and settings\Stanley\Application Data\Ventrilo
2009-09-08 23:54 . 2009-09-08 23:54 -------- d-----w- c:\program files\Ventrilo
2009-09-08 23:54 . 2009-09-11 06:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-08 20:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 17:49 . 2009-09-08 17:49 -------- d-----w- c:\program files\Uniblue
2009-09-08 17:23 . 2009-09-08 17:23 13104 ----a-w- c:\documents and settings\Stanley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 17:23 . 2009-09-08 17:23 -------- d-----w- c:\program files\Windows Defender
2009-09-07 21:41 . 2009-09-07 21:41 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Blizzard Entertainment
2009-09-06 10:40 . 2009-09-11 06:21 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\ApplicationHistory
2009-09-05 22:18 . 2009-09-13 14:18 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\CurseClient
2009-09-05 22:17 . 2009-09-05 22:18 -------- d-----w- c:\program files\Curse
2009-09-05 12:27 . 2009-09-10 06:40 -------- d-----w- C:\World of Warcraft
2009-09-05 12:00 . 2009-09-05 12:00 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-05 12:00 . 2009-09-05 12:00 -------- d-----w- c:\program files\MSBuild
2009-09-05 11:59 . 2009-09-05 11:59 -------- d-----w- c:\program files\Reference Assemblies
2009-09-05 11:59 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-05 11:59 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-05 11:59 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-05 11:59 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-05 11:59 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-05 11:59 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-05 11:59 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Identities
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-----w- c:\documents and settings\Stanley\Application Data\Windows Desktop Search
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-05 11:56 . 2009-09-06 10:44 -------- d-----w- c:\program files\Windows Desktop Search
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-----w- c:\windows\system32\GroupPolicy
2009-09-05 11:55 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-09-05 11:55 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-09-05 11:55 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-09-05 11:53 . 2009-09-05 11:53 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-05 11:52 . 2009-09-05 11:52 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-09-05 11:50 . 2009-09-05 11:50 -------- d-----w- c:\windows\system32\URTTemp
2009-09-05 11:46 . 2009-09-05 11:46 -------- d-sh--w- c:\documents and settings\Stanley\IECompatCache
2009-09-05 11:45 . 2009-09-05 11:45 -------- d-sh--w- c:\documents and settings\Stanley\PrivacIE
2009-09-05 11:31 . 2009-09-05 11:31 -------- d-sh--w- c:\documents and settings\Stanley\IETldCache
2009-09-05 11:29 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-05 11:29 . 2009-09-08 20:38 -------- d-----w- c:\windows\ie8updates
2009-09-05 11:29 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-05 11:29 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-05 11:29 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-05 11:29 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-05 11:29 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-05 11:29 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-05 11:25 . 2009-09-05 11:25 -------- dc-h--w- c:\windows\ie8
2009-09-05 11:14 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-05 11:13 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-09-05 11:13 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-09-05 11:13 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-09-05 11:13 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-05 11:13 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-09-05 11:13 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-09-05 11:13 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-09-05 11:13 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-09-05 11:13 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-09-05 11:13 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-05 11:13 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-05 11:13 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-05 11:12 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-09-05 11:12 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-09-05 11:12 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-09-05 11:12 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-05 11:11 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-09-05 11:11 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-09-05 11:11 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-09-05 11:11 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-05 11:11 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-09-05 11:11 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-09-05 10:51 . 2009-09-05 10:51 -------- d-----w- c:\windows\system32\scripting
2009-09-05 10:51 . 2009-09-05 10:51 -------- d-----w- c:\windows\l2schemas
2009-09-05 10:51 . 2009-09-05 10:51 -------- d-----w- c:\windows\system32\en
2009-09-05 10:51 . 2009-09-05 10:51 -------- d-----w- c:\windows\system32\bits
2009-09-05 10:49 . 2009-09-05 10:49 -------- d-----w- c:\windows\ServicePackFiles
2009-09-05 10:35 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-09-05 09:32 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\mstee.sys
