Solved Hard drive 'grinds' when trying to open email

pilotgal8 · 2009/08/03

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/03/2009 at 03:43 PM

Application Version : 4.27.1000

Core Rules Database Version : 4034
Trace Rules Database Version: 1974

Scan type : Quick Scan
Total Scan Time : 00:40:20

Memory items scanned : 246
Memory threats detected : 0
Registry items scanned : 430
Registry threats detected : 0
File items scanned : 78675
File threats detected : 1

Rogue.AntiVirus XP 2008
C:\RECYCLER\S-1-5-21-2726549489-327112301-1289512280-500\DC2\RHCLT7J0E58E.EXE

pilotgal8 · 2009/08/03

Malware log

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/3/2009 5:26:22 PM
mbam-log-2009-08-03 (17-26-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 227295
Time elapsed: 48 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 13
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhclt7j0e58e (Rogue.AntiVirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\administrator.AOS-MAIN\Application Data\rhclt7j0e58e\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.

pilotgal8 · 2009/08/03

When trying to download GMER a GMER screen was presented with warning
WARNING!!!!!
Warning GMER has found system modifications cused by ROOTKIT.

Could neither click OK on the message, or close the GMER box with the X.
Used Task Mgr to force it off.

Second try at download worked. log will be posted here.

pilotgal8 · 2009/08/03

I left the GMER scan running, will post the results in the morning.

broni · 2009/08/03

No problem

pilotgal8 · 2009/08/04

GMER.log

GMER 1.0.15.15011 [rjuwmnjj[1].exe] - http://www.gmer.net
Rootkit scan 2009-08-04 08:45:12
Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.15 ----

? saodz.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}
Reg HKLM\SOFTWARE\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EC7A25C-208B-259B-D0F10B7D70121E6A}\{B30129B8-8481-85C6-1CF8CC8FAFB9C5A4}\{9F5D8B19-EFCA-EE59-2A819F5112EEBB2A}
Reg HKLM\SOFTWARE\Classes\CLSID\{7EC7A25C-208B-259B-D0F10B7D70121E6A}\{B30129B8-8481-85C6-1CF8CC8FAFB9C5A4}\{9F5D8B19-EFCA-EE59-2A819F5112EEBB2A}@63AUOURV1X6YIYB2ELIFO4LTRC1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----

pilotgal8 · 2009/08/04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:43 AM, on 8/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Portfolio Express 8.5.lnk = C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101156915875
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O17 - HKLM\Software\..\Telephony: DomainName = AOS-MAIN.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: karina.dat??z?5.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8219 bytes

broni · 2009/08/04

Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

pilotgal8 · 2009/08/05

ComboFix 09-08-04.04 - scanner 08/05/2009 17:22.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1548 [GMT -4:00]
Running from: c:\documents and settings\scanner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\scanner\LOCALS~1\Temp\catchme.dll
c:\documents and settings\scanner\Local Settings\Temp\catchme.dll
c:\windows\Installer\2b3c5.msp
c:\windows\Installer\eec7.msi
c:\windows\Installer\eeeb.msi
c:\windows\Installer\f38d9.msp
c:\windows\Installer\fe611.msp
c:\windows\system32\config\systemprofile\Application Data\rhclt7j0e58e
c:\windows\system32\pwdmon.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
.

