
Solved Need help with XP machine that won't run in normal mode

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2010/09/17.


    This must be the week for sick PCs. A co-worker asked me for help with their PC. It's a WinXP machine with SP2 installed; when you boot to normal mode, the desktop loads, then flickers, then it goes to a black screen, like a BSOD but with no messages or anything, and powering off is the only way out. It will boot to safe mode, however. I have loaded and run Malwarebytes and SUPERAntiSpyware and both cleaned up a lot of stuff. I have the DDS logs but had to run it in safe mode since I can't get a normal boot.

    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Owner at 12:52:42.87 on Fri 09/17/2010
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.257 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZUxdm08018US&ptb=wDSZwWpJnj3GeQqM92HrGQ
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
    uURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\itunes\ituneshelpersrv.exe,c:\program files\microsoft\desktoplayer.exe,c:\program files\itunes\ituneshelpersrvsrv.exe
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    {28f22877-cede-48d3-ad20-accc2add9046}
    BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe "
    mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Twoseguwivi] rundll32.exe "c:\windows\eqelaxufosiziwa.dll ",Startup
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    uPolicies-system: Wallpaper =
    IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
    IE: &Search
    IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    Trusted Zone: aol.com\free
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {971127BB-259F-48C2-BD75-5F97A3331551} - hxxps://wcac.magellanhealth.com/+CSCO+0075676763663A2F2F2E637968747661662E++/rdp/-CSCO-3h--msrdp.cab
    DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://wcac.magellanhealth.com/+CSCOL+/cscopf.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: FM2ddm - FM2ddm.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\508\G2AWinLogon.dll
    Notify: igfxcui - igfxsrvc.dll
    Notify: nnnmnol - nnnmnol.dll
    Notify: pmnmjgh - pmnmjgh.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 89.149.193.137 www.google.com
    Hosts: 89.149.193.137 us.search.yahoo.com
    Hosts: 89.149.193.137 uk.search.yahoo.com
    Hosts: 89.149.193.137 search.yahoo.com
    Hosts: 89.149.193.137 www.google.com.br

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ============= SERVICES / DRIVERS ===============

    R1 NEOFLTR_510_10575;Juniper Networks TDI Filter Driver (NEOFLTR_510_10575);c:\windows\system32\drivers\NEOFLTR_510_10575.sys [2006-4-18 57063]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-17 165456]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-17 17744]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-17 40384]
    S2 mrtRate;mrtRate; [x]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2004-9-11 20160]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-17 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-17 40384]

    =============== Created Last 30 ================

    2010-09-17 16:45:05 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-17 16:44:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-09-17 15:22:25 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
    2010-09-17 15:22:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-09-17 15:22:15 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-09-17 14:38:46 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2010-09-17 14:38:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 14:38:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-17 14:38:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 14:38:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 14:36:31 0 d-----w- C:\tmp
    2010-09-17 14:30:17 0 d-----w- C:\log
    2010-09-17 14:27:55 120 ----a-w- c:\windows\Rcuheriyovu.dat
    2010-09-17 14:27:55 0 ----a-w- c:\windows\Byivofibu.bin
    2010-09-17 14:26:02 0 d-----w- c:\program files\sys32
    2010-09-17 14:26:00 0 d-----w- c:\program files\riv87
    2010-08-23 21:20:38 0 d-----w- c:\program files\ssns

    ==================== Find3M ====================

    2010-09-17 00:10:17 99908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-09-17 00:10:17 1148960 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-09-17 00:10:13 324764 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-09-17 00:10:12 24607776 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2007-04-15 17:39:00 1368324 -csh--w- c:\windows\system\vsrpc.bak1
    2007-06-08 01:01:24 1808325 -csh--w- c:\windows\system\vsrpc.bak2
    2007-06-19 02:47:19 1487321 -csh--w- c:\windows\system\vsrpc.ini2
    2007-12-30 15:49:50 393639 -csh--w- c:\windows\system32\nqstv.ini2

    ============= FINISH: 12:53:11.20 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/9/2004 8:29:05 PM
    System Uptime: 9/17/2010 12:48:28 PM (0 hours ago)

    Motherboard: ASUSTek Computer INC. | | Kelut
    Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2100/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 145 GiB total, 132.212 GiB free.
    D: is FIXED (FAT32) - 4 GiB total, 0.563 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Hosts File Hijack ======================

    Hosts: 89.149.193.137 www.google.com
    Hosts: 89.149.193.137 us.search.yahoo.com
    Hosts: 89.149.193.137 uk.search.yahoo.com
    Hosts: 89.149.193.137 search.yahoo.com
    Hosts: 89.149.193.137 www.google.com.br
    Hosts: 89.149.193.137 www.google.it
    Hosts: 89.149.193.137 www.google.es
    Hosts: 89.149.193.137 www.google.co.jp
    Hosts: 89.149.193.137 www.google.com.mx
    Hosts: 89.149.193.137 www.google.ca
    Hosts: 89.149.193.137 www.google.com.au
    Hosts: 89.149.193.137 www.google.nl
    Hosts: 89.149.193.137 www.google.co.za
    Hosts: 89.149.193.137 www.google.be
    Hosts: 89.149.193.137 www.google.gr
    Hosts: 89.149.193.137 www.google.at
    Hosts: 89.149.193.137 www.google.se
    Hosts: 89.149.193.137 www.google.ch
    Hosts: 89.149.193.137 www.google.pt
    Hosts: 89.149.193.137 www.google.dk
    Hosts: 89.149.193.137 www.google.fi
    Hosts: 89.149.193.137 www.google.ie
    Hosts: 89.149.193.137 www.google.no
    Hosts: 89.149.193.137 www.google.de
    Hosts: 89.149.193.137 www.google.fr
    Hosts: 89.149.193.137 www.google.co.uk
    Hosts: 89.149.193.137 www.bing.com

    ==== Installed Programs ======================


    Adobe Flash Player 10 ActiveX
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Reader 6.0.1
    Agere Systems PCI Soft Modem
    America Online (Choose which version to remove)
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Software Suite
    Ask Toolbar
    AudibleManager
    avast! Free Antivirus
    Blasterball 2 from Compaq (remove only)
    Bonjour
    Bounce Symphony from Compaq (remove only)
    BufferChm
    Cache Cleaner 5.1.0
    Compaq Connections
    Compaq Instant Support
    Compaq Organize
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_PrintOnCDConfig
    cp_UpdateProjectsConfig
    Creative Mass Storage Drivers
    Creative MediaSource
    Creative System Information
    Creative Zen Nano Plus
    Crystal Maze from Compaq (remove only)
    CueTour
    CustomerResearchQFolder
    D6100_D7100_D7300_Help
    D7300
    DeviceManagementQFolder
    Easy Internet Sign-up
    eSupportQFolder
    Five Card Frenzy from Compaq (remove only)
    FullDPAppQFolder
    Google Earth
    Google Toolbar for Internet Explorer
    GoToAssist 8.0.0.508
    Hotfix for Windows XP (KB918997)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart and Deskjet 7.0 Software
    HP Photosmart Premier Software 6.5
    HP Software Update
    HP Solution Center 7.0
    hph_ProductContext
    hph_readme
    hph_software
    hph_software_req
    HPPhotoSmartExpress
    HPProductAssistant
    HpSdpAppCoreApp
    InfraRecorder
    InstantShareDevices
    InstantShareDevicesMFC
    IntelliMover Data Transfer Demo
    InterVideo WinDVD Creator 2
    InterVideo WinDVD Player
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Juniper Networks Host Checker
    Juniper Terminal Services Client
    KBD
    Kodak EasyShare software
    Learn2 Player (Uninstall Only)
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    MarketResearch
    MetaFrame Presentation Server Web Client for Win32
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft Office 2003 Web Components
    Microsoft Office Standard Edition 2003
    Microsoft Plus! Digital Media Edition
    Microsoft Works 7.0
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nikon Message Center
    OptionalContentQFolder
    Orbital from Compaq (remove only)
    OTtBP
    Otto from Compaq (remove only)
    Overball from Compaq (remove only)
    PanoStandAlone
    Philips Firmware Manager
    PhotoGallery
    PictureProject
    Polar Bowler from Compaq (remove only)
    Polar Golfer Pineapple Cup from Compaq (remove only)
    Python 2.2 combined Win32 extensions
    Quicken 2004
    QuickTime
    RandMap
    RealPlayer
    RPS CRT
    S3 S3Display
    S3 S3Gamma2
    S3 S3Info2
    S3 S3Overlay
    Secure Application Manager
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    SkinsHP1
    SlideShow
    SlideShowMusic
    Slyder from Compaq (remove only)
    SolutionCenter
    Sonic_PrimoSDK
    Status
    SUPERAntiSpyware
    ToggleEN Toolbar
    Toolbox
    Tradewinds from Compaq (remove only)
    TrayApp
    Unload
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    Verizon Broadband Toolbar (IE only)
    Verizon Help and Support Tool
    Verizon Servicepoint 1.5.24
    VIA Rhine-Family Fast Ethernet Adapter
    VIA/S3G Display Driver
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Vz In Home Agent
    WebFldrs XP
    WebReg
    WildTangent Web Driver
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    Word Symphony from Compaq (remove only)
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    9/17/2010 12:52:25 PM, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRA~1\ALWILS~1\Avast5\1033\Base.dll. Reference error message: The operation completed successfully. .
    9/17/2010 12:50:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AmdK7 aswSP aswTdi Fips SASDIFSV SASKUTIL
    9/17/2010 12:47:08 PM, error: Service Control Manager [7000] - The avast! Antivirus service failed to start due to the following error: This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
    9/17/2010 12:47:02 PM, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe. Reference error message: The operation completed successfully. .
    9/17/2010 12:46:59 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastSvc.exe. Reference error message: The operation completed successfully. .
    9/17/2010 12:46:06 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastUI.exe. Reference error message: The operation completed successfully. .
    9/17/2010 12:45:20 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\avastUI.exe. Reference error message: The operation completed successfully. .
    9/17/2010 12:45:17 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\defs\10071200\aswCmnBS.dll. Reference error message: The operation completed successfully. .
    9/17/2010 12:45:16 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\ashBase.dll. Reference error message: The operation completed successfully. .
    9/17/2010 12:45:09 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    9/17/2010 12:45:09 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\defs\10071200\aswScan.dll. Reference error message: The operation completed successfully. .
    9/17/2010 12:45:09 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    9/17/2010 12:45:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments " " in order to run the server: {000C101C-0000-0000-C000-000000000046}
    9/17/2010 12:34:10 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    9/17/2010 12:33:21 PM, error: Service Control Manager [7000] - The Security Services Driver (x86) service failed to start due to the following error: The system cannot find the file specified.
    9/17/2010 12:33:21 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
    9/17/2010 12:33:20 PM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft Office Document Image Writer share name Printer.
    9/17/2010 12:32:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/17/2010 12:32:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service LiveUpdate with arguments " " in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    9/17/2010 12:31:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    9/17/2010 12:27:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips SASDIFSV SASKUTIL
    9/17/2010 12:18:48 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    9/17/2010 12:18:48 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    9/17/2010 12:14:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    9/17/2010 11:21:21 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips
    9/17/2010 11:17:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k IntelIde SISAGP
    9/17/2010 11:17:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SPService service to connect.
    9/17/2010 11:17:10 AM, error: Service Control Manager [7000] - The SPService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    9/17/2010 10:27:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips KLIF

    ==== End Of File ===========================
     
  2. 2010/09/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    All programs listed below can be run in Safe Mode....

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    ==============================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your antivirus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
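    The MBRCheck step above prints a SHA-1 of the master boot record and says whether the code is recognised. As an added example (not part of this thread and not MBRCheck's own code), the Python below shows what such a check does: take one 512-byte sector, verify the 0x55AA boot signature, parse the four partition-table entries, sanity-check them, and hash only the boot-code bytes so the hash can be compared with a list of known-good values. The sector here is constructed in the script; its partition offsets are taken from the MBRCheck output posted later in the thread (D: at byte 0x7e00, C: at byte 0x1052ac000), while the boot-code bytes, partition sizes, disk signature and the empty known-good hash table are assumptions.

```python
"""Added example: the logic behind an MBRCheck-style MBR integrity check.

Not from the original thread or from MBRCheck. The sample sector below is
constructed; the known-good hash table is a placeholder (assumption).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the executable boot code
DISK_SIG_OFFSET = 440          # 4-byte NT disk signature, then 2 reserved bytes
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# Assumption: a real tool ships SHA-1 hashes of stock Windows MBR code.
# Left empty here so the example runs offline; pass your own set to check_mbr().
KNOWN_GOOD_BOOT_CODE_SHA1 = frozenset()


def boot_code_sha1(mbr):
    """SHA-1 of the boot code only, excluding disk signature and partition table.

    Hashing only bytes 0..439 keeps the hash stable across legitimate
    repartitioning but changes as soon as a bootkit overwrites the loader."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partition_table(mbr):
    """Return the four partition entries as dicts; unused slots have type 0."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "status": status,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,  # the per-volume offset MBRCheck prints
        })
    return entries


def check_mbr(mbr, known_good=KNOWN_GOOD_BOOT_CODE_SHA1):
    """Classify one 512-byte MBR: signature, table sanity, boot-code hash."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    partitions = parse_partition_table(mbr)
    used = [p for p in partitions if p["type"] != 0]
    problems = []
    if not signature_ok:
        problems.append("missing 0x55AA boot signature")
    if any(p["status"] not in (0x00, 0x80) for p in used):
        problems.append("invalid status byte in partition table")
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    ordered = sorted(used, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):          # neighbours must not overlap
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("overlapping partitions")
            break
    sha1 = boot_code_sha1(mbr)
    status = "Known-good MBR code" if sha1 in known_good else "Unknown MBR code"
    return {"signature_ok": signature_ok, "sha1": sha1, "status": status,
            "partitions": partitions, "problems": problems}


def build_sample_mbr(boot_code, partitions):
    """Construct a test sector (constructed data, not read from a disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    buf = bytearray(SECTOR_SIZE)
    buf[:len(boot_code)] = boot_code
    buf[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x12\x34\x56\x78"  # arbitrary disk signature
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", buf, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Layout reconstructed from the posted MBRCheck output: D: (FAT32) starts at
# byte 0x7e00 = sector 63, C: (NTFS) at byte 0x1052ac000 = sector 8557920.
# The loader bytes and the partition sizes are assumptions.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40   # placeholder, not real loader code
SAMPLE_PARTITIONS = [
    (0x00, 0x0B, 63, 8557920 - 63),                # D: FAT32 recovery partition
    (0x80, 0x07, 8557920, 312581808 - 8557920),    # C: NTFS, marked active
]
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)


def tamper(mbr, offset=0x10, value=0xEB):
    """Simulate a bootkit patching one byte of loader code; table left intact."""
    buf = bytearray(mbr)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    trusted = {boot_code_sha1(SAMPLE_MBR)}
    for label, sector in (("clean", SAMPLE_MBR), ("patched", tamper(SAMPLE_MBR))):
        r = check_mbr(sector, known_good=trusted)
        print(label, r["status"], r["sha1"], r["problems"])
        for p in r["partitions"]:
            if p["type"]:
                print("  type 0x%02X at offset 0x%x" % (p["type"], p["byte_offset"]))
```

On a live machine the sector would be read from the raw device (`\\.\PhysicalDrive0` on Windows, which needs administrator rights); the partition table usually looks perfectly normal on an infected disk because bootkits replace the loader code and leave the table alone, which is why the hash is taken over the code bytes only. Reading the sector from inside an already compromised system can also be subverted by a rootkit that hooks disk I/O and hands back a clean copy, which is why GMER's hook scan is requested alongside the MBR check.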
     


  4. 2010/09/18
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Here are the logs you requested. GMER seemed to just stop running after a while, so I just did a save where it was. It's a rather big file so I am going to just attach it instead of pasting it here. Combofix couldn't download the recovery console since I was in safe mode only, but it did run. After the reboot, it came back up in normal mode. There is a constant pop-up from something called security tool saying the pc is infected and wants to run a cleanup. I'm assuming that it is some kind of rogue software.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x000007bc

    Kernel Drivers (total 70):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EC000 \WINDOWS\system32\hal.dll
    0xF7A69000 \WINDOWS\system32\KDCOM.DLL
    0xF7979000 \WINDOWS\system32\BOOTVID.dll
    0xF751A000 ACPI.sys
    0xF7A6B000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF7509000 pci.sys
    0xF7569000 isapnp.sys
    0xF7579000 ohci1394.sys
    0xF7589000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
    0xF7B31000 pciide.sys
    0xF77E9000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7A6D000 viaide.sys
    0xF7A6F000 intelide.sys
    0xF7599000 MountMgr.sys
    0xF74EA000 ftdisk.sys
    0xF77F1000 PartMgr.sys
    0xF75A9000 VolSnap.sys
    0xF74D2000 atapi.sys
    0xF74AF000 fasttx2k.sys
    0xF7497000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xF75B9000 disk.sys
    0xF75C9000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF7477000 fltmgr.sys
    0xF7465000 sr.sys
    0xF75D9000 PxHelp20.sys
    0xF744E000 KSecDD.sys
    0xF73C1000 Ntfs.sys
    0xF7394000 NDIS.sys
    0xF77F9000 viaagp1.sys
    0xF75E9000 SISAGPX.sys
    0xF7379000 Mup.sys
    0xF7619000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF79ED000 \SystemRoot\system32\drivers\pfc.sys
    0xF78E9000 \SystemRoot\system32\drivers\iviaspi.sys
    0xF7629000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF7639000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF7336000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF79F9000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
    0xF7939000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF72EB000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7969000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF7649000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF7839000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF7849000 \SystemRoot\System32\DRIVERS\PS2.sys
    0xF7859000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF7659000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF7A7F000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF72B7000 \SystemRoot\System32\DRIVERS\update.sys
    0xF7A11000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF7669000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF7A83000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF7A87000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B46000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A8B000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF78C1000 \SystemRoot\System32\drivers\vga.sys
    0xF72A3000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF78E1000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78F9000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7238000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF7881000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xF7220000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A9B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7312000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7889000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7BD7000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 18):
    0 System Idle Process
    4 System
    136 C:\WINDOWS\system32\smss.exe
    200 csrss.exe
    224 C:\WINDOWS\system32\winlogon.exe
    272 C:\WINDOWS\system32\services.exe
    284 C:\WINDOWS\system32\savedump.exe
    292 C:\WINDOWS\system32\lsass.exe
    436 C:\WINDOWS\system32\svchost.exe
    496 svchost.exe
    556 C:\WINDOWS\system32\svchost.exe
    852 C:\WINDOWS\explorer.exe
    872 C:\Program Files\Internet Explorer\iexplore.exe
    876 C:\Program Files\Internet Explorer\iexplore.exe
    880 C:\Program Files\Internet Explorer\iexplore.exe
    884 C:\Program Files\Internet Explorer\iexplore.exe
    868 C:\Program Files\Internet Explorer\iexplore.exe
    1132 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`052ac000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: SAMSUNGSP1604N, Rev: TM100-24

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: EC5B6F4B08268D5344F30BFF61C8B587F034795B


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!


    ComboFix 10-09-17.04 - Owner 09/18/2010 15:35:59.1.1 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.265 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
    c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\flags.ini
    c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\server.dat
    c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\uses32.dat
    c:\documents and settings\Owner\Application Data\Aror
    c:\documents and settings\Owner\Application Data\Aror\ynvu.exe
    c:\documents and settings\Owner\Application Data\Xozeca
    c:\documents and settings\Owner\Application Data\Xozeca\weqos.siv
    c:\documents and settings\Owner\Application Data\Zuupm
    c:\documents and settings\Owner\Application Data\Zuupm\pyreo.fay
    c:\documents and settings\Owner\Application Data\Zuupm\pyreo.tmp
    c:\documents and settings\Owner\err.log
    c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
    c:\documents and settings\Owner\Local Settings\Application Data\{AD8F4C54-47AE-4292-B6D8-8F576F3F8B0F}
    c:\documents and settings\Owner\Local Settings\Application Data\{AD8F4C54-47AE-4292-B6D8-8F576F3F8B0F}\chrome.manifest
    c:\documents and settings\Owner\Local Settings\Application Data\{AD8F4C54-47AE-4292-B6D8-8F576F3F8B0F}\chrome\content\_cfg.js
    c:\documents and settings\Owner\Local Settings\Application Data\{AD8F4C54-47AE-4292-B6D8-8F576F3F8B0F}\chrome\content\overlay.xul
    c:\documents and settings\Owner\Local Settings\Application Data\{AD8F4C54-47AE-4292-B6D8-8F576F3F8B0F}\install.rdf
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\server.dat
    c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
    c:\program files\AskSearch\bin\DeFAultsearch.dll
    c:\program files\Common Files\smbols~1
    c:\program files\curity~1
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\program files\Microsoft\DesktopLayer.exe
    c:\program files\Microsoft\DesktopLayerSrv.exe
    c:\program files\riva\l_acc0037.1280835110.exe
    c:\program files\sstem3~1
    c:\program files\stem32~1
    c:\windows\ayxbbc.ini
    c:\windows\bdddgh.ini
    c:\windows\beefgh.ini
    c:\windows\cs_cache.ini
    c:\windows\dgjkmp.ini
    c:\windows\eeeddd.ini
    c:\windows\eqelaxufosiziwa.dll
    c:\windows\fnts~1
    c:\windows\IA
    c:\windows\jllmoq.ini
    c:\windows\lmooqr.ini
    c:\windows\mshelp.bat
    c:\windows\srruwa.ini
    c:\windows\system\mcrh.tmp
    c:\windows\system\vsrpc.bak1
    c:\windows\system\vsrpc.bak2
    c:\windows\system\vsrpc.ini
    c:\windows\system\vsrpc.ini2
    c:\windows\system\vsrpc.tmp
    c:\windows\system32\aqtyxyfx.ini
    c:\windows\system32\config\systemprofile\application data\.rdr.ini
    c:\windows\system32\cuauhvlb.ini
    c:\windows\system32\demxosfo.ini
    c:\windows\system32\dgexxyvt.ini
    c:\windows\system32\dobe~1
    c:\windows\system32\dobe~1\?dobe\ctxad-572.0000
    c:\windows\system32\dobe~1\?dobe\ctxad-572.0001
    c:\windows\system32\dobe~1\?dobe\ctxad-572.0002
    c:\windows\system32\dobe~1\?dobe\ctxad-572.0003
    c:\windows\system32\dobe~1\?dobe\ctxad-572.0004
    c:\windows\system32\f10WtR
    c:\windows\system32\fdkbijrl.ini
    c:\windows\system32\ggxnypqp.ini
    c:\windows\system32\gmemlbfs.ini
    c:\windows\system32\gwlhbfvg.ini
    c:\windows\system32\hqtgbobm.ini
    c:\windows\system32\iworrklu.ini
    c:\windows\system32\jcqqstah.ini
    c:\windows\system32\kcjoncxk.ini
    c:\windows\system32\kupbkssj.ini
    c:\windows\system32\lbqigptu.ini
    c:\windows\system32\lijjfbrx.ini
    c:\windows\system32\nportqgt.ini
    c:\windows\system32\nqstv.ini2
    c:\windows\system32\nqstv.tmp
    c:\windows\system32\nukvrdww.ini
    c:\windows\system32\okkvfvku.ini
    c:\windows\system32\omeiugdl.ini
    c:\windows\system32\oxeylxgg.ini
    c:\windows\system32\qsgawuvs.ini
    c:\windows\system32\qvhdijoy.ini
    c:\windows\system32\rtjjnfjh.ini
    c:\windows\system32\rttjpqoy.ini
    c:\windows\system32\sfrulerp.ini
    c:\windows\system32\srmtrrsq.ini
    c:\windows\system32\system
    c:\windows\system32\tyudwakx.ini
    c:\windows\system32\ulrogbot.ini
    c:\windows\system32\uovsmacw.ini
    c:\windows\system32\vhicsoys.ini
    c:\windows\system32\win
    c:\windows\system32\wjuewnpo.ini
    c:\windows\system32\X1
    c:\windows\system32\X11
    c:\windows\system32\X3
    c:\windows\system32\X7
    c:\windows\system32\ystem3~1
    D:\Autorun.inf
    c:\program files\Microsoft\DesktopLayer.exe . . . .

    Infected copy of c:\program files\internet explorer\iexplore.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\iexplore.exe

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    Infected copy of c:\program files\internet explorer\iexplore.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\iexplore.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_IAS
    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
    .

    2010-09-18 19:48 . 2010-09-18 19:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{372D890C-3D1D-4F2D-8444-4EA676200919}
    2010-09-18 19:46 . 2010-09-18 19:46 1148928 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\3349463.exe
    2010-09-18 19:46 . 2010-09-18 19:46 50704 ----a-w- c:\windows\system32\drivers\npf.sys
    2010-09-18 19:46 . 2010-09-18 19:46 281104 ----a-w- c:\windows\system32\wpcap.dll
    2010-09-18 19:46 . 2010-09-18 19:46 100880 ----a-w- c:\windows\system32\Packet.dll
    2010-09-18 19:45 . 2010-09-18 19:45 45568 ----a-w- c:\windows\system32\rundll32Srv.exe
    2010-09-17 16:45 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-17 16:45 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-17 16:45 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-17 16:45 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-17 16:45 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-17 16:45 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-17 16:45 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-17 16:45 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-17 16:45 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\program files\Alwil Software
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-09-17 15:22 . 2010-09-17 16:15 157696 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-17 15:22 . 2010-09-17 16:15 146432 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-17 15:22 . 2010-09-17 16:15 211968 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 16:34 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 14:38 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 14:36 . 2010-09-17 14:38 -------- d-----w- C:\tmp
    2010-09-17 14:30 . 2010-09-17 14:30 -------- d-----w- C:\log
    2010-09-17 14:27 . 2010-09-18 19:48 120 ----a-w- c:\windows\Rcuheriyovu.dat
    2010-09-17 14:27 . 2010-09-18 19:48 0 ----a-w- c:\windows\Byivofibu.bin
    2010-09-17 14:26 . 2010-09-18 19:45 -------- d-----w- c:\program files\sys32
    2010-09-17 14:26 . 2010-09-18 19:45 -------- d-----w- c:\program files\riv87
    2010-08-23 21:20 . 2010-09-17 15:15 -------- d-----w- c:\program files\ssns

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 19:45 . 2004-08-29 14:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Iret
    2010-09-18 19:45 . 2010-07-19 20:04 -------- d-----w- c:\program files\Microsoft
    2010-09-18 19:41 . 2010-07-19 20:04 -------- d-----w- c:\program files\riva
    2010-09-17 16:38 . 2010-08-01 21:02 452104 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.12\setup.exe
    2010-09-17 16:37 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-09-17 16:30 . 2004-09-18 04:42 -------- d-----w- c:\program files\AIM
    2010-09-17 16:23 . 2004-09-12 19:53 -------- d-----w- c:\program files\Common Files\AOL
    2010-09-17 16:11 . 2008-06-07 21:49 -------- d-----w- c:\program files\iTunes
    2010-09-17 16:10 . 2008-01-02 21:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Tosa
    2010-09-17 16:10 . 2004-12-10 10:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Cytuis
    2010-09-17 15:17 . 2009-05-27 17:42 -------- d-----w- c:\program files\Verizon
    2010-09-17 15:17 . 2008-06-07 21:47 -------- d-----w- c:\program files\QuickTime
    2010-09-17 15:15 . 2010-08-05 15:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Wemux
    2010-09-17 15:15 . 2009-03-17 03:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Vyyq
    2010-09-17 15:15 . 2009-09-10 13:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Suan
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
    2010-09-17 14:26 . 2006-05-08 04:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Aznel
    2010-09-17 00:10 . 2009-05-27 20:19 99908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-09-17 00:10 . 2009-05-27 20:19 1148960 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-09-17 00:10 . 2009-05-27 20:19 324764 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-09-17 00:10 . 2009-05-27 20:19 24607776 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-08-28 21:42 . 2009-03-29 07:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Etiqm
    2010-08-24 00:46 . 2010-08-09 13:49 -------- d-----w- c:\program files\riv
    2010-08-15 19:09 . 2010-08-15 19:08 -------- d-----w- c:\program files\rivi
    2010-08-14 17:46 . 2010-04-01 14:59 92160 ----a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\VerizonVasDetectionScripts.v6.41.zip.dir\resources\McAfeeSecurityScanIcon.v2-1-119-2.exe
    2010-08-09 23:28 . 2009-05-27 17:51 -------- d-----w- c:\program files\Common Files\Motive
    2010-08-06 20:35 . 2004-07-02 03:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Ylmeca
    2010-08-04 00:33 . 2004-04-03 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
    2010-08-01 09:23 . 2008-06-07 21:47 -------- d-----w- c:\program files\Apple Software Update
    2010-07-26 20:48 . 2006-03-23 23:06 -------- d-----w- c:\program files\Google
    2010-07-26 00:22 . 2008-02-06 01:49 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2010-07-25 14:48 . 2010-07-21 21:39 -------- d-----w- c:\program files\RMNetwork
    2010-07-21 21:39 . 2010-07-21 21:39 -------- d-----w- c:\program files\getfire
    2010-07-19 20:10 . 2009-03-04 19:32 115712 -c--a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\Verizon_VISS_Mac_Promotion_Campaign.18467.zip.dir\en\tools\RpsInstallerFinder.exe
    2010-07-19 20:10 . 2007-12-30 17:53 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:10 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:10 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:10 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:10 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:10 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-19 20:09 . 2006-04-18 08:15 221184 -c--a-w- c:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\EPCheck.dll
    2010-07-19 20:09 . 2008-06-07 19:42 585728 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msado15.dll
    2010-07-19 20:09 . 2008-06-07 19:42 249856 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msadox.dll
    2010-07-19 20:09 . 2008-06-07 19:42 151552 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msjro.dll
    2010-07-19 20:06 . 2004-09-15 01:23 393216 -c--a-w- c:\documents and settings\All Users\Application Data\PopCap\PopCapLoader\Shockwave\insaniquarium\Insaniquarium.dll
    2010-07-19 20:06 . 2005-03-19 21:24 450560 -c--a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3f1_9bd5a28\EasyShrx.Dll
    2010-07-19 20:04 . 2005-03-20 19:45 57856 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptScan.exe
    2010-07-19 20:04 . 2006-06-21 23:06 61440 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptClean.exe
    2010-07-19 20:04 . 2007-12-29 16:02 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:04 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:04 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:04 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:04 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:04 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-02 00:39 . 2010-05-12 23:28 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
    2006-01-31 13:10 . 2006-01-31 13:10 410709 -csh--w- c:\windows\system32\klkkj.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b}"="c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
    2009-07-02 14:18 2215960 ----a-w- c:\program files\ToggleEN\tbTogg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"="c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b}"="c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"="c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WebAgent]
    @="{D540B3B0-7DA0-4AA5-B548-236124A56CD0}"
    [HKEY_CLASSES_ROOT\CLSID\{D540B3B0-7DA0-4AA5-B548-236124A56CD0}]
    2010-07-21 21:39 161792 ----a-w- c:\program files\RMNetwork\webagent.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-17 2424560]
    "{69C84E31-F646-65FF-E015-44F40CC23564}"="c:\documents and settings\Owner\Application Data\Igynva\syny.exe" [2005-05-09 108032]
    "Vzeyogoyineba"="c:\windows\cabaxmur.dll" [2007-03-08 78336]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "3349463"="c:\docume~1\Owner\LOCALS~1\APPLIC~1\3349463.exe" [2010-09-18 1148928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-01 462848]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-08-01 1612800]
    "VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-20 180269]
    "Twoseguwivi"="c:\windows\ilulesolasiwit.dll" [2007-03-08 196096]
    "sniffer"="c:\windows\Temp\_ex-08.exe" [2010-09-18 246784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-17 126976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-09-17 15:40 595456 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-01-19 16:45 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
    backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
    backup=c:\windows\pss\TA_Start.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
    backup=c:\windows\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ycaqxmq]
    c:\program files\??stem32\?hkntfs.exe [?]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dnse
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dumprep
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\medepace
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAVX
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zgdtjfaA
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{10-03-37-7B-ZN}

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2005-03-04 16:01 88209 -c--a-w- c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    2004-09-07 18:47 57344 -c--a-w- c:\windows\ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    2010-07-19 20:21 151552 ----a-w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-07-19 20:24 98304 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    1998-05-08 00:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    2010-07-19 20:13 110592 -c--a-w- c:\hp\KBD\kbd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-19 03:00 200704 -c--a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-01 22:25 462848 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2004-04-02 08:49 32881 -c--a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2005-11-20 00:02 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\wt\\webdriver\\4.1.1\\wthost.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13066:TCP"= 13066:TCP:spport
    "23208:TCP"= 23208:TCP:spport
    "14064:TCP"= 14064:TCP:spport
    "5688:TCP"= 5688:TCP:spport
    "26854:TCP"= 26854:TCP:spport
    "19089:TCP"= 19089:TCP:spport
    "24565:TCP"= 24565:TCP:spport
    "29918:TCP"= 29918:TCP:spport
    "27867:TCP"= 27867:TCP:spport
    "17731:TCP"= 17731:TCP:spport
    "18641:TCP"= 18641:TCP:spport
    "24206:TCP"= 24206:TCP:spport
    "9883:TCP"= 9883:TCP:spport
    "19177:TCP"= 19177:TCP:spport
    "15239:TCP"= 15239:TCP:spport

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/17/2010 12:45 PM 165456]
    R1 NEOFLTR_510_10575;Juniper Networks TDI Filter Driver (NEOFLTR_510_10575);c:\windows\system32\drivers\NEOFLTR_510_10575.sys [4/18/2006 4:08 AM 57063]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/17/2010 12:45 PM 17744]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 7:43 PM 24652]
    R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [9/18/2010 3:46 PM 50704]
    S2 mrtRate;mrtRate; [x]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/11/2004 7:21 PM 20160]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - NPF
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZUxdm08018US&ptb=wDSZwWpJnj3GeQqM92HrGQ
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    TCP: {AD002166-C4CA-44BD-B7A4-3913E4D88727} = 93.188.162.81,93.188.161.221
    DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://wcac.magellanhealth.com/+CSCOL+/cscopf.cab
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{28f22877-cede-48d3-ad20-accc2add9046} - (no file)
    Notify-cprsv - (no file)
    Notify-FM2ddm - FM2ddm.dll
    Notify-nnnmnol - nnnmnol.dll
    Notify-pmnmjgh - pmnmjgh.dll
    MSConfigStartUp-60c103d4 - c:\windows\system32\wcamsvou.dll
    MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
    MSConfigStartUp-smgr - mgrs.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    AddRemove-Python 2.2 combined Win32 extensions - c:\python22\Lib\SITE-P~1\UNWISE~1.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-18 15:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84DF8EC5]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf75edfc3
    \Driver\ACPI -> ACPI.sys @ 0xf7540cb8
    \Driver\atapi -> atapi.sys @ 0xf74f87b4
    IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
    \Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
    NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf73c9ba0
    PacketIndicateHandler -> NDIS.sys @ 0xf73d6b21
    SendHandler -> NDIS.sys @ 0xf73b487b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

    - - - - - - - > 'explorer.exe'(3688)
    c:\program files\RMNetwork\webagent.dll
    c:\windows\cabaxmur.dll
    c:\windows\ilulesolasiwit.dll
    c:\program files\Neoteris\Secure Application Manager\samnsp.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\wanmpsvc.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\windows\System32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-18 15:56:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-18 19:56

    Pre-Run: 141,665,800,192 bytes free
    Post-Run: 141,639,614,464 bytes free

    - - End Of File - - BC1082E50432BCEAEAAEA332F6
     

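Editor's note, added to this thread and not part of either poster's message: the ComboFix log above carries several findings that can be pulled out mechanically rather than by eye: Run entries that load from c:\windows\Temp or point at a bare DLL, a Winlogon Userinit value that names a second executable after userinit.exe (every comma-separated entry there is launched at logon), Security Center monitoring and firewall-override flags set to 1 (which silence the "no firewall / no antivirus" warnings), and a run of high TCP ports all opened under the same "spport" label. The script below is an example triage parser for ComboFix-style registry dump lines. It is not ComboFix's or the thread's own code; the embedded sample is a constructed subset of the values shown in the log, and the path heuristics and the port-count threshold are assumptions chosen for illustration, not published indicators.

```python
"""Triage of ComboFix-style registry dump lines (added example, not from the thread).

SAMPLE_LOG is constructed from values shown in the log above; the heuristics in
check_run_entries() and the min_count threshold in check_open_ports() are assumptions.
"""
import re

# Constructed sample: a subset of the registry sections from the posted ComboFix log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-01 462848]
"Twoseguwivi"="c:\windows\ilulesolasiwit.dll" [2007-03-08 196096]
"sniffer"="c:\windows\Temp\_ex-08.exe" [2010-09-18 246784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13066:TCP"= 13066:TCP:spport
"23208:TCP"= 23208:TCP:spport
"14064:TCP"= 14064:TCP:spport
'''

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
DEFAULT_USERINIT = r'c:\windows\system32\userinit.exe'   # the only entry a clean XP Userinit value carries
TEMP_DIR_RE = re.compile(r'\\temp\\', re.I)                # heuristic: autostarts should not live in Temp


def parse_dump(text):
    """Return {section_key_lower: {value_name: value}}; quotes and trailing [date size] are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key').lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = re.sub(r'\s*\[[^\]]*\]\s*$', '', m.group('value')).strip().strip('"')
            sections[current][m.group('name')] = value
    return sections


def check_userinit(sections):
    """Every comma-separated path in Userinit runs at logon; anything beyond the default is an extra autostart."""
    extras = []
    for key, values in sections.items():
        if key.endswith(r'\currentversion\winlogon'):
            entries = [e.strip().lower() for e in values.get('Userinit', '').split(',') if e.strip()]
            extras += [e for e in entries if e != DEFAULT_USERINIT]
    return extras


def check_run_entries(sections):
    """Flag Run values executing from a Temp directory or pointing at a DLL instead of an executable (heuristic)."""
    findings = []
    for key, values in sections.items():
        if not key.endswith(r'\currentversion\run'):
            continue
        for name, path in values.items():
            if TEMP_DIR_RE.search(path):
                findings.append((name, path, 'executes from a Temp directory'))
            elif path.lower().endswith('.dll'):
                findings.append((name, path, 'Run value points at a DLL, not an executable'))
    return findings


def check_security_center(sections):
    """Non-zero DisableMonitoring / *Override flags suppress Security Center's firewall and AV warnings."""
    disabled = []
    for key, values in sections.items():
        if r'\security center' not in key:
            continue
        for name, value in values.items():
            if name in ('DisableMonitoring', 'FirewallOverride', 'AntiVirusOverride') \
                    and value.lower().startswith('dword:') and int(value.split(':')[1], 16) != 0:
                disabled.append((key, name))
    return disabled


def check_open_ports(sections, min_count=3):
    """Group globally opened ports by label; several under one label (threshold assumed) is the pattern seen above."""
    by_label = {}
    for key, values in sections.items():
        if key.endswith(r'globallyopenports\list'):
            for value in values.values():
                parts = value.split(':')           # "13066:TCP:spport" -> port, protocol, label
                if len(parts) == 3:
                    by_label.setdefault(parts[2].lower(), []).append(int(parts[0]))
    return {label: sorted(ports) for label, ports in by_label.items() if len(ports) >= min_count}


def triage(text):
    sections = parse_dump(text)
    return {
        'userinit_extras': check_userinit(sections),
        'run_entries': check_run_entries(sections),
        'security_center': check_security_center(sections),
        'open_ports': check_open_ports(sections),
    }


if __name__ == '__main__':
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```

Feed it the whole pasted log instead of SAMPLE_LOG and the same four checks run over every section; entries that only appear under msconfig\startupreg are disabled autostarts and are deliberately not matched by the Run check.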

  5. 2010/09/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Wow!
    We definitely have some work to be done here :)

    Let's start with the infected MBR.
    I also want you to see if it'll start in normal mode now.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
  6. 2010/09/18
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    The PC does boot into normal mode, but I could not run MBRCheck there; that security tool app that keeps popping up stopped it from executing. I had to boot into safe mode for it to run. I had a feeling this machine was in bad shape. Here is the log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x000007bc

    Kernel Drivers (total 96):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EC000 \WINDOWS\system32\hal.dll
    0xF7A69000 \WINDOWS\system32\KDCOM.DLL
    0xF7979000 \WINDOWS\system32\BOOTVID.dll
    0xF751A000 ACPI.sys
    0xF7A6B000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF7509000 pci.sys
    0xF7569000 isapnp.sys
    0xF7579000 ohci1394.sys
    0xF7589000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
    0xF7B31000 pciide.sys
    0xF77E9000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7A6D000 viaide.sys
    0xF7A6F000 intelide.sys
    0xF7599000 MountMgr.sys
    0xF74EA000 ftdisk.sys
    0xF77F1000 PartMgr.sys
    0xF75A9000 VolSnap.sys
    0xF74D2000 atapi.sys
    0xF74AF000 fasttx2k.sys
    0xF7497000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xF75B9000 disk.sys
    0xF75C9000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF7477000 fltmgr.sys
    0xF7465000 sr.sys
    0xF75D9000 PxHelp20.sys
    0xF744E000 KSecDD.sys
    0xF73C1000 Ntfs.sys
    0xF7394000 NDIS.sys
    0xF77F9000 viaagp1.sys
    0xF75E9000 SISAGPX.sys
    0xF7379000 Mup.sys
    0xF7619000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF79ED000 \SystemRoot\system32\drivers\pfc.sys
    0xF7831000 \SystemRoot\system32\drivers\iviaspi.sys
    0xF7629000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF7639000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF7336000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF79F9000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
    0xF7849000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF72EB000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7851000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF7649000 \SystemRoot\system32\DRIVERS\fetnd5bv.sys
    0xF7659000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF7859000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF7869000 \SystemRoot\System32\DRIVERS\PS2.sys
    0xF7871000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF7669000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF7A0D000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF72D4000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF7679000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF7689000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF7891000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF72C3000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF7699000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF78A1000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF78B1000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF78B9000 \SystemRoot\system32\DRIVERS\wanatw4.sys
    0xF76A9000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF7A75000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF71EF000 \SystemRoot\System32\DRIVERS\update.sys
    0xF7A21000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF76B9000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF76C9000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF7A7B000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF7A7F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7C1F000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A83000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF78D9000 \SystemRoot\System32\drivers\vga.sys
    0xF71B3000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF7A87000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF78E9000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78F9000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7A5D000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF7180000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF7128000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF7107000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF76E9000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_510_10575.SYS
    0xF70DF000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF70BD000 \SystemRoot\System32\drivers\afd.sys
    0xF76F9000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF7092000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF7023000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF6FD8000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF7929000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xF6FC0000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A8D000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7A09000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7949000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B89000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xF6DC0000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF6AD1000 \SystemRoot\System32\DRIVERS\srv.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 17):
    0 System Idle Process
    4 System
    488 C:\WINDOWS\system32\smss.exe
    556 csrss.exe
    580 C:\WINDOWS\system32\winlogon.exe
    624 C:\WINDOWS\system32\services.exe
    636 C:\WINDOWS\system32\lsass.exe
    784 C:\WINDOWS\system32\svchost.exe
    832 svchost.exe
    972 C:\WINDOWS\system32\svchost.exe
    1012 svchost.exe
    1148 svchost.exe
    1464 C:\WINDOWS\explorer.exe
    1492 C:\Program Files\Internet Explorer\iexplore.exe
    1488 C:\Program Files\Internet Explorer\iexplore.exe
    1988 wmiprvse.exe
    288 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`052ac000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: SAMSUNGSP1604N, Rev: TM100-24

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
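Editor's note, added here and not part of the thread: the MBRCheck log above reports two things about sector 0 of PhysicalDrive0, the partition layout (C: NTFS at byte offset 0x1052ac000, D: FAT32 at 0x7e00) and a hash over the MBR, and the earlier Gmer scan likewise ends with "user & kernel MBR OK". The check they are performing is worth seeing in code because a Mebroot/Sinowal-style bootkit rewrites the 440-byte boot-code area of the MBR while leaving the partition table intact, so the disk still boots and the volumes still mount. The example below parses a 512-byte MBR, prints each partition's byte offset in the same form MBRCheck does, and compares the SHA-1 of the code area against a known-good set. It is not MBRCheck's or Gmer's code. The sector is constructed (filler boot code plus the two partitions implied by the offsets in the log; the disk signature and partition sizes are assumptions), and the "known-good" hash is derived from that constructed sector, so it is an assumption as well; in practice it would come from a trusted copy of the OS's MBR code.

```python
"""Parse a 512-byte MBR and check its boot-code area against a known-good hash.
Added example; not MBRCheck's or Gmer's code. build_sample_mbr() is a constructed sector."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = 440              # bytes 0..439: boot code, the part a bootkit replaces
DISK_SIG_OFFSET = 440        # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b'\x55\xaa' # bytes 510..511
PARTITION_TYPES = {0x07: 'NTFS/HPFS', 0x0b: 'FAT32 (CHS)', 0x0c: 'FAT32 (LBA)'}


def parse_mbr(sector):
    """Return disk signature, SHA-1 of the code area and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('MBR must be exactly %d bytes' % SECTOR_SIZE)
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError('missing 0x55AA boot signature')
    partitions = []
    for index in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * index: PART_TABLE_OFFSET + 16 * (index + 1)]
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack('<B3sB3sII', entry)
        if ptype == 0:
            continue                               # empty slot
        partitions.append({
            'index': index,
            'bootable': status == 0x80,
            'type': ptype,
            'type_name': PARTITION_TYPES.get(ptype, 'unknown 0x%02x' % ptype),
            'lba_start': lba_start,
            'sectors': sectors,
            'byte_offset': lba_start * SECTOR_SIZE,  # what MBRCheck prints as "at offset 0x..."
        })
    return {
        'disk_signature': struct.unpack_from('<I', sector, DISK_SIG_OFFSET)[0],
        'code_sha1': hashlib.sha1(sector[:CODE_AREA]).hexdigest(),
        'partitions': partitions,
    }


def assess_mbr(sector, known_good_code_sha1):
    """Findings: boot code not in the known-good set, wrong number of active partitions, overlapping entries."""
    info = parse_mbr(sector)
    findings = []
    if info['code_sha1'] not in known_good_code_sha1:
        findings.append('boot code SHA-1 %s is not in the known-good set' % info['code_sha1'])
    active = [p for p in info['partitions'] if p['bootable']]
    if len(active) != 1:
        findings.append('%d active partitions (expected exactly 1)' % len(active))
    spans = sorted((p['lba_start'], p['lba_start'] + p['sectors']) for p in info['partitions'])
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append('partition starting at LBA %d overlaps the previous one' % s2)
    return findings


def build_sample_mbr(code_byte=0x90):
    """Constructed sector: filler boot code plus the two partitions implied by the MBRCheck offsets above."""
    code = bytes([code_byte]) * CODE_AREA
    disk_sig = struct.pack('<I', 0x1234abcd) + b'\x00\x00'                 # assumed signature + reserved
    entries = struct.pack('<B3sB3sII', 0x00, b'\x00' * 3, 0x0c, b'\x00' * 3, 63, 8557857)        # D: FAT32 at 0x7e00
    entries += struct.pack('<B3sB3sII', 0x80, b'\x00' * 3, 0x07, b'\x00' * 3, 8557920, 304023888)  # C: NTFS at 0x1052ac000
    entries += b'\x00' * 32                                                                          # two empty slots
    return code + disk_sig + entries + BOOT_SIGNATURE


# Assumption for this example: the known-good hash is taken from the constructed sector itself.
KNOWN_GOOD = {parse_mbr(build_sample_mbr())['code_sha1']}


if __name__ == '__main__':
    clean = build_sample_mbr()
    for p in parse_mbr(clean)['partitions']:
        print('partition %d: %-12s at offset 0x%x, %d sectors%s'
              % (p['index'], p['type_name'], p['byte_offset'], p['sectors'], ' (active)' if p['bootable'] else ''))
    print('clean:', assess_mbr(clean, KNOWN_GOOD) or 'no findings')
    # A bootkit rewrites the code area and keeps the partition table: same volumes, different hash.
    tampered = bytearray(clean)
    tampered[0] ^= 0xff
    print('tampered:', assess_mbr(bytes(tampered), KNOWN_GOOD))
```

The tampered run reports only the hash mismatch while the partition listing is unchanged, which is exactly why a hash or code comparison (rather than "do my drives still mount?") is the test the thread relies on; on a live system the sector would be read from \\.\PhysicalDrive0, and a rootkit hooking the disk stack can lie to that read, which is what the Gmer scan's "user & kernel MBR" comparison is there to catch.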
     
  7. 2010/09/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    MBR looks fine :)

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  8. 2010/09/18
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    2010/09/18 18:49:11.0890 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
    2010/09/18 18:49:11.0890 ================================================================================
    2010/09/18 18:49:11.0890 SystemInfo:
    2010/09/18 18:49:11.0890
    2010/09/18 18:49:11.0890 OS Version: 5.1.2600 ServicePack: 2.0
    2010/09/18 18:49:11.0890 Product type: Workstation
    2010/09/18 18:49:11.0890 ComputerName: YOUR-C8BH3JAGLT
    2010/09/18 18:49:11.0890 UserName: Owner
    2010/09/18 18:49:11.0890 Windows directory: C:\WINDOWS
    2010/09/18 18:49:11.0890 System windows directory: C:\WINDOWS
    2010/09/18 18:49:11.0890 Processor architecture: Intel x86
    2010/09/18 18:49:11.0890 Number of processors: 1
    2010/09/18 18:49:11.0890 Page size: 0x1000
    2010/09/18 18:49:11.0890 Boot type: Safe boot with network
    2010/09/18 18:49:11.0890 ================================================================================
    2010/09/18 18:49:12.0312 Initialize success
    2010/09/18 18:49:26.0843 ================================================================================
    2010/09/18 18:49:26.0843 Scan started
    2010/09/18 18:49:26.0843 Mode: Manual;
    2010/09/18 18:49:26.0843 ================================================================================
    2010/09/18 18:49:29.0109 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\system32\drivers\Aavmker4.sys
    2010/09/18 18:49:29.0500 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/09/18 18:49:29.0671 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/09/18 18:49:29.0859 ADM8511 (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
    2010/09/18 18:49:30.0093 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    2010/09/18 18:49:30.0281 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2010/09/18 18:49:30.0515 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2010/09/18 18:49:31.0000 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
    2010/09/18 18:49:31.0281 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2010/09/18 18:49:31.0703 AmdK7 (343e7850d01afc66dc57837e793d9187) C:\WINDOWS\system32\DRIVERS\amdk7.sys
    2010/09/18 18:49:31.0734 AmdK7 - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/09/18 18:49:32.0109 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/09/18 18:49:33.0015 aswFsBlk (0c0b08847f2f24baa7bd43d8f2c6c8b0) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2010/09/18 18:49:33.0156 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\system32\drivers\aswMon2.sys
    2010/09/18 18:49:33.0281 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\system32\drivers\aswRdr.sys
    2010/09/18 18:49:33.0437 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\system32\drivers\aswSP.sys
    2010/09/18 18:49:33.0609 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\system32\drivers\aswTdi.sys
    2010/09/18 18:49:33.0750 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/09/18 18:49:33.0906 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/09/18 18:49:34.0187 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/09/18 18:49:34.0375 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/09/18 18:49:34.0578 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/09/18 18:49:34.0906 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/09/18 18:49:35.0187 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/09/18 18:49:35.0312 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/09/18 18:49:35.0484 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/09/18 18:49:36.0312 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/09/18 18:49:36.0515 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/09/18 18:49:36.0671 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2010/09/18 18:49:36.0843 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/09/18 18:49:37.0015 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/09/18 18:49:37.0296 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/09/18 18:49:37.0515 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/09/18 18:49:37.0687 fasttx2k (1e580770bdece924494b368ac980749e) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys
    2010/09/18 18:49:37.0843 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/09/18 18:49:37.0984 FETND5BV (cfc4cc73c903152a23e1db28eaba1f03) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
    2010/09/18 18:49:38.0140 FETNDISB (b7186b33b6cf3a23841015531e6e7d68) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
    2010/09/18 18:49:38.0312 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2010/09/18 18:49:38.0437 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/09/18 18:49:38.0625 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/09/18 18:49:38.0796 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/09/18 18:49:38.0921 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/09/18 18:49:39.0109 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2010/09/18 18:49:39.0312 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/09/18 18:49:39.0531 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/09/18 18:49:39.0843 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2010/09/18 18:49:40.0031 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2010/09/18 18:49:40.0171 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2010/09/18 18:49:40.0343 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/09/18 18:49:40.0765 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/09/18 18:49:41.0062 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2010/09/18 18:49:41.0281 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/09/18 18:49:41.0968 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/09/18 18:49:42.0109 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/09/18 18:49:42.0312 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/09/18 18:49:42.0437 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/09/18 18:49:42.0640 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/09/18 18:49:42.0843 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/09/18 18:49:43.0000 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/09/18 18:49:43.0250 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/09/18 18:49:43.0515 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/09/18 18:49:43.0656 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
    2010/09/18 18:49:43.0828 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/09/18 18:49:43.0968 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/09/18 18:49:44.0109 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/09/18 18:50:05.0734 ================================================================================
    2010/09/18 18:50:05.0734 Scan finished
    2010/09/18 18:50:05.0734 ================================================================================
    2010/09/18 18:50:05.0781 Detected object count: 1
    2010/09/18 18:51:59.0546 AmdK7 (343e7850d01afc66dc57837e793d9187) C:\WINDOWS\system32\DRIVERS\amdk7.sys
    2010/09/18 18:52:03.0046 Backup copy found, using it..
    2010/09/18 18:52:03.0062 C:\WINDOWS\system32\DRIVERS\amdk7.sys - will be cured after reboot
    2010/09/18 18:52:03.0062 Rootkit.Win32.TDSS.tdl3(AmdK7) - User select action: Cure
    2010/09/18 18:52:28.0828 Deinitialize success
     
  9. 2010/09/18
    broni Moderator Malware Analyst
    Good :)

    Delete your ComboFix file, download a fresh one and post a new log.
     
  10. 2010/09/18
    BillB Well-Known Member Thread Starter
    Here's the new ComboFix log:

    ComboFix 10-09-17.04 - Owner 09/18/2010 19:35:54.2.1 - x86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.235 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\Igynva
    c:\documents and settings\Owner\Application Data\Igynva\syny.exe
    c:\documents and settings\Owner\Local Settings\Application Data\{372D890C-3D1D-4F2D-8444-4EA676200919}
    c:\documents and settings\Owner\Local Settings\Application Data\{372D890C-3D1D-4F2D-8444-4EA676200919}\chrome.manifest
    c:\documents and settings\Owner\Local Settings\Application Data\{372D890C-3D1D-4F2D-8444-4EA676200919}\chrome\content\_cfg.js
    c:\documents and settings\Owner\Local Settings\Application Data\{372D890C-3D1D-4F2D-8444-4EA676200919}\chrome\content\overlay.xul
    c:\documents and settings\Owner\Local Settings\Application Data\{372D890C-3D1D-4F2D-8444-4EA676200919}\install.rdf
    c:\documents and settings\Owner\Local Settings\Application Data\3349463.exe
    c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\program files\Microsoft\DesktopLayer.exe
    c:\program files\Microsoft\DesktopLayerSrv.exe
    c:\windows\cabaxmur.dll
    c:\windows\ExplorerSrv.exe
    c:\windows\ilulesolasiwit.dll
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll
    c:\windows\Temp\_ex-08.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
    .

    2010-09-18 23:44 . 2010-09-18 23:44 50704 ----a-w- c:\windows\system32\drivers\npf.sys
    2010-09-18 20:17 . 2010-09-18 20:17 45568 ----a-w- c:\windows\system32\wscntfySrv.exe
    2010-09-18 19:45 . 2010-09-18 23:42 45568 ----a-w- c:\windows\system32\rundll32Srv.exe
    2010-09-17 16:45 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-17 16:45 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-17 16:45 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-17 16:45 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-17 16:45 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-17 16:45 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-17 16:45 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-17 16:45 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-17 16:45 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\program files\Alwil Software
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-09-17 15:22 . 2010-09-17 16:15 157696 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-17 15:22 . 2010-09-17 16:15 146432 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-17 15:22 . 2010-09-17 16:15 211968 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 16:34 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 14:38 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 14:36 . 2010-09-17 14:38 -------- d-----w- C:\tmp
    2010-09-17 14:30 . 2010-09-17 14:30 -------- d-----w- C:\log
    2010-09-17 14:27 . 2010-09-18 19:48 120 ----a-w- c:\windows\Rcuheriyovu.dat
    2010-09-17 14:27 . 2010-09-18 19:48 0 ----a-w- c:\windows\Byivofibu.bin
    2010-09-17 14:26 . 2010-09-18 23:42 -------- d-----w- c:\program files\sys32
    2010-09-17 14:26 . 2010-09-18 23:42 -------- d-----w- c:\program files\riv87
    2010-08-23 21:20 . 2010-09-17 15:15 -------- d-----w- c:\program files\ssns

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 23:44 . 2010-09-18 23:44 1130496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\539410.exe
    2010-09-18 23:44 . 2010-09-18 23:44 281104 ----a-w- c:\windows\system32\wpcap.dll
    2010-09-18 23:44 . 2010-09-18 23:44 100880 ----a-w- c:\windows\system32\Packet.dll
    2010-09-18 23:42 . 2009-12-08 01:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Edcuiv
    2010-09-18 23:42 . 2010-07-19 20:04 -------- d-----w- c:\program files\Microsoft
    2010-09-18 22:53 . 2009-05-27 17:42 -------- d-----w- c:\program files\Verizon
    2010-09-18 22:52 . 2002-08-29 08:05 37376 ----a-w- c:\windows\system32\drivers\amdk7.sys
    2010-09-18 20:17 . 2008-06-07 21:47 -------- d-----w- c:\program files\QuickTime
    2010-09-18 19:45 . 2004-08-29 14:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Iret
    2010-09-18 19:41 . 2010-07-19 20:04 -------- d-----w- c:\program files\riva
    2010-09-17 16:38 . 2010-08-01 21:02 452104 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.12\setup.exe
    2010-09-17 16:37 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-09-17 16:30 . 2004-09-18 04:42 -------- d-----w- c:\program files\AIM
    2010-09-17 16:23 . 2004-09-12 19:53 -------- d-----w- c:\program files\Common Files\AOL
    2010-09-17 16:11 . 2008-06-07 21:49 -------- d-----w- c:\program files\iTunes
    2010-09-17 16:10 . 2008-01-02 21:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Tosa
    2010-09-17 16:10 . 2004-12-10 10:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Cytuis
    2010-09-17 15:15 . 2010-08-05 15:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Wemux
    2010-09-17 15:15 . 2009-03-17 03:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Vyyq
    2010-09-17 15:15 . 2009-09-10 13:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Suan
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
    2010-09-17 14:26 . 2006-05-08 04:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Aznel
    2010-09-17 00:10 . 2009-05-27 20:19 99908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-09-17 00:10 . 2009-05-27 20:19 1148960 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-09-17 00:10 . 2009-05-27 20:19 324764 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-09-17 00:10 . 2009-05-27 20:19 24607776 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-08-28 21:42 . 2009-03-29 07:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Etiqm
    2010-08-24 00:46 . 2010-08-09 13:49 -------- d-----w- c:\program files\riv
    2010-08-15 19:09 . 2010-08-15 19:08 -------- d-----w- c:\program files\rivi
    2010-08-14 17:46 . 2010-04-01 14:59 92160 ----a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\VerizonVasDetectionScripts.v6.41.zip.dir\resources\McAfeeSecurityScanIcon.v2-1-119-2.exe
    2010-08-09 23:28 . 2009-05-27 17:51 -------- d-----w- c:\program files\Common Files\Motive
    2010-08-06 20:35 . 2004-07-02 03:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Ylmeca
    2010-08-04 00:33 . 2004-04-03 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
    2010-08-01 09:23 . 2008-06-07 21:47 -------- d-----w- c:\program files\Apple Software Update
    2010-07-26 20:48 . 2006-03-23 23:06 -------- d-----w- c:\program files\Google
    2010-07-26 00:22 . 2008-02-06 01:49 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2010-07-25 14:48 . 2010-07-21 21:39 -------- d-----w- c:\program files\RMNetwork
    2010-07-21 21:39 . 2010-07-21 21:39 -------- d-----w- c:\program files\getfire
    2010-07-19 20:10 . 2009-03-04 19:32 115712 -c--a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\Verizon_VISS_Mac_Promotion_Campaign.18467.zip.dir\en\tools\RpsInstallerFinder.exe
    2010-07-19 20:10 . 2007-12-30 17:53 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:10 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:10 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:10 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:10 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:10 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-19 20:09 . 2006-04-18 08:15 221184 -c--a-w- c:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\EPCheck.dll
    2010-07-19 20:09 . 2008-06-07 19:42 585728 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msado15.dll
    2010-07-19 20:09 . 2008-06-07 19:42 249856 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msadox.dll
    2010-07-19 20:09 . 2008-06-07 19:42 151552 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msjro.dll
    2010-07-19 20:06 . 2004-09-15 01:23 393216 -c--a-w- c:\documents and settings\All Users\Application Data\PopCap\PopCapLoader\Shockwave\insaniquarium\Insaniquarium.dll
    2010-07-19 20:06 . 2005-03-19 21:24 450560 -c--a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3f1_9bd5a28\EasyShrx.Dll
    2010-07-19 20:04 . 2005-03-20 19:45 57856 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptScan.exe
    2010-07-19 20:04 . 2006-06-21 23:06 61440 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptClean.exe
    2010-07-19 20:04 . 2007-12-29 16:02 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:04 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:04 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:04 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:04 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:04 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-02 00:39 . 2010-05-12 23:28 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
    2006-01-31 13:10 . 2006-01-31 13:10 410709 -csh--w- c:\windows\system32\klkkj.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b} "= "c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
    2009-07-02 14:18 2215960 ----a-w- c:\program files\ToggleEN\tbTogg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b} "= "c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WebAgent]
    @= "{D540B3B0-7DA0-4AA5-B548-236124A56CD0} "
    [HKEY_CLASSES_ROOT\CLSID\{D540B3B0-7DA0-4AA5-B548-236124A56CD0}]
    2010-07-21 21:39 161792 ----a-w- c:\program files\RMNetwork\webagent.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-17 2424560]
    "{69C84E31-F646-65FF-E015-44F40CC23564} "= "c:\documents and settings\Owner\Application Data\Ciirlo\paesa.exe" [2009-03-25 108032]
    "Vzeyogoyineba "= "c:\windows\cabaxmur.dll" [2007-03-08 78336]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "539410 "= "c:\docume~1\Owner\LOCALS~1\APPLIC~1\539410.exe" [2010-09-18 1130496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-08-01 462848]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "Verizon_McciTrayApp "= "c:\program files\Verizon\McciTrayApp.exe" [2010-08-01 1612800]
    "VerizonServicepoint.exe "= "c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-20 180269]
    "sniffer "= "c:\windows\Temp\_ex-08.exe" [2010-09-18 246784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-17 126976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit "= "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-09-17 15:40 595456 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-01-19 16:45 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
    backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
    backup=c:\windows\pss\TA_Start.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
    backup=c:\windows\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ycaqxmq]
    c:\program files\??stem32\?hkntfs.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2005-03-04 16:01 88209 -c--a-w- c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    2004-09-07 18:47 57344 -c--a-w- c:\windows\ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    2010-07-19 20:21 151552 ----a-w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-07-19 20:24 98304 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    1998-05-08 00:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    2010-07-19 20:13 110592 -c--a-w- c:\hp\KBD\kbd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-19 03:00 200704 -c--a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-01 22:25 462848 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2004-04-02 08:49 32881 -c--a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2005-11-20 00:02 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\wt\\webdriver\\4.1.1\\wthost.exe "=
    "c:\\Program Files\\America Online 9.0\\waol.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13066:TCP "= 13066:TCP:spport
    "23208:TCP "= 23208:TCP:spport
    "14064:TCP "= 14064:TCP:spport
    "5688:TCP "= 5688:TCP:spport
    "26854:TCP "= 26854:TCP:spport
    "19089:TCP "= 19089:TCP:spport
    "24565:TCP "= 24565:TCP:spport
    "29918:TCP "= 29918:TCP:spport
    "27867:TCP "= 27867:TCP:spport
    "17731:TCP "= 17731:TCP:spport
    "18641:TCP "= 18641:TCP:spport
    "24206:TCP "= 24206:TCP:spport
    "9883:TCP "= 9883:TCP:spport
    "19177:TCP "= 19177:TCP:spport
    "15239:TCP "= 15239:TCP:spport

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/17/2010 12:45 PM 165456]
    R1 NEOFLTR_510_10575;Juniper Networks TDI Filter Driver (NEOFLTR_510_10575);c:\windows\system32\drivers\NEOFLTR_510_10575.sys [4/18/2006 4:08 AM 57063]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/17/2010 12:45 PM 17744]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 7:43 PM 24652]
    R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [9/18/2010 7:44 PM 50704]
    S2 mrtRate;mrtRate; [x]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/11/2004 7:21 PM 20160]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - NPF
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZUxdm08018US&ptb=wDSZwWpJnj3GeQqM92HrGQ
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    TCP: {AD002166-C4CA-44BD-B7A4-3913E4D88727} = 93.188.162.81,93.188.161.221
    DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://wcac.magellanhealth.com/+CSCOL+/cscopf.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Twoseguwivi - c:\windows\ilulesolasiwit.dll
    SafeBoot-klmdb.sys



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-18 19:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\wpcap.dll 281104 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(700)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

    - - - - - - - > 'explorer.exe'(3300)
    c:\program files\RMNetwork\webagent.dll
    c:\windows\cabaxmur.dll
    c:\program files\Neoteris\Secure Application Manager\samnsp.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\wanmpsvc.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-18 19:50:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-18 23:50
    ComboFix2.txt 2010-09-18 19:57

    Pre-Run: 142,056,919,040 bytes free
    Post-Run: 141,631,369,216 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 72F5988A6F9822B4F0AB07A31D41ACA5
     
  11. 2010/09/18
    broni

    broni Moderator Malware Analyst

    Uninstall AskBarDis, known adware.

    ================================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Rcuheriyovu.dat
    c:\windows\Byivofibu.bin
    c:\documents and settings\Owner\Local Settings\Application Data\539410.exe
    c:\windows\system32\klkkj.tmp
    c:\windows\Temp\_ex-08.exe
    c:\windows\ALCXMNTR.EXE
    
    
    DirLook::
    C:\tmp
    C:\log
    c:\program files\sys32
    c:\program files\riv87
    c:\program files\ssns
    c:\documents and settings\Owner\Application Data\Iret
    c:\documents and settings\Owner\Application Data\Tosa
    c:\documents and settings\Owner\Application Data\Cytuis
    c:\documents and settings\Owner\Application Data\Wemux
    c:\documents and settings\Owner\Application Data\Vyyq
    c:\documents and settings\Owner\Application Data\Suan
    c:\documents and settings\Owner\Application Data\Aznel
    c:\program files\riv
    c:\program files\rivi
    c:\documents and settings\Owner\Application Data\Ylmeca
    
    Folder::
    c:\documents and settings\Owner\Application Data\Edcuiv
    c:\program files\Common Files\Symantec Shared
    c:\documents and settings\Owner\Application Data\Etiqm
    
    
    DDS::
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZUxdm08018US&ptb=wDSZwWpJnj3GeQqM92HrGQ
    uInternet Settings,ProxyOverride = localhost;*.local
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "sniffer"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ycaqxmq]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
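The entries that script removes (Security Center monitoring switched off, the FirewallOverride flag, the "sniffer" Run value launching from Temp) sit next to other things a log reviewer would want flagged automatically, such as the Userinit value carrying a second executable and the long list of globally open TCP ports. As an added example, not a tool from this thread or from ComboFix, here is a Python triage script that parses a ComboFix-style registry dump and reports those patterns; its sample log is constructed from lines quoted in this thread, and the suspicious-folder list and the three-port threshold are assumptions.

```python
"""Triage checks over a ComboFix-style registry dump (added example, not a tool
from this thread or from ComboFix).  It flags the patterns visible in the logs
above: Security Center monitoring switched off, firewall-authorized TCP ports,
a Winlogon Userinit value that launches an extra executable, and Run/RunOnce
entries that start from Temp or per-user Application Data folders.  SAMPLE_LOG
is constructed from lines quoted in the thread."""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13066:TCP"= 13066:TCP:spport
"23208:TCP"= 23208:TCP:spport
"5688:TCP"= 5688:TCP:spport

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-17 2424560]
"Vzeyogoyineba"="c:\windows\cabaxmur.dll" [2007-03-08 78336]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"809440794"="c:\docume~1\Owner\LOCALS~1\APPLIC~1\809440794.exe" [2010-09-19 1144320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sniffer"="c:\windows\Temp\_ex-08.exe" [2010-09-19 246784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# Folders a legitimate autorun rarely launches from (assumed heuristic, not a ComboFix rule).
SUSPICIOUS_DIRS = ('\\temp\\', '\\application data\\', '\\applic~1\\', '\\locals~1\\')
# How many globally open ports count as "too many" is an assumption for this example.
OPEN_PORT_THRESHOLD = 3


def parse_sections(text):
    """Return [(key_path, [(value_name, raw_data), ...]), ...] in log order."""
    sections = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[1].append((m.group(1), m.group(2).strip()))
    return sections


def target_of(raw):
    """Extract the quoted program path ComboFix prints, lower-cased for matching."""
    m = re.match(r'"([^"]*)"', raw)
    return (m.group(1) if m else raw).lower()


def triage(text):
    """Return a list of (finding_kind, detail) tuples for a ComboFix log excerpt."""
    findings = []
    for key, values in parse_sections(text):
        k = key.lower()
        if 'security center\\monitoring' in k:
            for name, raw in values:
                if name.lower() == 'disablemonitoring' and raw.lower().endswith('00000001'):
                    findings.append(('security_center_monitoring_disabled', key))
        elif k.endswith('globallyopenports\\list'):
            ports = [name for name, _ in values]
            if len(ports) >= OPEN_PORT_THRESHOLD:
                findings.append(('firewall_open_ports', ','.join(ports)))
        elif k.endswith('\\winlogon'):
            for name, raw in values:
                if name.lower() == 'userinit':
                    # Userinit is comma-separated; anything beyond userinit.exe is an injected launcher.
                    parts = [p.strip() for p in target_of(raw).split(',') if p.strip()]
                    extra = [p for p in parts if not p.endswith('\\userinit.exe')]
                    if extra:
                        findings.append(('userinit_extra_executable', ';'.join(extra)))
        elif k.endswith('\\run') or k.endswith('\\runonce'):
            for name, raw in values:
                path = target_of(raw)
                if any(d in path for d in SUSPICIOUS_DIRS):
                    findings.append(('autorun_from_user_or_temp_dir', f'{name} -> {path}'))
                elif path.endswith('.dll'):
                    # ComboFix prints the resolved file; a Run entry resolving to a DLL is odd.
                    findings.append(('autorun_dll_target', f'{name} -> {path}'))
    return findings


if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_LOG):
        print(f'{kind}: {detail}')
```

Running it against the sample reports six findings; pasting a full ComboFix log in place of SAMPLE_LOG works the same way, since the parser skips the non-registry lines.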
     
  12. 2010/09/18
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    I can't get the CFScript file to open combofix. In normal mode, that security tool pop-up comes up and it won't let it start. In safe mode, it just doesn't do anything.
     
  13. 2010/09/18
    broni

    broni Moderator Malware Analyst

    Delete your Combofix file and download a fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the tool below, named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

    There are 4 different versions. If one of them won't run, then download and try to run another one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7, right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately try to run the following.

    Now download and run exeHelper.


    • Please download exeHelper from Raktor to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up; press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com.
    • Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

    Now, drag my script to broni.exe
     
  14. 2010/09/19
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    I could not get any of the programs you mentioned to run in normal mode; they ran in safe mode but didn't appear to do anything. I did get the CFScript file to run in safe mode by renaming combofix to broni. Here is the log from that run:

    ComboFix 10-09-17.04 - Owner 09/19/2010 0:53.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.237 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\Broni.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

    FILE ::
    "c:\documents and settings\Owner\Local Settings\Application Data\539410.exe"
    "c:\windows\ALCXMNTR.EXE"
    "c:\windows\Byivofibu.bin"
    "c:\windows\Rcuheriyovu.dat"
    "c:\windows\system32\klkkj.tmp"
    "c:\windows\Temp\_ex-08.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\Ciirlo\paesa.exe
    c:\documents and settings\Owner\Application Data\Edcuiv
    c:\documents and settings\Owner\Application Data\Edcuiv\hoasu.tmp
    c:\documents and settings\Owner\Application Data\Etiqm
    c:\documents and settings\Owner\Application Data\Etiqm\suho.olo
    c:\documents and settings\Owner\Application Data\Etiqm\suho.tmp
    c:\documents and settings\Owner\Local Settings\Application Data\539410.exe
    c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
    c:\program files\Common Files\Symantec Shared
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\program files\Microsoft\DesktopLayer.exe
    c:\windows\ALCXMNTR.EXE
    c:\windows\Byivofibu.bin
    c:\windows\cabaxmur.dll
    c:\windows\Rcuheriyovu.dat
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\klkkj.tmp
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll
    c:\windows\Temp\_ex-08.exe
    c:\program files\Microsoft\DesktopLayer.exe . . . .

    Infected copy of c:\windows\system32\DRIVERS\ohci1394.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF


    ((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
    .

    2010-09-19 05:02 . 2010-09-19 05:02 50704 ----a-w- c:\windows\system32\drivers\npf.sys
    2010-09-19 04:26 . 2004-08-04 06:10 61056 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
    2010-09-19 04:26 . 2004-08-04 06:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
    2010-09-18 20:17 . 2010-09-18 20:17 45568 ----a-w- c:\windows\system32\wscntfySrv.exe
    2010-09-18 19:45 . 2010-09-19 05:00 45568 ----a-w- c:\windows\system32\rundll32Srv.exe
    2010-09-17 16:45 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-17 16:45 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-17 16:45 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-17 16:45 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-17 16:45 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-17 16:45 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-17 16:45 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-17 16:45 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-17 16:45 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\program files\Alwil Software
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-09-17 15:22 . 2010-09-17 16:15 157696 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-17 15:22 . 2010-09-17 16:15 146432 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-17 15:22 . 2010-09-17 16:15 211968 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 16:34 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 14:38 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 14:36 . 2010-09-17 14:38 -------- d-----w- C:\tmp
    2010-09-17 14:30 . 2010-09-17 14:30 -------- d-----w- C:\log
    2010-09-17 14:26 . 2010-09-19 05:00 -------- d-----w- c:\program files\sys32
    2010-09-17 14:26 . 2010-09-19 05:00 -------- d-----w- c:\program files\riv87
    2010-08-23 21:20 . 2010-09-17 15:15 -------- d-----w- c:\program files\ssns

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-19 05:02 . 2010-09-19 05:02 1144320 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\809440794.exe
    2010-09-19 05:02 . 2010-09-19 05:02 281104 ----a-w- c:\windows\system32\wpcap.dll
    2010-09-19 05:02 . 2010-09-19 05:02 100880 ----a-w- c:\windows\system32\Packet.dll
    2010-09-19 05:00 . 2005-03-09 14:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Siwyy
    2010-09-19 05:00 . 2010-07-19 20:04 -------- d-----w- c:\program files\Microsoft
    2010-09-19 04:58 . 2009-03-25 06:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Ciirlo
    2010-09-19 01:40 . 2004-09-12 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-09-18 22:53 . 2009-05-27 17:42 -------- d-----w- c:\program files\Verizon
    2010-09-18 22:52 . 2002-08-29 08:05 37376 ----a-w- c:\windows\system32\drivers\amdk7.sys
    2010-09-18 20:17 . 2008-06-07 21:47 -------- d-----w- c:\program files\QuickTime
    2010-09-18 19:45 . 2004-08-29 14:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Iret
    2010-09-18 19:41 . 2010-07-19 20:04 -------- d-----w- c:\program files\riva
    2010-09-17 16:38 . 2010-08-01 21:02 452104 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.12\setup.exe
    2010-09-17 16:30 . 2004-09-18 04:42 -------- d-----w- c:\program files\AIM
    2010-09-17 16:23 . 2004-09-12 19:53 -------- d-----w- c:\program files\Common Files\AOL
    2010-09-17 16:11 . 2008-06-07 21:49 -------- d-----w- c:\program files\iTunes
    2010-09-17 16:10 . 2008-01-02 21:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Tosa
    2010-09-17 16:10 . 2004-12-10 10:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Cytuis
    2010-09-17 15:15 . 2010-08-05 15:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Wemux
    2010-09-17 15:15 . 2009-03-17 03:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Vyyq
    2010-09-17 15:15 . 2009-09-10 13:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Suan
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
    2010-09-17 14:26 . 2006-05-08 04:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Aznel
    2010-09-17 00:10 . 2009-05-27 20:19 99908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-09-17 00:10 . 2009-05-27 20:19 1148960 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-09-17 00:10 . 2009-05-27 20:19 324764 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-09-17 00:10 . 2009-05-27 20:19 24607776 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-08-24 00:46 . 2010-08-09 13:49 -------- d-----w- c:\program files\riv
    2010-08-15 19:09 . 2010-08-15 19:08 -------- d-----w- c:\program files\rivi
    2010-08-14 17:46 . 2010-04-01 14:59 92160 ----a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\VerizonVasDetectionScripts.v6.41.zip.dir\resources\McAfeeSecurityScanIcon.v2-1-119-2.exe
    2010-08-09 23:28 . 2009-05-27 17:51 -------- d-----w- c:\program files\Common Files\Motive
    2010-08-06 20:35 . 2004-07-02 03:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Ylmeca
    2010-08-04 00:33 . 2004-04-03 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
    2010-08-01 09:23 . 2008-06-07 21:47 -------- d-----w- c:\program files\Apple Software Update
    2010-07-26 20:48 . 2006-03-23 23:06 -------- d-----w- c:\program files\Google
    2010-07-26 00:22 . 2008-02-06 01:49 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2010-07-25 14:48 . 2010-07-21 21:39 -------- d-----w- c:\program files\RMNetwork
    2010-07-21 21:39 . 2010-07-21 21:39 -------- d-----w- c:\program files\getfire
    2010-07-19 20:10 . 2009-03-04 19:32 115712 -c--a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\Verizon_VISS_Mac_Promotion_Campaign.18467.zip.dir\en\tools\RpsInstallerFinder.exe
    2010-07-19 20:10 . 2007-12-30 17:53 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:10 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:10 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:10 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:10 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:10 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-19 20:09 . 2006-04-18 08:15 221184 -c--a-w- c:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\EPCheck.dll
    2010-07-19 20:09 . 2008-06-07 19:42 585728 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msado15.dll
    2010-07-19 20:09 . 2008-06-07 19:42 249856 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msadox.dll
    2010-07-19 20:09 . 2008-06-07 19:42 151552 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msjro.dll
    2010-07-19 20:06 . 2004-09-15 01:23 393216 -c--a-w- c:\documents and settings\All Users\Application Data\PopCap\PopCapLoader\Shockwave\insaniquarium\Insaniquarium.dll
    2010-07-19 20:06 . 2005-03-19 21:24 450560 -c--a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3f1_9bd5a28\EasyShrx.Dll
    2010-07-19 20:04 . 2005-03-20 19:45 57856 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptScan.exe
    2010-07-19 20:04 . 2006-06-21 23:06 61440 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptClean.exe
    2010-07-19 20:04 . 2007-12-29 16:02 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:04 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:04 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:04 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:04 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:04 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-02 00:39 . 2010-05-12 23:28 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\documents and settings\Owner\Application Data\Aznel ----

    2006-05-08 04:02 . 2010-09-17 14:26 335 ----a-w- c:\documents and settings\Owner\Application Data\Aznel\ehax.tmp
    2006-05-08 04:02 . 2010-09-17 14:26 326 ----a-w- c:\documents and settings\Owner\Application Data\Aznel\ehax.yfk

    ---- Directory of c:\documents and settings\Owner\Application Data\Cytuis ----


    ---- Directory of c:\documents and settings\Owner\Application Data\Iret ----

    2004-08-29 14:22 . 2010-09-18 19:45 335 ----a-w- c:\documents and settings\Owner\Application Data\Iret\odfeo.tmp

    ---- Directory of c:\documents and settings\Owner\Application Data\Suan ----


    ---- Directory of c:\documents and settings\Owner\Application Data\Tosa ----


    ---- Directory of c:\documents and settings\Owner\Application Data\Vyyq ----


    ---- Directory of c:\documents and settings\Owner\Application Data\Wemux ----


    ---- Directory of c:\documents and settings\Owner\Application Data\Ylmeca ----

    2010-08-06 20:35 . 2010-08-23 21:35 38901 ----a-w- c:\documents and settings\Owner\Application Data\Ylmeca\dopuf.uqe
    2010-08-06 14:45 . 2010-08-06 14:45 1654 ----a-w- c:\documents and settings\Owner\Application Data\Ylmeca\dopuf.tmp

    ---- Directory of C:\log ----

    2010-09-17 14:30 . 2010-09-17 14:30 200 ----a-w- c:\log\InvisibleUtility_boot.log

    ---- Directory of c:\program files\riv ----

    2010-08-24 00:46 . 2010-08-24 01:03 96768 ----a-w- c:\program files\riv\MIX.exe

    ---- Directory of c:\program files\riv87 ----


    ---- Directory of c:\program files\rivi ----


    ---- Directory of c:\program files\ssns ----


    ---- Directory of c:\program files\sys32 ----

    2010-09-18 17:10 . 2010-09-18 23:42 92698 ----a-w- c:\program files\sys32\setup.exe

    ---- Directory of C:\tmp ----

    2010-09-17 14:38 . 2010-09-10 19:08 9333808 ----a-w- c:\tmp\Super Antispyware\SUPERAntiSpyware.exe
    2010-09-17 14:38 . 2005-06-03 11:52 1044168 ----a-w- c:\tmp\Spyware Blaster\VB6 runtime fix Win98_ME\vbrun60sp5.exe
    2010-09-17 14:38 . 2005-06-03 11:52 746215 ----a-w- c:\tmp\Spyware Blaster\MSCOMCTL file fix\missingfilesetup.exe
    2010-09-17 14:38 . 2004-12-23 23:28 419328 ----a-w- c:\tmp\Spyware Blaster\To Update Spyware Blaster.doc
    2010-09-17 14:38 . 2005-03-11 22:49 19456 ----a-w- c:\tmp\Spyware Blaster\To update Spyware Blaster to V3_3.doc
    2010-09-17 14:38 . 2010-09-10 19:40 3194296 ----a-w- c:\tmp\Spyware Blaster\spywareblastersetup44.exe
    2010-09-17 14:38 . 2010-08-04 23:07 921512 ----a-w- c:\tmp\Norton Removal Tool\Norton_Removal_Tool.exe
    2010-09-17 14:38 . 2008-08-23 15:42 623616 ----a-w- c:\tmp\MalwareBytes Antimalware\To update and scan with MalwareBytes AntiMalware.doc
    2010-09-17 14:38 . 2010-09-10 19:08 6153352 ----a-w- c:\tmp\MalwareBytes Antimalware\mbam-setup-1.46.exe
    2010-09-17 14:37 . 2010-09-16 21:32 50179528 ----a-w- c:\tmp\Comodo\Firewall\Win32\cfw_installer_x86.exe
    2010-09-17 14:37 . 2010-09-16 21:35 51955656 ----a-w- c:\tmp\Comodo\Firewall\Win64\cfw_installer_x64.exe
    2010-09-17 14:37 . 2010-09-16 21:38 50179528 ----a-w- c:\tmp\Comodo\Antivirus\Win32\cav_installer_x86.exe
    2010-09-17 14:37 . 2010-09-16 21:41 51955656 ----a-w- c:\tmp\Comodo\Antivirus\Win64\cav_installer_x64.exe
    2010-09-17 14:37 . 2010-09-16 21:44 50179528 ----a-w- c:\tmp\Comodo\Internet Security\Win32\cispremium_installer_x86.exe
    2010-09-17 14:37 . 2010-09-16 21:45 51955656 ----a-w- c:\tmp\Comodo\Internet Security\Win64\cispremium_installer_x64.exe
    2010-09-17 14:37 . 2009-12-24 14:04 40599312 ----a-w- c:\tmp\Comodo\CIS_Setup_3.13.121240.574_XP_Vista_x32.exe
    2010-09-17 14:37 . 2010-04-05 17:02 520192 ----a-w- c:\tmp\Avast Antivirus\To update and scan with Avast Antivirus V5.doc
    2010-09-17 14:37 . 2008-08-24 17:19 5435392 ----a-w- c:\tmp\Avast Antivirus\To update and scan with Avast Antivirus V4.doc
    2010-09-17 14:37 . 2010-09-08 14:16 54835272 ----a-w- c:\tmp\Avast Antivirus\setup_av_free.exe
    2010-09-17 14:37 . 2009-12-24 13:40 41839904 ----a-w- c:\tmp\Avast Antivirus\setupeng.exe
    2010-09-17 14:37 . 2009-08-10 12:13 28 ----a-w- c:\tmp\Avast Antivirus\Avast license key.txt
    2010-09-17 14:37 . 2009-03-13 14:52 986 ----a-w- c:\tmp\Avast Antivirus\Avast startup delay for performance boost.txt
    2010-09-17 14:37 . 2010-09-17 15:45 493568 ----a-w- c:\tmp\TFC.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b}"="c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
    2009-07-02 14:18 2215960 ----a-w- c:\program files\ToggleEN\tbTogg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"="c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b}"="c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"="c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WebAgent]
    @="{D540B3B0-7DA0-4AA5-B548-236124A56CD0}"
    [HKEY_CLASSES_ROOT\CLSID\{D540B3B0-7DA0-4AA5-B548-236124A56CD0}]
    2010-07-21 21:39 161792 ----a-w- c:\program files\RMNetwork\webagent.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-17 2424560]
    "{69C84E31-F646-65FF-E015-44F40CC23564}"="c:\documents and settings\Owner\Application Data\Edefaq\izuli.exe" [2006-12-08 108032]
    "Vzeyogoyineba"="c:\windows\cabaxmur.dll" [2007-03-08 78336]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "809440794"="c:\docume~1\Owner\LOCALS~1\APPLIC~1\809440794.exe" [2010-09-19 1144320]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-01 462848]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-08-01 1612800]
    "VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-20 180269]
    "sniffer"="c:\windows\Temp\_ex-08.exe" [2010-09-19 246784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-17 126976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-09-17 15:40 595456 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-01-19 16:45 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
    backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
    backup=c:\windows\pss\TA_Start.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
    backup=c:\windows\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2005-03-04 16:01 88209 -c--a-w- c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    2010-07-19 20:21 151552 ----a-w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-07-19 20:24 98304 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    1998-05-08 00:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    2010-07-19 20:13 110592 -c--a-w- c:\hp\KBD\kbd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-19 03:00 200704 -c--a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-01 22:25 462848 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2004-04-02 08:49 32881 -c--a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2005-11-20 00:02 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\wt\\webdriver\\4.1.1\\wthost.exe "=
    "c:\\Program Files\\America Online 9.0\\waol.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13066:TCP "= 13066:TCP:spport
    "23208:TCP "= 23208:TCP:spport
    "14064:TCP "= 14064:TCP:spport
    "5688:TCP "= 5688:TCP:spport
    "26854:TCP "= 26854:TCP:spport
    "19089:TCP "= 19089:TCP:spport
    "24565:TCP "= 24565:TCP:spport
    "29918:TCP "= 29918:TCP:spport
    "27867:TCP "= 27867:TCP:spport
    "17731:TCP "= 17731:TCP:spport
    "18641:TCP "= 18641:TCP:spport
    "24206:TCP "= 24206:TCP:spport
    "9883:TCP "= 9883:TCP:spport
    "19177:TCP "= 19177:TCP:spport
    "15239:TCP "= 15239:TCP:spport

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/17/2010 12:45 PM 165456]
    R1 NEOFLTR_510_10575;Juniper Networks TDI Filter Driver (NEOFLTR_510_10575);c:\windows\system32\drivers\NEOFLTR_510_10575.sys [4/18/2006 4:08 AM 57063]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/17/2010 12:45 PM 17744]
    R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [9/19/2010 1:02 AM 50704]
    S2 mrtRate;mrtRate; [x]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/11/2004 7:21 PM 20160]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - NPF
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    TCP: {AD002166-C4CA-44BD-B7A4-3913E4D88727} = 93.188.162.81,93.188.161.221
    DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://wcac.magellanhealth.com/+CSCOL+/cscopf.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-19 01:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\wpcap.dll 281104 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

    - - - - - - - > 'explorer.exe'(2720)
    c:\program files\RMNetwork\webagent.dll
    c:\windows\cabaxmur.dll
    c:\program files\Neoteris\Secure Application Manager\samnsp.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\wanmpsvc.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-19 01:08:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-19 05:07
    ComboFix2.txt 2010-09-18 23:50
    ComboFix3.txt 2010-09-18 19:57

    Pre-Run: 141,600,264,192 bytes free
    Post-Run: 141,611,622,400 bytes free

    - - End Of File - - DB59411AAF4E86125F3B039E01F9949F
     
  15. 2010/09/19
    broni Moderator Malware Analyst
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Owner\Local Settings\Application Data\809440794.exe
    c:\documents and settings\Owner\Application Data\Edefaq\izuli.exe
    c:\windows\cabaxmur.dll
    c:\docume~1\Owner\LOCALS~1\APPLIC~1\809440794.exe
    c:\windows\Temp\_ex-08.exe
    
    
    Folder::
    c:\documents and settings\Owner\Application Data\Aznel
    c:\documents and settings\Owner\Application Data\Cytuis
    c:\documents and settings\Owner\Application Data\Iret
    c:\documents and settings\Owner\Application Data\Suan
    c:\documents and settings\Owner\Application Data\Tosa
    c:\documents and settings\Owner\Application Data\Vyyq
    c:\documents and settings\Owner\Application Data\Wemux
    c:\documents and settings\Owner\Application Data\Ylmeca
    c:\program files\riv87
    c:\program files\rivi
    c:\program files\ssns
    c:\program files\sys32
    c:\documents and settings\Owner\Application Data\Siwyy
    c:\documents and settings\Owner\Application Data\Ciirlo
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "{69C84E31-F646-65FF-E015-44F40CC23564}"=-
     "Vzeyogoyineba"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
     "809440794"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "sniffer"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  16. 2010/09/19
    BillB Well-Known Member Thread Starter
    I forgot to mention in my last post (sorry, it was late when I posted), there was a message from combofix about a rootkit infection found. It said to make note of this:

    C:\windows\system32\drivers\ohci1394.sys


    Here is the new combofix log:

    ComboFix 10-09-17.04 - Owner 09/19/2010 9:14.4.1 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.275 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\Broni.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

    FILE ::
    "c:\docume~1\Owner\LOCALS~1\APPLIC~1\809440794.exe "
    "c:\documents and settings\Owner\Application Data\Edefaq\izuli.exe "
    "c:\documents and settings\Owner\Local Settings\Application Data\809440794.exe "
    "c:\windows\cabaxmur.dll "
    "c:\windows\Temp\_ex-08.exe "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Owner\LOCALS~1\APPLIC~1\809440794.exe
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\documents and settings\Owner\Application Data\Aznel
    c:\documents and settings\Owner\Application Data\Aznel\ehax.tmp
    c:\documents and settings\Owner\Application Data\Aznel\ehax.yfk
    c:\documents and settings\Owner\Application Data\Ciirlo
    c:\documents and settings\Owner\Application Data\Cytuis
    c:\documents and settings\Owner\Application Data\Edefaq
    c:\documents and settings\Owner\Application Data\Edefaq\izuli.exe
    c:\documents and settings\Owner\Application Data\Iret
    c:\documents and settings\Owner\Application Data\Iret\odfeo.tmp
    c:\documents and settings\Owner\Application Data\Siwyy
    c:\documents and settings\Owner\Application Data\Siwyy\weyv.sau
    c:\documents and settings\Owner\Application Data\Siwyy\weyv.tmp
    c:\documents and settings\Owner\Application Data\Suan
    c:\documents and settings\Owner\Application Data\Tosa
    c:\documents and settings\Owner\Application Data\Vyyq
    c:\documents and settings\Owner\Application Data\Wemux
    c:\documents and settings\Owner\Application Data\Ylmeca
    c:\documents and settings\Owner\Application Data\Ylmeca\dopuf.tmp
    c:\documents and settings\Owner\Application Data\Ylmeca\dopuf.uqe
    c:\documents and settings\Owner\Local Settings\Application Data\809440794.exe
    c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\program files\Microsoft\DesktopLayer.exe
    c:\program files\riv87
    c:\program files\rivi
    c:\program files\ssns
    c:\program files\sys32
    c:\program files\sys32\setup.exe
    c:\windows\cabaxmur.dll
    c:\windows\ExplorerSrv.exe
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll
    c:\windows\Temp\_ex-08.exe
    c:\program files\Microsoft\DesktopLayer.exe . . . .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
    .

    2010-09-19 13:24 . 2010-09-19 13:24 1146368 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\637861217.exe
    2010-09-19 13:23 . 2010-09-19 13:23 -------- d-----w- c:\program files\sys32
    2010-09-19 13:23 . 2010-09-19 13:23 -------- d-----w- c:\program files\riv87
    2010-09-19 04:26 . 2004-08-04 06:10 61056 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
    2010-09-19 04:26 . 2004-08-04 06:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
    2010-09-19 00:53 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-09-18 20:17 . 2010-09-18 20:17 45568 ----a-w- c:\windows\system32\wscntfySrv.exe
    2010-09-18 19:45 . 2010-09-19 13:23 45568 ----a-w- c:\windows\system32\rundll32Srv.exe
    2010-09-17 16:45 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-17 16:45 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-17 16:45 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-17 16:45 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-17 16:45 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-17 16:45 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-17 16:45 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-17 16:45 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-17 16:45 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\program files\Alwil Software
    2010-09-17 16:44 . 2010-09-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-09-17 15:22 . 2010-09-17 16:15 157696 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-17 15:22 . 2010-09-17 16:15 146432 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-17 15:22 . 2010-09-17 16:15 211968 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-17 15:22 . 2010-09-17 16:34 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-17 14:38 . 2010-09-17 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 14:38 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 14:36 . 2010-09-17 14:38 -------- d-----w- C:\tmp
    2010-09-17 14:30 . 2010-09-17 14:30 -------- d-----w- C:\log

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-19 13:23 . 2010-04-02 21:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Soha
    2010-09-19 13:23 . 2010-07-19 20:04 -------- d-----w- c:\program files\Microsoft
    2010-09-18 22:53 . 2009-05-27 17:42 -------- d-----w- c:\program files\Verizon
    2010-09-18 22:52 . 2002-08-29 08:05 37376 ----a-w- c:\windows\system32\drivers\amdk7.sys
    2010-09-18 20:17 . 2008-06-07 21:47 -------- d-----w- c:\program files\QuickTime
    2010-09-18 19:41 . 2010-07-19 20:04 -------- d-----w- c:\program files\riva
    2010-09-17 16:38 . 2010-08-01 21:02 452104 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.12\setup.exe
    2010-09-17 16:30 . 2004-09-18 04:42 -------- d-----w- c:\program files\AIM
    2010-09-17 16:23 . 2004-09-12 19:53 -------- d-----w- c:\program files\Common Files\AOL
    2010-09-17 16:11 . 2008-06-07 21:49 -------- d-----w- c:\program files\iTunes
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
    2010-09-17 14:30 . 2009-05-27 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
    2010-09-17 00:10 . 2009-05-27 20:19 99908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-09-17 00:10 . 2009-05-27 20:19 1148960 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-09-17 00:10 . 2009-05-27 20:19 324764 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-09-17 00:10 . 2009-05-27 20:19 24607776 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-08-24 00:46 . 2010-08-09 13:49 -------- d-----w- c:\program files\riv
    2010-08-14 17:46 . 2010-04-01 14:59 92160 ----a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\VerizonVasDetectionScripts.v6.41.zip.dir\resources\McAfeeSecurityScanIcon.v2-1-119-2.exe
    2010-08-09 23:28 . 2009-05-27 17:51 -------- d-----w- c:\program files\Common Files\Motive
    2010-08-04 00:33 . 2004-04-03 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
    2010-08-01 09:23 . 2008-06-07 21:47 -------- d-----w- c:\program files\Apple Software Update
    2010-07-26 20:48 . 2006-03-23 23:06 -------- d-----w- c:\program files\Google
    2010-07-26 00:22 . 2008-02-06 01:49 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2010-07-25 14:48 . 2010-07-21 21:39 -------- d-----w- c:\program files\RMNetwork
    2010-07-21 21:39 . 2010-07-21 21:39 -------- d-----w- c:\program files\getfire
    2010-07-19 20:10 . 2009-03-04 19:32 115712 -c--a-w- c:\documents and settings\Owner\Application Data\Verizon\VSP\downloads\Verizon_VISS_Mac_Promotion_Campaign.18467.zip.dir\en\tools\RpsInstallerFinder.exe
    2010-07-19 20:10 . 2007-12-30 17:53 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:10 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:10 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:10 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:10 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:10 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Owner\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-19 20:09 . 2006-04-18 08:15 221184 -c--a-w- c:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\EPCheck.dll
    2010-07-19 20:09 . 2008-06-07 19:42 585728 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msado15.dll
    2010-07-19 20:09 . 2008-06-07 19:42 249856 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msadox.dll
    2010-07-19 20:09 . 2008-06-07 19:42 151552 -c--a-w- c:\documents and settings\Owner\Application Data\Creative\Media Database\JetFileBackup\Msjro.dll
    2010-07-19 20:06 . 2004-09-15 01:23 393216 -c--a-w- c:\documents and settings\All Users\Application Data\PopCap\PopCapLoader\Shockwave\insaniquarium\Insaniquarium.dll
    2010-07-19 20:06 . 2005-03-19 21:24 450560 -c--a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_3f1_9bd5a28\EasyShrx.Dll
    2010-07-19 20:04 . 2005-03-20 19:45 57856 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptScan.exe
    2010-07-19 20:04 . 2006-06-21 23:06 61440 -c--a-w- c:\documents and settings\All Users\Application Data\AOL\C_America Online 9.0\OptClean.exe
    2010-07-19 20:04 . 2007-12-29 16:02 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
    2010-07-19 20:04 . 2006-11-05 14:44 1212416 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\u3dapi10.dll
    2010-07-19 20:04 . 2006-10-12 21:38 98304 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\U3AccessGrant.exe
    2010-07-19 20:04 . 2006-11-29 21:42 1699840 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\LPSecurityExtension.dll
    2010-07-19 20:04 . 2007-02-07 17:45 3526656 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\Launchpad.exe
    2010-07-19 20:04 . 2006-08-15 15:15 159744 -c--a-w- c:\documents and settings\Administrator\Application Data\U3\0F607961415068C6\cleanup.exe
    2010-07-02 00:39 . 2010-05-12 23:28 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b} "= "c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
    2009-07-02 14:18 2215960 ----a-w- c:\program files\ToggleEN\tbTogg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
    "{038cb5c7-48ea-4af9-94e0-a1646542e62b} "= "c:\program files\ToggleEN\tbTogg.dll" [2009-07-02 2215960]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\WebAgent]
    @= "{D540B3B0-7DA0-4AA5-B548-236124A56CD0} "
    [HKEY_CLASSES_ROOT\CLSID\{D540B3B0-7DA0-4AA5-B548-236124A56CD0}]
    2010-07-21 21:39 161792 ----a-w- c:\program files\RMNetwork\webagent.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-17 2424560]
    "Vzeyogoyineba "= "c:\windows\cabaxmur.dll" [2007-03-08 78336]
    "{69C84E31-F646-65FF-E015-44F40CC23564} "= "c:\documents and settings\Owner\Application Data\Fusia\cune.exe" [2009-01-30 108032]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "637861217 "= "c:\docume~1\Owner\LOCALS~1\APPLIC~1\637861217.exe" [2010-09-19 1146368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-08-01 462848]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "Verizon_McciTrayApp "= "c:\program files\Verizon\McciTrayApp.exe" [2010-08-01 1612800]
    "VerizonServicepoint.exe "= "c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-20 180269]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-17 126976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit "= "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-09-17 15:40 595456 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-01-19 16:45 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
    backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
    backup=c:\windows\pss\TA_Start.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
    backup=c:\windows\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2005-03-04 16:01 88209 -c--a-w- c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    2010-07-19 20:21 151552 ----a-w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-07-19 20:24 98304 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    1998-05-08 00:04 52736 -c--a-w- c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    2010-07-19 20:13 110592 -c--a-w- c:\hp\KBD\kbd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-19 03:00 200704 -c--a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-01 22:25 462848 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2004-04-02 08:49 32881 -c--a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2005-11-20 00:02 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\wt\\webdriver\\4.1.1\\wthost.exe "=
    "c:\\Program Files\\America Online 9.0\\waol.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "13066:TCP "= 13066:TCP:spport
    "23208:TCP "= 23208:TCP:spport
    "14064:TCP "= 14064:TCP:spport
    "5688:TCP "= 5688:TCP:spport
    "26854:TCP "= 26854:TCP:spport
    "19089:TCP "= 19089:TCP:spport
    "24565:TCP "= 24565:TCP:spport
    "29918:TCP "= 29918:TCP:spport
    "27867:TCP "= 27867:TCP:spport
    "17731:TCP "= 17731:TCP:spport
    "18641:TCP "= 18641:TCP:spport
    "24206:TCP "= 24206:TCP:spport
    "9883:TCP "= 9883:TCP:spport
    "19177:TCP "= 19177:TCP:spport
    "15239:TCP "= 15239:TCP:spport

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/17/2010 12:45 PM 165456]
    R1 NEOFLTR_510_10575;Juniper Networks TDI Filter Driver (NEOFLTR_510_10575);c:\windows\system32\drivers\NEOFLTR_510_10575.sys [4/18/2006 4:08 AM 57063]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/17/2010 12:45 PM 17744]
    S2 mrtRate;mrtRate; [x]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/11/2004 7:21 PM 20160]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://wcac.magellanhealth.com/+CSCOL+/cscopf.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-19 09:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84DFBEC5]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf75edfc3
    \Driver\ACPI -> ACPI.sys @ 0xf7540cb8
    \Driver\atapi -> atapi.sys @ 0xf74f87b4
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
    ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
    ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
    NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf73c9ba0
    PacketIndicateHandler -> NDIS.sys @ 0xf73d6b21
    SendHandler -> NDIS.sys @ 0xf73b487b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

    - - - - - - - > 'explorer.exe'(3788)
    c:\program files\RMNetwork\webagent.dll
    c:\windows\cabaxmur.dll
    c:\program files\Neoteris\Secure Application Manager\samnsp.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\wanmpsvc.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    c:\docume~1\Owner\LOCALS~1\Temp\fa3387fhp387fb.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-19 09:31:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-19 13:31
    ComboFix2.txt 2010-09-19 05:08
    ComboFix3.txt 2010-09-18 23:50
    ComboFix4.txt 2010-09-18 19:57

    Pre-Run: 142,065,229,824 bytes free
    Post-Run: 141,581,651,968 bytes free

    - - End Of File - - 6CBB53A993D19AF6E075E7F1CFDA0A0F
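The firewall policy section of the ComboFix log above is worth a closer look: fifteen TCP ports in the 5000-30000 range have been opened under the single label "spport", which is not a recognisable service name, and the authorized-applications list includes an executable under c:\WINDOWS\wt rather than under system32 or Program Files. The Python below is an added example for this thread, not the page's own tooling and not anything ComboFix ships. It parses a dump in the same shape (the SAMPLE text is constructed from a few of the lines above), groups open-port exceptions by label and flags any label covering three or more distinct high ports, and lists authorized programs outside the directories a stock install would use. The three-port threshold and the expected directory list are assumptions of this example; a hit means "review", not "malicious".

```python
"""Triage a ComboFix-style Windows Firewall policy dump (XP SP2 era).

Added example, not part of the original thread. SAMPLE is constructed to
mirror the log's shape; the heuristics and thresholds are assumptions of
this example, not a published rule set.
"""
import re
from collections import defaultdict

SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\WINDOWS\\wt\\webdriver\\4.1.1\\wthost.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13066:TCP "= 13066:TCP:spport
"23208:TCP "= 23208:TCP:spport
"5688:TCP "= 5688:TCP:spport
"3389:TCP "= 3389:TCP:Remote Desktop
"""

# ComboFix's abbreviated rendering: "PORT:PROTO "= PORT:PROTO:NAME
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)\s*"\s*=\s*(\d+):(TCP|UDP):(.*)$', re.I)
# Authorized application: "PATH "=  (path with doubled backslashes)
APP_RE = re.compile(r'^"(.+?)\s*"\s*=\s*$')

# Directories from which a firewall exception is unremarkable on a stock
# XP box (assumed list); anything else is "review", not "malicious".
EXPECTED_APP_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def normalize_path(raw):
    """Lower-case, collapse the doubled backslashes ComboFix prints, and
    expand %windir% (assumed here to be the Windows directory on c:)."""
    p = raw.strip().lower().replace("\\\\", "\\")
    return p.replace("%windir%", "c:\\windows")


def parse_firewall_dump(text):
    """Return {'apps': [path, ...], 'ports': [(port, proto, name), ...]}."""
    section = None
    apps, ports = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line.lower()
            section = ("apps" if "authorizedapplications" in key
                       else "ports" if "globallyopenports" in key else None)
            continue
        if section == "ports":
            m = PORT_RE.match(line)
            if m:
                ports.append((int(m.group(3)), m.group(4).upper(), m.group(5).strip()))
        elif section == "apps":
            m = APP_RE.match(line)
            if m:
                apps.append(normalize_path(m.group(1)))
    return {"apps": apps, "ports": ports}


def find_mass_port_exceptions(ports, min_count=3):
    """Group open-port exceptions by display name and return the names that
    cover min_count or more distinct high (>1024) ports. Legitimate software
    rarely registers a pile of random ephemeral ports under one label; a bot
    opening listeners for itself does exactly that."""
    by_name = defaultdict(set)
    for port, _proto, name in ports:
        by_name[name].add(port)
    return {name: sorted(p) for name, p in by_name.items()
            if len(p) >= min_count and all(x > 1024 for x in p)}


def review_authorized_apps(apps):
    """Authorized programs living outside the expected directories."""
    return [p for p in apps if not p.startswith(EXPECTED_APP_DIRS)]


if __name__ == "__main__":
    parsed = parse_firewall_dump(SAMPLE)
    for name, plist in find_mass_port_exceptions(parsed["ports"]).items():
        print("mass exception %r on %d ports: %s" % (name, len(plist), plist))
    for app in review_authorized_apps(parsed["apps"]):
        print("review authorized app:", app)
```

On the live system the same data sits under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, where each value has the raw form port:proto:*:Enabled:name; the regex above matches ComboFix's shortened rendering, not that raw format, so adjust it if you feed it a .reg export instead of a log.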
     
  17. 2010/09/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
Thank you. It looks like that issue was fixed on a previous ComboFix run, but we'll keep checking.

    Something is still lurking here.

    Update MBAM, run it and post fresh log.
    Re-run TDSSKiller as well.

    Are you able to operate in normal mode?
     
  18. 2010/09/19
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
I'm running the MBAM scan now; I have to run it in safe mode. I can boot normally, but when I try to run anything, that Security Tool pop-up comes up saying that the program is malware and doesn't let it run. Not sure what that is; I haven't been able to find it to remove it in Add/Remove Programs. It has an icon in the system tray as well. I may not be able to run the TDSS tool if it won't run in safe mode. I will post the MBAM log when the scan is finished.
     
  19. 2010/09/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
When you're done with MBAM in safe mode, restart in normal mode and run rKill first.
Then try to run MBAM.
Let me know if it works.
If not, we'll find another way.
     
  20. 2010/09/19
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
Here's the MBAM log from the safe-mode run; going to try your suggestion next.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4652

    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 6.0.2900.2180

    9/19/2010 12:43:04 PM
    mbam-log-2010-09-19 (12-43-04).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 211077
    Time elapsed: 33 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 24

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vzeyogoyineba (Trojan.Hiloti.Gen) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{69c84e31-f646-65ff-e015-44f40cc23564} (Trojan.Downloader) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\637861217 (Rogue.SecurityTool) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe,c:\program files\quicktime\qttasksrv.exe) Good: (userinit.exe) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\cabaxmur.dll (Trojan.Hiloti.Gen) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\Fusia\cune.exe (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\Owner\Local Settings\Application Data\637861217.exe (Rogue.SecurityTool) -> No action taken.
    C:\Documents and Settings\Owner\Local Settings\temp\fa3387fhp387fb.exe (Trojan.Downloader) -> No action taken.
    C:\Program Files\iTunes\iTunesHelperSrv.exe (Malware.Packer) -> No action taken.
    C:\Program Files\iTunes\ituneshelpersrvSrv.exe (Malware.Packer) -> No action taken.
    C:\Program Files\Microsoft\DesktopLayer.exe (Malware.Packer) -> No action taken.
    C:\Program Files\Microsoft\desktoplayerSrv.exe (Backdoor.IRCBot) -> No action taken.
    C:\Program Files\sys32\setup.exe (Trojan.Downloader) -> No action taken.
    C:\Program Files\Verizon\McciTrayAppSrv.exe (Backdoor.IRCBot) -> No action taken.
    C:\Program Files\Verizon\mccitrayappsrvSrv.exe (Malware.Packer) -> No action taken.
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Aror\ynvu.exe.vir (Trojan.Downloader) -> No action taken.
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Ciirlo\paesa.exe.vir (Trojan.Downloader) -> No action taken.
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Igynva\syny.exe.vir (Trojan.Downloader) -> No action taken.
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\3349463.exe.vir (Rogue.SecurityTool) -> No action taken.
    C:\Qoobox\Quarantine\C\Program Files\Microsoft\DesktopLayer.exe.vir (Backdoor.IRCBot) -> No action taken.
    C:\Qoobox\Quarantine\C\Program Files\Microsoft\desktoplayerSrv.exe.vir (Malware.Packer) -> No action taken.
    C:\Qoobox\Quarantine\C\Program Files\sys32\setup.exe.vir (Trojan.Downloader) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\ExplorerSrv.exe.vir (Backdoor.IRCBot) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\ilulesolasiwit.dll.vir (Trojan.Hiloti) -> No action taken.
    C:\WINDOWS\ExplorerSrv.exe (Backdoor.IRCBot) -> No action taken.
    C:\WINDOWS\system32\rundll32Srv.exe (Backdoor.IRCBot) -> No action taken.
    C:\WINDOWS\system32\wscntfySrv.exe (Backdoor.IRCBot) -> No action taken.
    C:\Documents and Settings\Owner\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.
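Two things in the MBAM log above deserve more attention than the individual file hits. First, the Userinit data under Winlogon has been extended: Windows runs every comma-separated program in that value at logon, so desktoplayer.exe and qttasksrv.exe start with every session regardless of what happens to the Run keys, and that is exactly the comparison behind the Hijack.UserInit line. Second, several detections follow a <host>Srv.exe naming pattern beside legitimate programs (ExplorerSrv.exe, iTunesHelperSrv.exe, rundll32Srv.exe, wscntfySrv.exe), and every line ends in "No action taken", so this log records a scan that removed nothing; the C:\Qoobox\Quarantine entries are copies ComboFix already quarantined and are inert. The Python below is an added example, not part of the thread and not MBAM's own logic: it compares a Userinit value against the single expected userinit.exe, parses a constructed excerpt in the log's format, lists what is still pending outside the quarantine, and maps each live *Srv.exe to the executable it sits beside by name. That the companion's host was itself modified is an inference from the naming only; treat the host as a re-scan candidate, not a confirmed infection.

```python
"""Triage an MBAM log excerpt: Userinit hijack and *Srv.exe companions.

Added example, not from the thread. USERINIT_BAD is the value the log
reported; SAMPLE_LOG is constructed from the shape of the MBAM output.
Host executables are inferred from file names only (an assumption).
"""
import re
import ntpath

USERINIT_BAD = (r"c:\windows\system32\userinit.exe,,"
                r"c:\program files\microsoft\desktoplayer.exe,"
                r"c:\program files\quicktime\qttasksrv.exe")

SAMPLE_LOG = r"""
Files Infected:
C:\WINDOWS\cabaxmur.dll (Trojan.Hiloti.Gen) -> No action taken.
C:\Program Files\iTunes\iTunesHelperSrv.exe (Malware.Packer) -> No action taken.
C:\Program Files\Microsoft\DesktopLayer.exe (Malware.Packer) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\ExplorerSrv.exe.vir (Backdoor.IRCBot) -> No action taken.
C:\WINDOWS\ExplorerSrv.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rundll32Srv.exe (Backdoor.IRCBot) -> No action taken.
"""

# One MBAM file line: PATH (Family) -> action.
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")
QUARANTINE_PREFIX = "c:\\qoobox\\"


def check_userinit(value):
    """Return every entry in the Winlogon Userinit value other than the
    single expected userinit.exe. Windows launches each comma-separated
    program here at logon, so each extra entry is an autostart that
    survives a Run-key cleanup."""
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return [p for p in parts if ntpath.basename(p) != "userinit.exe"]


def parse_mbam_log(text):
    """Parse 'Files Infected' style lines into (path, family, action)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("family"),
                            m.group("action").rstrip(".")))
    return entries


def pending_entries(entries):
    """Paths still marked 'No action taken', i.e. detected but not removed,
    excluding copies already sitting in ComboFix's Qoobox quarantine."""
    return [p for p, _family, action in entries
            if action == "No action taken"
            and not p.lower().startswith(QUARANTINE_PREFIX)]


def srv_companions(entries):
    """Map each live <host>Srv.exe detection to the executable it shadows,
    by name alone: ExplorerSrv.exe -> Explorer.exe in the same directory.
    The host is a re-scan candidate; nothing here proves it was altered."""
    out = {}
    for path, _family, _action in entries:
        low = path.lower()
        if low.startswith(QUARANTINE_PREFIX) or not low.endswith("srv.exe"):
            continue
        head, tail = ntpath.split(path)
        host = tail[:-len("srv.exe")] + ".exe"   # keeps the original case
        out[path] = ntpath.join(head, host)
    return out


if __name__ == "__main__":
    for extra in check_userinit(USERINIT_BAD):
        print("extra Userinit entry:", extra)
    found = parse_mbam_log(SAMPLE_LOG)
    for p in pending_entries(found):
        print("still present (no action taken):", p)
    for companion, host in srv_companions(found).items():
        print("companion %s -> re-scan host %s" % (companion, host))
```

The safe Userinit value on XP is just "C:\WINDOWS\system32\userinit.exe," (trailing comma included); anything appended after it should be accounted for before the machine is declared clean, and a log full of "No action taken" means the scan must be run again with removal actually performed.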
     
  21. 2010/09/19
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
Rebooted to normal mode and tried rKill; it ran very quickly and said it didn't terminate anything. Tried MBAM and it won't open.
     