2009-09-05 09:32 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\ndisip.sys
2009-09-05 09:32 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\streamip.sys
2009-09-05 09:32 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\slip.sys
2009-09-05 09:32 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\wstcodec.sys
2009-09-05 09:32 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\nabtsfec.sys
2009-09-05 09:32 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\ccdecode.sys
2009-09-05 09:25 . 2009-09-05 09:25 -------- d-----w- c:\program files\Logitech
2009-09-05 09:22 . 2009-09-08 20:39 -------- d--h--w- c:\windows\$hf_mig$
2009-09-05 09:19 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-05 09:17 . 2009-09-05 09:17 -------- d-sh--w- c:\documents and settings\Stanley\UserData
2009-09-05 08:48 . 2009-09-05 08:48 -------- d-----w- c:\program files\Western Digital
2009-09-05 08:33 . 2009-09-05 08:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-09-05 08:31 . 2009-09-05 08:31 -------- d-----w- C:\Temp
2009-09-05 08:29 . 2009-09-05 08:29 -------- d-----w- c:\windows\Cache
2009-09-05 08:24 . 2009-09-05 08:24 -------- d-----w- c:\program files\Trend Micro
2009-09-05 08:22 . 2009-09-05 08:22 0 ----a-w- c:\windows\ativpsrm.bin
2009-09-05 08:17 . 2009-09-05 08:17 0 ----a-w- c:\windows\nsreg.dat
2009-09-05 08:17 . 2009-09-05 08:17 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Mozilla
2009-09-05 08:13 . 2009-09-05 08:13 -------- d-----w- c:\documents and settings\Stanley\Application Data\Malwarebytes
2009-09-05 08:13 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 08:13 . 2009-09-11 09:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 17:07 . 2009-09-08 06:53 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 07:17 . 2009-09-05 07:49 16608 ----a-w- c:\windows\gdrv.sys
2009-09-11 07:17 . 2009-09-05 09:32 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-11 07:16 . 2009-09-05 08:03 30008 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-09-11 07:16 . 2009-09-05 08:03 48032 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-08 06:57 . 2009-09-08 06:57 -------- d-----w- c:\documents and settings\Stanley\Application Data\Apple Computer
2009-09-08 06:55 . 2009-09-08 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-08 06:55 . 2009-09-08 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-08 06:54 . 2009-09-08 06:54 -------- d-----w- c:\program files\Bonjour
2009-09-08 06:54 . 2009-09-08 06:54 -------- d-----w- c:\program files\Apple Software Update
2009-09-08 06:53 . 2009-09-08 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-05 09:32 . 2009-09-05 09:25 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-05 09:25 . 2009-09-05 09:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-09-05 09:25 . 2009-09-05 09:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-09-05 08:48 . 2009-09-05 07:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-05 08:09 . 2009-09-05 07:50 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-05 07:56 . 2009-09-05 07:53 -------- d-----w- c:\program files\Realtek
2009-09-05 07:56 . 2009-09-05 07:56 -------- d-----w- c:\documents and settings\Stanley\Application Data\InstallShield
2009-09-05 07:53 . 2009-09-05 07:53 315392 ----a-w- c:\windows\HideWin.exe
2009-09-05 07:50 . 2009-09-05 07:50 -------- d-----w- c:\program files\Intel
2009-09-05 07:50 . 2009-09-05 07:50 -------- d-----w- c:\program files\GIGABYTE
2009-09-05 07:44 . 2009-09-05 07:44 -------- d-----w- c:\program files\microsoft frontpage
2009-09-05 07:40 . 2009-09-05 07:40 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-09-08 06:53 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-09-08 06:53 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/10/2009 7:32 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [9/5/2009 3:50 AM 80392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/5/2009 4:13 AM 269648]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/5/2009 4:13 AM 19160]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [4/24/2005 10:43 PM 13225]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IPOD_SERVICE
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSERVICE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-09-13 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Stanley.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-05 18:53]
2009-09-13 c:\windows\Tasks\Malwarebytes' Scheduled Update for Stanley.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-05 18:53]
2009-09-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2009-09-13 c:\windows\Tasks\User_Feed_Synchronization-{3A960414-1DBC-42C6-9340-0797151BA120}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Stanley\Application Data\Mozilla\Firefox\Profiles\a19plc8h.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 11:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
? [13428]
? [34148]
? [34484]
? [24808]
? [26148]
? [60740]
? [21088]
? [39232]
? [38572]
? [38028]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
- - - - - - - > 'explorer.exe'(497984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-13 11:18
ComboFix-quarantined-files.txt 2009-09-13 15:18
ComboFix2.txt 2009-09-10 07:55
ComboFix3.txt 2009-09-10 07:49
Pre-Run: 455,500,808,192 bytes free
Post-Run: 455,470,284,800 bytes free
300 --- E O F --- 2009-09-08 20:40
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the codebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your reply later.