2009-08-05 20:52 . 2009-08-05 20:52 0 ----a-w- c:\windows\nsreg.dat
2009-08-05 20:51 . 2009-08-05 20:51 -------- d-----w- c:\documents and settings\scanner\Local Settings\Application Data\Mozilla
2009-08-03 20:00 . 2009-08-03 20:00 -------- d-----w- c:\documents and settings\scanner\Application Data\Malwarebytes
2009-08-03 20:00 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:00 . 2009-08-03 20:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:00 . 2009-08-03 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 20:00 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 18:46 . 2009-08-03 19:55 117760 ----a-w- c:\documents and settings\scanner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-03 18:45 . 2009-08-03 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-03 18:45 . 2009-08-03 18:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-03 18:45 . 2009-08-03 18:45 -------- d-----w- c:\documents and settings\scanner\Application Data\SUPERAntiSpyware.com
2009-08-03 18:44 . 2009-08-03 18:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-02 18:51 . 2009-08-02 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-01 16:56 . 2009-08-01 16:56 -------- d-----w- c:\documents and settings\scanner\Application Data\Uniblue
2009-07-18 20:26 . 2009-07-18 20:26 -------- d-sh--w- C:\INCINERATE
2009-07-18 20:08 . 2009-07-18 20:08 -------- d-----w- c:\documents and settings\scanner\Local Settings\Application Data\Google
2009-07-18 15:26 . 2009-07-18 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-18 13:41 . 2009-08-01 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-18 13:41 . 2009-08-01 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-18 13:41 . 2005-12-16 20:15 1212416 ----a-w- c:\windows\system32\Incinerator.dll
2009-07-18 13:41 . 2005-09-13 00:20 25264 ----a-w- c:\windows\system32\smrgdf.exe
2009-07-18 13:41 . 2009-08-02 19:10 -------- d-----w- c:\program files\iolo
2009-07-18 13:40 . 2009-07-18 13:40 -------- d-----w- c:\program files\ToniArts
2009-07-18 13:38 . 2009-07-18 13:38 -------- d-----w- c:\documents and settings\scanner\Application Data\Ipswitch
2009-07-18 13:37 . 2009-08-02 19:53 -------- d-----w- c:\documents and settings\scanner\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 13:31 . 2004-11-29 15:55 -------- d-----w- c:\documents and settings\Jim\Application Data\AdobeUM
2009-08-04 21:00 . 2004-11-23 18:34 2241 ----a-w- c:\windows\panose.bin
2009-08-02 18:52 . 2008-07-31 16:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-02 18:52 . 2004-10-05 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-02 18:52 . 2009-07-18 13:36 -------- d-----w- c:\documents and settings\scanner\Application Data\Symantec
2009-08-01 17:36 . 2008-07-31 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-08-01 17:00 . 2004-10-05 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 20:14 . 2008-08-06 13:01 -------- d-----w- c:\program files\Trend Micro
2009-07-18 14:58 . 2007-06-08 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-29 16:12 . 2005-10-21 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 1980-01-01 08:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 1980-01-01 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2003-05-30 17:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2002-09-11 14:26 . 2007-09-13 20:13 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBMPRC "= "c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"DLA "= "c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor "= "c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-07 303104]
"BluetoothAuthenticationAgent "= "irprops.cpl" - c:\windows\system32\irprops.cpl [2008-04-14 380416]
"Mouse Suite 98 Daemon "= "ICO.EXE" - c:\windows\system32\ico.exe [2003-11-20 57344]

c:\documents and settings\Jim\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-6 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-6 113664]
Portfolio Express 8.5.lnk - c:\program files\Extensis\Portfolio 8.5\Portfolio Express.exe [2008-3-25 3276800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcgt7j0e58e

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [3/19/2004 4:05 PM 63872]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [8/22/2003 4:17 PM 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [8/22/2003 4:17 PM 36368]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [10/5/2004 4:20 PM 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [10/5/2004 4:20 PM 9216]
S3 Dmbdu2kt;Dmbdu2kt;c:\windows\system32\drivers\irenum.sys [2/19/2003 5:19 PM 11264]
S3 Ligstat;Ligstat; [x]
S3 Msardgon;Msardgon; [x]
S3 Msptfdbrswia;Msptfdbrswia; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S4 Pruntmonpcen;Pruntmonpcen; [x]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ibmmessages - c:\program files\IBM\Messages By IBM\ibmmessages.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\scanner\Application Data\Mozilla\Firefox\Profiles\t6frrb8q.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 17:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 "=hex:01,00,01,00,0c,00,00,00,9b,e8,2b,
fb,a9,35,11,c2,97,b6,f4,66,f1,97,09,c0,35,3c,c0,18,e5,1b,af,df,c4,dd,8e,a4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EC7A25C-208B-259B-D0F10B7D70121E6A}\{B30129B8-8481-85C6-1CF8CC8FAFB9C5A4}\{9F5D8B19-EFCA-EE59-2A819F5112EEBB2A}*]
"63AUOURV1X6YIYB2ELIFO4LTRC1 "=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(732)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Trend Micro\OfficeScan Client\OfcDog.exe
c:\windows\system32\PELMICED.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-08-05 17:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-05 21:33

Pre-Run: 14,826,123,264 bytes free
Post-Run: 14,891,966,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

183 --- E O F --- 2009-07-29 21:07

pilotgal8 · 2009/08/05

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:07 PM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Portfolio Express 8.5.lnk = C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101156915875
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O17 - HKLM\Software\..\Telephony: DomainName = AOS-MAIN.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8162 bytes

broni · 2009/08/05

*** Please, uninstall Uniblue RegistryBooster (if present). Registry programs are NOT recommended.

=============================================================================

1. Please open Notepad

Click Start , then Run

Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::

Folder::

Driver::
Ligstat
Msardgon
Msptfdbrswia
Pruntmonpcen


Registry::

RegLockDel::
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

A new HijackThis log.

pilotgal8 · 2009/08/05

I'll have to do this tomorrow, as the office at which I volunteer is now closed.
Thanks for all your help so far.

