
Inactive Help! av_md.exe, essledv.exe & siszyd32.exe

Discussion in 'Malware and Virus Removal Archive' started by Vasha, 2009/12/11.

  1. 2009/12/11
    Vasha


    Hi,

    I believe my laptop was infected by a site. I kept getting a popup stating that I was sending out emails. I don't currently use Outlook, so I knew it was a bit fishy.

    Anyways, I ran Processware and found the following:
    av_md.exe
    essledv.exe
    siszyd32.exe

    When I googled "av_md.exe", I found your thread:
    http://www.windowsbbs.com/malware-virus-removal/89241-active-help-my-computer-infected.html

    I started following the directions (not knowing how your site works) and all seemed really well until I hit ComboFix in the instructions. I think I really messed up. I had tried to install the Recovery Console and there was an error, but I think I kept scanning. The laptop froze a few times and I think it rebooted. I tried ComboFix a few more times, but I kept getting the error "Boot Partition cannot be enumerated correctly".

    Now, when I re-start the computer (thankfully it starts :), I get the following popup:

    Error loading C:\windows\uhedabexobedite.dll
    the specified module could not be found.

    Every once in a while, the NT AUTHORITY SYSTEM reboot comes up but the laptop doesn't reboot.

    I hope this is enough backup information.

    Please note: If it's too difficult to fix, I don't mind just erasing everything and starting over. I just wanted to know if it's safe to remove some files onto a flash drive or portable hard drive. I don't want to infect my other computer. (Yikes, that would be a disaster!)

    Any advice would be super appreciated. Thanks in advance for your help!

    ~Vasha


    Following is my DDS & Attach info. (I also have the other files from the previous thread, i.e. gmer, hijackthis, etc. If you want me to post those too, please let me know.)



    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Jennifer at 20:31:39.76 on Fri 12/11/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.294 [GMT -5:00]


    ============== Running Processes ===============

    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    C:\windows\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\windows\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\rundll32.exe
    C:\windows\system32\wscntfy.exe
    C:\Program Files\Trend Micro\Antivirus\PCClient.exe
    C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\windows\system32\wuauclt.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HDD Thermometer\HDD Thermometer.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Documents and Settings\Jennifer\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\pdfforgeToolbarIE.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\pdfforgeToolbarIE.dll
    uRun: [RSD_HDDThermo] c:\program files\hdd thermometer\HDD Thermometer.exe
    uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    uRun: [TransBar] c:\documents and settings\jennifer\local settings\application data\aksoftware\transbar\TransBar.exe /s
    mRun: [pccguide.exe] "c:\program files\trend micro\antivirus\pccguide.exe"
    mRun: [PCClient.exe] "c:\program files\trend micro\antivirus\PCClient.exe"
    mRun: [TM Outbreak Agent] "c:\program files\trend micro\antivirus\TMOAgent.exe" /run
    mRun: [SM1BG] c:\windows\SM1BG.EXE
    mRun: [eTrustPPAP] "c:\program files\ca\etrust pestpatrol\PPActiveDetection.exe"
    mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Szocovotu] rundll32.exe "c:\windows\uhedabexobedite.dll",Startup
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
    IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162170748697
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://gameadvisor.futuremark.com/global/msc37.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\43a6qfc5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://popurls.com/
    FF - component: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\43a6qfc5.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - component: c:\program files\mozilla firefox\extensions\{b922d405-6d13-4a2b-ae89-08a030da4402}\components\pdfforgeToolbarFF.dll
    FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
    FF - plugin: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\43a6qfc5.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
    FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {705AAA17-5FFA-4BB8-BDB5-321B4FF4A989} - c:\documents and settings\jennifer\local settings\application data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-17 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-26 93320]
    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2004-3-5 205328]
    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2004-3-5 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\antivirus\tmproxy.exe [2004-2-17 204873]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
    S2 Tmntsrv;Trend NT Realtime Service;c:\program files\trend micro\antivirus\Tmntsrv.exe [2004-2-17 241737]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
    S4 Tmpwsetbnrsh;Tmpwsetbnrsh; [x]

    =============== Created Last 30 ================

    2009-12-11 10:15:53 98816 ----a-w- c:\windows\sed.exe
    2009-12-11 10:15:53 77312 ----a-w- c:\windows\MBR.exe
    2009-12-11 10:15:53 261632 ----a-w- c:\windows\PEV.exe
    2009-12-11 10:15:53 161792 ----a-w- c:\windows\SWREG.exe
    2009-12-11 01:02:38 0 d-----w- c:\docume~1\jennifer\applic~1\Malwarebytes
    2009-12-11 01:02:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-11 01:02:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-12-11 01:02:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-11 01:02:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-10 01:35:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-12-10 01:33:08 0 d-----w- c:\program files\SUPERAntiSpyware
    2009-12-10 01:33:08 0 d-----w- c:\docume~1\jennifer\applic~1\SUPERAntiSpyware.com
    2009-12-10 00:26:15 116 ----a-w- c:\windows\system32\fjhdyfhsn.bat
    2009-12-09 06:53:08 0 ----a-w- c:\windows\Fyejotadoqe.bin
    2009-12-09 06:53:07 120 ----a-w- c:\windows\Shahoruke.dat
    2009-12-09 06:49:05 148768 ----a-w- c:\windows\system32\dllcache\atapi.sys
    2009-12-09 06:47:46 24 ----a-w- c:\docume~1\jennifer\applic~1\fvgqad.dat
    2009-12-09 06:46:58 4 ----a-w- c:\docume~1\jennifer\applic~1\avdrn.dat
    2009-12-08 08:31:33 54156 ---ha-w- c:\windows\QTFont.qfn
    2009-12-08 08:31:33 1409 ----a-w- c:\windows\QTFont.for
    2009-12-05 19:17:47 0 d-----w- c:\program files\Market Samurai
    2009-12-04 04:28:52 0 d-----w- C:\wamp
    2009-11-25 03:58:37 29 ----a-w- c:\windows\DEBUGSM.INI
    2009-11-22 22:55:38 0 d-sh--w- c:\documents and settings\jennifer\IECompatCache

    ==================== Find3M ====================

    2009-12-11 01:04:53 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-11-21 17:53:13 2234 ----a-w- c:\docume~1\jennifer\applic~1\SAS7_000.DAT
    2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
    2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
    2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
    2009-10-16 07:20:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
    2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
    2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
    2003-08-27 22:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
    2008-11-08 01:03:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110720081108\index.dat

    ============= FINISH: 20:33:03.71 ===============
     
  2. 2009/12/11
    Geri
    Hi Vasha
    Welcome to WindowsBBS

    Please do the following.

    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall

    Now please follow these instructions.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

    If you are prompted to install the Recovery Console, Please do so.

    Thanks
    Geri
     

  4. 2009/12/12
    Vasha

    Hi Geri, thanks for your help!

    I uninstalled and re-installed ComboFix on my desktop and unfortunately, when I try to install the Recovery Console, I'm getting the same error as before: "Boot Partition cannot be enumerated correctly". I tried it 4-5 times just in case.

    Also, when I uninstalled ComboFix I had the error:
    Windows cannot find 'NRCMD'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search.

    (All protection applications were disabled).
     
  5. 2009/12/12
    Geri
    Hi
    OK, for now don't install the RC. Just let ComboFix run through the cleaning and post its log.

    Geri
     
  6. 2009/12/12
    Vasha

    Oh hey! I got a log this time :) Here it is:

    ComboFix 09-12-11.05 - Jennifer 12/12/2009 14:33:17.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.223 [GMT -5:00]
    Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\docume~1\Jennifer\LOCALS~1\Temp\tmp1.tmp
    c:\docume~1\Jennifer\LOCALS~1\Temp\tmp2.tmp
    c:\program files\pdfforge Toolbar\SearchSettings.dll
    c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\windows\uhedabexobedite.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
    .

    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Malwarebytes
    2009-12-11 01:02 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-11 01:02 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-10 01:35 . 2009-12-10 01:35 117760 ----a-w- c:\documents and settings\Jennifer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-10 01:35 . 2009-12-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-10 01:33 . 2009-12-10 01:33 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-10 01:33 . 2009-12-10 01:33 -------- d-----w- c:\documents and settings\Jennifer\Application Data\SUPERAntiSpyware.com
    2009-12-10 00:26 . 2009-12-11 01:04 116 ----a-w- c:\windows\system32\fjhdyfhsn.bat
    2009-12-09 06:53 . 2009-12-11 01:01 0 ----a-w- c:\windows\Fyejotadoqe.bin
    2009-12-09 06:53 . 2009-12-09 06:53 120 ----a-w- c:\windows\Shahoruke.dat
    2009-12-09 06:53 . 2009-12-09 06:53 -------- d-----w- c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}
    2009-12-09 06:49 . 2009-12-11 01:04 148768 ----a-w- c:\windows\system32\dllcache\atapi.sys
    2009-12-05 19:17 . 2009-12-05 19:17 -------- d-----w- c:\program files\Market Samurai
    2009-12-04 04:28 . 2009-12-04 04:29 -------- d-----w- C:\wamp
    2009-12-03 23:57 . 2009-12-03 23:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2009-11-25 03:58 . 2009-11-25 03:58 -------- d-----w- c:\documents and settings\Jennifer\Application Data\EPSON
    2009-11-24 00:59 . 2009-11-23 20:27 52224 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
    2009-11-24 00:59 . 2009-11-23 20:27 114688 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\npmozax.dll
    2009-11-22 22:55 . 2009-11-22 22:55 -------- d-sh--w- c:\documents and settings\Jennifer\IECompatCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-12 19:26 . 2006-08-09 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HDD Thermometer
    2009-12-12 19:25 . 2006-01-31 18:59 314 ----a-w- c:\windows\system32\tablet.dat
    2009-12-11 10:31 . 2009-08-29 21:17 -------- d-----w- c:\program files\pdfforge Toolbar
    2009-12-11 01:04 . 2004-08-04 00:59 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-12-11 01:03 . 2009-12-11 01:03 24 ----a-w- c:\documents and settings\LocalService\Application Data\fvgqad.dat
    2009-12-10 01:28 . 2009-08-22 08:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-10 01:28 . 2009-08-08 21:01 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Dropbox
    2009-12-10 00:23 . 2009-09-10 22:40 295752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-12-09 06:47 . 2009-12-09 06:47 24 ----a-w- c:\documents and settings\Jennifer\Application Data\fvgqad.dat
    2009-12-09 06:46 . 2009-12-09 06:46 4 ----a-w- c:\documents and settings\Jennifer\Application Data\avdrn.dat
    2009-12-06 18:22 . 2009-02-04 00:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-03 23:44 . 2009-02-26 06:37 -------- d-----w- c:\program files\McAfee
    2009-12-02 00:50 . 2007-05-26 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-11-27 08:18 . 2009-10-16 07:20 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
    2009-11-27 07:12 . 2009-08-21 00:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-11-27 07:11 . 2008-10-08 16:14 38208 ----a-w- c:\documents and settings\Jennifer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-11-21 17:53 . 2009-09-21 01:01 2234 ----a-w- c:\documents and settings\Jennifer\Application Data\SAS7_000.DAT
    2009-11-21 17:49 . 2009-09-20 23:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-13 04:14 . 2009-08-23 06:52 -------- d-----w- c:\program files\Ultimate Keyword Theme Extractor
    2009-11-07 04:09 . 2009-07-30 05:33 -------- d-----w- c:\program files\GreenLife Emerald Viewer
    2009-10-30 05:44 . 2009-10-29 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-10-29 07:45 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-29 02:35 . 2009-10-29 05:18 576000 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
    2009-10-26 21:09 . 2009-08-29 07:58 89962 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\Uninstall.exe
    2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 08:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-15 01:47 . 2009-10-15 01:47 -------- d-----w- c:\program files\HandBrake
    2009-10-13 10:30 . 2004-08-04 08:00 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2004-08-04 08:00 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\Dropbox.exe
    2009-09-23 20:37 . 2009-10-29 05:23 34112 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
    2009-09-23 20:37 . 2009-10-29 05:23 32448 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2009-09-23 20:37 . 2009-10-29 05:23 22352 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2003-08-27 22:19 . 2005-12-29 11:44 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ------- Sigcheck -------

    [-] 2009-12-11 01:04 . A63D0D7159B8A2A72DF794DF3F53AD0A . 148768 . . [------] . . c:\windows\system32\dllcache\atapi.sys
    [-] 2009-12-11 01:04 . A63D0D7159B8A2A72DF794DF3F53AD0A . 148768 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
    2009-07-31 06:00 698880 ----a-w- c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B922D405-6D13-4A2B-AE89-08A030DA4402}"="c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll" [2009-07-31 698880]

    [HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RSD_HDDThermo"="c:\program files\HDD Thermometer\HDD Thermometer.exe" [2005-04-01 215040]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "TransBar"="c:\documents and settings\Jennifer\Local Settings\Application Data\AKSoftware\TransBar\TransBar.exe" [2005-06-01 65536]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 950337]
    "PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
    "TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 290816]
    "SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
    "eTrustPPAP"="c:\program files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2006-02-16 131072]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-16 520024]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2008-09-10 0]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-1-6 19968]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
    backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jennifer^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
    path=c:\documents and settings\Jennifer\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
    backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2005-01-21 20:40 790528 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2008-09-10 00:23 0 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2008-09-10 00:24 0 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-02-19 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 21:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2004-04-13 22:36 1470464 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    2009-07-29 19:52 1024512 ----a-w- c:\program files\pdfforge Toolbar\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2006-12-19 01:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2008-09-10 00:27 0 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2006-02-21 08:53 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    2007-06-07 18:08 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\NeverwinterNights\\NWN\\nwmain.exe"=
    "c:\\Program Files\\NeverwinterNights\\NWN\\nwupdate.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SecondLife\\SecondLife.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\SecondLife\\SLVoice.exe"=
    "c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Texture Preview for Second Life\\TexturePreview.exe"=
    "c:\\Program Files\\OpenLife R15-1\\SLVoice.exe"=
    "c:\\Program Files\\OpenSimKV\\OpenSim.exe"=
    "c:\\Program Files\\Hippo_OpenSim_Viewer\\SLVoice.exe"=
    "c:\\Program Files\\Snowglobe\\SLVoice.exe"=
    "c:\\Program Files\\GreenLife Emerald Viewer\\SLVoice.exe"=
    "c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/17/2009 2:18 AM 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/26/2009 1:38 AM 93320]
    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 2:53 PM 205328]
    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 2:53 PM 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 5:58 PM 204873]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
    S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 5:57 PM 241737]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
    S4 Tmpwsetbnrsh;Tmpwsetbnrsh; [x]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://popurls.com/
    FF - component: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
    FF - plugin: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - HiddenExtension: XULRunner: {705AAA17-5FFA-4BB8-BDB5-321B4FF4A989} - c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Szocovotu - c:\windows\uhedabexobedite.dll
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-12 14:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(752)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(15704)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll
    c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-12-12 14:51:15
    ComboFix-quarantined-files.txt 2009-12-12 19:51

    Pre-Run: 16,811,065,344 bytes free
    Post-Run: 16,777,707,520 bytes free

    - - End Of File - - D005C24E14E911165E7EC1286D9BA168
     
  7. 2009/12/12
    Geri (Inactive Alumni, Lifetime Subscription; joined 2003/03/02)
    Hi
    Please do the following.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
    Code:
    File::
    c:\windows\system32\fjhdyfhsn.bat
    c:\windows\Fyejotadoqe.bin
    c:\windows\Shahoruke.dat
    c:\documents and settings\LocalService\Application Data\fvgqad.dat
    c:\documents and settings\Jennifer\Application Data\fvgqad.dat
    c:\documents and settings\Jennifer\Application Data\avdrn.dat
    Folder::
    c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}
    Driver::
    Tmpwsetbnrsh
    Geri
     
    Geri,
    #6
  8. 2009/12/12
    Vasha (Thread Starter, Inactive; joined 2009/12/11)
    Thanks Geri! Here's the new log:

    ComboFix 09-12-11.05 - Jennifer 12/12/2009 23:42:23.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.273 [GMT -5:00]
    Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Jennifer\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    "c:\documents and settings\Jennifer\Application Data\avdrn.dat "
    "c:\documents and settings\Jennifer\Application Data\fvgqad.dat "
    "c:\documents and settings\LocalService\Application Data\fvgqad.dat "
    "c:\windows\Fyejotadoqe.bin "
    "c:\windows\Shahoruke.dat "
    "c:\windows\system32\fjhdyfhsn.bat "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Jennifer\Application Data\avdrn.dat
    c:\documents and settings\Jennifer\Application Data\fvgqad.dat
    c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}
    c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}\chrome.manifest
    c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}\chrome\content\_cfg.js
    c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}\chrome\content\overlay.xul
    c:\documents and settings\Jennifer\Local Settings\Application Data\{705AAA17-5FFA-4BB8-BDB5-321B4FF4A989}\install.rdf
    c:\documents and settings\LocalService\Application Data\fvgqad.dat
    c:\windows\Fyejotadoqe.bin
    c:\windows\Shahoruke.dat
    c:\windows\system32\fjhdyfhsn.bat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_Tmpwsetbnrsh


    ((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
    .

    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Malwarebytes
    2009-12-11 01:02 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-11 01:02 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-10 01:35 . 2009-12-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-10 01:33 . 2009-12-10 01:33 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-10 01:33 . 2009-12-10 01:33 -------- d-----w- c:\documents and settings\Jennifer\Application Data\SUPERAntiSpyware.com
    2009-12-09 06:49 . 2009-12-11 01:04 148768 ----a-w- c:\windows\system32\dllcache\atapi.sys
    2009-12-05 19:17 . 2009-12-05 19:17 -------- d-----w- c:\program files\Market Samurai
    2009-12-04 04:28 . 2009-12-04 04:29 -------- d-----w- C:\wamp
    2009-12-03 23:57 . 2009-12-03 23:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2009-11-25 03:58 . 2009-11-25 03:58 -------- d-----w- c:\documents and settings\Jennifer\Application Data\EPSON
    2009-11-22 22:55 . 2009-11-22 22:55 -------- d-sh--w- c:\documents and settings\Jennifer\IECompatCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-13 04:57 . 2006-08-09 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HDD Thermometer
    2009-12-13 04:54 . 2006-01-31 18:59 314 ----a-w- c:\windows\system32\tablet.dat
    2009-12-11 10:31 . 2009-08-29 21:17 -------- d-----w- c:\program files\pdfforge Toolbar
    2009-12-11 01:04 . 2004-08-04 00:59 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-12-10 01:35 . 2009-12-10 01:35 117760 ----a-w- c:\documents and settings\Jennifer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-10 01:28 . 2009-08-22 08:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-10 01:28 . 2009-08-08 21:01 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Dropbox
    2009-12-10 00:23 . 2009-09-10 22:40 295752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-12-06 18:22 . 2009-02-04 00:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-03 23:44 . 2009-02-26 06:37 -------- d-----w- c:\program files\McAfee
    2009-12-02 00:50 . 2007-05-26 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-11-27 08:18 . 2009-10-16 07:20 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
    2009-11-27 07:12 . 2009-08-21 00:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-11-27 07:11 . 2008-10-08 16:14 38208 ----a-w- c:\documents and settings\Jennifer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-11-23 20:27 . 2009-11-24 00:59 52224 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
    2009-11-23 20:27 . 2009-11-24 00:59 114688 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\npmozax.dll
    2009-11-21 17:53 . 2009-09-21 01:01 2234 ----a-w- c:\documents and settings\Jennifer\Application Data\SAS7_000.DAT
    2009-11-21 17:49 . 2009-09-20 23:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-13 04:14 . 2009-08-23 06:52 -------- d-----w- c:\program files\Ultimate Keyword Theme Extractor
    2009-11-07 04:09 . 2009-07-30 05:33 -------- d-----w- c:\program files\GreenLife Emerald Viewer
    2009-10-30 05:44 . 2009-10-29 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-10-29 07:45 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-29 02:35 . 2009-10-29 05:18 576000 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
    2009-10-26 21:09 . 2009-08-29 07:58 89962 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\Uninstall.exe
    2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 08:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-15 01:47 . 2009-10-15 01:47 -------- d-----w- c:\program files\HandBrake
    2009-10-13 10:30 . 2004-08-04 08:00 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2004-08-04 08:00 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\Dropbox.exe
    2009-09-23 20:37 . 2009-10-29 05:23 34112 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
    2009-09-23 20:37 . 2009-10-29 05:23 32448 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2009-09-23 20:37 . 2009-10-29 05:23 22352 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2003-08-27 22:19 . 2005-12-29 11:44 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ------- Sigcheck -------

    [-] 2009-12-11 01:04 . A63D0D7159B8A2A72DF794DF3F53AD0A . 148768 . . [------] . . c:\windows\system32\dllcache\atapi.sys
    [-] 2009-12-11 01:04 . A63D0D7159B8A2A72DF794DF3F53AD0A . 148768 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
    2009-07-31 06:00 698880 ----a-w- c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B922D405-6D13-4A2B-AE89-08A030DA4402}"="c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll" [2009-07-31 698880]

    [HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RSD_HDDThermo"="c:\program files\HDD Thermometer\HDD Thermometer.exe" [2005-04-01 215040]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "TransBar"="c:\documents and settings\Jennifer\Local Settings\Application Data\AKSoftware\TransBar\TransBar.exe" [2005-06-01 65536]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "pccguide.exe"="c:\program files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 950337]
    "PCClient.exe"="c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
    "TM Outbreak Agent"="c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 290816]
    "SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
    "eTrustPPAP"="c:\program files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2006-02-16 131072]
    "ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-16 520024]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2008-09-10 0]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-1-6 19968]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
    backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jennifer^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
    path=c:\documents and settings\Jennifer\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
    backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2005-01-21 20:40 790528 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2008-09-10 00:23 0 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2008-09-10 00:24 0 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-02-19 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 21:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2004-04-13 22:36 1470464 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    2009-07-29 19:52 1024512 ----a-w- c:\program files\pdfforge Toolbar\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2006-12-19 01:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2008-09-10 00:27 0 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2006-02-21 08:53 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    2007-06-07 18:08 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\NeverwinterNights\\NWN\\nwmain.exe"=
    "c:\\Program Files\\NeverwinterNights\\NWN\\nwupdate.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SecondLife\\SecondLife.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\SecondLife\\SLVoice.exe"=
    "c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Texture Preview for Second Life\\TexturePreview.exe"=
    "c:\\Program Files\\OpenLife R15-1\\SLVoice.exe"=
    "c:\\Program Files\\OpenSimKV\\OpenSim.exe"=
    "c:\\Program Files\\Hippo_OpenSim_Viewer\\SLVoice.exe"=
    "c:\\Program Files\\Snowglobe\\SLVoice.exe"=
    "c:\\Program Files\\GreenLife Emerald Viewer\\SLVoice.exe"=
    "c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/17/2009 2:18 AM 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/26/2009 1:38 AM 93320]
    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 2:53 PM 205328]
    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 2:53 PM 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 5:58 PM 204873]
    S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 5:57 PM 241737]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://popurls.com/
    FF - component: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-12 23:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(752)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2832)
    c:\windows\system32\WININET.dll
    c:\program files\RocketDock\RocketDock.dll
    c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
    c:\program files\SmartFTP\smarthook.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\Tablet.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-13 00:08:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-13 05:08
    ComboFix2.txt 2009-12-12 19:51

    Pre-Run: 16,777,068,544 bytes free
    Post-Run: 16,656,125,952 bytes free

    - - End Of File - - A5C738DA958DAA4321E42D4BC9072AAD
     
  9. 2009/12/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    OK, please do this.

    You need to download the installation package for the Setup Disks for Floppy Boot Install from Microsoft so that we can use it to install the Recovery Console on your computer. No validation required! Please select the download link below that's appropriate for your Operating System, then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file.

    If you have SP3 installed, use the SP2 version.



    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

    Please do not reboot your machine until we have reviewed the log.

    Geri
     
  10. 2009/12/13
    Vasha

    Vasha Inactive Thread Starter

    Joined:
    2009/12/11
    Messages:
    12
    Likes Received:
    0
    Ok, got it:

    ComboFix 09-12-11.05 - Jennifer 12/13/2009 4:52.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.291 [GMT -5:00]
    Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Jennifer\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
    .

    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Malwarebytes
    2009-12-11 01:02 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-11 01:02 . 2009-12-11 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-11 01:02 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-10 01:35 . 2009-12-10 01:35 117760 ----a-w- c:\documents and settings\Jennifer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-10 01:35 . 2009-12-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-10 01:33 . 2009-12-10 01:33 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-10 01:33 . 2009-12-10 01:33 -------- d-----w- c:\documents and settings\Jennifer\Application Data\SUPERAntiSpyware.com
    2009-12-09 06:49 . 2009-12-13 09:40 148768 ----a-w- c:\windows\system32\dllcache\atapi.sys
    2009-12-05 19:17 . 2009-12-05 19:17 -------- d-----w- c:\program files\Market Samurai
    2009-12-04 04:28 . 2009-12-04 04:29 -------- d-----w- C:\wamp
    2009-12-03 23:57 . 2009-12-03 23:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2009-11-25 03:58 . 2009-11-25 03:58 -------- d-----w- c:\documents and settings\Jennifer\Application Data\EPSON
    2009-11-24 00:59 . 2009-11-23 20:27 52224 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
    2009-11-24 00:59 . 2009-11-23 20:27 114688 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\npmozax.dll
    2009-11-22 22:55 . 2009-11-22 22:55 -------- d-sh--w- c:\documents and settings\Jennifer\IECompatCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-13 09:40 . 2004-08-04 00:59 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-12-13 09:39 . 2006-08-09 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HDD Thermometer
    2009-12-13 09:37 . 2006-01-31 18:59 314 ----a-w- c:\windows\system32\tablet.dat
    2009-12-11 10:31 . 2009-08-29 21:17 -------- d-----w- c:\program files\pdfforge Toolbar
    2009-12-10 01:28 . 2009-08-22 08:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-10 01:28 . 2009-08-08 21:01 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Dropbox
    2009-12-10 00:23 . 2009-09-10 22:40 295752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-12-06 18:22 . 2009-02-04 00:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-03 23:44 . 2009-02-26 06:37 -------- d-----w- c:\program files\McAfee
    2009-12-02 00:50 . 2007-05-26 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-11-27 08:18 . 2009-10-16 07:20 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
    2009-11-27 07:12 . 2009-08-21 00:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-11-27 07:11 . 2008-10-08 16:14 38208 ----a-w- c:\documents and settings\Jennifer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-11-21 17:53 . 2009-09-21 01:01 2234 ----a-w- c:\documents and settings\Jennifer\Application Data\SAS7_000.DAT
    2009-11-21 17:49 . 2009-09-20 23:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-13 04:14 . 2009-08-23 06:52 -------- d-----w- c:\program files\Ultimate Keyword Theme Extractor
    2009-11-07 04:09 . 2009-07-30 05:33 -------- d-----w- c:\program files\GreenLife Emerald Viewer
    2009-10-30 05:44 . 2009-10-29 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-10-29 07:45 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-29 02:35 . 2009-10-29 05:18 576000 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
    2009-10-26 21:09 . 2009-08-29 07:58 89962 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\Uninstall.exe
    2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 08:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-15 01:47 . 2009-10-15 01:47 -------- d-----w- c:\program files\HandBrake
    2009-10-13 10:30 . 2004-08-04 08:00 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2004-08-04 08:00 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\Dropbox.exe
    2009-09-23 20:37 . 2009-10-29 05:23 34112 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
    2009-09-23 20:37 . 2009-10-29 05:23 32448 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2009-09-23 20:37 . 2009-10-29 05:23 22352 ----a-w- c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2003-08-27 22:19 . 2005-12-29 11:44 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ------- Sigcheck -------

    [-] 2009-12-13 09:40 . A63D0D7159B8A2A72DF794DF3F53AD0A . 148768 . . [------] . . c:\windows\system32\dllcache\atapi.sys
    [-] 2009-12-13 09:40 . A63D0D7159B8A2A72DF794DF3F53AD0A . 148768 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
    2009-07-31 06:00 698880 ----a-w- c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B922D405-6D13-4A2B-AE89-08A030DA4402} "= "c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll" [2009-07-31 698880]

    [HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @= "{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @= "{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @= "{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Jennifer\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RSD_HDDThermo "= "c:\program files\HDD Thermometer\HDD Thermometer.exe" [2005-04-01 215040]
    "RocketDock "= "c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "TransBar "= "c:\documents and settings\Jennifer\Local Settings\Application Data\AKSoftware\TransBar\TransBar.exe" [2005-06-01 65536]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "pccguide.exe "= "c:\program files\Trend Micro\Antivirus\pccguide.exe" [2004-02-17 950337]
    "PCClient.exe "= "c:\program files\Trend Micro\Antivirus\PCClient.exe" [2004-02-17 634949]
    "TM Outbreak Agent "= "c:\program files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-17 290816]
    "SM1BG "= "c:\windows\SM1BG.EXE" [2003-08-27 94208]
    "eTrustPPAP "= "c:\program files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2006-02-16 131072]
    "ClamWin "= "c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
    "Ad-Watch "= "c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-16 520024]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "DNS7reminder "= "c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2008-09-10 0]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
    WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-1-6 19968]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
    backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jennifer^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
    path=c:\documents and settings\Jennifer\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
    backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2005-01-21 20:40 790528 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2008-09-10 00:23 0 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2008-09-10 00:24 0 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-02-19 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 21:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2004-04-13 22:36 1470464 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    2009-07-29 19:52 1024512 ----a-w- c:\program files\pdfforge Toolbar\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2006-12-19 01:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2008-09-10 00:27 0 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2006-02-21 08:53 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    2007-06-07 18:08 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService "=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe "=
    "c:\\Program Files\\NeverwinterNights\\NWN\\nwmain.exe "=
    "c:\\Program Files\\NeverwinterNights\\NWN\\nwupdate.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\SecondLife\\SecondLife.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\SecondLife\\SLVoice.exe "=
    "c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Texture Preview for Second Life\\TexturePreview.exe "=
    "c:\\Program Files\\OpenLife R15-1\\SLVoice.exe "=
    "c:\\Program Files\\OpenSimKV\\OpenSim.exe "=
    "c:\\Program Files\\Hippo_OpenSim_Viewer\\SLVoice.exe "=
    "c:\\Program Files\\Snowglobe\\SLVoice.exe "=
    "c:\\Program Files\\GreenLife Emerald Viewer\\SLVoice.exe "=
    "c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe "=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/17/2009 2:18 AM 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/26/2009 1:38 AM 93320]
    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [3/5/2004 2:53 PM 205328]
    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/5/2004 2:53 PM 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [2/17/2004 5:58 PM 204873]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
    S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [2/17/2004 5:57 PM 241737]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://popurls.com/
    FF - component: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
    FF - plugin: c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\43a6qfc5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-13 05:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed "= "1 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(748)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2009-12-13 05:06:03
    ComboFix-quarantined-files.txt 2009-12-13 10:05
    ComboFix2.txt 2009-12-13 05:08
    ComboFix3.txt 2009-12-12 19:51

    Pre-Run: 16,627,273,728 bytes free
    Post-Run: 16,591,773,696 bytes free

    - - End Of File - - C7D0669850A90908046CDCFFB27B110E
     
  11. 2009/12/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Are you running two Anti-Virus programs?
    c:\program files\trend micro\antivirus
    c:\program files\clamwin

    If so please remove one of them.

    Please download BootCheck.exe to your desktop.
    • Double click BootCheck.exe to run the check
    • When complete, a Notepad window will open with some text in it
    • Save the Notepad file to your desktop as BootCheck.txt
    • Copy the contents of BootCheck.txt and post it in your next reply

    Geri
     
  12. 2009/12/13
    Vasha

    Vasha Inactive Thread Starter

    Joined:
    2009/12/11
    Messages:
    12
    Likes Received:
    0
    Ooops, yes I have both. I went ahead and got rid of Clam.

    I downloaded bootcheck and for some reason I got the siteadvisor warning -- yellow.

    Here's the info:

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

    Contents of boot.ini:

    Hmmm .. should I re-do?
     
  13. 2009/12/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I'm not sure what is stopping the installation.

    Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now this.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Read then Click Accept on the Information page.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, Click on My Computer
    • This will start the program and scan your system.
    • Click the “Scan Report” On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  14. 2009/12/14
    Vasha

    Vasha Inactive Thread Starter

    Joined:
    2009/12/11
    Messages:
    12
    Likes Received:
    0
    Sorry Geri, I'm not ignoring you.

    Kaspersky was off-line last night. I've been trying desperately (for a few hours now) to scan but it keeps closing my browser. Is there an alternative?

    Do you think it would be safe to just back up my folders in the computer w/o infecting my other computers? I think I just want to reformat at this point.
     
  15. 2009/12/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I believe so. Make sure that you run a virus scan on them before you load them on your other computer.

    I believe your computer is mostly clean. We could try another on line scanner.
    If you want to try this one.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Geri
     
  16. 2009/12/15
    Vasha

    Vasha Inactive Thread Starter

    Joined:
    2009/12/11
    Messages:
    12
    Likes Received:
    0
    Active scan worked. I think I still have some trojans. :(
    There doesn't seem to be a "see report" button. But they do have an export txt. I hope this shows everything:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-12-15 18:43:21
    PROTECTIONS: 0
    MALWARE: 17
    SUSPECTS: 36
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\hippo_opensim_viewer\browser_profile\cookies.txt[.casalemedia.com/]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.doubleclick.net/]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.doubleclick.net/]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\hippo_opensim_viewer\browser_profile\cookies.txt[.doubleclick.net/]
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.atdmt.com/]
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.247realmedia.com/]
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.mediaplex.com/]
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.mediaplex.com/]
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\hippo_opensim_viewer\browser_profile\cookies.txt[.statcounter.com/]
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\hippo_opensim_viewer\browser_profile\cookies.txt[.statcounter.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[ad.yieldmanager.com/]
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\hippo_opensim_viewer\browser_profile\cookies.txt[ad.yieldmanager.com/]
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.apmebf.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.advertising.com/]
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.advertising.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.ads.pointroll.com/]
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.ads.pointroll.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.realmedia.com/]
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.questionmarket.com/]
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\secondlife\browser_profile\cookies.txt[.questionmarket.com/]
    00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\hippo_opensim_viewer\browser_profile\cookies.txt[.adrevolver.com/]
    00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No c:\documents and settings\jennifer\application data\hippo_opensim_viewer\browser_profile\cookies.txt[.adrevolver.com/]
    01048936 Generic Malware Virus/Trojan No 0 Yes No c:\program files\gamespy arcade\services\_common\portraitloader.dll
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108229.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0104909.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp625\a0103845.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\windows\system32\drivers\atapi.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp629\a0108371.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp629\a0108372.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\windows\system32\dllcache\atapi.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp625\a0103844.sys
    03587590 Adware/Yassist Adware No 0 No No c:\documents and settings\jennifer\desktop\downloads\divxinstaller.exe[²Ã§Ã§\y_toolbar.exe][²Ã¨Ã§]
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No c:\documents and settings\jennifer\desktop\combofix.exe[32788r22fwjfw\pev.exe]
    No c:\documents and settings\jennifer\desktop\downloads\combofix.exe[32788r22fwjfw\pev.exe]
    No c:\swsetup\default\disk1\data1.cab[cpqsetver.exe]
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0105968.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0105995.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0106047.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0106115.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0106135.exe[32788r22fwjfw\pev.exe]
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0106183.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0106253.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0106321.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0106389.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp627\a0107441.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp627\a0107493.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107574.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107643.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107671.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107673.exe[32788r22fwjfw\pev.exe]
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107724.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107792.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107860.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0107928.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108008.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp625\a0102859.sys
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp625\a0102860.sys
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0103869.sys
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108030.exe[32788r22fwjfw\pev.exe]
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp626\a0103870.sys
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108078.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108106.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108169.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108204.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp628\a0108345.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp629\a0108386.exe
    No c:\system volume information\_restore{d5341f9c-33f7-43cf-8bd2-1ae937c9ba1b}\rp629\a0108505.exe
    No c:\windows\pev.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  17. 2009/12/15
    Geri
    Hi
    OK, these are what need to be removed.

    c:\program files\gamespy arcade\services\_common\portraitloader.dll
    c:\documents and settings\jennifer\desktop\downloads\divxinstaller.exe

    This one needs to be replaced.
    c:\windows\system32\drivers\atapi.sys

    Are you up to doing this? or do you still want to do a reinstall?

    Let me know.

    Geri
     
  18. 2009/12/15
    Vasha
    Sure, I might as well.
    Thanks Geri.
     
  19. 2009/12/16
    Geri
    Hi
    OK, first please remove ComboFix; there is a small problem with one of the releases, so let's make sure you are safe.
    Please do this.

    This will uninstall ComboFix and remove the files/folders it created.
    This action will also reset the System Restore points, removing any infected files there as well.
    Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.

    Now let's do this manually.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    c:\program files\gamespy arcade\services\_common\portraitloader.dll
    c:\documents and settings\jennifer\desktop\downloads\divxinstaller.exe


    Now please do this.

    Go to this folder C:\WINDOWS\Service Pack Files

    Look for this file: atapi.sys

    Let me know if you find it there.

    Geri
     
  20. 2009/12/18
    Vasha
    Thanks Geri.
    I deleted everything.
    I could not find the atapi.sys file, however.
    I haven't restarted yet. Is it safe to do so now?
     
  21. 2009/12/18
    Geri
    Hi
    No don't reboot yet.

    I'm sorry it would have been listed in this folder.

    C:\WINDOWS\Service Pack Files\i386

    If you can't find it, please download FileFind from Atribune.
    Unzip the file and save it to your desktop.

    To run FileFind, please do the following:
    • Click on FileFind.exe
    • In the box labeled "File"
    • Enter the file atapi.sys
    • Now click on the "Search" button
    • Once the utility has found the files click on "Export"
    • A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
    • NOTE: The notepad is saved on your C:\ drive as "Export.txt"

    Thanks
    Geri
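The FileFind step above is really an inventory: every atapi.sys on the disk, so that the copy Geri expects under C:\WINDOWS\Service Pack Files\i386 can be compared with the copies the Panda log flagged as Trj/CI.A in system32\drivers and system32\dllcache. The script below is an added example, not Geri's instructions and not Atribune's FileFind: it walks a tree, hashes every file with the requested name, and reports which copies match the reference and which differ. The directory layout and file bytes it builds for its demo run are constructed stand-ins mirroring the thread's paths, not real driver contents, and the reference path it assumes is the one Geri names.

```python
"""Inventory every copy of a file (here atapi.sys) and compare hashes to a reference copy.

Added example for the thread; it is not part of the original posts. The demo
tree built by build_demo_tree() is constructed data, not real Windows files.
"""
import hashlib
import os
import sys
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so a large driver never has to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename):
    """Walk `root` and return {sha256: [paths]} for every file named `filename`.

    The name match is case-insensitive because NTFS and FAT paths are.
    Directories that cannot be entered (System Volume Information without the
    right ACL, for instance) are skipped instead of aborting the sweep.
    """
    groups = defaultdict(list)
    target = filename.lower()
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            if name.lower() != target:
                continue
            full = Path(dirpath) / name
            try:
                groups[sha256_of(full)].append(str(full))
            except OSError:
                continue  # locked or unreadable: report nothing rather than guess
    return dict(groups)


def classify(groups, reference_path):
    """Split the found copies into those matching the reference hash and those that differ.

    `reference_path` must be one of the paths in `groups`; in the thread that is
    C:\\WINDOWS\\Service Pack Files\\i386\\atapi.sys (assumption: that copy is clean).
    """
    norm = lambda p: os.path.normcase(os.path.abspath(p))
    want = norm(reference_path)
    ref_hash = next((h for h, paths in groups.items()
                     if any(norm(p) == want for p in paths)), None)
    if ref_hash is None:
        raise FileNotFoundError(f"reference copy not found: {reference_path}")
    same = sorted(groups[ref_hash])
    differ = sorted(p for h, paths in groups.items() if h != ref_hash for p in paths)
    return {"reference_sha256": ref_hash, "matches_reference": same, "differs": differ}


def build_demo_tree(base):
    """Constructed sample layout mirroring the thread's paths; the bytes are placeholders."""
    clean = b"MZ-clean-atapi-demo"
    patched = b"MZ-patched-atapi-demo"
    layout = {
        ("WINDOWS", "system32", "drivers", "atapi.sys"): patched,
        ("WINDOWS", "system32", "dllcache", "atapi.sys"): patched,
        ("WINDOWS", "Service Pack Files", "i386", "atapi.sys"): clean,
        ("WINDOWS", "system32", "drivers", "disk.sys"): b"unrelated-driver",
    }
    for parts, data in layout.items():
        p = Path(base).joinpath(*parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return str(Path(base) / "WINDOWS" / "Service Pack Files" / "i386" / "atapi.sys")


def demo():
    """Run the sweep over the constructed tree in a temp directory and return the report."""
    with tempfile.TemporaryDirectory() as base:
        reference = build_demo_tree(base)
        return classify(find_copies(base, "atapi.sys"), reference)


if __name__ == "__main__":
    # Usage on a real box: python find_copies.py C:\ "C:\WINDOWS\Service Pack Files\i386\atapi.sys"
    if len(sys.argv) == 3:
        report = classify(find_copies(sys.argv[1], "atapi.sys"), sys.argv[2])
    else:
        report = demo()
    for key, value in report.items():
        print(key, value)
```

Two caveats a practitioner would keep in mind: the hash grouping only shows which copies agree with the Service Pack Files copy, not that the Service Pack Files copy is itself clean, so check its Authenticode signature (Sysinternals sigcheck does this) before using it as the replacement; and on a live system the in-use driver can be locked or hidden by the rootkit, which is why the sweep skips unreadable files instead of reporting a hash it did not compute.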