*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
=========================
Now let's have you go HERE to run Panda ActiveScan 2.0
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2456 [GMT -4:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FILE ::
"C:\cjej.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\cjej.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
2009-09-13 21:37 . 2009-09-13 21:37 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Happy Hour Code, LLC
2009-09-13 21:36 . 2009-09-13 21:36 -------- d-----w- c:\program files\iPodRip
2009-09-13 21:30 . 2009-09-13 21:30 -------- d-----w- c:\program files\Xilisoft
2009-09-13 21:15 . 2007-10-30 07:54 136448 ----a-r- c:\windows\system32\drivers\SaiH0728.sys
2009-09-13 15:05 . 2009-09-13 22:16 3314972 ----a-r- C:\ComboFix.exe
2009-09-12 17:07 . 2009-09-12 17:07 -------- d-----w- c:\program files\iPod
2009-09-12 17:06 . 2009-09-12 17:07 -------- d-----w- c:\program files\iTunes
2009-09-12 17:06 . 2009-09-12 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-12 17:04 . 2009-09-12 17:05 -------- d-----w- c:\program files\QuickTime
2009-09-12 17:03 . 2009-09-13 21:16 -------- d-----w- c:\windows\LastGood
2009-09-12 12:29 . 2009-09-12 12:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-12 12:29 . 2009-09-12 12:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-09-11 06:41 . 2009-09-11 06:41 117760 ----a-w- c:\documents and settings\Stanley\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-11 06:41 . 2009-09-11 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-11 06:41 . 2009-09-11 06:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-11 06:41 . 2009-09-11 06:41 -------- d-----w- c:\documents and settings\Stanley\Application Data\SUPERAntiSpyware.com
2009-09-11 06:19 . 2009-09-11 06:21 109614 ----a-w- C:\MGlogs.zip
2009-09-11 06:19 . 2009-09-11 06:21 -------- d-----w- C:\MGtools
2009-09-11 06:19 . 2009-09-11 06:19 2381322 ----a-w- C:\MGtools.exe
2009-09-11 00:11 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-10 23:58 . 2009-09-10 23:59 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-10 23:34 . 2009-09-10 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-10 23:34 . 2009-09-10 23:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 23:32 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-10 23:32 . 2009-09-10 23:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-10 23:32 . 2009-09-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-10 23:32 . 2009-09-10 23:32 -------- d-----w- c:\program files\Lavasoft
2009-09-10 16:24 . 2009-09-10 16:24 152576 ----a-w- c:\documents and settings\Stanley\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-10 16:05 . 2009-09-10 16:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-10 16:05 . 2009-09-10 16:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-10 07:38 . 2009-09-10 07:38 -------- d-----w- c:\documents and settings\Stanley\Application Data\Windows Search
2009-09-10 06:23 . 2009-09-10 07:16 -------- d-----w- c:\documents and settings\Stanley\Application Data\LimeWire
2009-09-10 06:22 . 2009-07-25 09:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-10 06:21 . 2009-09-10 16:25 -------- d-----w- c:\program files\Java
2009-09-10 06:21 . 2009-09-10 06:21 152576 ----a-w- c:\documents and settings\Stanley\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-08 23:55 . 2009-09-08 23:56 -------- d-----w- c:\documents and settings\Stanley\Application Data\Ventrilo
2009-09-08 23:54 . 2009-09-08 23:54 -------- d-----w- c:\program files\Ventrilo
2009-09-08 23:54 . 2009-09-11 06:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-08 20:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 17:49 . 2009-09-08 17:49 -------- d-----w- c:\program files\Uniblue
2009-09-08 17:23 . 2009-09-08 17:23 13104 ----a-w- c:\documents and settings\Stanley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 17:23 . 2009-09-08 17:23 -------- d-----w- c:\program files\Windows Defender
2009-09-08 06:57 . 2009-09-13 17:22 -------- d-----w- c:\documents and settings\Stanley\Application Data\Apple Computer
2009-09-08 06:55 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-08 06:55 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-08 06:55 . 2009-09-08 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-08 06:54 . 2009-09-08 06:54 -------- d-----w- c:\program files\Bonjour