Seems this has been a tough one.

broni · 2009/08/05

We're getting there

pilotgal8 · 2009/08/06

ComboFix 09-08-04.04 - scanner 08/06/2009 10:05.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1499 [GMT -4:00]
Running from: c:\documents and settings\scanner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\scanner\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LIGSTAT
-------\Legacy_MSARDGON
-------\Legacy_MSPTFDBRSWIA
-------\Service_Ligstat
-------\Service_Msardgon
-------\Service_Msptfdbrswia
-------\Service_Pruntmonpcen

((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-05 20:52 . 2009-08-05 20:52 0 ----a-w- c:\windows\nsreg.dat
2009-08-05 20:51 . 2009-08-05 20:51 -------- d-----w- c:\documents and settings\scanner\Local Settings\Application Data\Mozilla
2009-08-03 20:00 . 2009-08-03 20:00 -------- d-----w- c:\documents and settings\scanner\Application Data\Malwarebytes
2009-08-03 20:00 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:00 . 2009-08-03 20:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:00 . 2009-08-03 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 20:00 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 18:46 . 2009-08-03 19:55 117760 ----a-w- c:\documents and settings\scanner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-03 18:45 . 2009-08-03 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-03 18:45 . 2009-08-03 18:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-03 18:45 . 2009-08-03 18:45 -------- d-----w- c:\documents and settings\scanner\Application Data\SUPERAntiSpyware.com
2009-08-03 18:44 . 2009-08-03 18:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-02 18:51 . 2009-08-02 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-01 16:56 . 2009-08-01 16:56 -------- d-----w- c:\documents and settings\scanner\Application Data\Uniblue
2009-07-18 20:26 . 2009-07-18 20:26 -------- d-sh--w- C:\INCINERATE
2009-07-18 20:08 . 2009-07-18 20:08 -------- d-----w- c:\documents and settings\scanner\Local Settings\Application Data\Google
2009-07-18 15:26 . 2009-07-18 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-18 13:41 . 2009-08-01 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-18 13:41 . 2009-08-01 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-18 13:41 . 2005-12-16 20:15 1212416 ----a-w- c:\windows\system32\Incinerator.dll
2009-07-18 13:41 . 2005-09-13 00:20 25264 ----a-w- c:\windows\system32\smrgdf.exe
2009-07-18 13:41 . 2009-08-02 19:10 -------- d-----w- c:\program files\iolo
2009-07-18 13:40 . 2009-07-18 13:40 -------- d-----w- c:\program files\ToniArts
2009-07-18 13:38 . 2009-07-18 13:38 -------- d-----w- c:\documents and settings\scanner\Application Data\Ipswitch
2009-07-18 13:37 . 2009-08-02 19:53 -------- d-----w- c:\documents and settings\scanner\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 13:31 . 2004-11-29 15:55 -------- d-----w- c:\documents and settings\Jim\Application Data\AdobeUM
2009-08-04 21:00 . 2004-11-23 18:34 2241 ----a-w- c:\windows\panose.bin
2009-08-02 18:52 . 2008-07-31 16:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-02 18:52 . 2004-10-05 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-02 18:52 . 2009-07-18 13:36 -------- d-----w- c:\documents and settings\scanner\Application Data\Symantec
2009-08-01 17:36 . 2008-07-31 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-08-01 17:00 . 2004-10-05 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 20:14 . 2008-08-06 13:01 -------- d-----w- c:\program files\Trend Micro
2009-07-18 14:58 . 2007-06-08 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-29 16:12 . 2005-10-21 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 1980-01-01 08:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 1980-01-01 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 1980-01-01 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2003-05-30 17:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2002-09-11 14:26 . 2007-09-13 20:13 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBMPRC "= "c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"DLA "= "c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor "= "c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-07 303104]
"BluetoothAuthenticationAgent "= "irprops.cpl" - c:\windows\system32\irprops.cpl [2008-04-14 380416]
"Mouse Suite 98 Daemon "= "ICO.EXE" - c:\windows\system32\ico.exe [2003-11-20 57344]

