Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

Old 27th December 2008   #1
darkpix (Member)

[Active] XP hangs in normal mode, no internet in safe mode with networking

Hi,
A couple of weeks ago I got hit with Vundo trojans. I used SUPERAntiSpyware and Malwarebytes to clean it over and over, but it kept coming back.
Today, my computer stopped working in normal mode. It would freeze while loading apps. I went into safe mode and disabled everything non-Windows, but still no luck. It won't load.

Also, in safe mode with networking, I have no internet. If I click on IE or Firefox, nothing happens, but it uses up 100% of the processor and it never starts.

I am using XP Pro with SP3.

I just ran ComboFix. It removed a bunch of malware and everything seems to be working again.


Darkpix


Last edited by darkpix; 27th December 2008 at 08:29.
Old 28th December 2008   #2
noahdfear (Staff, New Bremen, Ohio U.S.A.)


Welcome to WindowsBBS darkpix

Please post the contents of C:\ComboFix.txt for review. There may be more goodies left to remove.

Old 3rd January 2009   #3
darkpix (Member)


Hi noahdfear, thanks. I had missed your reply.

I ran ComboFix again just now and created a new log.
I have not had any more issues, but I would appreciate a deeper look.

Thanks in advance,
dp


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 22:54 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-02 22:54 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-01-02 22:54 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-02 22:54 . 2008-04-14 00:15 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-28 15:04 . 2008-12-28 15:04 <DIR> d-------- c:\program files\MagicDisc
2008-12-28 15:04 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
2008-12-27 02:07 . 2008-10-16 13:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-27 02:07 . 2007-04-17 02:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-27 02:07 . 2007-03-07 22:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-27 02:07 . 2008-10-16 13:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-27 02:07 . 2008-10-16 13:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-27 02:07 . 2008-10-16 13:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-27 02:07 . 2008-10-16 13:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-27 02:07 . 2008-10-16 13:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-27 02:07 . 2008-10-16 06:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-27 01:05 . 2008-12-27 01:05 <DIR> d-------- c:\windows\system32\URTTEMP
2008-12-27 00:47 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-27 00:46 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 00:46 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 00:46 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 00:46 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 00:43 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-27 00:37 . 2008-12-27 00:37 <DIR> d-------- c:\program files\Avira
2008-12-27 00:37 . 2008-12-27 00:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-27 00:25 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-26 22:52 . 2008-12-26 22:52 265 --a------ c:\windows\SysMech6.INI
2008-12-26 22:23 . 2008-12-26 22:23 4,096 --a------ C:\Volume{52C8E4FE-B853-42c1-9528-92978438BBF3}_Backup
2008-12-26 22:23 . 2008-12-27 00:31 4,096 --a------ C:\Volume{52C8E4FE-B853-42c1-9528-92978438BBF3}
2008-12-26 22:23 . 2008-12-26 22:23 4,096 --a------ C:\00007E00-D260D260_Backup
2008-12-26 22:23 . 2008-12-27 00:31 4,096 --a------ C:\00007E00-D260D260
2008-12-26 21:46 . 2008-12-26 21:46 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2008-12-26 21:43 . 2008-12-27 00:25 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-26 21:43 . 2008-12-27 00:32 <DIR> d-------- c:\program files\iolo
2008-12-26 21:43 . 2002-08-09 08:00 1,731,584 --a------ c:\windows\system32\XercesLib.dll
2008-12-26 21:43 . 2002-08-09 08:00 1,500,160 --a------ c:\windows\system32\CC3260MT.DLL
2008-12-26 21:43 . 2002-08-09 08:00 325,120 --a------ c:\windows\system32\xercesxmldom.dll
2008-12-26 19:23 . 2003-09-12 14:32 3,162,278 --a------ c:\windows\{00000002-00000000-0000000D-00001102-00000004-00531102}.CDF
2008-12-26 19:09 . 2008-04-13 20:39 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-12-26 19:08 . 2001-08-23 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-12-26 19:07 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-26 17:10 . 2008-12-26 17:10 1,871 --a------ c:\windows\setupapi.old
2008-12-23 17:57 . 2008-12-23 17:57 <DIR> d-------- c:\program files\Xvid
2008-12-23 17:57 . 2008-12-23 18:03 <DIR> d-------- c:\documents and settings\dmb\Application Data\AVI ReComp
2008-12-23 17:57 . 2007-06-28 18:55 77,824 --a------ c:\windows\system32\xvid.ax
2008-12-23 17:55 . 2008-12-23 17:57 <DIR> d-------- c:\program files\AVI ReComp
2008-12-23 17:51 . 2008-12-29 03:08 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-23 17:51 . 2008-12-23 17:51 1,409 --a------ c:\windows\QTFont.for
2008-12-22 02:10 . 2008-12-22 21:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_
2008-12-22 01:31 . 2008-12-27 22:24 <DIR> d-------- c:\program files\COMODO
2008-12-21 17:21 . 2008-12-21 17:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-21 17:20 . 2008-12-26 13:14 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-21 17:20 . 2008-12-21 17:20 <DIR> d-------- c:\documents and settings\dmb\Application Data\SUPERAntiSpyware.com
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- c:\documents and settings\dmb\Application Data\Media Player Classic
2008-12-21 14:52 . 2008-12-21 14:51 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 12:59 . 2008-12-21 12:59 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-21 12:34 . 2008-12-21 13:04 <DIR> d-------- c:\documents and settings\dmb\Application Data\Dr. DivX 2.0 OSS
2008-12-21 12:25 . 2008-12-21 12:25 <DIR> d-------- C:\divx
2008-12-21 12:23 . 2008-12-21 12:23 <DIR> d-------- c:\documents and settings\dmb\Application Data\DivX
2008-12-21 12:20 . 2008-12-21 13:03 <DIR> d-------- c:\program files\DivX
2008-12-20 23:42 . 2007-12-17 13:53 159,458 --a------ c:\windows\system32\nvapps.nvb
2008-12-20 23:35 . 2008-12-20 23:35 4,444 --a------ c:\windows\system32\pid.PNF
2008-12-20 23:34 . 2008-04-13 22:40 1,296,669 -ra------ c:\windows\SET8B.tmp
2008-12-20 23:34 . 2008-04-13 22:34 1,088,840 -ra------ c:\windows\SET8E.tmp
2008-12-20 23:34 . 2008-04-13 22:34 16,535 -ra------ c:\windows\SET9A.tmp
2008-12-20 22:14 . 2008-04-13 17:12 221,696 --a--c--- c:\windows\system32\dllcache\seo.dll
2008-12-20 22:14 . 2008-04-13 17:12 189,440 --a--c--- c:\windows\system32\dllcache\smtpadm.dll
2008-12-20 22:14 . 2008-04-13 17:12 10,752 --a------ c:\windows\system32\smtpapi.dll
2008-12-20 22:14 . 2008-04-13 17:12 10,752 --a--c--- c:\windows\system32\dllcache\smtpapi.dll
2008-12-20 22:14 . 2008-04-13 17:12 9,728 --a------ c:\windows\system32\rwnh.dll
2008-12-20 22:14 . 2008-04-13 17:12 9,728 --a--c--- c:\windows\system32\dllcache\rwnh.dll
2008-12-20 17:25 . 2008-12-28 15:10 268 --ah----- C:\sqmdata19.sqm
2008-12-20 17:05 . 2008-12-20 17:05 <DIR> d-------- c:\program files\Windows Resource Kits
2008-12-20 16:07 . 2008-12-22 22:00 268 --ah----- C:\sqmdata18.sqm
2008-12-20 12:40 . 2008-12-22 21:43 268 --ah----- C:\sqmdata17.sqm
2008-12-20 12:11 . 2008-12-22 21:32 268 --ah----- C:\sqmdata16.sqm
2008-12-20 12:11 . 2008-12-22 21:32 244 --ah----- C:\sqmnoopt18.sqm
2008-12-20 11:57 . 2008-12-22 21:03 268 --ah----- C:\sqmdata15.sqm
2008-12-20 11:57 . 2008-12-22 21:03 244 --ah----- C:\sqmnoopt17.sqm
2008-12-19 19:14 . 2008-12-22 20:26 268 --ah----- C:\sqmdata14.sqm
2008-12-19 19:14 . 2008-12-22 20:26 244 --ah----- C:\sqmnoopt16.sqm
2008-12-19 18:59 . 2008-12-22 19:37 268 --ah----- C:\sqmdata13.sqm
2008-12-19 18:59 . 2008-12-22 19:37 244 --ah----- C:\sqmnoopt15.sqm
2008-12-19 18:53 . 2008-12-22 11:42 268 --ah----- C:\sqmdata12.sqm
2008-12-19 18:53 . 2008-12-22 11:42 244 --ah----- C:\sqmnoopt14.sqm
2008-12-19 18:47 . 2008-12-26 13:56 <DIR> d-------- c:\documents and settings\dmb\Application Data\Online Solutions
2008-12-19 11:52 . 2008-12-19 11:52 <DIR> d-------- c:\program files\Online Solutions
2008-12-19 11:52 . 2008-12-19 11:52 <DIR> d-------- c:\program files\Common Files\Online Solutions Shared
2008-12-19 09:19 . 2008-12-22 11:15 268 --ah----- C:\sqmdata11.sqm
2008-12-19 09:19 . 2008-12-22 11:15 244 --ah----- C:\sqmnoopt13.sqm
2008-12-19 01:38 . 2008-12-22 01:08 268 --ah----- C:\sqmdata10.sqm
2008-12-19 01:38 . 2008-12-22 01:08 244 --ah----- C:\sqmnoopt12.sqm
2008-12-18 23:57 . 2008-12-21 17:19 268 --ah----- C:\sqmdata09.sqm
2008-12-18 23:57 . 2008-12-21 17:19 244 --ah----- C:\sqmnoopt11.sqm
2008-12-17 11:45 . 2008-12-21 16:46 268 --ah----- C:\sqmdata08.sqm
2008-12-17 11:45 . 2008-12-21 16:46 244 --ah----- C:\sqmnoopt10.sqm
2008-12-17 10:41 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-17 10:33 . 2008-12-21 11:31 268 --ah----- C:\sqmdata07.sqm
2008-12-17 10:33 . 2008-12-21 11:31 244 --ah----- C:\sqmnoopt09.sqm
2008-12-17 00:50 . 2008-12-21 05:12 268 --ah----- C:\sqmdata06.sqm
2008-12-17 00:50 . 2008-12-21 05:12 244 --ah----- C:\sqmnoopt08.sqm
2008-12-16 18:29 . 2008-12-16 18:29 70,144 --a------ c:\windows\system32\wvUKBRHw.dll
2008-12-15 19:10 . 2008-12-15 19:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-15 19:10 . 2008-12-15 19:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-07 18:21 . 2008-12-07 18:21 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-12-07 18:21 . 2008-12-12 01:44 156 --a------ c:\windows\Twunk001.MTX
2008-12-07 18:21 . 2008-12-12 01:44 2 --a------ c:\windows\Twain001.Mtx
2008-12-07 18:21 . 2008-12-07 18:21 0 --a------ c:\windows\Twunk002.MTX
2008-12-07 17:55 . 2008-12-07 17:55 <DIR> d-------- c:\documents and settings\dmb\Application Data\Roxio
2008-12-07 17:09 . 2008-12-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-07 17:09 . 2008-12-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-12-07 17:05 . 2008-12-22 20:38 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-07 17:05 . 2008-12-22 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-07 16:56 . 2008-12-07 16:56 <DIR> d-------- c:\program files\Research In Motion
2008-12-07 16:38 . 2008-12-07 16:38 256 --a------ c:\documents and settings\dmb\pool.bin
2008-12-07 14:37 . 2008-12-22 20:22 256 --a------ c:\windows\system32\pool.bin
2008-12-07 14:25 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-12-07 14:20 . 2008-12-22 20:25 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-07 08:39 . 2008-12-07 08:39 <DIR> d-------- c:\documents and settings\dmb\Application Data\Red Kawa
2008-12-07 08:30 . 2008-12-07 08:30 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 05:45 --------- d-----w c:\documents and settings\dmb\Application Data\uTorrent
2009-01-02 00:15 43,698 ----a-w c:\windows\system32\xvid-uninstall.exe
2009-01-02 00:15 --------- d-----w c:\program files\AviSynth 2.5
2009-01-02 00:15 --------- d-----w c:\program files\AutoGK
2009-01-01 00:54 --------- d-----w c:\program files\FlashFXP
2008-12-28 22:48 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 03:56 --------- d-----w c:\program files\MagicISO
2008-12-27 01:32 --------- d-----w c:\program files\Winamp
2008-12-22 12:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-22 00:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-21 21:51 --------- d-----w c:\program files\Java
2008-12-21 08:36 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 15:49 --------- d-----w c:\documents and settings\dmb\Application Data\Skype
2008-12-16 08:49 --------- d-----w c:\documents and settings\dmb\Application Data\skypePM
2008-12-14 08:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 11:53 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-08 00:10 --------- d-----w c:\documents and settings\dmb\Application Data\InstallShield
2008-12-08 00:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-03 07:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-29 11:41 2,294,291 ----a-w c:\windows\system32\x264vfw.dll
2008-11-23 21:24 --------- d-----w c:\documents and settings\dmb\Application Data\Nik Software
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-17 06:21 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX
2008-11-13 05:22 --------- d-----w c:\program files\Allok Video to 3GP Converter
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-05-19 02:43 317,987 ----a-w c:\program files\setuplog.txt
2008-04-17 02:35 45,152 ----a-w c:\documents and settings\dmb\Application Data\GDIPFONTCACHEV1.DAT
2008-08-13 04:41 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-13 04:41 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-13 04:41 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-13 04:41 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-13 04:41 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-19 04:00 64,096 --sha-w c:\windows\system32\worajiju.dll
.

((((((((((((((((((((((((((((( snapshot_2008-12-27_17.27.54.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-30 05:51:12 351,744 ----a-w c:\windows\system32\avisynth.dll
+ 2006-12-31 02:16:36 313,344 ----a-w c:\windows\system32\avisynth.dll
- 2008-12-27 02:17:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-28 07:38:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-27 02:17:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-28 07:38:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-27 02:17:04 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-28 07:38:26 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-05-26 13:37:34 719,872 ----a-w c:\windows\system32\devil.dll
+ 2004-05-26 12:37:34 719,872 ----a-w c:\windows\system32\devil.dll
- 2008-12-27 10:37:26 1,801,880 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-03 05:52:06 1,801,880 ----a-w c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2007-11-20 731136]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Auto EPSON Stylus Photo R300 Series on XBOX (from TK)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"EPSON Stylus Photo R300 Series on XBOX (from TK)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"EPSON Stylus Photo R300 Series (from EDITONE)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"Auto EPSON Stylus Photo R300 Series on WII (from EDITONE)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\dmb\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-28 575488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 11:37 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 15:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 18:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBP]
--a------ 2007-08-13 00:33 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-08-30 10:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-21 14:51 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-13 00:33 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 13:56 17920 c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 13:56 18944 c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"ScsiAccess"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nexus Server"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LiveUpdate"=3 (0x3)
"LicCtrlService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EPSON_PM_RPCV2_01"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Contribute CS3\\Contribute.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\Brother\\BRAdmin Professional\\BRAdmPro.exe"=
"c:\\Program Files\\Adobe\\Adobe Premiere Pro CS3\\Adobe Premiere Pro.exe"=
"c:\\Program Files\\Adobe\\Adobe Soundbooth CS3\\Adobe Soundbooth CS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Encore CS3\\Adobe Encore.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Media Player\\wmpnscfg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\logon.scr"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S2 securentm;securentm;\??\c:\windows\system32\drivers\securentm.sys []
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2008-02-04 2560]
S4 Nexus Server;Nexus Server (Carbon Coder);c:\program files\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-18 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{081fe5a7-4b5b-11dc-a57f-000c6e3e120a}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-03 c:\windows\Tasks\kaxnfrcg.job
- c:\windows\system32\rundll32.exe [2008-04-13 20:42]

2009-01-03 c:\windows\Tasks\uxgezwnm.job
- c:\windows\system32\rundll32.exe [2008-04-13 20:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 71.140.173.217:2601
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\dmb\Application Data\Mozilla\Firefox\Profiles\bizeiw87.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 23:05:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-02 23:16:48
ComboFix-quarantined-files.txt 2009-01-03 06:16:33
ComboFix2.txt 2009-01-03 03:06:17
ComboFix3.txt 2008-12-28 00:29:57
ComboFix4.txt 2008-12-27 07:21:03

Pre-Run: 32,259,432,448 bytes free
Post-Run: 32,241,848,320 bytes free

Old 4th January 2009   #4
noahdfear (Staff, New Bremen, Ohio U.S.A.)


Little bit of cleanup yet to do. Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:
File::
c:\windows\system32\wvUKBRHw.dll
c:\windows\system32\worajiju.dll
c:\windows\Tasks\kaxnfrcg.job
c:\windows\Tasks\uxgezwnm.job

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

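As an added illustration (my own triage script, not noahdfear's method and not part of ComboFix), the four entries in the script above are exactly what a simple pass over the posted log surfaces: a hidden+system DLL in system32, a mixed-case random DLL name, and two randomly named scheduled tasks that launch rundll32.exe. The rules are my heuristics, and the sample input is a handful of lines copied from the log in post #3 plus benign neighbours so the filter has something to ignore.

```python
import re

# Constructed sample input: lines copied from the ComboFix log posted in this
# thread, mixed with benign entries. Raw string, so backslashes are literal.
SAMPLE_LOG = r"""
2008-12-21 14:52 . 2008-12-21 14:51 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-16 18:29 . 2008-12-16 18:29 70,144 --a------ c:\windows\system32\wvUKBRHw.dll
2008-12-07 14:25 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\logonui.exe.manifest
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-12-14 08:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-19 04:00 64,096 --sha-w c:\windows\system32\worajiju.dll
2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2009-01-03 c:\windows\Tasks\kaxnfrcg.job
- c:\windows\system32\rundll32.exe [2008-04-13 20:42]
2009-01-03 c:\windows\Tasks\uxgezwnm.job
- c:\windows\system32\rundll32.exe [2008-04-13 20:42]
"""

# "Files Created" section: created . modified size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:<DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")
# "Find3M" section: modified size attrs path
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:-{9}|[\d,]+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$")
# Scheduled task: "date path.job" followed by a "- target [timestamp]" line
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<path>.+\\tasks\\(?P<stem>[^\\]+)\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[.*\]$")

# Four consonant-vowel syllables ("worajiju"): a naming shape I associate with the
# Vundo family discussed in this thread. Heuristic, not a definitive indicator.
SYLLABLE_RE = re.compile(r"(?:[bcdfghj-np-tv-z][aeiou]){4}")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")


def looks_random(stem: str) -> bool:
    """Eight letters with an upper-case letter after a lower-case one (wvUKBRHw)
    or a strictly syllabic shape (worajiju). A legitimate 8-letter name such as
    deploytk has neither property."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    mixed = re.search(r"[a-z][A-Z]", stem) is not None
    return mixed or SYLLABLE_RE.fullmatch(stem.lower()) is not None


def split_path(path: str):
    folder, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    return folder.lower(), stem, ext.lower()


def triage(log_text: str):
    """Return (path, reason) pairs for log entries worth a closer look."""
    findings = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = CREATED_RE.match(line) or FIND3M_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            folder, stem, ext = split_path(path)
            # Hidden + system attributes on a file under c:\windows is rare for
            # legitimate software and is how worajiju.dll stands out in Find3M.
            if "s" in attrs and "h" in attrs and folder.startswith(SYSTEM_DIRS):
                findings.append((path, "hidden+system attributes in a Windows directory"))
            elif ext == "dll" and folder in SYSTEM_DIRS and looks_random(stem):
                findings.append((path, "randomly named DLL in a Windows directory"))
            continue
        m = JOB_RE.match(line)
        if m and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1])
            target = t.group("target").lower() if t else ""
            # An 8-lowercase-letter job name that only launches rundll32.exe.
            job_random = re.fullmatch(r"[a-z]{8}", m.group("stem")) is not None
            if job_random and target.endswith("\\rundll32.exe"):
                findings.append((m.group("path"), "random-named task launching rundll32.exe"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run against the full log rather than the sample, the same rules leave every other entry in post #3 untouched; the unexplained proxy setting under "Supplementary Scan" is outside what this pass checks.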
Old 6th January 2009   #5
darkpix (Member)


Thank you noahdfear, I truly appreciate your time and expertise.

I will run the script when I get home tonight and will post the new log.

Sincerely,
darkpix

Old 6th January 2009   #6
darkpix (Member)


Hi,

Here is the latest log.


Running from: c:\documents and settings\dmb\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dmb\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point


FILE ::
c:\windows\system32\worajiju.dll
c:\windows\system32\wvUKBRHw.dll
c:\windows\Tasks\kaxnfrcg.job
c:\windows\Tasks\uxgezwnm.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\worajiju.dll
c:\windows\system32\wvUKBRHw.dll
c:\windows\Tasks\kaxnfrcg.job
c:\windows\Tasks\uxgezwnm.job

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-04 02:12 . 2009-01-04 02:12 <DIR> d-------- c:\program files\mkv2vob
2009-01-03 14:49 . 2009-01-03 23:00 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-03 14:49 . 2009-01-03 14:49 <DIR> d-------- c:\documents and settings\dmb\Application Data\SUPERAntiSpyware.com
2009-01-03 14:49 . 2009-01-03 14:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-02 22:54 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-02 22:54 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-01-02 22:54 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-02 22:54 . 2008-04-14 00:15 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-28 15:04 . 2008-12-28 15:04 <DIR> d-------- c:\program files\MagicDisc
2008-12-28 15:04 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
2008-12-27 02:07 . 2008-10-16 13:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-27 02:07 . 2007-04-17 02:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-27 02:07 . 2007-03-07 22:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-27 02:07 . 2008-10-16 13:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-27 02:07 . 2008-10-16 13:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-27 02:07 . 2008-10-16 13:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-27 02:07 . 2008-10-16 13:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-27 02:07 . 2008-10-16 13:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-27 02:07 . 2008-10-16 06:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-27 01:05 . 2008-12-27 01:05 <DIR> d-------- c:\windows\system32\URTTEMP
2008-12-27 00:47 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-27 00:46 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 00:46 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 00:46 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 00:46 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 00:43 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-27 00:37 . 2008-12-27 00:37 <DIR> d-------- c:\program files\Avira
2008-12-27 00:37 . 2008-12-27 00:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-27 00:25 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-26 22:52 . 2008-12-26 22:52 265 --a------ c:\windows\SysMech6.INI
2008-12-26 22:23 . 2008-12-26 22:23 4,096 --a------ C:\Volume{52C8E4FE-B853-42c1-9528-92978438BBF3}_Backup
2008-12-26 22:23 . 2008-12-27 00:31 4,096 --a------ C:\Volume{52C8E4FE-B853-42c1-9528-92978438BBF3}
2008-12-26 22:23 . 2008-12-26 22:23 4,096 --a------ C:\00007E00-D260D260_Backup
2008-12-26 22:23 . 2008-12-27 00:31 4,096 --a------ C:\00007E00-D260D260
2008-12-26 21:46 . 2008-12-26 21:46 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2008-12-26 21:43 . 2008-12-27 00:25 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-26 21:43 . 2008-12-27 00:32 <DIR> d-------- c:\program files\iolo
2008-12-26 21:43 . 2002-08-09 08:00 1,731,584 --a------ c:\windows\system32\XercesLib.dll
2008-12-26 21:43 . 2002-08-09 08:00 1,500,160 --a------ c:\windows\system32\CC3260MT.DLL
2008-12-26 21:43 . 2002-08-09 08:00 325,120 --a------ c:\windows\system32\xercesxmldom.dll
2008-12-26 19:23 . 2003-09-12 14:32 3,162,278 --a------ c:\windows\{00000002-00000000-0000000D-00001102-00000004-00531102}.CDF
2008-12-26 19:09 . 2008-04-13 20:39 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-12-26 19:08 . 2001-08-23 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-12-26 19:07 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-26 19:06 . 2008-12-26 19:06 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-26 17:10 . 2008-12-26 17:10 1,871 --a------ c:\windows\setupapi.old
2008-12-23 17:57 . 2008-12-23 17:57 <DIR> d-------- c:\program files\Xvid
2008-12-23 17:57 . 2008-12-23 18:03 <DIR> d-------- c:\documents and settings\dmb\Application Data\AVI ReComp
2008-12-23 17:57 . 2007-06-28 18:55 77,824 --a------ c:\windows\system32\xvid.ax
2008-12-23 17:55 . 2008-12-23 17:57 <DIR> d-------- c:\program files\AVI ReComp
2008-12-23 17:51 . 2008-12-29 03:08 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-23 17:51 . 2008-12-23 17:51 1,409 --a------ c:\windows\QTFont.for
2008-12-22 02:10 . 2008-12-22 21:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_
2008-12-22 01:31 . 2008-12-27 22:24 <DIR> d-------- c:\program files\COMODO
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- c:\documents and settings\dmb\Application Data\Media Player Classic
2008-12-21 14:52 . 2008-12-21 14:51 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 12:59 . 2008-12-21 12:59 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-21 12:34 . 2008-12-21 13:04 <DIR> d-------- c:\documents and settings\dmb\Application Data\Dr. DivX 2.0 OSS
2008-12-21 12:25 . 2008-12-21 12:25 <DIR> d-------- C:\divx
2008-12-21 12:23 . 2008-12-21 12:23 <DIR> d-------- c:\documents and settings\dmb\Application Data\DivX
2008-12-21 12:20 . 2008-12-21 13:03 <DIR> d-------- c:\program files\DivX
2008-12-20 23:42 . 2007-12-17 13:53 159,458 --a------ c:\windows\system32\nvapps.nvb
2008-12-20 23:35 . 2008-12-20 23:35 4,444 --a------ c:\windows\system32\pid.PNF
2008-12-20 23:34 . 2008-04-13 22:40 1,296,669 -ra------ c:\windows\SET8B.tmp
2008-12-20 23:34 . 2008-04-13 22:34 1,088,840 -ra------ c:\windows\SET8E.tmp
2008-12-20 23:34 . 2008-04-13 22:34 16,535 -ra------ c:\windows\SET9A.tmp
2008-12-20 22:14 . 2008-04-13 17:12 221,696 --a--c--- c:\windows\system32\dllcache\seo.dll
2008-12-20 22:14 . 2008-04-13 17:12 189,440 --a--c--- c:\windows\system32\dllcache\smtpadm.dll
2008-12-20 22:14 . 2008-04-13 17:12 10,752 --a------ c:\windows\system32\smtpapi.dll
2008-12-20 22:14 . 2008-04-13 17:12 10,752 --a--c--- c:\windows\system32\dllcache\smtpapi.dll
2008-12-20 22:14 . 2008-04-13 17:12 9,728 --a------ c:\windows\system32\rwnh.dll
2008-12-20 22:14 . 2008-04-13 17:12 9,728 --a--c--- c:\windows\system32\dllcache\rwnh.dll
2008-12-20 17:25 . 2008-12-28 15:10 268 --ah----- C:\sqmdata19.sqm
2008-12-20 17:05 . 2008-12-20 17:05 <DIR> d-------- c:\program files\Windows Resource Kits
2008-12-20 16:07 . 2008-12-22 22:00 268 --ah----- C:\sqmdata18.sqm
2008-12-20 12:40 . 2008-12-22 21:43 268 --ah----- C:\sqmdata17.sqm
2008-12-20 12:11 . 2008-12-22 21:32 268 --ah----- C:\sqmdata16.sqm
2008-12-20 12:11 . 2008-12-22 21:32 244 --ah----- C:\sqmnoopt18.sqm
2008-12-20 11:57 . 2008-12-22 21:03 268 --ah----- C:\sqmdata15.sqm
2008-12-20 11:57 . 2008-12-22 21:03 244 --ah----- C:\sqmnoopt17.sqm
2008-12-19 19:14 . 2008-12-22 20:26 268 --ah----- C:\sqmdata14.sqm
2008-12-19 19:14 . 2008-12-22 20:26 244 --ah----- C:\sqmnoopt16.sqm
2008-12-19 18:59 . 2008-12-22 19:37 268 --ah----- C:\sqmdata13.sqm
2008-12-19 18:59 . 2008-12-22 19:37 244 --ah----- C:\sqmnoopt15.sqm
2008-12-19 18:53 . 2008-12-22 11:42 268 --ah----- C:\sqmdata12.sqm
2008-12-19 18:53 . 2008-12-22 11:42 244 --ah----- C:\sqmnoopt14.sqm
2008-12-19 18:47 . 2008-12-26 13:56 <DIR> d-------- c:\documents and settings\dmb\Application Data\Online Solutions
2008-12-19 11:52 . 2008-12-19 11:52 <DIR> d-------- c:\program files\Online Solutions
2008-12-19 11:52 . 2008-12-19 11:52 <DIR> d-------- c:\program files\Common Files\Online Solutions Shared
2008-12-19 09:19 . 2008-12-22 11:15 268 --ah----- C:\sqmdata11.sqm
2008-12-19 09:19 . 2008-12-22 11:15 244 --ah----- C:\sqmnoopt13.sqm
2008-12-19 01:38 . 2008-12-22 01:08 268 --ah----- C:\sqmdata10.sqm
2008-12-19 01:38 . 2008-12-22 01:08 244 --ah----- C:\sqmnoopt12.sqm
2008-12-18 23:57 . 2008-12-21 17:19 268 --ah----- C:\sqmdata09.sqm
2008-12-18 23:57 . 2008-12-21 17:19 244 --ah----- C:\sqmnoopt11.sqm
2008-12-17 11:45 . 2008-12-21 16:46 268 --ah----- C:\sqmdata08.sqm
2008-12-17 11:45 . 2008-12-21 16:46 244 --ah----- C:\sqmnoopt10.sqm
2008-12-17 10:41 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-17 10:33 . 2008-12-21 11:31 268 --ah----- C:\sqmdata07.sqm
2008-12-17 10:33 . 2008-12-21 11:31 244 --ah----- C:\sqmnoopt09.sqm
2008-12-17 00:50 . 2008-12-21 05:12 268 --ah----- C:\sqmdata06.sqm
2008-12-17 00:50 . 2008-12-21 05:12 244 --ah----- C:\sqmnoopt08.sqm
2008-12-15 19:10 . 2008-12-15 19:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-15 19:10 . 2008-12-15 19:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-07 18:21 . 2008-12-07 18:21 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-12-07 18:21 . 2008-12-12 01:44 156 --a------ c:\windows\Twunk001.MTX
2008-12-07 18:21 . 2008-12-12 01:44 2 --a------ c:\windows\Twain001.Mtx
2008-12-07 18:21 . 2008-12-07 18:21 0 --a------ c:\windows\Twunk002.MTX
2008-12-07 17:55 . 2008-12-07 17:55 <DIR> d-------- c:\documents and settings\dmb\Application Data\Roxio
2008-12-07 17:09 . 2008-12-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-07 17:09 . 2008-12-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-12-07 17:05 . 2008-12-22 20:38 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-07 17:05 . 2008-12-22 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-07 16:56 . 2008-12-07 16:56 <DIR> d-------- c:\program files\Research In Motion
2008-12-07 16:38 . 2008-12-07 16:38 256 --a------ c:\documents and settings\dmb\pool.bin
2008-12-07 14:37 . 2008-12-22 20:22 256 --a------ c:\windows\system32\pool.bin
2008-12-07 14:25 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-12-07 14:20 . 2008-12-22 20:25 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-07 08:39 . 2008-12-07 08:39 <DIR> d-------- c:\documents and settings\dmb\Application Data\Red Kawa
2008-12-07 08:30 . 2008-12-07 08:30 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 08:14 --------- d-----w c:\documents and settings\dmb\Application Data\uTorrent
2009-01-04 09:11 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-02 00:15 43,698 ----a-w c:\windows\system32\xvid-uninstall.exe
2009-01-02 00:15 --------- d-----w c:\program files\AviSynth 2.5
2009-01-02 00:15 --------- d-----w c:\program files\AutoGK
2009-01-01 00:54 --------- d-----w c:\program files\FlashFXP
2008-12-28 22:48 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 07:22 --------- d-----w c:\program files\Smarty Uninstaller Pro
2008-12-27 03:56 --------- d-----w c:\program files\MagicISO
2008-12-27 01:32 --------- d-----w c:\program files\Winamp
2008-12-23 03:45 --------- d-----w c:\program files\Symantec
2008-12-23 03:32 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-23 03:29 --------- d-----w c:\program files\PeerGuardian2
2008-12-22 12:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-21 21:51 --------- d-----w c:\program files\Java
2008-12-21 08:36 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-20 19:43 --------- d-----w c:\documents and settings\dmb\Application Data\Twain
2008-12-18 01:49 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-18 01:49 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-18 01:27 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-18 01:27 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-12-18 01:27 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-18 01:27 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-16 15:49 --------- d-----w c:\documents and settings\dmb\Application Data\Skype
2008-12-16 08:49 --------- d-----w c:\documents and settings\dmb\Application Data\skypePM
2008-12-14 08:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 11:53 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-08 00:10 --------- d-----w c:\documents and settings\dmb\Application Data\InstallShield
2008-12-08 00:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-05 19:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 18:20 --------- d-----w c:\documents and settings\dmb\Application Data\Malwarebytes
2008-12-05 18:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 08:59 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 11:58 --------- d-----w c:\program files\Lavasoft
2008-12-04 11:02 --------- d-----w c:\program files\a-squared Anti-Malware
2008-12-03 16:46 --------- d-----w c:\program files\Vertus Fluid Mask 3
2008-12-03 07:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-03 07:00 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-29 11:41 2,294,291 ----a-w c:\windows\system32\x264vfw.dll
2008-11-23 21:24 --------- d-----w c:\documents and settings\dmb\Application Data\Nik Software
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-17 06:21 --------- d-----w c:\documents and settings\NetworkService\Application Data\DivX
2008-11-13 05:22 --------- d-----w c:\program files\Allok Video to 3GP Converter
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-19 02:43 317,987 ----a-w c:\program files\setuplog.txt
2008-04-17 02:35 45,152 ----a-w c:\documents and settings\dmb\Application Data\GDIPFONTCACHEV1.DAT
2008-08-13 04:41 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-13 04:41 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-13 04:41 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-13 04:41 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-13 04:41 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot_2008-12-27_17.27.54.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-22 00:20:24 34,304 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2009-01-03 21:49:20 34,304 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
- 2008-08-30 05:51:12 351,744 ----a-w c:\windows\system32\avisynth.dll
+ 2006-12-31 02:16:36 313,344 ----a-w c:\windows\system32\avisynth.dll
- 2008-12-27 02:17:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-28 07:38:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-27 02:17:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-28 07:38:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-27 02:17:04 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-28 07:38:26 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-05-26 13:37:34 719,872 ----a-w c:\windows\system32\devil.dll
+ 2004-05-26 12:37:34 719,872 ----a-w c:\windows\system32\devil.dll
- 2008-12-27 10:37:26 1,801,880 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-03 05:52:06 1,801,880 ----a-w c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2007-11-20 731136]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Auto EPSON Stylus Photo R300 Series on XBOX (from TK)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"EPSON Stylus Photo R300 Series on XBOX (from TK)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"EPSON Stylus Photo R300 Series (from EDITONE)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"Auto EPSON Stylus Photo R300 Series on WII (from EDITONE)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\dmb\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-12-28 575488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 11:37 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 15:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 18:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBP]
--a------ 2007-08-13 00:33 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-08-30 10:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-21 14:51 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-13 00:33 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 13:56 17920 c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 13:56 18944 c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"ScsiAccess"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nexus Server"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LiveUpdate"=3 (0x3)
"LicCtrlService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"EPSON_PM_RPCV2_01"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Contribute CS3\\Contribute.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\Brother\\BRAdmin Professional\\BRAdmPro.exe"=
"c:\\Program Files\\Adobe\\Adobe Premiere Pro CS3\\Adobe Premiere Pro.exe"=
"c:\\Program Files\\Adobe\\Adobe Soundbooth CS3\\Adobe Soundbooth CS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Encore CS3\\Adobe Encore.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Media Player\\wmpnscfg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\logon.scr"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-02-04 2560]
S4 Nexus Server;Nexus Server (Carbon Coder);c:\program files\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe --> c:\program files\Common Files\Rhozet\Carbon Coder\Kernel\PNXSERVR.exe [?]
S4 securentm;securentm;\??\c:\windows\system32\drivers\securentm.sys --> c:\windows\system32\drivers\securentm.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-18 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASENUM
*NewlyCreated* - SASKUTIL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{081fe5a7-4b5b-11dc-a57f-000c6e3e120a}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 71.140.173.217:2601
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 01:44:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*NULL*Version]
"Version"=hex:30,42,7e,40,00,e2,27,08,8d,e4,70,0d,16,66,df,56,f3,ac,ca,6f,75,\
c7,f6,e0,c2,2f,98,3e,b1,ae,af,30,62,ff,71,6b,2b,51,c0,86,4f,3c,82,18,a4,07,\
ce,33,1b,ed,f3,54,49,fe,14,fc,2e,71,5e,94,5b,7e,4f,01,c3,c0,9d,22,a0,12,36,\
02,77,c9,fe,02,03,69,54,e4,2f,3b,c5,7c,a1,2f,43,c6,cc,be,0f,a7,1b,0a,94,85,\
a8,73,2a,22,e4,c5,a8,63,9b,24,0e,8f,ab,4e,a3,47,f1,77,5c,e9,48,5b,fd,63,5c,\
f3,05,c9,ac,cf,cb,66,a2,fb,0f,5a,49,88,2e,61,09,5d,c4,f7,57,4e,7c,b2,69,4a,\
ac,a2,8d,91,77,45,3f,89,ac,e2,00,ca,9a,d5,18,89,7e,40,cb,ea,30,f4,7f,90,78,\
0f,91,f4,d8,d6,67,33,42,00,49,7a,9d,de,09,d4,10,d8,73,6f,8f,22,d7,95,b4,46,\
44,d0,3d,9e,b2,01,48,50,3b,40,70,94,08,68,24,54,89,fa,46,d7,c1,fc,1a,24,59,\
4f,e4,cf,32,87,05,d9,06,70,fd,3c,83,79,b8,be,81,fa,89,78,62,db,82,eb,38,d4,\
6f,38,e0,14,f1,0d,0e,b0,d0,be,88,01,3c,3d

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*NULL*lkzs$i&#&y @^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,04,7d,73,7b,41,5e,94,\
fd
"2"=hex:d7,7a,ea,31,a0,f7,22,dd,b6,43,6f,32,07,8b,4a,0a,e2,6f,a8,1b,53,71,0d,\
78,d5,ad,68,1b,c8,4a,9b,03
"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,aa,6b,6f,c8,5d,d1,dd,\
70,c8,0c,a2,71,14,a4,b5,05,7d,2c,84,8d,ff,2b,de,6d,f8,f2,70,94,19,43,ce,bd,\
ce,f1,75,fc,f7,96,07,41

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*NULL*lkzs$i&#&y @^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]
"1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,\
42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14
"2"=hex:68,72,c9,10,9a,ad,02,87
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,\
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
b4,c9,be,e5,6a,38,97,8e
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,\
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,\
42,0c,3f,30,d4,d3,b8,cd,35,e1,af,a1,62,ac,13,f7,4b,e6,59,dd,a2,d7,4f,7f,25
"8"=hex:e3,36,21,8b,47,07,6d,39,53,04,16,c8,0c,ba,71,42,07,af,eb,7e,87,75,7c,\
c3,c0,c1,8e,2b,c9,d1,ea,67,cc,0e,20,f0,70,de,5d,ad,8e,89,15,6d,02,4b,37,11,\
62,1c,8f,d8,02,fb,45,95,48,31,8f,bb,3b,2e,04,7b,2b,f0,cd,db,e2,33,4a,43,74,\
04,4a,4f,c0,87,16,83,1b,dd,9d,bf,ba,6a,35,59
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*NULL*Version]
"Version"=hex:30,42,7e,40,00,e2,27,08,8d,e4,70,0d,16,66,df,56,f3,ac,ca,6f,75,\
c7,f6,e0,c2,2f,98,3e,b1,ae,af,30,62,ff,71,6b,2b,51,c0,86,4f,3c,82,18,a4,07,\
ce,33,1b,ed,f3,54,49,fe,14,fc,2e,71,5e,94,5b,7e,4f,01,c3,c0,9d,22,a0,12,36,\
02,77,c9,fe,02,03,69,54,e4,2f,3b,c5,7c,a1,2f,43,c6,cc,be,0f,a7,1b,0a,94,85,\
a8,73,2a,22,e4,c5,a8,63,9b,24,0e,8f,ab,4e,a3,47,f1,77,5c,e9,48,5b,fd,63,5c,\
f3,05,c9,ac,cf,cb,66,a2,fb,0f,5a,49,88,2e,61,09,5d,c4,f7,57,4e,7c,b2,69,4a,\
ac,a2,8d,91,77,45,3f,89,ac,e2,00,ca,9a,d5,18,89,7e,40,cb,ea,30,f4,7f,90,78,\
0f,91,f4,d8,d6,67,33,42,00,49,7a,9d,de,09,d4,10,d8,73,6f,8f,22,d7,95,b4,46,\
44,d0,3d,9e,b2,01,48,50,3b,40,70,94,08,68,24,54,89,fa,46,d7,c1,fc,1a,24,59,\
4f,e4,cf,32,87,05,d9,06,70,fd,3c,83,79,b8,be,81,fa,89,78,62,db,82,eb,38,d4,\
6f,38,e0,14,f1,0d,0e,b0,d0,be,88,01,3c,3d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(2752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-06 1:47:31
ComboFix-quarantined-files.txt 2009-01-06 08:46:16
ComboFix2.txt 2009-01-06 08:27:18
ComboFix3.txt 2009-01-03 06:16:54
ComboFix4.txt 2009-01-03 03:06:17
ComboFix5.txt 2009-01-06 08:40:16

Pre-Run: 81,030,127,616 bytes free
Post-Run: 81,016,643,584 bytes free

486

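The ComboFix tail posted above ends with a .reg-style hex dump (values split across backslash-continued lines) and the "DLLs Loaded Under Running Processes" section. As an added example that is not part of the original thread and not ComboFix's own code, here is a small Python parser for those two blocks: it reassembles the continued hex values into bytes (tolerating the stray spaces that forum copy/paste inserts into a byte, as happened in the log above), maps each listed process to the DLLs under it, and reports any module not on a caller-supplied allowlist. The registry key path, the second DLL path under winlogon.exe and the allowlist below are constructed for the demonstration; only the layout mirrors the log.

```python
"""Parse the registry-hex and loaded-DLL sections of a ComboFix log.

Added example, not ComboFix code. Sample input below is constructed in the
same layout as the log posted in this thread; key path and the second DLL
path are made up.
"""
import re

# Constructed excerpt: same layout as the posted log, values shortened.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\Example\Keys]
"1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,2 5,\
42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14
"9"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(2752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\unknown1.dll
.
Completion time: 2009-01-06 1:47:31
'''
# (unknown1.dll is a constructed stand-in for an unrecognised module.)

REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>.*)$')
PROC_RE = re.compile(r"^(?:- )+> '(?P<image>[^']+)'\((?P<pid>\d+)\)$")
DLL_HEADER = 'DLLs Loaded Under Running Processes'


def _join_continuations(lines):
    """Join .reg-style continuation lines (trailing backslash) into logical lines."""
    out, buf = [], None
    for raw in lines:
        line = raw.rstrip()
        if buf is not None:
            line = buf + line.lstrip()
        if line.endswith('\\'):
            buf = line[:-1]
            continue
        out.append(line)
        buf = None
    if buf is not None:
        out.append(buf)
    return out


def parse_reg_values(text):
    """Return {key_path: {value_name: bytes}} for every hex: value in the export."""
    result, key = {}, None
    for line in _join_continuations(text.splitlines()):
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            result.setdefault(key, {})
            continue
        m = REG_HEX_RE.match(line)
        if m and key is not None:
            # Strip all whitespace first: a wrapped forum post can split a byte ("2 5").
            data = re.sub(r'\s+', '', m.group('data'))
            result[key][m.group('name')] = bytes(int(b, 16) for b in data.split(',') if b)
    return result


def parse_loaded_dlls(text):
    """Return {(image, pid): [dll paths]} from the loaded-DLL section."""
    procs, current, in_section = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if DLL_HEADER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line == '.':  # ComboFix closes each section with a lone dot
            break
        m = PROC_RE.match(line)
        if m:
            current = (m.group('image'), int(m.group('pid')))
            procs[current] = []
        elif current is not None and line:
            procs[current].append(line)
    return procs


def unexpected_modules(procs, allowlist):
    """DLLs per process whose path (case-insensitive) is not in the allowlist.

    Anything left over in winlogon.exe deserves a close look: Vundo-family
    trojans are known to register their DLL under the Winlogon Notify key so it
    is mapped into winlogon.exe at logon, which is exactly what this section shows.
    """
    allowed = {p.lower() for p in allowlist}
    return {proc: [d for d in dlls if d.lower() not in allowed]
            for proc, dlls in procs.items()}


if __name__ == '__main__':
    # Constructed allowlist: the SUPERAntiSpyware notify DLL seen in the real log.
    known = [r'c:\program files\SUPERAntiSpyware\SASWINLO.dll']
    for proc, dlls in unexpected_modules(parse_loaded_dlls(SAMPLE_LOG), known).items():
        print(proc, dlls)
    for key, vals in parse_reg_values(SAMPLE_LOG).items():
        print(key, {n: len(v) for n, v in vals.items()})
```

To run it against a saved log, pass `open(path).read()` to the two parse functions instead of `SAMPLE_LOG`; the allowlist is something you maintain per machine, since ComboFix lists every module and makes no judgement about them.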
7th January 2009   #7
noahdfear
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Looks good. Let's get an online scan to be sure we haven't missed something. Please do an online scan with Kaspersky Online Scanner:

  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Post the Kaspersky log here.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.3.2
Copyright © 2002 - 2009 WindowsBBS.com. All rights reserved.