2009-09-08 06:54 . 2009-09-08 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-08 06:54 . 2009-09-08 06:54 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Apple
2009-09-08 06:54 . 2009-09-08 06:54 -------- d-----w- c:\program files\Apple Software Update
2009-09-08 06:53 . 2009-08-28 23:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-09-08 06:53 . 2009-08-28 23:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-09-08 06:53 . 2009-09-12 17:07 -------- d-----w- c:\program files\Common Files\Apple
2009-09-08 06:53 . 2009-09-08 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-08 06:53 . 2009-09-13 21:44 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Apple Computer
2009-09-07 21:41 . 2009-09-07 21:41 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Blizzard Entertainment
2009-09-06 10:40 . 2009-09-11 06:21 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\ApplicationHistory
2009-09-05 22:18 . 2009-09-13 14:18 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\CurseClient
2009-09-05 22:17 . 2009-09-05 22:18 -------- d-----w- c:\program files\Curse
2009-09-05 12:27 . 2009-09-10 06:40 -------- d-----w- C:\World of Warcraft
2009-09-05 12:00 . 2009-09-05 12:00 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-05 12:00 . 2009-09-05 12:00 -------- d-----w- c:\program files\MSBuild
2009-09-05 11:59 . 2009-09-05 11:59 -------- d-----w- c:\program files\Reference Assemblies
2009-09-05 11:59 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-05 11:59 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-05 11:59 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-05 11:59 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-05 11:59 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-05 11:59 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-05 11:59 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-----w- c:\documents and settings\Stanley\Local Settings\Application Data\Identities
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-----w- c:\documents and settings\Stanley\Application Data\Windows Desktop Search
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-05 11:56 . 2009-09-06 10:44 -------- d-----w- c:\program files\Windows Desktop Search
2009-09-05 11:56 . 2009-09-05 11:56 -------- d-----w- c:\windows\system32\GroupPolicy
2009-09-05 11:55 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-09-05 11:55 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-09-05 11:55 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-09-05 11:53 . 2009-09-05 11:53 d-----w- c:\program files\Windows Media Connect 2
2009-09-05 11:52 . 2009-09-05 11:52 d-----w- c:\windows\system32\drivers\UMDF
2009-09-05 11:50 . 2009-09-05 11:50 d-----w- c:\windows\system32\URTTemp
2009-09-05 11:46 . 2009-09-05 11:46 d-sh--w- c:\documents and settings\Stanley\IECompatCache
2009-09-05 11:45 . 2009-09-05 11:45 d-sh--w- c:\documents and settings\Stanley\PrivacIE
2009-09-05 11:31 . 2009-09-05 11:31 d-sh--w- c:\documents and settings\Stanley\IETldCache
2009-09-05 11:29 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-05 11:29 . 2009-09-08 20:38 d-----w- c:\windows\ie8updates
2009-09-05 11:29 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-05 11:29 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-05 11:29 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-05 11:29 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-05 11:29 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-05 11:29 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-05 11:25 . 2009-09-05 11:25 dc-h--w- c:\windows\ie8
2009-09-05 11:14 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-05 11:13 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-09-05 11:13 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-09-05 11:13 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-09-05 11:13 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-05 11:13 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-09-05 11:13 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-09-05 11:13 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-09-05 11:13 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-09-05 11:13 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-09-05 11:13 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-05 11:13 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-05 11:13 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-05 11:12 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-09-05 11:12 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-09-05 11:12 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-09-05 11:12 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-05 11:11 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-09-05 11:11 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-09-05 11:11 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-09-05 11:11 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-05 11:11 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-09-05 11:11 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-09-05 10:51 . 2009-09-05 10:51 d-----w- c:\windows\system32\scripting