c:\documents and settings\Jim\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-6 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-6 113664]
Portfolio Express 8.5.lnk - c:\program files\Extensis\Portfolio 8.5\Portfolio Express.exe [2008-3-25 3276800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [3/19/2004 4:05 PM 63872]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [8/22/2003 4:17 PM 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [8/22/2003 4:17 PM 36368]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [10/5/2004 4:20 PM 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [10/5/2004 4:20 PM 9216]
S3 Dmbdu2kt;Dmbdu2kt;c:\windows\system32\drivers\irenum.sys [2/19/2003 5:19 PM 11264]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\scanner\Application Data\Mozilla\Firefox\Profiles\t6frrb8q.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 10:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 "=hex:01,00,01,00,0c,00,00,00,9b,e8,2b,
fb,a9,35,11,c2,97,b6,f4,66,f1,97,09,c0,35,3c,c0,18,e5,1b,af,df,c4,dd,8e,a4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EC7A25C-208B-259B-D0F10B7D70121E6A}\{B30129B8-8481-85C6-1CF8CC8FAFB9C5A4}\{9F5D8B19-EFCA-EE59-2A819F5112EEBB2A}*]
"63AUOURV1X6YIYB2ELIFO4LTRC1 "=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(732)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Trend Micro\OfficeScan Client\OfcDog.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\FSRremoS.EXE
c:\windows\system32\PELMICED.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-08-06 10:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 14:17
ComboFix2.txt 2009-08-05 21:33

Pre-Run: 14,886,264,832 bytes free
Post-Run: 14,853,332,992 bytes free

172 --- E O F --- 2009-07-29 21:07

pilotgal8 · 2009/08/06

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:51 AM, on 8/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Portfolio Express 8.5.lnk = C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101156915875
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O17 - HKLM\Software\..\Telephony: DomainName = AOS-MAIN.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8125 bytes

pilotgal8 · 2009/08/06

Right after posting these two logs, the user could not start Adobe PageMaker 7.0
the tool he uses for his primary function of editing a magazine. Clciking on the dektop icon opens the small window in which the logo and authors are displayed. The full screen is then painted with the PageMaker format & then the windows close & there is no remnant of running program.

It was working when he left the office Wed 8/5 at 4:30 pm

This is an emergency!!!!!!!1

broni · 2009/08/06

Uninstall Combofix:
Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u "
Restart computer.

================================================================

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.

This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select Complete scan.

Click the green arrow at the right, and the scan will start.

Click Yes to all if it asks if you want to cure/move the file.

When the scan has finished, in the menu, click File and choose Save report list

Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Post fresh HijackThis log as well.

pilotgal8 · 2009/08/07

The Adobe programs stopped working after creating the combofix log in post #34.
Is there some indication in that log of what crippled Adobe Photoshop and PageMaker, that could be set right without re-activating a virus or Trojan?
The user has switched to a different computer, but I'd still like to know if this can be remedied on his machine, once clean.

broni · 2009/08/07

To whoever has been following this thread.
We exchanged quite a few PMs about the situation, and my main points were:

Sometimes, with seriously infected computer, malwares build themselves deep into Windows structure.
When removal process is started, sometimes, some Windows modules (programs, some features, internet connection, etc.) may get crippled.
That's the price, which sometimes has to be paid for cleaning heavily infected computer.
With programs, which stopped working, probably the easiest solution would be to reinstall them, BUT ONLY, when the whole cleaning process is done, and the computer is declared clean.
Click to expand...

Unfortunately, I have no explanation, because I don't see anything in those steps, which could cause those programs to stop working.
Step #30 is a simple HJT log, and nothing has been removed there. It's just an information log.
In step #29 following files were removed:
c:\docume~1\scanner\LOCALS~1\Temp\catchme.dll
c:\documents and settings\scanner\Local Settings\Temp\catchme.dll
c:\windows\Installer\2b3c5.msp
c:\windows\Installer\eec7.msi
c:\windows\Installer\eeeb.msi
c:\windows\Installer\f38d9.msp
c:\windows\Installer\fe611.msp
c:\windows\system32\config\systemprofile\Application Data\rhclt7j0e58e
c:\windows\system32\pwdmon.dll

None of the above files have any connection to any Adobe programs, not even to any legit program, I'm aware of.
You have to remember, that it's not your, or mine fault, that particular computer was so badly infected.
If someone wants to have nicely working computer, one can't allow to have his/her computer going into such a bad shape.
Click to expand...

At this point, I see no other option, but continue with next steps, prescribed in my previous reply, and reinstall said programs, when the cleaning procedure is over.

pilotgal8 · 2009/08/09

Dr.Web CureIt found nothing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:47 AM, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Portfolio Express 8.5.lnk = C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101156915875
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O17 - HKLM\Software\..\Telephony: DomainName = AOS-MAIN.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8266 bytes

Log in or Sign up

Solved Hard drive 'grinds' when trying to open email

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

Share This Page

Log in or Sign up

Solved Hard drive 'grinds' when trying to open email

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

broni Moderator Malware Analyst

pilotgal8 Well-Known Member Thread Starter

Share This Page

Useful Searches