
Thread: RootAlyzer found some invisible keys

  1. #1
    Junior Member | Join Date: Oct 2012 | Posts: 18

    RootAlyzer found some invisible keys

    Here's a link to my first post:

    http://forums.spybot.info/showthread...474#post432474

    Here's the DDS log:

    DDS (Ver_2012-10-19.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
    Run by JVizoso at 15:49:06 on 2012-10-24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1410 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    N:\Program Files\SASCORE.EXE
    F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    H:\Program Files\iRacing\iRacingService.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    F:\Program Files\IObit\Game Booster 3\gbtray.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - f:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -r
    mRun: [DiskeeperSystray] "f:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [DAEMON Tools-1033] "l:\program files\d-tools\daemon.exe" -lang 1033
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\program files\spybot - search & destroy\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278938489859
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{4610591C-7190-44DF-B5D8-39628228BC1E} : DHCPNameServer = 192.168.1.254
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - n:\program files\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\jvizoso\application data\mozilla\firefox\profiles\nqrfh3ir.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://members.iracing.com/membersite/login.jsp
    FF - component: f:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\jvizoso\application data\mozilla\firefox\profiles\nqrfh3ir.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: f:\program files\adobe\reader 10.0\reader\browser\nppdf32.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\nprpplugin.dll
    FF - plugin: f:\program files\real alternative\browser\plugins\nppl3260.dll
    FF - plugin: f:\program files\real alternative\browser\plugins\nprpjplug.dll
    FF - plugin: f:\program files\videolan\vlc\npvlc.dll
    FF - ExtSQL: !HIDDEN! 2010-07-13 11:47; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2011-2-22 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2011-2-22 5248]
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 193552]
    R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2010-7-12 150568]
    R1 SASDIFSV;SASDIFSV;n:\program files\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;n:\program files\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;n:\program files\SASCORE.EXE [2011-8-12 116608]
    R2 iRacingService;iRacing.com Helper Service;h:\program files\iracing\iRacingService.exe [2010-7-12 521896]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-12 10448]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;f:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-1 250808]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 115168]
    S3 WinRing0_1_2_0;WinRing0_1_2_0;f:\program files\iobit\game booster 3\driver\WinRing0.sys [2012-5-12 14416]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-10-24 07:09:38 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{976ff948-428a-42bd-98d1-8a2fafe24e1c}\mpengine.dll
    2012-10-22 22:25:01 6918632 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-10-17 05:01:47 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-10-01 03:59:06 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    .
    ==================== Find3M ====================
    .
    2012-10-11 01:20:28 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-11 01:20:28 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-29 18:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-19 13:23:27 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-09-19 13:23:27 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-09-02 09:11:53 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-02 09:11:53 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-30 21:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-15 16:29:09 9826504 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
    .
    ============= FINISH: 15:49:31.26 ===============

    Here's the aswMBR log:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-24 15:51:12
    -----------------------------
    15:51:12.796 OS Version: Windows 5.1.2600 Service Pack 3
    15:51:12.796 Number of processors: 2 586 0xF0B
    15:51:12.796 ComputerName: INTEL-JV UserName: JVizoso
    15:51:13.062 Initialize success
    15:52:23.828 AVAST engine defs: 12102400
    15:52:37.078 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    15:52:37.078 Disk 0 Vendor: WDC_WD1200AAJS-00VTA0 01.01B01 Size: 114473MB BusType: 3
    15:52:37.078 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\mv61xx1Port4Path0Target0Lun0
    15:52:37.078 Disk 1 Vendor: Maxtor_6 Size: 78167MB BusType: 1
    15:52:37.078 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\mv61xx1Port4Path0Target1Lun0
    15:52:37.078 Disk 2 Vendor: Maxtor_6 Size: 78167MB BusType: 1
    15:52:37.093 Disk 1 MBR read successfully
    15:52:37.093 Disk 1 MBR scan
    15:52:37.140 Disk 1 Windows XP default MBR code
    15:52:37.140 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19445 MB offset 63
    15:52:37.140 Disk 1 Partition - 00 0F Extended LBA 58706 MB offset 39825135
    15:52:37.156 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 14001 MB offset 39825198
    15:52:37.171 Disk 1 Partition - 00 05 Extended 22701 MB offset 68501160
    15:52:37.187 Disk 1 Partition 3 00 07 HPFS/NTFS NTFS 22701 MB offset 68501223
    15:52:37.203 Disk 1 Partition - 00 05 Extended 22003 MB offset 143669295
    15:52:37.218 Disk 1 Partition 4 00 07 HPFS/NTFS NTFS 22003 MB offset 114993333
    15:52:37.218 Disk 1 scanning sectors +160055595
    15:52:37.296 Disk 1 scanning C:\WINDOWS\system32\drivers
    15:52:52.125 Service scanning
    15:53:05.187 Service MpKslf632823d C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{976FF948-428A-42BD-98D1-8A2FAFE24E1C}\MpKslf632823d.sys **LOCKED** 32
    15:53:17.968 Modules scanning
    15:53:23.015 Disk 1 trace - called modules:
    15:53:23.031 ntkrnlpa.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll >>UNKNOWN [0x8a61d918]<<
    15:53:23.031 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a676030]
    15:53:23.046 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Scsi\mv61xx1Port4Path0Target0Lun0[0x8a707a38]
    15:53:23.156 AVAST engine scan C:\WINDOWS
    15:53:37.984 AVAST engine scan C:\WINDOWS\system32
    15:56:32.609 AVAST engine scan C:\WINDOWS\system32\drivers
    15:56:48.203 AVAST engine scan C:\Documents and Settings\JVizoso
    15:59:05.937 AVAST engine scan C:\Documents and Settings\All Users
    15:59:38.593 Scan finished successfully
    15:59:46.812 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\JVizoso\Desktop\MBR.dat"
    15:59:46.812 The log file has been saved successfully to "C:\Documents and Settings\JVizoso\Desktop\aswMBR.txt"


    Hope I did this OK ...
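
The entries a helper looks at first in the two logs above are the "Find3M" lines whose attribute column reads `--sh--r-` or `--sh--w-` (system + hidden) for DLLs sitting in `c:\windows\system32`, and the DDS header that lists Microsoft Security Essentials twice under different GUIDs, once Enabled and once Disabled. The following is an added example, my own code and not part of DDS, ComboFix or this thread: it parses the file lines of both tools (they share the `size attributes path` tail and differ only in the timestamp prefix), flags hidden+system files under a given directory, and reports AV products registered more than once. The sample lines are copied from the logs posted in this thread; the regular expressions are mine and assume the column layout seen there.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# A file line in a DDS "Created Last 30"/"Find3M" section or a ComboFix
# "Files Created"/"Find3M Report" section ends with
# "<size or --------> <8-char attribute column> <path>". Only the timestamp
# prefix differs: DDS prints "YYYY-MM-DD HH:MM:SS", ComboFix prints
# "YYYY-MM-DD HH:MM . YYYY-MM-DD HH:MM" (modified . created) or a single
# "YYYY-MM-DD HH:MM". Assumption: the column layout matches the logs above.
FILE_LINE = re.compile(
    r"^(?P<stamps>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?)\s+"
    r"(?P<size>\d+|-{8})\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# DDS header line, e.g.
#   AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-...}
AV_LINE = re.compile(
    r"^AV:\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*\s+\{(?P<guid>[0-9A-Fa-f-]+)\}"
)


@dataclass(frozen=True)
class FileEntry:
    stamps: str
    size: Optional[int]   # None for directory entries ("--------")
    attrs: str            # raw column, e.g. "--sh--r-"
    path: str             # lower-cased for comparisons

    @property
    def flags(self) -> Set[str]:
        # Letters present in the column, as DDS/ComboFix print them:
        # d=directory, s=system, h=hidden, a=archive, r=read-only, w=writable.
        return {c for c in self.attrs if c != "-"}


def parse_file_entries(lines: Iterable[str]) -> List[FileEntry]:
    entries = []
    for raw in lines:
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue  # section banners, ".", prose and header lines
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(FileEntry(m["stamps"], size, m["attrs"], m["path"].lower()))
    return entries


def hidden_system_files(entries: Iterable[FileEntry],
                        under: str = r"c:\windows\system32") -> List[str]:
    # Genuine Windows binaries under system32 are almost always "----a-w-".
    # A file there carrying both system and hidden, with an old timestamp and
    # a non-Microsoft name, is exactly what a helper asks to have uploaded.
    return sorted(
        e.path for e in entries
        if {"s", "h"} <= e.flags and "d" not in e.flags and e.path.startswith(under)
    )


def duplicate_av_registrations(lines: Iterable[str]) -> Dict[str, List[str]]:
    # Security Center keeps one record per product GUID. The same product
    # listed twice (here once Enabled, once Disabled) is usually a leftover
    # record from an earlier install, not a second AV; worth noting, not malware.
    seen: Dict[str, List[str]] = defaultdict(list)
    for raw in lines:
        m = AV_LINE.match(raw.strip())
        if m:
            seen[m["name"]].append(f"{m['state']} {{{m['guid']}}}")
    return {name: states for name, states in seen.items() if len(states) > 1}


# Lines copied from the DDS and ComboFix output posted in this thread, mixed
# deliberately so both timestamp formats are exercised.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
==================== Find3M ====================
.
2012-10-11 01:20:28 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-01 03:59:06 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2012-10-11 01:20 . 2012-07-01 21:30 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2007-12-17 12:43 27648 --sh--w- c:\windows\system32\Smab0.dll
""".splitlines()


if __name__ == "__main__":
    found = parse_file_entries(SAMPLE_LOG)
    for p in hidden_system_files(found):
        print("hidden+system in system32:", p)
    for name, states in duplicate_av_registrations(SAMPLE_LOG).items():
        print("registered more than once:", name, states)
```

Run it against a full saved DDS.txt or ComboFix.txt by passing the file's lines instead of `SAMPLE_LOG`; lines that do not match the file-entry shape are ignored, so the whole log can be fed in unfiltered. The attribute test is a triage heuristic, not a verdict: a hidden+system DLL in system32 needs a signature check or an upload to a scanner before anything is deleted.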

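The aswMBR "Disk 1" block above is a decoded MBR partition table plus a comparison of the boot code with known-good code (the "Windows XP default MBR code" line), which is how the tool rules out a bootkit in the first sector. The following added example is my own code, not part of aswMBR or of this thread: it parses a raw 512-byte MBR such as the `MBR.dat` the tool saved, prints the table in a layout close to aswMBR's, hashes the boot code so it can be compared with a clean machine, and checks the layout for overlapping entries, more than one active flag, or an entry running past the end of the disk. The sample sector is constructed to mirror the logged layout (bootable NTFS at LBA 63, Extended LBA container at 39825135, 78167 MB disk); its boot code bytes are placeholders, not the real XP code.

```python
import hashlib
import struct
from typing import List, NamedTuple, Tuple

SECTOR = 512

# Type ids that appear in the aswMBR output above, plus a few common ones.
PARTITION_TYPES = {
    0x00: "empty", 0x05: "Extended", 0x07: "HPFS/NTFS",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux",
}


class PartitionEntry(NamedTuple):
    index: int        # 1..4, position in the MBR table
    bootable: bool    # status byte 0x80
    type_id: int
    lba_start: int    # aswMBR prints this as "offset"
    sectors: int

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


def parse_mbr(sector: bytes) -> Tuple[str, List[PartitionEntry]]:
    """Return (sha256 of the 440 boot-code bytes, non-empty table entries)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bootcode_hash = hashlib.sha256(sector[:440]).hexdigest()
    entries = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA, count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            "<B3BB3BII", sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        entries.append(PartitionEntry(i + 1, status == 0x80, ptype, lba, count))
    return bootcode_hash, entries


def describe(entries: List[PartitionEntry]) -> List[str]:
    # Same fields aswMBR prints per entry: status, type id, name, size, offset.
    lines = []
    for e in entries:
        status = f"{0x80:02X} (A)" if e.bootable else "00"
        name = PARTITION_TYPES.get(e.type_id, "unknown")
        lines.append(f"Partition {e.index} {status} {e.type_id:02X} {name} "
                     f"{e.size_mb} MB offset {e.lba_start}")
    return lines


def check_layout(entries: List[PartitionEntry], disk_sectors: int) -> List[str]:
    """Structural sanity checks; an empty list means the table is consistent."""
    findings = []
    if sum(e.bootable for e in entries) > 1:
        findings.append("more than one partition flagged bootable")
    for e in entries:
        if e.lba_start + e.sectors > disk_sectors:
            findings.append(f"partition {e.index} runs past end of disk")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_start + a.sectors > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def build_sample_mbr() -> bytes:
    # Constructed sector, not the poster's MBR.dat. Sizes are chosen so the
    # MB values match the aswMBR lines above (19445 MB and 58706 MB).
    bootcode = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (440 - 9)
    disk_sig = b"\xde\xad\xbe\xef" + b"\x00\x00"
    table = struct.pack("<B3BB3BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 39825072)
    table += struct.pack("<B3BB3BII", 0x00, 0, 0, 0, 0x0F, 0, 0, 0, 39825135, 120230460)
    table += b"\x00" * 32  # entries 3 and 4 unused
    return bootcode + disk_sig + table + b"\x55\xaa"


DISK1_SECTORS = 78167 * 2048  # 78167 MB as logged by aswMBR

if __name__ == "__main__":
    code_hash, table = parse_mbr(build_sample_mbr())
    print("boot code sha256:", code_hash)
    print("\n".join(describe(table)))
    print("findings:", check_layout(table, DISK1_SECTORS) or "none")
```

To inspect a real capture, read the first 512 bytes of `MBR.dat` and pass them to `parse_mbr`. The hash on its own proves nothing; it becomes useful when compared with the hash from a known-clean machine running the same Windows release, which is in effect what aswMBR's "default MBR code" check does with its built-in reference. Logical partitions inside the extended container live in EBRs that this parser does not follow.
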
  2. #2
    Security Expert: Emeritus Blade81 | Join Date: Oct 2006 | Location: Finland | Posts: 25,288

    Hi,

    Please post fresh dds logs.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member | Join Date: Oct 2012 | Posts: 18

    Hello Blade, here are the fresh logs:


    DDS (Ver_2012-10-19.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
    Run by JVizoso at 12:14:35 on 2012-10-30
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1072 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    N:\Program Files\SASCORE.EXE
    F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    H:\Program Files\iRacing\iRacingService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    F:\Program Files\IObit\Game Booster 3\gbtray.exe
    G:\Program Files\Steam\steam.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\Program Files\ASUS\Six Engine\SixEngine.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k LocalService
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - f:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -r
    mRun: [DiskeeperSystray] "f:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [DAEMON Tools-1033] "l:\program files\d-tools\daemon.exe" -lang 1033
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\program files\spybot - search & destroy\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278938489859
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{4610591C-7190-44DF-B5D8-39628228BC1E} : DHCPNameServer = 192.168.1.254
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - n:\program files\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\jvizoso\application data\mozilla\firefox\profiles\nqrfh3ir.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://members.iracing.com/membersite/login.jsp
    FF - component: f:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\jvizoso\application data\mozilla\firefox\profiles\nqrfh3ir.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: f:\program files\adobe\reader 10.0\reader\browser\nppdf32.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\nprpplugin.dll
    FF - plugin: f:\program files\real alternative\browser\plugins\nppl3260.dll
    FF - plugin: f:\program files\real alternative\browser\plugins\nprpjplug.dll
    FF - plugin: f:\program files\videolan\vlc\npvlc.dll
    FF - ExtSQL: !HIDDEN! 2010-07-13 11:47; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2011-2-22 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2011-2-22 5248]
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 193552]
    R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2010-7-12 150568]
    R1 SASDIFSV;SASDIFSV;n:\program files\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;n:\program files\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;n:\program files\SASCORE.EXE [2011-8-11 116608]
    R2 iRacingService;iRacing.com Helper Service;h:\program files\iracing\iRacingService.exe [2010-7-12 521896]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-12 10448]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;f:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-1 250808]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 115168]
    S3 WinRing0_1_2_0;WinRing0_1_2_0;f:\program files\iobit\game booster 3\driver\WinRing0.sys [2012-5-12 14416]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-10-30 08:45:22 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f920ed97-1da2-48ef-8161-d39cf2e04306}\mpengine.dll
    2012-10-28 10:25:25 6918632 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-10-17 05:01:47 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-10-01 03:59:06 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    .
    ==================== Find3M ====================
    .
    2012-10-11 01:20:28 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-11 01:20:28 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-29 18:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-19 13:23:27 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-09-19 13:23:27 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-09-02 09:11:53 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-02 09:11:53 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-30 21:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-15 16:29:09 9826504 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
    .
    ============= FINISH: 12:15:11.15 ===============

  4. #4
    Security Expert: Emeritus Blade81 | Join Date: Oct 2006 | Location: Finland | Posts: 25,288

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (see the linked guide).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member | Join Date: Oct 2012 | Posts: 18

    Here's the ComboFix log:

    ComboFix 12-10-30.03 - JVizoso 30/10/2012 16:41:11.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1219 [GMT 0:00]
    Running from: c:\documents and settings\JVizoso\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\daemon.dll
    c:\windows\system32\dllcache\wmpvis.dll
    c:\windows\system32\SET74.tmp
    c:\windows\system32\SET79.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-30 12:15 . 2012-10-30 12:15 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F920ED97-1DA2-48EF-8161-D39CF2E04306}\MpKsl8bd6fb9c.sys
    2012-10-30 08:45 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F920ED97-1DA2-48EF-8161-D39CF2E04306}\mpengine.dll
    2012-10-28 10:25 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-10-17 05:01 . 2012-09-24 22:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-10-01 03:59 . 2012-10-15 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-11 01:20 . 2012-07-01 21:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-11 01:20 . 2012-07-01 21:30 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-29 18:54 . 2011-12-24 23:35 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-19 13:23 . 2012-09-19 13:23 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-09-19 13:23 . 2012-09-19 13:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-09-02 09:11 . 2012-06-18 13:18 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-02 09:11 . 2010-07-23 11:42 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-30 21:03 . 2010-03-25 20:30 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-28 15:14 . 2002-08-29 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-24 13:53 . 2002-08-29 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 13:33 . 2002-08-29 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58 . 2002-08-29 01:04 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-15 16:29 . 2012-08-04 10:29 9826504 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    2007-12-17 12:43 27648 --sh--w- c:\windows\system32\Smab0.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-03-26 16859136]
    "Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-05-14 5958656]
    "DiskeeperSystray"="f:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
    "DAEMON Tools-1033"="l:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-09-19 296096]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "n:\program files\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "RGSC"=m:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
    "EasyDVDMon"=
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "g:\\Program Files\\Steam\\steamapps\\colliss\\team fortress 2\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "f:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "g:\\Program Files\\Steam\\steamapps\\common\\team fortress 2 meet the medic\\smp.exe"=
    "g:\\Program Files\\Steam\\steamapps\\common\\Meet the Pyro TF2\\smp.exe"=
    "g:\\Program Files\\Steam\\steamapps\\common\\Team Fortress 2 Meet the Sniper\\smp.exe"=
    "g:\\Program Files\\Steam\\steamapps\\common\\Team Fortress 2 Meet the Heavy\\smp.exe"=
    "f:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [22/02/2011 16:18 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [22/02/2011 16:18 5248]
    R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [12/07/2010 12:35 150568]
    R1 MpKsl8bd6fb9c;MpKsl8bd6fb9c;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F920ED97-1DA2-48EF-8161-D39CF2E04306}\MpKsl8bd6fb9c.sys [30/10/2012 12:15 29904]
    R1 SASDIFSV;SASDIFSV;n:\program files\sasdifsv.sys [22/07/2011 16:27 12880]
    R1 SASKUTIL;SASKUTIL;n:\program files\SASKUTIL.SYS [12/07/2011 21:55 67664]
    R2 !SASCORE;SAS Core Service;n:\program files\SASCORE.EXE [11/08/2011 23:38 116608]
    R2 iRacingService;iRacing.com Helper Service;h:\program files\iRacing\iRacingService.exe [12/07/2010 16:59 521896]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [12/08/2010 12:08 10448]
    S2 SkypeUpdate;Skype Updater;f:\program files\Skype\Updater\Updater.exe [13/07/2012 12:28 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [01/07/2012 21:30 250808]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [24/04/2012 18:41 115168]
    S3 WinRing0_1_2_0;WinRing0_1_2_0;f:\program files\IObit\Game Booster 3\Driver\WinRing0.sys [12/05/2012 20:06 14416]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL8BD6FB9C
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 01:20]
    .
    2012-10-30 c:\windows\Tasks\Final Media Player Update Checker.job
    - c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-10-09 14:24]
    .
    2012-10-20 c:\windows\Tasks\Game_Booster_AutoUpdate.job
    - f:\program files\IObit\Game Booster 3\AutoUpdate.exe [2012-05-12 16:57]
    .
    2012-10-29 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
    - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 16:25]
    .
    2012-08-27 c:\windows\Tasks\photostageDowngrade.job
    - c:\program files\NCH Software\Photostage\photostage.exe [2011-04-17 10:28]
    .
    2012-09-05 c:\windows\Tasks\photostageShakeIcon.job
    - c:\program files\NCH Software\PhotoStage\photostage.exe [2011-04-17 10:28]
    .
    2012-10-22 c:\windows\Tasks\PixillionDowngrade.job
    - c:\program files\NCH Software\Pixillion\pixillion.exe [2012-08-27 23:34]
    .
    2012-10-14 c:\windows\Tasks\PixillionReminder.job
    - c:\program files\NCH Software\Pixillion\pixillion.exe [2012-08-27 23:34]
    .
    2012-10-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-790525478-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 13:27]
    .
    2012-10-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-790525478-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 13:27]
    .
    2012-10-30 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2011-03-25 17:54]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.1.254
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\JVizoso\Application Data\Mozilla\Firefox\Profiles\nqrfh3ir.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://members.iracing.com/membersite/login.jsp
    FF - ExtSQL: !HIDDEN! 2010-07-13 11:47; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    SafeBoot-37733666.sys
    AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
    AddRemove-Jimmie Johnson Spotter Pack v6.00 - c:\program files\iRacing\sound\spcc\Jimmie Johnson Spotter Pack v6.00\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-30 16:44
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(860)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    Completion time: 2012-10-30 16:46:50
    ComboFix-quarantined-files.txt 2012-10-30 16:46
    .
    Pre-Run: 3,430,727,680 bytes free
    Post-Run: 3,524,403,200 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 6406056FB3A3FCC20C3A480C094ABA9A


    Here's the fresh dds log

    DDS (Ver_2012-10-19.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
    Run by JVizoso at 16:51:43 on 2012-10-30
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1180 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    N:\Program Files\SASCORE.EXE
    F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    H:\Program Files\iRacing\iRacingService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    F:\Program Files\IObit\Game Booster 3\gbtray.exe
    G:\Program Files\Steam\steam.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\Program Files\ASUS\Six Engine\SixEngine.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - f:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -r
    mRun: [DiskeeperSystray] "f:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [DAEMON Tools-1033] "l:\program files\d-tools\daemon.exe" -lang 1033
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\program files\spybot - search & destroy\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278938489859
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{4610591C-7190-44DF-B5D8-39628228BC1E} : DHCPNameServer = 192.168.1.254
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - n:\program files\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\jvizoso\application data\mozilla\firefox\profiles\nqrfh3ir.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://members.iracing.com/membersite/login.jsp
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\jvizoso\application data\mozilla\firefox\profiles\nqrfh3ir.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: f:\program files\adobe\reader 10.0\reader\browser\nppdf32.dll
    FF - plugin: f:\program files\mozilla firefox\plugins\nprpplugin.dll
    FF - plugin: f:\program files\real alternative\browser\plugins\nppl3260.dll
    FF - plugin: f:\program files\real alternative\browser\plugins\nprpjplug.dll
    FF - plugin: f:\program files\videolan\vlc\npvlc.dll
    FF - ExtSQL: !HIDDEN! 2010-07-13 11:47; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2011-2-22 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2011-2-22 5248]
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 193552]
    R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2010-7-12 150568]
    R1 MpKsl8bd6fb9c;MpKsl8bd6fb9c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f920ed97-1da2-48ef-8161-d39cf2e04306}\MpKsl8bd6fb9c.sys [2012-10-30 29904]
    R1 SASDIFSV;SASDIFSV;n:\program files\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;n:\program files\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;n:\program files\SASCORE.EXE [2011-8-11 116608]
    R2 iRacingService;iRacing.com Helper Service;h:\program files\iracing\iRacingService.exe [2010-7-12 521896]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-12 10448]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 SkypeUpdate;Skype Updater;f:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-1 250808]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 115168]
    S3 WinRing0_1_2_0;WinRing0_1_2_0;f:\program files\iobit\game booster 3\driver\WinRing0.sys [2012-5-12 14416]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-10-30 16:40:13 -------- d-sha-r- C:\cmdcons
    2012-10-30 16:38:50 98816 ----a-w- c:\windows\sed.exe
    2012-10-30 16:38:50 256000 ----a-w- c:\windows\PEV.exe
    2012-10-30 16:38:50 208896 ----a-w- c:\windows\MBR.exe
    2012-10-30 12:15:12 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f920ed97-1da2-48ef-8161-d39cf2e04306}\MpKsl8bd6fb9c.sys
    2012-10-30 08:45:22 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f920ed97-1da2-48ef-8161-d39cf2e04306}\mpengine.dll
    2012-10-28 10:25:25 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-10-17 05:01:47 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-10-01 03:59:06 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
    .
    ==================== Find3M ====================
    .
    2012-10-11 01:20:28 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-11 01:20:28 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-29 18:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-19 13:23:27 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-09-19 13:23:27 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-09-02 09:11:53 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-02 09:11:53 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-30 21:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-15 16:29:09 9826504 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
    .
    ============= FINISH: 16:51:48.84 ===============

  6. #6
    Junior Member
    Join Date
    Oct 2012
    Posts
    18

    missed the attach log from dds :-)

  7. #7
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi again,



    Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 11.0) here, or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.



    * Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
    • Click Scan
    • Wait for the scan to finish.


    Post back its report and fresh DDS logs.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  8. #8
    Junior Member
    Join Date
    Oct 2012
    Posts
    18

    Cheers .... I've removed the old Adobe Reader .. and installed Foxit ..

    But, since my Internet Explorer doesn't open, as I mentioned in my first post, I'm not sure what to do with the ESET scan ..
    Is there a workaround if IE is broken?

  9. #9
    Junior Member
    Join Date
    Oct 2012
    Posts
    18

    Shall I try using the ESET Smart Installer ?

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Try to run ESET scan with Firefox.