2009-09-05 10:51 . 2009-09-05 10:51 d-----w- c:\windows\l2schemas
2009-09-05 10:51 . 2009-09-05 10:51 d-----w- c:\windows\system32\en
2009-09-05 10:51 . 2009-09-05 10:51 d-----w- c:\windows\system32\bits
2009-09-05 10:49 . 2009-09-05 10:49 d-----w- c:\windows\ServicePackFiles
2009-09-05 10:35 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-09-05 09:32 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\mstee.sys
2009-09-05 09:32 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\ndisip.sys
2009-09-05 09:32 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\streamip.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 07:17 . 2009-09-05 07:49 16608 ----a-w- c:\windows\gdrv.sys
2009-09-11 07:17 . 2009-09-05 09:32 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-11 07:16 . 2009-09-05 08:03 30008 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-09-11 07:16 . 2009-09-05 08:03 48032 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-05 08:48 . 2009-09-05 07:50 d--h--w- c:\program files\InstallShield Installation Information
2009-09-05 08:09 . 2009-09-05 07:50 d-----w- c:\program files\Common Files\InstallShield
2009-09-05 07:56 . 2009-09-05 07:53 d-----w- c:\program files\Realtek
2009-09-05 07:56 . 2009-09-05 07:56 d-----w- c:\documents and settings\Stanley\Application Data\InstallShield
2009-09-05 07:53 . 2009-09-05 07:53 315392 ----a-w- c:\windows\HideWin.exe
2009-09-05 07:50 . 2009-09-05 07:50 d-----w- c:\program files\Intel
2009-09-05 07:50 . 2009-09-05 07:50 d-----w- c:\program files\GIGABYTE
2009-09-05 07:44 . 2009-09-05 07:44 d-----w- c:\program files\microsoft frontpage
2009-09-05 07:40 . 2009-09-05 07:40 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-19 08:34 . 2009-08-19 08:34 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-19 08:34 . 2009-08-19 08:34 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-19 08:34 . 2009-08-19 08:34 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-13_15.17.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-13 21:16 . 2008-04-13 18:39 14592 c:\windows\system32\ReinstallBackups\0026\DriverFiles\i386\kbdhid.sys
+ 2009-09-13 21:16 . 2008-04-13 18:39 24576 c:\windows\system32\ReinstallBackups\0026\DriverFiles\i386\kbdclass.sys
+ 2009-09-13 21:16 . 2008-04-13 18:45 10368 c:\windows\system32\ReinstallBackups\0025\DriverFiles\i386\hidusb.sys
+ 2009-09-13 21:16 . 2008-04-13 18:45 24960 c:\windows\system32\ReinstallBackups\0025\DriverFiles\i386\hidparse.sys
+ 2009-09-13 21:16 . 2008-04-13 18:45 36864 c:\windows\system32\ReinstallBackups\0025\DriverFiles\i386\hidclass.sys
+ 2009-09-13 21:16 . 2008-04-14 00:11 20992 c:\windows\system32\ReinstallBackups\0025\DriverFiles\i386\hid.dll
+ 2009-09-13 21:15 . 2008-04-13 18:45 10368 c:\windows\system32\ReinstallBackups\0024\DriverFiles\i386\hidusb.sys
+ 2009-09-13 21:15 . 2008-04-13 18:45 24960 c:\windows\system32\ReinstallBackups\0024\DriverFiles\i386\hidparse.sys
+ 2009-09-13 21:15 . 2008-04-13 18:45 36864 c:\windows\system32\ReinstallBackups\0024\DriverFiles\i386\hidclass.sys
+ 2009-09-13 21:15 . 2008-04-14 00:11 20992 c:\windows\system32\ReinstallBackups\0024\DriverFiles\i386\hid.dll
+ 2009-09-13 21:15 . 2008-04-14 00:11 21504 c:\windows\system32\ReinstallBackups\0022\DriverFiles\i386\hidserv.dll
- 2004-08-04 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
+ 2004-08-04 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
+ 2004-08-04 12:00 . 2008-04-13 18:39 14592 c:\windows\system32\dllcache\kbdhid.sys
+ 2004-08-04 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\kbdclass.sys
+ 2009-09-13 21:15 . 2008-04-14 00:11 20992 c:\windows\LastGood\system32\hid.dll
+ 2009-09-13 17:22 . 2009-07-09 16:16 39424 c:\windows\LastGood\system32\DRIVERS\usbaapl.sys
+ 2009-09-13 21:16 . 2008-04-13 18:39 14592 c:\windows\LastGood\system32\DRIVERS\kbdhid.sys
