New Member - Virtumonde (Need fix for College Finals Plz)



Fossilk1
2008-12-15, 22:37
Well, I have one of these viruses, which seem to be a pain to remove, and I have found the file which seems to be detected by SUPERAntiSpyware, but it will not delete in Safe Mode. Nor can that file be found in the directory it is in =(

There is only one detection which Spybot found, and I have run out of solutions to fix this. Any help would be greatly appreciated. I need my computer up and running for a term paper which I need!!

Whoever helps me, thank you so MUCH!

Here is my hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:28 AM, on 12/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kuk-bot.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: eczvuw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7471 bytes
-------------------------------

Previous topic closed: http://forums.spybot.info/showthread.php?p=267514#post267514

Please can anyone help me?
-----------------------------------
Edit.

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Fossilk1
2008-12-18, 00:26
ComboFix 08-12-14.05 - Foss 2008-12-17 18:20:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3262.2745 [GMT -5:00]
Running from: c:\documents and settings\Foss\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\agfjdrdw.dll
c:\windows\system32\BReWErS.dll
c:\windows\system32\digeste.dll
c:\windows\system32\uuddc32.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-15 12:08 . 2008-12-15 12:12 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-15 11:20 . 2008-12-15 11:20 <DIR> d-------- c:\program files\Trend Micro
2008-12-15 01:06 . 2008-12-15 01:08 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-14 22:25 . 2008-12-14 22:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-14 22:18 . 2008-12-14 22:18 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-14 22:18 . 2008-12-14 22:18 <DIR> d-------- c:\documents and settings\Foss\Application Data\SUPERAntiSpyware.com
2008-12-14 22:18 . 2008-12-14 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-14 22:06 . 2008-12-14 22:06 <DIR> d-------- C:\VundoFix Backups
2008-12-14 21:44 . 2008-12-14 21:44 95 --a------ c:\windows\wininit.ini
2008-12-14 21:20 . 2008-12-14 22:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 21:20 . 2008-12-14 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-14 20:34 . 2008-12-14 20:34 <DIR> d-------- c:\program files\Lavasoft
2008-12-14 20:34 . 2008-12-14 20:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-14 20:33 . 2008-12-14 22:17 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-14 19:27 . 2008-12-14 19:27 <DIR> d-------- c:\program files\Rockstar Games
2008-12-14 11:54 . 2008-12-14 11:54 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-14 11:54 . 2008-12-14 11:54 1,409 --a------ c:\windows\QTFont.for
2008-12-13 19:15 . 2008-12-13 19:15 <DIR> d-------- c:\windows\San Andreas Mod Installer
2008-12-12 21:43 . 2008-12-13 16:13 34,308 --a------ C:\BASSMOD.DLL
2008-12-11 22:50 . 2008-12-11 22:50 <DIR> d-------- c:\documents and settings\Foss\Application Data\acccore
2008-12-11 22:49 . 2008-12-11 22:49 <DIR> d-------- c:\program files\Viewpoint
2008-12-11 22:49 . 2008-12-11 22:49 <DIR> d-------- c:\program files\Common Files\AOL
2008-12-11 22:49 . 2008-12-11 22:50 <DIR> d-------- c:\program files\AIM6
2008-12-11 22:49 . 2008-12-11 22:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-11 22:49 . 2008-12-11 22:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-12-11 22:49 . 2008-12-11 22:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-12-11 22:49 . 2008-12-11 22:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-11 22:49 . 2008-12-11 22:50 368 --ah----- C:\IPH.PH
2008-12-10 15:12 . 2008-12-10 15:12 122 --a------ c:\windows\WA.INI
2008-12-08 11:15 . 2008-12-08 11:15 1,594,540 --a------ c:\windows\WANEUninstaller.exe
2008-12-08 11:07 . 2008-12-08 11:07 <DIR> d-------- C:\Games
2008-12-08 01:37 . 2008-12-08 01:37 <DIR> d-------- c:\documents and settings\Foss\Application Data\Roxio
2008-12-04 23:47 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2008-12-04 23:47 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2008-12-04 23:47 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2008-12-04 23:46 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2008-12-04 23:46 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2008-12-04 23:46 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2008-12-04 23:46 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2008-12-04 23:46 . 2008-07-10 11:01 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2008-12-04 23:46 . 2008-07-30 06:20 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2008-12-04 23:46 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2008-12-04 23:46 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2008-12-04 23:46 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2008-12-04 23:46 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2008-11-28 22:07 . 2008-11-28 22:07 40 --a------ c:\documents and settings\Foss\language.dat
2008-11-28 22:03 . 2008-11-28 22:03 122 --a------ c:\windows\kaillera.ini
2008-11-24 11:17 . 2008-11-24 11:30 <DIR> d-------- c:\program files\Cheat Engine
2008-11-24 11:17 . 2007-12-26 17:30 1,970,176 --a------ c:\windows\system32\d3dx9.dll
2008-11-24 11:17 . 2007-12-26 17:30 679,936 --a------ c:\windows\system32\D3DX81ab.dll
2008-11-23 18:47 . 2008-12-14 20:22 <DIR> d-------- c:\program files\Steam
2008-11-22 22:19 . 2008-11-22 22:19 <DIR> d-------- c:\program files\America's Army
2008-11-22 21:45 . 2008-11-26 12:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\America's Army Deploy Client
2008-11-19 16:29 . 2008-11-19 16:29 0 --a------ c:\windows\nsreg.dat
2008-11-18 17:13 . 2008-11-18 17:13 <DIR> d-------- c:\program files\BayGenie
2008-11-18 16:37 . 2008-11-18 16:37 <DIR> d-------- c:\program files\myibay
2008-11-18 16:37 . 2008-11-18 16:37 <DIR> d-------- c:\documents and settings\Foss\Application Data\.myibay
2008-11-18 09:50 . 2008-11-18 09:50 <DIR> d-------- c:\program files\uTorrent
2008-11-18 09:50 . 2008-12-14 20:30 <DIR> d-------- c:\documents and settings\Foss\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 05:25 --------- d-----w c:\program files\RegVac Registry Cleaner
2008-12-14 20:51 --------- d-----w c:\program files\Diablo II
2008-12-13 02:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 15:52 --------- d-----w c:\program files\SlySoft
2008-11-16 06:39 --------- d-----w c:\program files\Starcraft
2008-11-12 17:32 --------- d-----w c:\program files\Mass Effect
2008-11-12 17:26 --------- d-----w c:\program files\Common Files\BioWare
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-04-03 01:30 74 -csh--r c:\windows\CT4CET.bin
2008-05-11 18:53 1,860,128 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-05-11 18:53 8,480 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-02 13529088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eczvuw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Matrix Screen Locker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Matrix Screen Locker.lnk
backup=c:\windows\pss\Matrix Screen Locker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Foss^Start Menu^Programs^Startup^RegVac.lnk]
path=c:\documents and settings\Foss\Start Menu\Programs\Startup\RegVac.lnk
backup=c:\windows\pss\RegVac.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 07:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 14:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2007-07-20 16:55 1228800 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
--------- 2007-07-27 16:43 118784 c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a--c--- 2008-02-13 19:21 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a--c--- 2008-01-17 21:40 17920 c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2007-07-25 16:30 974848 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2007-07-25 16:32 823296 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
--a------ 2006-11-02 14:05 282624 c:\windows\system32\KADxMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
-----c--- 2007-07-17 23:26 775952 c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-07-02 21:33 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-07-02 21:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
--a------ 2007-08-28 15:54 36864 c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-11-01 15:39 189736 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-07-17 23:09 851968 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2008-07-02 21:33 86016 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-07-02 21:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2007-07-17 09:12 405504 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ctmweb.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:ComboFix

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-11 24652]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2008-04-02 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2008-04-02 7424]
R3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2008-04-02 117888]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kuk-bot.net/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080403
uInternet Settings,ProxyServer = socks=

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\Foss\Application Data\Mozilla\Firefox\Profiles\fdcjyv9b.default\
FF - prefs.js: browser.startup.homepage - 1st-hacks.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 18:23:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\autochk(3).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(4).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(5).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(6).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(9).exe:BAK 22528 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
.
**************************************************************************
.
Completion time: 2008-12-17 18:24:54 - machine was rebooted [Foss]
ComboFix-quarantined-files.txt 2008-12-17 23:24:52

Pre-Run: 81,675,767,808 bytes free
Post-Run: 81,588,682,752 bytes free

265 --- E O F --- 2008-12-12 01:17:17

Fossilk1
2008-12-18, 00:32
Moderator, please delete the second post of my ComboFix log and add this new one.

ComboFix 08-12-14.05 - Foss 2008-12-17 18:29:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3262.2743 [GMT -5:00]
Running from: c:\documents and settings\Foss\Desktop\ComboFix.exe
* Resident AV is active

.

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 23:23 47,104 ----a-w c:\windows\system32\rpcnet.dll
2008-12-17 23:23 17,408 ----a-w c:\windows\system32\rpcnetp.exe
2008-12-15 16:16 17,408 ----a-w c:\windows\system32\rpcnetp.dll
2008-12-15 05:25 --------- d-----w c:\program files\RegVac Registry Cleaner
2008-12-15 00:44 47,104 ----a-w c:\windows\system32\rpcnet.exe
2008-12-14 20:51 --------- d-----w c:\program files\Diablo II
2008-12-13 02:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 15:52 --------- d-----w c:\program files\SlySoft
2008-11-16 06:39 --------- d-----w c:\program files\Starcraft
2008-11-12 17:32 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-12 17:32 --------- d-----w c:\program files\Mass Effect
2008-11-12 17:26 --------- d-----w c:\program files\Common Files\BioWare
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-17 07:08 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-10-02 22:36 32,256 ----a-w c:\windows\system32\identprv.dll
2008-04-03 01:30 74 -csh--r c:\windows\CT4CET.bin
2008-05-11 18:53 1,860,128 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-05-11 18:53 8,480 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-17_18.24.36.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-17 23:10:08 72,382 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-17 23:27:07 72,382 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-17 23:10:08 443,534 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-17 23:27:07 443,534 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-02 13529088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eczvuw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Matrix Screen Locker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Matrix Screen Locker.lnk
backup=c:\windows\pss\Matrix Screen Locker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Foss^Start Menu^Programs^Startup^RegVac.lnk]
path=c:\documents and settings\Foss\Start Menu\Programs\Startup\RegVac.lnk
backup=c:\windows\pss\RegVac.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 07:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 14:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2007-07-20 16:55 1228800 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
--------- 2007-07-27 16:43 118784 c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a--c--- 2008-02-13 19:21 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a--c--- 2008-01-17 21:40 17920 c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2007-07-25 16:30 974848 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2007-07-25 16:32 823296 c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
--a------ 2006-11-02 14:05 282624 c:\windows\system32\KADxMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
-----c--- 2007-07-17 23:26 775952 c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-07-02 21:33 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-07-02 21:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
--a------ 2007-08-28 15:54 36864 c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-11-01 15:39 189736 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-07-17 23:09 851968 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2008-07-02 21:33 86016 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-07-02 21:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2007-07-17 09:12 405504 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ctmweb.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:ComboFix

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-11 24652]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2008-04-02 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2008-04-02 7424]
R3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2008-04-02 117888]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kuk-bot.net/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080403
uInternet Settings,ProxyServer = socks=

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
FF - ProfilePath - c:\documents and settings\Foss\Application Data\Mozilla\Firefox\Profiles\fdcjyv9b.default\
FF - prefs.js: browser.startup.homepage - 1st-hacks.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 18:29:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\autochk(3).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(4).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(5).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(6).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(9).exe:BAK 22528 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-12-17 18:30:25
ComboFix-quarantined-files.txt 2008-12-17 23:30:19
ComboFix2.txt 2008-12-17 23:24:55

Pre-Run: 81,577,783,296 bytes free
Post-Run: 81,561,849,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

282 --- E O F --- 2008-12-12 01:17:17
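The ComboFix report above mixes several things a helper reads first: the `AppInit_DLLs` value (here `eczvuw.dll`, a random-looking name in the key Virtumonde/Vundo uses to get loaded into every process that maps user32.dll), the Security Center `DisableMonitoring` flags, the globally open firewall port, the non-default IE and Firefox start pages, and the catchme list of hidden files that are actually NTFS alternate data streams (`autochk(n).exe:BAK`). The following triage parser is an added example written for this page, not code from the original post, from ComboFix or from the forum's helpers. It assumes only the line formats visible in the log above; the `SAMPLE_LOG` it runs over is a constructed excerpt built from those lines, and the heuristics (category names, the notes attached to each finding) are the example's own.

```python
"""Triage a ComboFix-style log and pull out the loading points a helper checks first.

Added example for this page; not ComboFix code and not the original poster's.
The parser assumes the line formats seen in the log above:
  [registry key]            followed by "Name"=value lines
  uStart Page = ...         IE start page
  FF - prefs.js: browser.startup.homepage - ...
  c:\path\file.exe:STREAM <size> bytes ...   (catchme hidden-file lines)
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    category: str  # short tag for filtering
    detail: str    # raw value lifted from the log
    note: str      # why a helper cares

# Constructed excerpt: values are the ones visible in the post's ComboFix log,
# trimmed to the lines this parser looks at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eczvuw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:ComboFix

uStart Page = hxxp://www.kuk-bot.net/
FF - prefs.js: browser.startup.homepage - 1st-hacks.com

scanning hidden files ...

c:\windows\system32\autochk(3).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(4).exe:BAK 22528 bytes executable

scan completed successfully
hidden files: 2
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
IE_START_RE = re.compile(r"^uStart Page = (.+)$")
FF_HOME_RE = re.compile(r"^FF - prefs\.js: browser\.startup\.homepage - (.+)$")
# drive:\path:stream <size> bytes ...  -> an NTFS alternate data stream
ADS_RE = re.compile(r"^([A-Za-z]:\\[^\s:]+):([^\s:]+)\s+(\d+)\s+bytes")


def triage(log_text: str) -> List[Finding]:
    """Return the findings in the order they appear in the log."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2).strip()
            if (current_key.endswith(r"windows nt\currentversion\windows")
                    and name == "appinit_dlls" and value):
                findings.append(Finding("appinit_dll", value,
                    "loaded into every process that maps user32.dll; a random "
                    "DLL name here is a common Virtumonde/Vundo persistence point"))
            elif (r"security center\monitoring" in current_key
                    and name == "disablemonitoring"
                    and value.lower().endswith(":00000001")):
                findings.append(Finding("security_center_disabled", current_key,
                    "Security Center alerting for this product is suppressed"))
            elif "globallyopenports" in current_key:
                findings.append(Finding("open_port", value,
                    "inbound port opened in the Windows Firewall policy"))
            continue
        m = IE_START_RE.match(line) or FF_HOME_RE.match(line)
        if m:
            findings.append(Finding("browser_start_page", m.group(1),
                "non-default start page; check it is one the user chose"))
            continue
        m = ADS_RE.match(line)
        if m:
            path, stream, size = m.group(1), m.group(2), int(m.group(3))
            findings.append(Finding("ads_stream", f"{path}:{stream} ({size} bytes)",
                "executable hidden in an NTFS alternate data stream; a plain "
                "directory listing does not show it"))
    return findings


def count_by_category(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}\n    {f.note}")
```

Run it against a full saved ComboFix log by reading the file into `triage()`; the parser ignores lines it does not recognise, so the file-list sections pass through untouched. The categories are deliberately coarse: the point is to surface the handful of entries worth reading by hand, not to decide what is malicious.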