+ 2009-09-13 21:16 . 2008-04-13 18:39 24576 c:\windows\LastGood\system32\DRIVERS\kbdclass.sys
+ 2009-09-13 21:15 . 2008-04-13 18:45 10368 c:\windows\LastGood\system32\DRIVERS\hidusb.sys
+ 2009-09-13 21:15 . 2008-04-13 18:45 24960 c:\windows\LastGood\system32\DRIVERS\hidparse.sys
+ 2009-09-13 21:15 . 2008-04-13 18:45 36864 c:\windows\LastGood\system32\DRIVERS\hidclass.sys
+ 2009-09-05 08:03 . 2009-09-13 22:23 345376 c:\windows\system32\drivers\fidbox2.dat
+ 2009-09-13 21:36 . 2009-09-13 21:36 464384 c:\windows\Installer\d5fffb6.msi
+ 2009-09-05 08:03 . 2009-09-13 22:23 3960352 c:\windows\system32\drivers\fidbox.dat
+ 2009-09-13 17:22 . 2009-07-09 16:16 2060288 c:\windows\LastGood\system32\usbaaplrc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/10/2009 7:32 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [9/5/2009 3:50 AM 80392]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/5/2009 4:13 AM 269648]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/5/2009 4:13 AM 19160]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [4/24/2005 10:43 PM 13225]
R3 SaiH0728;SaiH0728;c:\windows\system32\drivers\SaiH0728.sys [9/13/2009 5:15 PM 136448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IPOD_SERVICE
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSERVICE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-09-13 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Stanley.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-05 18:53]
2009-09-13 c:\windows\Tasks\Malwarebytes' Scheduled Update for Stanley.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-05 18:53]
2009-09-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2009-09-13 c:\windows\Tasks\User_Feed_Synchronization-{3A960414-1DBC-42C6-9340-0797151BA120}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Stanley\Application Data\Mozilla\Firefox\Profiles\a19plc8h.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 18:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
? [13428]
? [34148]
? [34484]
? [24808]
? [57668]
? [58364]
? [57068]
? [61204]
? [61124]
? [61248]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
.
Completion time: 2009-09-13 18:25
ComboFix-quarantined-files.txt 2009-09-13 22:25
ComboFix2.txt 2009-09-13 15:18
ComboFix3.txt 2009-09-10 07:55
ComboFix4.txt 2009-09-10 07:49
Pre-Run: 454,509,047,808 bytes free
Post-Run: 454,474,256,384 bytes free
322 --- E O F --- 2009-09-08 20:40
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-09-13 20:16:22
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Anti-Virus 6.0.2.621 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{B24AE546-19BD-4F14-9604-F43582FCF3ED}\RP24\A0010048.sys
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{B24AE546-19BD-4F14-9604-F43582FCF3ED}\RP6\A0000180.sys
00933732 Trj/Downloader.MDW Virus/Trojan No 1 No No C:\System Volume Information\_restore{B24AE546-19BD-4F14-9604-F43582FCF3ED}\RP16\A0006590.exe[iexplorer.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\System Volume Information\_restore{B24AE546-19BD-4F14-9604-F43582FCF3ED}\RP15\A0006416.exe[WGASetup.exe]
No C:\System Volume Information\_restore{B24AE546-19BD-4F14-9604-F43582FCF3ED}\RP24\A0009762.exe
No C:\System Volume Information\_restore{B24AE546-19BD-4F14-9604-F43582FCF3ED}\RP27\A0010255.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;============================================================================================================================================================
It's time to remove ComboFix.
Go to Start > Run
Type in box
combofix /u
Note: the space between the X and the /u
Press Enter.
This command will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Even if you have no more queries, I would appreciate if you can reply once more to this thread so that I will be able to have this archived. Thanks.
Thanks for all your help.
Hopefully, if I need to stop by, it will be to say hello and not to have something fixed again.
Glad we could be of assistance! This topic is now closed.
If I have helped you, please consider making a personal donation (Paypal) to me at parasite[AT]parasitedb.com.
To support Icrontic, click here:
http://icrontic.com/support
Donations are entirely voluntary in nature and will have no bearing on the future help that you may receive.
If you wish to reopen your topic, please send a Private Message (PM) to Trogan or me with a link to your thread.
If you are not the user who started this thread, you must start your own Thread instead