Can't get rid of kagevizu.dll



J.L.C.
2009-05-11, 19:34
After an infection a few weeks ago that eventually led to a new Windows install, I'm now hyper-paranoid.

I keep finding an instance of kagevizu.dll in \Windows\System32

I have run SUPERAntiSpyware Professional a few times; it finds the DLL, I choose to delete it, reboot, and it's there again on the next scan.

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:24 PM, on 5/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\NOD32\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
F:\Sygate\smc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
F:\NOD32\nod32kui.exe
F:\Adobe\Acrobat\Distillr\Acrotray.exe
D:\WINDOWS\system32\DeltaIITray.exe
F:\Open VPN\bin\openvpn-gui.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\WINDOWS\vsnpstd3.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
F:\Atomic Alarm Clock\AtomicAlarmClock.exe
F:\SuperAnitSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
F:\Palm\Palm Desktop\HOTSYNC.EXE
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
F:\Firefox\firefox.exe
F:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Snag-It\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ce66458-0e88-4668-8bfd-fed718e3cdd1} - D:\WINDOWS\system32\begujuru.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Snag-It\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] F:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] D:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] D:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [openvpn-gui] F:\Open VPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [snpstd3] D:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SkinClock] F:\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SuperAnitSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: HotSync Manager.lnk = F:\Palm\Palm Desktop\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\wosuyuwi.dll d:\windows\system32\kagevizu.dll
O20 - Winlogon Notify: !SASWinLogon - F:\SuperAnitSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - F:\Open VPN\bin\openvpnserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Sygate\smc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 7412 bytes

pskelley
2009-05-12, 14:56
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

pskelley
2009-05-19, 01:02
Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

J.L.C.
2009-05-19, 17:17
Some updates:

SUPERAntiSpyware is still seeing kagevizu.dll

Here is my ComboFix log:

ComboFix 09-05-18.02 - Reggie 05/19/2009 2:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.655 [GMT -4:00]
Running from: d:\documents and settings\Reggie\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall Pro *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-11 17:43 . 2009-05-12 00:06 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-11 16:30 . 2008-04-14 05:42 1033728 ----a-w d:\windows\explorer.exe
2009-05-11 16:04 . 2009-05-11 16:04 -------- d--h--w d:\windows\PIF
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com
2009-05-11 15:23 . 2009-05-11 15:23 -------- d-----w d:\windows\ERUNT
2009-05-11 15:20 . 2009-05-11 15:30 -------- d-----w D:\SDFix
2009-05-11 03:33 . 2009-05-11 03:33 -------- d-----w d:\program files\MSXML 4.0
2009-05-10 19:34 . 2009-05-10 19:34 2975 ----a-w d:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-05-10 19:31 . 2009-05-10 19:31 1845 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Update ID Tag.dat
2009-05-10 19:31 . 2009-05-10 19:31 2059 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Tag From Filename.dat
2009-05-10 19:29 . 2009-05-10 19:29 36579 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-05-10 19:29 . 2009-05-10 19:34 515760 ----a-w d:\windows\system32\SpoonUninstall.exe
2009-05-10 19:04 . 2009-05-10 19:04 -------- d-----w d:\documents and settings\Reggie\Application Data\Nero
2009-05-10 18:56 . 2009-05-10 18:56 -------- d-----w d:\program files\Windows Sidebar
2009-05-10 18:52 . 2009-05-10 18:53 -------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-05-10 18:52 . 2009-05-10 19:00 -------- d-----w d:\program files\Common Files\Nero
2009-05-10 00:40 . 2008-04-14 04:09 5504 -c--a-w d:\windows\system32\dllcache\mstee.sys
2009-05-10 00:40 . 2008-04-14 04:09 5504 ----a-w d:\windows\system32\drivers\MSTEE.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 -c--a-w d:\windows\system32\dllcache\ndisip.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 ----a-w d:\windows\system32\drivers\NdisIP.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 -c--a-w d:\windows\system32\dllcache\streamip.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 ----a-w d:\windows\system32\drivers\StreamIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 -c--a-w d:\windows\system32\dllcache\slip.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 ----a-w d:\windows\system32\drivers\SLIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 -c--a-w d:\windows\system32\dllcache\ccdecode.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 ----a-w d:\windows\system32\drivers\CCDECODE.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 -c--a-w d:\windows\system32\dllcache\wstcodec.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 ----a-w d:\windows\system32\drivers\WSTCODEC.SYS
2009-05-10 00:39 . 2008-04-14 04:16 85248 -c--a-w d:\windows\system32\dllcache\nabtsfec.sys
2009-05-10 00:39 . 2008-04-14 04:16 85248 ----a-w d:\windows\system32\drivers\NABTSFEC.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 -c--a-w d:\windows\system32\dllcache\usbaudio.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 ----a-w d:\windows\system32\drivers\USBAUDIO.sys
2009-05-10 00:39 . 2008-04-14 09:42 53760 -c--a-w d:\windows\system32\dllcache\vfwwdm32.dll
2009-05-10 00:39 . 2008-04-14 09:42 53760 ----a-w d:\windows\system32\vfwwdm32.dll
2009-05-10 00:35 . 2006-09-19 13:07 827392 ----a-w d:\windows\vsnpstd3.exe
2009-05-10 00:35 . 2006-02-07 00:19 8410880 ----a-w d:\windows\system32\drivers\snpstd3.sys
2009-05-10 00:35 . 2005-12-23 21:17 53248 ----a-w d:\windows\vsnpstd3.dll
2009-05-10 00:35 . 2006-01-10 21:02 147456 ----a-w d:\windows\system32\rsnpstd3.dll
2009-05-10 00:35 . 2005-11-23 17:55 53248 ----a-w d:\windows\system32\csnpstd3.dll
2009-05-10 00:35 . 2004-12-08 22:40 20480 ----a-w d:\windows\usnpstd3.exe
2009-05-10 00:35 . 2009-05-10 00:35 -------- d-----w d:\program files\Common Files\snpstd3
2009-05-08 22:37 . 2009-05-08 23:33 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Paint.NET
2009-05-08 03:28 . 2009-05-08 03:28 -------- d-sh--w d:\documents and settings\Reggie\IECompatCache
2009-05-08 03:26 . 2009-05-08 03:26 -------- d-sh--w d:\documents and settings\Reggie\PrivacIE
2009-05-06 21:15 . 2009-05-06 21:15 -------- d-sh--w d:\documents and settings\Reggie\IETldCache
2009-05-06 21:05 . 2009-05-06 21:05 -------- d-----w d:\windows\ie8updates
2009-05-06 21:05 . 2009-02-28 04:55 105984 -c----w d:\windows\system32\dllcache\iecompat.dll
2009-05-06 21:05 . 2009-05-06 21:05 -------- dc-h--w d:\windows\ie8
2009-05-06 20:55 . 2009-05-06 21:12 -------- d-----w d:\windows\SxsCaPendDel
2009-05-06 15:42 . 2009-05-06 15:43 -------- d-----w d:\documents and settings\Reggie\Application Data\YouSendIt
2009-05-05 04:10 . 2009-05-05 04:10 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\WMTools Downloaded Files
2009-05-03 04:45 . 2009-05-03 04:45 -------- d-----w d:\documents and settings\All Users\Application Data\TechSmith
2009-05-03 01:40 . 2001-12-27 14:59 57552 ----a-w d:\windows\system32\WKDOS.EXE
2009-05-03 01:40 . 2001-12-27 14:59 29696 ----a-w d:\windows\system32\drivers\Wibukey2.sys
2009-05-03 01:40 . 2001-12-27 14:59 67072 ----a-w d:\windows\system32\drivers\Wibukey.sys
2009-05-03 01:40 . 2001-12-27 14:59 139264 ----a-w d:\windows\system32\WkWin32.dll
2009-05-03 01:40 . 2001-12-27 14:59 52736 ----a-w d:\windows\system\WkWin.dll
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBU-SYSTEMS
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBUKEY
2009-05-03 01:40 . 2004-03-01 22:53 37760 ----a-w d:\windows\system32\drivers\P2k.sys
2009-05-03 01:40 . 2004-03-08 14:18 77895 ----a-w d:\windows\system32\unibus_tcutil.dll
2009-05-03 01:40 . 2009-05-08 05:40 -------- d-----w d:\program files\Motorola
2009-05-03 01:06 . 2008-04-14 04:15 32128 -c--a-w d:\windows\system32\dllcache\usbccgp.sys
2009-05-03 01:06 . 2008-04-14 04:15 32128 ----a-w d:\windows\system32\drivers\usbccgp.sys
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\MSBuild
2009-05-02 23:46 . 2009-05-06 20:55 -------- d-----w d:\windows\system32\XPSViewer
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\Reference Assemblies
2009-05-02 23:45 . 2006-06-29 17:07 14048 ------w d:\windows\system32\spmsg2.dll
2009-05-02 17:20 . 2008-04-14 04:15 26112 -c--a-w d:\windows\system32\dllcache\usbser.sys
2009-05-02 17:20 . 2008-04-14 04:15 26112 ----a-w d:\windows\system32\drivers\usbser.sys
2009-05-02 17:20 . 2007-10-10 20:41 42112 ----a-w d:\windows\system32\drivers\motodrv.sys
2009-05-02 16:50 . 2009-05-02 16:50 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\BVRP Software
2009-05-02 16:42 . 2009-05-02 17:13 -------- d-----w d:\program files\Avanquest update
2009-05-02 16:41 . 2007-06-18 18:18 23680 ----a-w d:\windows\system32\drivers\motmodem.sys
2009-05-02 16:41 . 2006-11-13 18:45 1419232 ----a-w d:\windows\system32\wdfcoinstaller01005.dll
2009-05-02 16:41 . 2009-05-08 05:41 -------- dc----w d:\windows\system32\DRVSTORE
2009-05-02 16:40 . 2009-05-08 05:47 -------- d-----w d:\program files\Common Files\Motorola Shared
2009-05-02 16:40 . 2009-05-02 17:09 -------- d-----w d:\documents and settings\All Users\Application Data\BVRP Software
2009-05-01 02:58 . 2009-05-01 02:58 -------- d-----w d:\documents and settings\Reggie\WINDOWS
2009-04-30 21:12 . 2009-04-30 21:12 -------- d-----w d:\windows\system32\NtmsData
2009-04-30 21:11 . 2008-04-14 04:15 26368 -c--a-w d:\windows\system32\dllcache\usbstor.sys
2009-04-28 04:50 . 2009-04-28 04:50 -------- d-----w d:\program files\Microsoft Hardware
2009-04-27 23:57 . 2009-04-27 23:57 -------- d-----w d:\documents and settings\Reggie\Application Data\LEAPS
2009-04-27 23:45 . 2001-08-18 02:36 5632 ----a-w d:\windows\system32\ptpusb.dll
2009-04-27 23:45 . 2008-04-14 09:42 159232 ----a-w d:\windows\system32\ptpusd.dll
2009-04-27 23:45 . 2008-04-14 04:15 15104 -c--a-w d:\windows\system32\dllcache\usbscan.sys
2009-04-27 23:45 . 2008-04-14 04:15 15104 ----a-w d:\windows\system32\drivers\usbscan.sys
2009-04-27 23:32 . 2009-04-27 23:32 -------- d-----w d:\documents and settings\Reggie\Application Data\Pegasys Inc
2009-04-27 19:59 . 2009-04-27 19:59 -------- d-----w d:\documents and settings\Reggie\.spss
2009-04-27 14:54 . 2008-10-16 18:06 208744 ----a-w d:\windows\system32\muweb.dll
2009-04-27 14:54 . 2008-10-16 18:06 268648 ----a-w d:\windows\system32\mucltui.dll
2009-04-27 07:21 . 2009-04-27 07:21 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Help
2009-04-27 07:04 . 2003-03-16 04:15 90112 ----a-w d:\windows\unvise32.exe
2009-04-27 06:57 . 2009-04-27 06:57 2328704 ----a-w d:\windows\system32\TUKernel.exe
2009-04-27 06:20 . 2008-11-24 11:19 27904 ----a-w d:\windows\system32\uxtuneup.dll
2009-04-27 06:20 . 2009-04-27 06:20 362240 ----a-w d:\windows\system32\TuneUpDefragService.exe
2009-04-27 06:17 . 2009-04-27 06:20 603904 ----a-w d:\windows\system32\TUProgSt.exe
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\Reggie\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:20 -------- d-----w d:\program files\TuneUp Utilities 2009
2009-04-27 06:10 . 2009-04-27 06:10 -------- d-sh--w d:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-27 05:53 . 2009-05-06 15:42 -------- d-----w d:\windows\Downloaded Installations
2009-04-27 03:45 . 2009-04-27 03:45 -------- d-----w d:\windows\system32\LogFiles
2009-04-27 03:11 . 2002-07-27 02:24 790528 ------w d:\windows\system32\FreeImageX.dll
2009-04-27 03:11 . 1999-01-04 20:32 10752 ------w d:\windows\system32\xtimers.dll
2009-04-27 03:11 . 1996-01-31 04:00 92160 ------w d:\windows\system32\MSO5ENU.DLL
2009-04-27 03:11 . 2003-03-26 16:22 196608 ------w d:\windows\system32\PitchPC.exe
2009-04-27 03:11 . 2002-05-20 16:50 26624 ------w d:\windows\system32\WebRequest.exe
2009-04-27 03:11 . 2003-05-15 19:59 49152 ------w d:\windows\system32\qsheetc.dll
2009-04-27 02:44 . 2007-12-24 17:47 7680 ----a-w d:\windows\system32\ff_vfw.dll
2009-04-27 02:44 . 2007-11-29 16:52 60273 ----a-w d:\windows\system32\pthreadGC2.dll
2009-04-27 02:38 . 2009-04-27 02:38 -------- d-----w d:\windows\DvzCommon
2009-04-27 02:30 . 2009-04-27 02:31 -------- d-----w d:\documents and settings\Reggie\Application Data\EndNote
2009-04-27 02:23 . 2008-03-03 17:13 12296 ----a-w d:\windows\system32\deltaIICoIn.dll
2009-04-27 02:23 . 2008-03-03 17:13 236040 ----a-w d:\windows\system32\DeltaIITray.exe
2009-04-27 02:23 . 2008-03-03 17:13 739848 ----a-w d:\windows\system32\DeltaIICpl.exe
2009-04-27 02:23 . 2008-03-03 17:13 302728 ----a-w d:\windows\system32\drivers\deltaII.sys
2009-04-27 02:23 . 2008-03-03 17:13 21000 ----a-w d:\windows\system32\DeltaIIpnl.dll
2009-04-27 02:23 . 2008-03-03 17:13 25096 ----a-w d:\windows\system32\deltaIIasio.dll
2009-04-27 02:23 . 2008-03-03 17:13 2513432 ----a-w d:\windows\system32\pcifmdio.dll
2009-04-27 02:19 . 2009-04-27 02:19 -------- d-----w d:\program files\M-Audio
2009-04-27 02:19 . 2009-04-27 02:19 -------- d-----w d:\documents and settings\Reggie\Application Data\InstallShield
2009-04-27 02:09 . 2000-03-29 14:17 5824 ----a-w d:\windows\system32\drivers\ASUSHWIO.SYS
2009-04-27 01:57 . 2009-04-27 01:57 -------- d-----w d:\documents and settings\Reggie\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 02:45 . 2009-04-26 17:24 21480 ----a-w d:\documents and settings\Reggie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 16:26 . 2009-04-26 18:06 -------- d-----w d:\program files\Common Files\PC Tools
2009-05-11 15:46 . 2009-04-26 17:51 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-05-10 00:34 . 2009-04-26 17:31 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-26 21:51 . 2009-04-26 17:33 -------- d-----w d:\program files\Common Files\Adobe
2009-04-26 21:42 . 2008-04-14 12:42 218624 ----a-w d:\windows\system32\uxtheme.dll
2009-04-26 19:58 . 2009-04-26 19:58 -------- d-----w d:\program files\microsoft frontpage
2009-04-26 19:55 . 2009-04-26 19:55 21640 ----a-w d:\windows\system32\emptyregdb.dat
2009-04-26 19:55 . 2009-04-26 19:55 -------- d-----w d:\program files\Windows Media Connect 2
2009-04-26 18:33 . 2009-04-26 18:33 -------- d-----w d:\program files\Common Files\i4j_jres
2009-04-26 18:27 . 2009-04-26 18:27 0 ----a-w d:\windows\nsreg.dat
2009-04-26 17:46 . 2009-04-26 17:47 512096 ----a-w d:\windows\system32\drivers\amon.sys
2009-04-26 17:46 . 2009-04-26 17:47 298104 ----a-w d:\windows\system32\imon.dll
2009-04-26 17:46 . 2009-04-26 17:47 15424 ----a-w d:\windows\system32\drivers\nod32drv.sys
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\NVIDIA Corporation
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\Common Files\NVIDIA Shared
2009-04-26 17:23 . 2009-04-26 17:23 8 ----a-w d:\windows\system32\nvModes.dat
2009-03-17 01:42 . 2009-03-17 01:42 524288 ----a-w d:\windows\opuc.dll
2009-03-08 08:34 . 2009-01-12 02:43 914944 ----a-w d:\windows\system32\wininet.dll
2009-03-08 08:34 . 2009-01-12 02:43 43008 ----a-w d:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2009-01-12 02:43 18944 ----a-w d:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-04-14 12:42 420352 ----a-w d:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2009-01-12 02:43 72704 ----a-w d:\windows\system32\admparse.dll
2009-03-08 08:32 . 2009-01-12 02:43 71680 ----a-w d:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2009-01-12 02:43 34816 ----a-w d:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2009-01-12 02:43 48128 ----a-w d:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2009-01-12 02:43 45568 ----a-w d:\windows\system32\mshta.exe
2009-03-08 08:22 . 2009-01-12 02:43 156160 ----a-w d:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-04-14 12:42 284160 ----a-w d:\windows\system32\pdh.dll
.

------- Sigcheck -------

[-] 2009-01-12 02:44 1614848 362BC5AF8EAF712832C58CC13AE05750 d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SkinClock"="f:\atomic alarm clock\AtomicAlarmClock.exe" [2008-09-24 527360]
"SUPERAntiSpyware"="f:\superanitspyware\SUPERAntiSpyware.exe" [2009-05-11 1830128]
"SpybotSD TeaTimer"="f:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="d:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 131072]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"nod32kui"="f:\nod32\nod32kui.exe" [2009-04-26 949376]
"SmcService"="f:\sygate\smc.exe" [2005-09-27 2635472]
"Acrobat Assistant 7.0"="f:\adobe\Acrobat\Distillr\Acrotray.exe" [2004-12-14 483328]
"M-Audio Taskbar Icon"="d:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"DeltaIITaskbarApp"="d:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"openvpn-gui"="f:\open vpn\bin\openvpn-gui.exe" [2005-08-18 99328]
"snpstd3"="d:\windows\vsnpstd3.exe" [2006-09-19 827392]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

d:\documents and settings\Reggie\Start Menu\Programs\Startup\
HotSync Manager.lnk - f:\palm\Palm Desktop\HOTSYNC.EXE [2004-4-13 299008]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-26 25214]
DataViz Messenger.lnk - d:\windows\DvzCommon\DvzMsgr.exe [2009-4-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\superanitspyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="d:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w f:\superanitspyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CPM033a0027"=Rundll32.exe "d:\windows\system32\kagevizu.dll",a

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\SPSS16\\spss.exe"=
"f:\\SPSS16\\spss.com"=
"f:\\SPSS16\\SPSSWinWrapIDE.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;d:\windows\system32\drivers\SI3112r.sys [4/21/2003 9:49 AM 85333]
R0 SiWinAcc;SiWinAcc;d:\windows\system32\drivers\SiWinAcc.sys [2/25/2003 6:08 AM 9600]
R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [4/26/2009 1:47 PM 15424]
R1 SASDIFSV;SASDIFSV;f:\superanitspyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;f:\superanitspyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;d:\windows\system32\TUProgSt.exe [4/27/2009 2:17 AM 603904]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);d:\windows\system32\drivers\deltaII.sys [4/26/2009 10:23 PM 302728]
R3 SASENUM;SASENUM;f:\superanitspyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 tap0801;TAP-Win32 Adapter V8;d:\windows\system32\drivers\tap0801.sys [6/23/2004 10:54 PM 23552]
S0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 MotDev;Motorola Inc. USB Device;d:\windows\system32\drivers\motodrv.sys [5/2/2009 1:20 PM 42112]
S3 TfNetMon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S4 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 d:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-04 14:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Convert link target to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\micros~1\OFFICE11\EXCEL.EXE/3000
LSP: d:\windows\system32\imon.dll
FF - ProfilePath - d:\documents and settings\Reggie\Application Data\Mozilla\Firefox\Profiles\an0b03se.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: f:\adobe\Acrobat\Acrobat\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 02:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="d:\\WINDOWS\\SYSTEM32\\KAGEVIZU.DLL"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
f:\superanitspyware\SASWINLO.dll
d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(1116)
d:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2540)
d:\windows\system32\webcheck.dll
d:\windows\system32\IEFRAME.dll
d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
d:\windows\system32\msi.dll
d:\windows\system32\SSSensor.dll
f:\atomic alarm clock\Clock.dll
d:\windows\system32\msls31.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-05-19 2:45
ComboFix-quarantined-files.txt 2009-05-19 06:45
ComboFix2.txt 2009-05-19 06:35

Pre-Run: 14,321,766,400 bytes free
Post-Run: 14,311,112,704 bytes free

313 --- E O F --- 2009-05-11 03:33


and the HijackThis Uninstall list:

Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Flash Player 10 Plugin
Atomic Alarm Clock 5.85
Avanquest update
BitPim 1.0.3
Choice Guard
Critical Update for Windows Media Player 11 (KB959772)
dBpoweramp FLAC Codec
dBpowerAMP Music Converter
dBpowerAMP Tag From Filename
dBpowerAMP Update ID Tag
Delta
Documents To Go
DVDFab Ghosthunter release 5.2.3.2
Dynex Webcam
EndNote X.0.2 Volume License Edition
ERUNT 1.1j
ffdshow [rev 1723] [2007-12-24]
FLAC 1.2.1b (remove only)
Flash&Backup
GoldWave v5.14
Guitar Pro 5.2
Handmark® Tetris Classic(TM) Game Pak for Palm OS
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Image Resizer Powertoy for Windows XP
ISI ResearchSoft - Export Helper
Java Adapter for Mobile
KeySuite (TM)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Motorola Driver Installation 3.7.0
Motorola Phone Tools
Motorola PST
Motorola Software Update
Mozilla Firefox (3.0.10)
MSVCRT
MSXML 4.0 SP2 (KB954430)
Nero 9
neroxml
NOD32 antivirus system
NVIDIA Drivers
NvMixer
OpenVPN 2.0.5-gui-1.0.3
Paint.NET v3.36
Palm Desktop
Quickoffice
RadioComm v11.0.3
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
SnagIt 8
SPSS 16.0 for Windows
Spybot - Search & Destroy
SUPERAntiSpyware Professional
Sygate Personal Firewall Pro
TMPGEnc 4.0 XPress
TuneUp Utilities 2009
UltraUXThemePatcher
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Vuze
WIBU-KEY Setup (WIBU-KEY Remove)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
WinZip
YouSendIt Express

pskelley
2009-05-19, 17:33
SUPERAntiSpyware is still seeing kagevizu.dll
I do not use SUPERAntiSpyware and know little about it. You might ask questions about that program at one of these:
http://www.google.com/search?hl=en&ei=zM0SSo7ZIqCm8QS-1M2KBA&sa=X&oi=spell&resnum=1&ct=result&cd=1&q=SUPERAntispyware+free+forum&spell=1

Just exactly where does SAS say the file is located? You said you knew it was in the C:\Windows\System32\ folder and I said you could delete it??

What does ESET NOD32 antivirus system say when you scan with it? I would trust those results.

Looking at the uninstall list first

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Installed programs are a bit weird.

Adobe Acrobat 7.0.1 and Reader 7.0.1 Update <<< I have not seen this before, but I have this information about Adobe Reader:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Adobe Flash Player 10 Plugin <<< I am trying to understand why you would have a Plugin and no Adobe Flash Player:
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

In order to proceed I need the HJT log I requested.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

J.L.C.
2009-05-20, 00:27
SAS says the file is located in Windows\System32

However, I don't see it in there.

It may be time to uninstall Acrobat and try something else; I don't have Reader listed anywhere that I can run it from.

The flash player, I'm not sure about. I use Firefox as my default browser, so I assume that's where the plugin is from. I will download the new player.

A new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:52 PM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\NOD32\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
F:\Sygate\smc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
F:\Adobe\Acrobat\Distillr\Acrotray.exe
D:\WINDOWS\System32\DeltaIITray.exe
F:\Open VPN\bin\openvpn-gui.exe
D:\WINDOWS\vsnpstd3.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
F:\Atomic Alarm Clock\AtomicAlarmClock.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
F:\Palm\Palm Desktop\HOTSYNC.EXE
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
F:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Snag-It\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ce66458-0e88-4668-8bfd-fed718e3cdd1} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Snag-It\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] F:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] D:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] D:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [openvpn-gui] F:\Open VPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [snpstd3] D:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SkinClock] F:\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SuperAnitSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: HotSync Manager.lnk = F:\Palm\Palm Desktop\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - F:\SuperAnitSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - F:\Open VPN\bin\openvpnserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Sygate\smc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 7123 bytes
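
A HijackThis log like the one above is read line by line for entries that do not belong. As an added example (not code from this thread, from HijackThis or from any tool named here), the Python below parses a few of the posted lines and applies three generic triage heuristics a helper applies by hand: an O2 BHO whose CLSID is registered but whose DLL is "(no file)" (a dangling COM registration), an O4 autorun that goes through a loader host such as rundll32 or regsvr32 (the entry itself is not the code; what it is handed is), and an O23 service whose publisher is "Unknown owner". The names parse_hjt, triage, LOADER_HOSTS and SAMPLE_LOG are my own; the log lines inside SAMPLE_LOG are copied from the post above. A flag is a prompt to look closer, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of lines from the HijackThis log posted
# above (nothing here that is not on the page).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ce66458-0e88-4668-8bfd-fed718e3cdd1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "F:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\NOD32\nod32krn.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - F:\Open VPN\bin\openvpnserv.exe
"""

# HijackThis lines look like "O4 - <body>" or "R1 - <body>".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 bodies carry the value name in brackets, then the command line.
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Hosts that load and run whatever they are handed; an autorun built on one of
# them is only as trustworthy as its arguments (assumption: this short list is
# enough for the heuristic, it is not exhaustive).
LOADER_HOSTS = {"rundll32", "regsvr32"}


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into section/body records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def _first_exe(cmd: str) -> str:
    """Lower-cased base name (minus .exe) of the first token of a command line."""
    tokens = cmd.split()
    if not tokens:
        return ""
    tok = tokens[0].strip('"')
    base = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, original body) for every entry worth a second look."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O2" and body.endswith("- (no file)"):
            clsid = CLSID_RE.search(body)
            findings.append((sec, "BHO CLSID registered but its DLL is missing: "
                             + (clsid.group(0) if clsid else "?"), body))
        elif sec == "O4":
            m = RUN_RE.search(body)
            if m and _first_exe(m.group("cmd")) in LOADER_HOSTS:
                findings.append((sec, "autorun '%s' runs through %s; check what it loads"
                                 % (m.group("name"), _first_exe(m.group("cmd"))), body))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append((sec, "service binary carries no publisher information", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {body}")
```

Run against the sample it flags four lines: the "(no file)" BHO, the two O4 entries that go through RUNDLL32.EXE and regsvr32, and the OpenVPN service with no publisher. The two O4 hits are there to be checked, not removed; the point of a triage pass is to shorten the list a person has to read, which is what the helper does by hand when choosing which lines to have the user fix.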

pskelley
2009-05-20, 01:05
Follow the directions carefully and in the numbered order.

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
d:\windows\system32\kagevizu.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CPM033a0027"=-

Folder::
D:\SDFix

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {9ce66458-0e88-4668-8bfd-fed718e3cdd1} - (no file)
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running?

Thanks

J.L.C.
2009-05-20, 21:02
Here are the requested logs:

CFScript:
ComboFix 09-05-19.08 - Reggie 05/19/2009 21:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.678 [GMT -4:00]
Running from: d:\documents and settings\Reggie\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Reggie\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall Pro *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active


FILE ::
d:\windows\system32\kagevizu.dll
.

((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 00:55 . 2009-05-20 00:55 -------- d-----w d:\documents and settings\Reggie\Application Data\Malwarebytes
2009-05-20 00:55 . 2009-04-06 19:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-05-20 00:55 . 2009-04-06 19:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 00:55 . 2009-05-20 00:55 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-11 17:43 . 2009-05-12 00:06 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-11 16:30 . 2008-04-14 05:42 1033728 ----a-w d:\windows\explorer.exe
2009-05-11 16:04 . 2009-05-11 16:04 -------- d--h--w d:\windows\PIF
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com
2009-05-11 15:23 . 2009-05-11 15:23 -------- d-----w d:\windows\ERUNT
2009-05-11 03:33 . 2009-05-11 03:33 -------- d-----w d:\program files\MSXML 4.0
2009-05-10 19:34 . 2009-05-10 19:34 2975 ----a-w d:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-05-10 19:31 . 2009-05-10 19:31 1845 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Update ID Tag.dat
2009-05-10 19:31 . 2009-05-10 19:31 2059 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Tag From Filename.dat
2009-05-10 19:29 . 2009-05-10 19:29 36579 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-05-10 19:29 . 2009-05-10 19:34 515760 ----a-w d:\windows\system32\SpoonUninstall.exe
2009-05-10 19:04 . 2009-05-10 19:04 -------- d-----w d:\documents and settings\Reggie\Application Data\Nero
2009-05-10 18:56 . 2009-05-10 18:56 -------- d-----w d:\program files\Windows Sidebar
2009-05-10 18:52 . 2009-05-10 18:53 -------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-05-10 18:52 . 2009-05-10 19:00 -------- d-----w d:\program files\Common Files\Nero
2009-05-10 00:40 . 2008-04-14 04:09 5504 -c--a-w d:\windows\system32\dllcache\mstee.sys
2009-05-10 00:40 . 2008-04-14 04:09 5504 ----a-w d:\windows\system32\drivers\MSTEE.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 -c--a-w d:\windows\system32\dllcache\ndisip.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 ----a-w d:\windows\system32\drivers\NdisIP.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 -c--a-w d:\windows\system32\dllcache\streamip.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 ----a-w d:\windows\system32\drivers\StreamIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 -c--a-w d:\windows\system32\dllcache\slip.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 ----a-w d:\windows\system32\drivers\SLIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 -c--a-w d:\windows\system32\dllcache\ccdecode.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 ----a-w d:\windows\system32\drivers\CCDECODE.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 -c--a-w d:\windows\system32\dllcache\wstcodec.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 ----a-w d:\windows\system32\drivers\WSTCODEC.SYS
2009-05-10 00:39 . 2008-04-14 04:16 85248 -c--a-w d:\windows\system32\dllcache\nabtsfec.sys
2009-05-10 00:39 . 2008-04-14 04:16 85248 ----a-w d:\windows\system32\drivers\NABTSFEC.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 -c--a-w d:\windows\system32\dllcache\usbaudio.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 ----a-w d:\windows\system32\drivers\USBAUDIO.sys
2009-05-10 00:39 . 2008-04-14 09:42 53760 -c--a-w d:\windows\system32\dllcache\vfwwdm32.dll
2009-05-10 00:39 . 2008-04-14 09:42 53760 ----a-w d:\windows\system32\vfwwdm32.dll
2009-05-10 00:35 . 2006-09-19 13:07 827392 ----a-w d:\windows\vsnpstd3.exe
2009-05-10 00:35 . 2006-02-07 00:19 8410880 ----a-w d:\windows\system32\drivers\snpstd3.sys
2009-05-10 00:35 . 2005-12-23 21:17 53248 ----a-w d:\windows\vsnpstd3.dll
2009-05-10 00:35 . 2006-01-10 21:02 147456 ----a-w d:\windows\system32\rsnpstd3.dll
2009-05-10 00:35 . 2005-11-23 17:55 53248 ----a-w d:\windows\system32\csnpstd3.dll
2009-05-10 00:35 . 2004-12-08 22:40 20480 ----a-w d:\windows\usnpstd3.exe
2009-05-10 00:35 . 2009-05-10 00:35 -------- d-----w d:\program files\Common Files\snpstd3
2009-05-08 22:37 . 2009-05-08 23:33 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Paint.NET
2009-05-08 03:28 . 2009-05-08 03:28 -------- d-sh--w d:\documents and settings\Reggie\IECompatCache
2009-05-08 03:26 . 2009-05-08 03:26 -------- d-sh--w d:\documents and settings\Reggie\PrivacIE
2009-05-06 21:15 . 2009-05-06 21:15 -------- d-sh--w d:\documents and settings\Reggie\IETldCache
2009-05-06 21:05 . 2009-05-06 21:05 -------- d-----w d:\windows\ie8updates
2009-05-06 21:05 . 2009-02-28 04:55 105984 -c----w d:\windows\system32\dllcache\iecompat.dll
2009-05-06 21:05 . 2009-05-06 21:05 -------- dc-h--w d:\windows\ie8
2009-05-06 20:55 . 2009-05-06 21:12 -------- d-----w d:\windows\SxsCaPendDel
2009-05-06 15:42 . 2009-05-06 15:43 -------- d-----w d:\documents and settings\Reggie\Application Data\YouSendIt
2009-05-05 04:10 . 2009-05-05 04:10 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\WMTools Downloaded Files
2009-05-03 04:45 . 2009-05-03 04:45 -------- d-----w d:\documents and settings\All Users\Application Data\TechSmith
2009-05-03 01:40 . 2001-12-27 14:59 57552 ----a-w d:\windows\system32\WKDOS.EXE
2009-05-03 01:40 . 2001-12-27 14:59 29696 ----a-w d:\windows\system32\drivers\Wibukey2.sys
2009-05-03 01:40 . 2001-12-27 14:59 67072 ----a-w d:\windows\system32\drivers\Wibukey.sys
2009-05-03 01:40 . 2001-12-27 14:59 139264 ----a-w d:\windows\system32\WkWin32.dll
2009-05-03 01:40 . 2001-12-27 14:59 52736 ----a-w d:\windows\system\WkWin.dll
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBU-SYSTEMS
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBUKEY
2009-05-03 01:40 . 2004-03-01 22:53 37760 ----a-w d:\windows\system32\drivers\P2k.sys
2009-05-03 01:40 . 2004-03-08 14:18 77895 ----a-w d:\windows\system32\unibus_tcutil.dll
2009-05-03 01:40 . 2009-05-08 05:40 -------- d-----w d:\program files\Motorola
2009-05-03 01:06 . 2008-04-14 04:15 32128 -c--a-w d:\windows\system32\dllcache\usbccgp.sys
2009-05-03 01:06 . 2008-04-14 04:15 32128 ----a-w d:\windows\system32\drivers\usbccgp.sys
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\MSBuild
2009-05-02 23:46 . 2009-05-06 20:55 -------- d-----w d:\windows\system32\XPSViewer
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\Reference Assemblies
2009-05-02 23:45 . 2006-06-29 17:07 14048 ------w d:\windows\system32\spmsg2.dll
2009-05-02 17:20 . 2008-04-14 04:15 26112 -c--a-w d:\windows\system32\dllcache\usbser.sys
2009-05-02 17:20 . 2008-04-14 04:15 26112 ----a-w d:\windows\system32\drivers\usbser.sys
2009-05-02 17:20 . 2007-10-10 20:41 42112 ----a-w d:\windows\system32\drivers\motodrv.sys
2009-05-02 16:50 . 2009-05-02 16:50 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\BVRP Software
2009-05-02 16:42 . 2009-05-02 17:13 -------- d-----w d:\program files\Avanquest update
2009-05-02 16:41 . 2007-06-18 18:18 23680 ----a-w d:\windows\system32\drivers\motmodem.sys
2009-05-02 16:41 . 2006-11-13 18:45 1419232 ----a-w d:\windows\system32\wdfcoinstaller01005.dll
2009-05-02 16:41 . 2009-05-08 05:41 -------- dc----w d:\windows\system32\DRVSTORE
2009-05-02 16:40 . 2009-05-08 05:47 -------- d-----w d:\program files\Common Files\Motorola Shared
2009-05-02 16:40 . 2009-05-02 17:09 -------- d-----w d:\documents and settings\All Users\Application Data\BVRP Software
2009-05-01 02:58 . 2009-05-01 02:58 -------- d-----w d:\documents and settings\Reggie\WINDOWS
2009-04-30 21:12 . 2009-04-30 21:12 -------- d-----w d:\windows\system32\NtmsData
2009-04-30 21:11 . 2008-04-14 04:15 26368 -c--a-w d:\windows\system32\dllcache\usbstor.sys
2009-04-28 04:50 . 2009-04-28 04:50 -------- d-----w d:\program files\Microsoft Hardware
2009-04-27 23:57 . 2009-04-27 23:57 -------- d-----w d:\documents and settings\Reggie\Application Data\LEAPS
2009-04-27 23:45 . 2001-08-18 02:36 5632 ----a-w d:\windows\system32\ptpusb.dll
2009-04-27 23:45 . 2008-04-14 09:42 159232 ----a-w d:\windows\system32\ptpusd.dll
2009-04-27 23:45 . 2008-04-14 04:15 15104 -c--a-w d:\windows\system32\dllcache\usbscan.sys
2009-04-27 23:45 . 2008-04-14 04:15 15104 ----a-w d:\windows\system32\drivers\usbscan.sys
2009-04-27 23:32 . 2009-04-27 23:32 -------- d-----w d:\documents and settings\Reggie\Application Data\Pegasys Inc
2009-04-27 19:59 . 2009-04-27 19:59 -------- d-----w d:\documents and settings\Reggie\.spss
2009-04-27 14:54 . 2008-10-16 18:06 208744 ----a-w d:\windows\system32\muweb.dll
2009-04-27 14:54 . 2008-10-16 18:06 268648 ----a-w d:\windows\system32\mucltui.dll
2009-04-27 07:21 . 2009-04-27 07:21 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Help
2009-04-27 07:04 . 2003-03-16 04:15 90112 ----a-w d:\windows\unvise32.exe
2009-04-27 06:57 . 2009-04-27 06:57 2328704 ----a-w d:\windows\system32\TUKernel.exe
2009-04-27 06:20 . 2008-11-24 11:19 27904 ----a-w d:\windows\system32\uxtuneup.dll
2009-04-27 06:20 . 2009-04-27 06:20 362240 ----a-w d:\windows\system32\TuneUpDefragService.exe
2009-04-27 06:17 . 2009-04-27 06:20 603904 ----a-w d:\windows\system32\TUProgSt.exe
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\Reggie\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:20 -------- d-----w d:\program files\TuneUp Utilities 2009
2009-04-27 06:10 . 2009-04-27 06:10 -------- d-sh--w d:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-27 05:53 . 2009-05-06 15:42 -------- d-----w d:\windows\Downloaded Installations
2009-04-27 03:45 . 2009-04-27 03:45 -------- d-----w d:\windows\system32\LogFiles
2009-04-27 03:11 . 2002-07-27 02:24 790528 ------w d:\windows\system32\FreeImageX.dll
2009-04-27 03:11 . 1999-01-04 20:32 10752 ------w d:\windows\system32\xtimers.dll
2009-04-27 03:11 . 1996-01-31 04:00 92160 ------w d:\windows\system32\MSO5ENU.DLL
2009-04-27 03:11 . 2003-03-26 16:22 196608 ------w d:\windows\system32\PitchPC.exe
2009-04-27 03:11 . 2002-05-20 16:50 26624 ------w d:\windows\system32\WebRequest.exe
2009-04-27 03:11 . 2003-05-15 19:59 49152 ------w d:\windows\system32\qsheetc.dll
2009-04-27 02:44 . 2007-12-24 17:47 7680 ----a-w d:\windows\system32\ff_vfw.dll
2009-04-27 02:44 . 2007-11-29 16:52 60273 ----a-w d:\windows\system32\pthreadGC2.dll
2009-04-27 02:38 . 2009-04-27 02:38 -------- d-----w d:\windows\DvzCommon
2009-04-27 02:30 . 2009-04-27 02:31 -------- d-----w d:\documents and settings\Reggie\Application Data\EndNote
2009-04-27 02:23 . 2008-03-03 17:13 12296 ----a-w d:\windows\system32\deltaIICoIn.dll
2009-04-27 02:23 . 2008-03-03 17:13 236040 ----a-w d:\windows\system32\DeltaIITray.exe
2009-04-27 02:23 . 2008-03-03 17:13 739848 ----a-w d:\windows\system32\DeltaIICpl.exe
2009-04-27 02:23 . 2008-03-03 17:13 302728 ----a-w d:\windows\system32\drivers\deltaII.sys
2009-04-27 02:23 . 2008-03-03 17:13 21000 ----a-w d:\windows\system32\DeltaIIpnl.dll
2009-04-27 02:23 . 2008-03-03 17:13 25096 ----a-w d:\windows\system32\deltaIIasio.dll
2009-04-27 02:23 . 2008-03-03 17:13 2513432 ----a-w d:\windows\system32\pcifmdio.dll
2009-04-27 02:19 . 2009-04-27 02:19 -------- d-----w d:\program files\M-Audio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 02:45 . 2009-04-26 17:24 21480 ----a-w d:\documents and settings\Reggie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 16:26 . 2009-04-26 18:06 -------- d-----w d:\program files\Common Files\PC Tools
2009-05-11 15:46 . 2009-04-26 17:51 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-05-10 00:34 . 2009-04-26 17:31 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-26 21:51 . 2009-04-26 17:33 -------- d-----w d:\program files\Common Files\Adobe
2009-04-26 21:42 . 2008-04-14 12:42 218624 ----a-w d:\windows\system32\uxtheme.dll
2009-04-26 19:58 . 2009-04-26 19:58 -------- d-----w d:\program files\microsoft frontpage
2009-04-26 19:55 . 2009-04-26 19:55 21640 ----a-w d:\windows\system32\emptyregdb.dat
2009-04-26 19:55 . 2009-04-26 19:55 -------- d-----w d:\program files\Windows Media Connect 2
2009-04-26 18:33 . 2009-04-26 18:33 -------- d-----w d:\program files\Common Files\i4j_jres
2009-04-26 18:27 . 2009-04-26 18:27 0 ----a-w d:\windows\nsreg.dat
2009-04-26 17:46 . 2009-04-26 17:47 512096 ----a-w d:\windows\system32\drivers\amon.sys
2009-04-26 17:46 . 2009-04-26 17:47 298104 ----a-w d:\windows\system32\imon.dll
2009-04-26 17:46 . 2009-04-26 17:47 15424 ----a-w d:\windows\system32\drivers\nod32drv.sys
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\NVIDIA Corporation
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\Common Files\NVIDIA Shared
2009-04-26 17:23 . 2009-04-26 17:23 8 ----a-w d:\windows\system32\nvModes.dat
2009-03-17 01:42 . 2009-03-17 01:42 524288 ----a-w d:\windows\opuc.dll
2009-03-08 08:34 . 2009-01-12 02:43 914944 ----a-w d:\windows\system32\wininet.dll
2009-03-08 08:34 . 2009-01-12 02:43 43008 ----a-w d:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2009-01-12 02:43 18944 ----a-w d:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-04-14 12:42 420352 ----a-w d:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2009-01-12 02:43 72704 ----a-w d:\windows\system32\admparse.dll
2009-03-08 08:32 . 2009-01-12 02:43 71680 ----a-w d:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2009-01-12 02:43 34816 ----a-w d:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2009-01-12 02:43 48128 ----a-w d:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2009-01-12 02:43 45568 ----a-w d:\windows\system32\mshta.exe
2009-03-08 08:22 . 2009-01-12 02:43 156160 ----a-w d:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-04-14 12:42 284160 ----a-w d:\windows\system32\pdh.dll
.

------- Sigcheck -------

[-] 2009-01-12 02:44 1614848 362BC5AF8EAF712832C58CC13AE05750 d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SkinClock"="f:\atomic alarm clock\AtomicAlarmClock.exe" [2008-09-24 527360]
"SUPERAntiSpyware"="f:\superanitspyware\SUPERAntiSpyware.exe" [2009-05-11 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="d:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 131072]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"nod32kui"="f:\nod32\nod32kui.exe" [2009-04-26 949376]
"SmcService"="f:\sygate\smc.exe" [2005-09-27 2635472]
"Acrobat Assistant 7.0"="f:\adobe\Acrobat\Distillr\Acrotray.exe" [2004-12-14 483328]
"M-Audio Taskbar Icon"="d:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"DeltaIITaskbarApp"="d:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"openvpn-gui"="f:\open vpn\bin\openvpn-gui.exe" [2005-08-18 99328]
"snpstd3"="d:\windows\vsnpstd3.exe" [2006-09-19 827392]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2007-12-05 1626112]

d:\documents and settings\Reggie\Start Menu\Programs\Startup\
HotSync Manager.lnk - f:\palm\Palm Desktop\HOTSYNC.EXE [2004-4-13 299008]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-26 25214]
DataViz Messenger.lnk - d:\windows\DvzCommon\DvzMsgr.exe [2009-4-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\superanitspyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="d:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w f:\superanitspyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\SPSS16\\spss.exe"=
"f:\\SPSS16\\spss.com"=
"f:\\SPSS16\\SPSSWinWrapIDE.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;d:\windows\system32\drivers\SI3112r.sys [4/21/2003 9:49 AM 85333]
R0 SiWinAcc;SiWinAcc;d:\windows\system32\drivers\SiWinAcc.sys [2/25/2003 6:08 AM 9600]
R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [4/26/2009 1:47 PM 15424]
R1 SASDIFSV;SASDIFSV;f:\superanitspyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;f:\superanitspyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;d:\windows\system32\TUProgSt.exe [4/27/2009 2:17 AM 603904]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);d:\windows\system32\drivers\deltaII.sys [4/26/2009 10:23 PM 302728]
R3 SASENUM;SASENUM;f:\superanitspyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 tap0801;TAP-Win32 Adapter V8;d:\windows\system32\drivers\tap0801.sys [6/23/2004 10:54 PM 23552]
S0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 MotDev;Motorola Inc. USB Device;d:\windows\system32\drivers\motodrv.sys [5/2/2009 1:20 PM 42112]
S3 TfNetMon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S4 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 d:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-04 14:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Convert link target to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\micros~1\OFFICE11\EXCEL.EXE/3000
LSP: d:\windows\system32\imon.dll
FF - ProfilePath - d:\documents and settings\Reggie\Application Data\Mozilla\Firefox\Profiles\an0b03se.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: f:\adobe\Acrobat\Acrobat\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="d:\\WINDOWS\\SYSTEM32\\KAGEVIZU.DLL"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)
f:\superanitspyware\SASWINLO.dll
d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(1348)
d:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(684)
d:\windows\system32\webcheck.dll
d:\windows\system32\IEFRAME.dll
d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
d:\windows\system32\msi.dll
d:\windows\system32\SSSensor.dll
f:\atomic alarm clock\Clock.dll
d:\windows\system32\msls31.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-05-20 21:17
ComboFix-quarantined-files.txt 2009-05-20 01:17
ComboFix2.txt 2009-05-20 00:47
ComboFix3.txt 2009-05-19 06:45
ComboFix4.txt 2009-05-19 06:35

Pre-Run: 14,271,344,640 bytes free
Post-Run: 14,259,154,944 bytes free

311 --- E O F --- 2009-05-11 03:33

MBAM:
Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 3

5/19/2009 9:30:00 PM
mbam-log-2009-05-19 (21-30-00).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 145868
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:34 PM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\NOD32\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
F:\Sygate\smc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
F:\Adobe\Acrobat\Distillr\Acrotray.exe
D:\WINDOWS\system32\DeltaIITray.exe
F:\Open VPN\bin\openvpn-gui.exe
D:\WINDOWS\vsnpstd3.exe
D:\Program Files\Messenger\msmsgs.exe
F:\Atomic Alarm Clock\AtomicAlarmClock.exe
F:\Adobe\Acrobat\Acrobat\acrobat_sl.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
F:\Palm\Palm Desktop\HOTSYNC.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
F:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Snag-It\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Snag-It\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] F:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] D:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] D:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [openvpn-gui] F:\Open VPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [snpstd3] D:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SkinClock] F:\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SuperAnitSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = F:\Palm\Palm Desktop\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - F:\SuperAnitSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - F:\Open VPN\bin\openvpnserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Sygate\smc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6870 bytes




The computer is running okay, but a little sluggish - nothing is showing up in Add/Remove programs within control panel (SUPERAntiSpyware is still seeing kagevizu so I thought I'd try uninstalling it and the others you flagged - but I cannot because the program list is blank now).

pskelley
2009-05-20, 22:10
SAS may now be seeing that file in the ComboFix quarantine; let's do this and see what happens. We will deal with any issues then.

Did you read this information:
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

After a few reboots, that sluggishness should go away, let me know if it does not.

Follow these directions carefully:

Remove combofix from the computer like this:

Click START, then RUN.
Now type or copy Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update NOD32 and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.
(let me know now if you have any issues)

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

J.L.C.
2009-05-21, 08:49
NOD32 found and removed a couple of things (a.exe in the Firefox directory).

MBAM finds a registry entry, and although I have chosen to remove it and rebooted several times, it shows up with every scan. Here's the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 3

5/19/2009 9:30:00 PM
mbam-log-2009-05-19 (21-30-00).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 145868
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After several reboots the computer is running better.

J.L.C.
2009-05-21, 08:59
I also cannot use the Windows Update site. I get a message that required components are no longer registered or installed; I select to fix the problem, but it is unable to repair.

J.L.C.
2009-05-21, 09:18
Re-registering and rebooting a couple of times has solved the Windows Update problem.

The MBAM entry is still there.

pskelley
2009-05-21, 13:26
Spybot - Search & Destroy <<< make sure you are up to date and fully immunized, then run Spybot and post the results like this.

Check for updates, run a scan, fix any problems, then:
On the toolbar menu select Mode and switch to Advanced; on the left select Tools, then View Report; make sure all the options near the bottom are selected except:
Uncheck [ ] Do not report disabled or known legitimate items,
Uncheck [ ] Include a list of services in report,
Uncheck [ ] Include uninstall list in report.
Now select, near the top, View Report; press Export and save the log on your Desktop; post the saved log in your next reply.

J.L.C.
2009-05-21, 17:25
Here's the Spybot log:


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-05-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi
2009-05-19 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-05-19 Includes\Dialer.sbi
2009-05-12 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-04-21 Includes\Hijackers.sbi
2009-05-12 Includes\HijackersC.sbi
2009-05-06 Includes\Keyloggers.sbi
2009-05-19 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-05-12 Includes\Malware.sbi
2009-05-19 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-05-12 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-05-12 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-04-07 Includes\Spyware.sbi
2009-05-12 Includes\SpywareC.sbi
2009-04-07 Includes\Tracks.uti
2009-05-12 Includes\Trojans.sbi
2009-05-19 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127-v2)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB963027)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB968220)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464-v2)
/ Windows XP / SP4: Hotfix for Windows XP (KB942288-v3)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Update for Windows XP (KB961503)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0


--- Startup entries list ---
Located: HK_LM:Run, Acrobat Assistant 7.0
command: "F:\Adobe\Acrobat\Distillr\Acrotray.exe"
file: F:\Adobe\Acrobat\Distillr\Acrotray.exe
size: 483328
MD5: FBD06A45DB2D543EFD932768029EC5F2

Located: HK_LM:Run, DeltaIITaskbarApp
command: D:\WINDOWS\system32\DeltaIITray.exe
file: D:\WINDOWS\system32\DeltaIITray.exe
size: 236040
MD5: 63E35605AF4E9545799E238984E74638

Located: HK_LM:Run, M-Audio Taskbar Icon
command: D:\WINDOWS\System32\DeltaIITray.exe
file: D:\WINDOWS\System32\DeltaIITray.exe
size: 236040
MD5: 63E35605AF4E9545799E238984E74638

Located: HK_LM:Run, nod32kui
command: "F:\NOD32\nod32kui.exe" /WAITSERVICE
file: F:\NOD32\nod32kui.exe
size: 949376
MD5: DD855A1E52C391F52400CA4162A3BAFF

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
file: D:\WINDOWS\system32\NvCpl.dll
size: 8523776
MD5: B1CB9BFEE05D23F07AF6F4230092CC49

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: D:\WINDOWS\system32\NvMcTray.dll
size: 81920
MD5: EC979882A9BF2B9A74693F3BF6DB3EAA

Located: HK_LM:Run, NVMixerTray
command: "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
file: D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
size: 131072
MD5: 37FFF683AEE7F09F5F7087138192BF02

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: D:\WINDOWS\system32\nwiz.exe
size: 1626112
MD5: 9493BFFB9F82EFEC742F5C56A279BD5B

Located: HK_LM:Run, openvpn-gui
command: F:\Open VPN\bin\openvpn-gui.exe
file: F:\Open VPN\bin\openvpn-gui.exe
size: 99328
MD5: D5DE3333EA2BB10015F484134565DB92

Located: HK_LM:Run, SmcService
command: F:\Sygate\smc.exe -startgui
file: F:\Sygate\smc.exe
size: 2635472
MD5: 91AEE5D6DA89054987BCA6170C828E71

Located: HK_LM:Run, snpstd3
command: D:\WINDOWS\vsnpstd3.exe
file: D:\WINDOWS\vsnpstd3.exe
size: 827392
MD5: FB0C8699B87F7140BB6201BE7B4B6778

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-746137067-329068152-682003330-1003...
command: D:\WINDOWS\system32\ctfmon.exe
file: D:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-746137067-329068152-682003330-1003...
command: "D:\Program Files\Messenger\msmsgs.exe" /background
file: D:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2

Located: HK_CU:Run, P2kAutostart
where: S-1-5-21-746137067-329068152-682003330-1003...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, SkinClock
where: S-1-5-21-746137067-329068152-682003330-1003...
command: F:\Atomic Alarm Clock\AtomicAlarmClock.exe
file: F:\Atomic Alarm Clock\AtomicAlarmClock.exe
size: 527360
MD5: 1A18737F95C9D111F206A2946157B62B

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-746137067-329068152-682003330-1003...
command: F:\Spybot - Search & Destroy\TeaTimer.exe
file: F:\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: HK_CU:RunOnce, _nltide_2
where: S-1-5-21-746137067-329068152-682003330-500...
command: regsvr32 /s /n /i:U shell32
file: regsvr32 /s /n /i:U shell32
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Adobe Acrobat Speed Launcher.lnk
where: D:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
file: D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
size: 25214
MD5: D6294D59171AC375CD142003566AA89E

Located: Startup (common), DataViz Messenger.lnk
where: D:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: D:\WINDOWS\DvzCommon\DvzMsgr.exe
file: D:\WINDOWS\DvzCommon\DvzMsgr.exe
size: 24576
MD5: D0322C668422DF021D8DAAEFC8D1ADA4

Located: Startup (user), HotSync Manager.lnk
where: D:\Documents and Settings\Reggie\Start Menu\Programs\Startup...
command: F:\Palm\Palm Desktop\HOTSYNC.EXE
file: F:\Palm\Palm Desktop\HOTSYNC.EXE
size: 299008
MD5: 7FB566C5816D8959C9F3AB918C00CD1F

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{00C6482D-C502-44C8-8409-FCE54AD9C208} (HelperObject Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: HelperObject Class
description: SnagIt
classification: Legitimate
known filename: SnagItBHO.dll
info link: http://www.techsmith.com/products/snagit/default.asp
info source: TonyKlein
Path: F:\Snag-It\
Long name: SnagItBHO.dll
Short name: SNA335~1.DLL
Date (created): 6/20/2006 8:10:00 AM
Date (last access): 5/21/2009 6:44:02 AM
Date (last write): 6/20/2006 8:10:00 AM
Filesize: 61440
Attributes: archive
MD5: 5ADAA9E1FA01095D89B65D155B6145DC
CRC32: 7A7D2AA5
Version: 1.0.1.0

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: F:\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 12/14/2004 4:56:50 AM
Date (last access): 5/21/2009 6:44:02 AM
Date (last write): 12/14/2004 4:56:50 AM
Filesize: 63136
Attributes: archive
MD5: 42729C3DE75A7A51FC6F9EF6546C9199
CRC32: 4D60BD07
Version: 7.0.0.1333

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: F:\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 5/21/2009 3:21:14 AM
Date (last access): 5/21/2009 11:19:06 AM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: D:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 1/22/2009 6:41:30 PM
Date (last access): 5/21/2009 6:44:02 AM
Date (last write): 1/22/2009 6:41:30 PM
Filesize: 408448
Attributes: archive
MD5: B7899C3E21B299D7A3C0DA96CAE340BD
CRC32: 288935F8
Version: 5.0.818.5

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll, googletoolbar*.dll (* = number), googletoolbar_en_*.**-big.dll, Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: d:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 5/19/2009 11:11:18 PM
Date (last access): 5/21/2009 6:44:02 AM
Date (last write): 5/19/2009 11:11:18 PM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 4.0.1601.4978

{AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEToolbarHelper Class
description: Adobe Acrobat
classification: Legitimate
known filename: AcroIEFavClient.dll
info link: http://www.adobe.com/products/acrobatpro/main.html
info source: TonyKlein
Path: F:\Adobe\Acrobat\Acrobat\
Long name: AcroIEFavClient.dll
Short name: ACROIE~1.DLL
Date (created): 12/14/2004 5:13:40 AM
Date (last access): 5/21/2009 6:44:02 AM
Date (last write): 12/14/2004 5:13:40 AM
Filesize: 225280
Attributes: archive
MD5: 1BA6D822A6BA2402BC5DF7F65955D3A8
CRC32: E355B594
Version: 7.0.0.0



--- ActiveX list ---
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: D:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: D:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc4.cab
Path: D:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 3/16/2009 9:42:26 PM
Date (last access): 5/21/2009 3:18:52 AM
Date (last write): 3/16/2009 9:42:26 PM
Filesize: 524288
Attributes: archive
MD5: 2C2FB12243C796963A7640DFFA6729D0
CRC32: CFE171AD
Version: 12.0.5606.1000



--- Process list ---
PID: 0 ( 0) [System]
PID: 448 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 1008 ( 448) \??\D:\WINDOWS\system32\csrss.exe
size: 6144
PID: 1032 ( 448) \??\D:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 1108 (1032) D:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 1120 (1032) D:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1308 (1108) D:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1388 (1108) D:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1540 (1108) D:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1696 (1108) D:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1888 (1108) D:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2036 (1108) D:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 704 ( 620) D:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 484 ( 704) D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
size: 131072
MD5: 37FFF683AEE7F09F5F7087138192BF02
PID: 996 ( 704) D:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 1012 ( 704) D:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: 037B1E7798960E0420003D05BB577EE6
PID: 1060 ( 704) F:\NOD32\nod32kui.exe
size: 949376
MD5: DD855A1E52C391F52400CA4162A3BAFF
PID: 1236 ( 704) F:\Adobe\Acrobat\Distillr\Acrotray.exe
size: 483328
MD5: FBD06A45DB2D543EFD932768029EC5F2
PID: 1264 ( 704) D:\WINDOWS\system32\DeltaIITray.exe
size: 236040
MD5: 63E35605AF4E9545799E238984E74638
PID: 1272 ( 704) F:\Open VPN\bin\openvpn-gui.exe
size: 99328
MD5: D5DE3333EA2BB10015F484134565DB92
PID: 1288 ( 704) D:\WINDOWS\vsnpstd3.exe
size: 827392
MD5: FB0C8699B87F7140BB6201BE7B4B6778
PID: 1340 ( 704) D:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2
PID: 1464 ( 704) F:\Atomic Alarm Clock\AtomicAlarmClock.exe
size: 527360
MD5: 1A18737F95C9D111F206A2946157B62B
PID: 1604 ( 704) D:\WINDOWS\DvzCommon\DvzMsgr.exe
size: 24576
MD5: D0322C668422DF021D8DAAEFC8D1ADA4
PID: 1792 ( 704) F:\Palm\Palm Desktop\HOTSYNC.EXE
size: 299008
MD5: 7FB566C5816D8959C9F3AB918C00CD1F
PID: 1960 (1108) D:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 520 (1108) F:\NOD32\nod32krn.exe
size: 552064
MD5: 82F52E10A4DF718FF4CA67D2DBDE8D07
PID: 604 (1108) D:\WINDOWS\system32\nvsvc32.exe
size: 155716
MD5: 472A00D2183C9E5EDB3E076272741812
PID: 1480 (1108) F:\Sygate\smc.exe
size: 2635472
MD5: 91AEE5D6DA89054987BCA6170C828E71
PID: 848 (1108) D:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1984 (1108) D:\WINDOWS\System32\TUProgSt.exe
size: 603904
MD5: 05C322CB811E8A3D52F6C53D91A68036
PID: 2472 (1108) D:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 720 (1308) D:\WINDOWS\system32\wbem\wmiprvse.exe
size: 227840
MD5: 798A9E6828997EEF4517ADA8A2259831
PID: 2832 (3772) F:\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1
PID: 2020 ( 704) F:\Microsoft Office\OFFICE11\OUTLOOK.EXE
size: 199688
MD5: 8219160C141B505AB5C112F73405C348
PID: 3992 (1308) D:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 3885408
MD5: 16C3811F3A5CD8EA7030A42A75892136
PID: 3788 (1308) F:\Microsoft Office\OFFICE11\WINWORD.EXE
size: 12310864
MD5: 35EC2ACA2F0F37AA977F7D50DC2DFE54
PID: 2580 (1308) D:\Program Files\Windows Live\Contacts\wlcomm.exe
size: 27512
MD5: 654480EA67078C7B4C6C8BA871B07D5D
PID: 3236 ( 704) F:\Firefox\firefox.exe
size: 307704
MD5: CA2AC84AA6C67F742D9785E553848927
PID: 3276 (2832) F:\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 5/21/2009 11:24:35 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
D:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.ca/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
D:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: NOD32 protected [MSAFD Tcpip [TCP/IP]]
GUID: {DCBFABF6-7BF9-4E75-A4C4-717641184F0E}
Filename: D:\WINDOWS\system32\imon.dll

Protocol 1: NOD32 protected [MSAFD Tcpip [UDP/IP]]
GUID: {7B66B40F-E9B5-46DA-B428-E4D5705A817E}
Filename: D:\WINDOWS\system32\imon.dll

Protocol 2: NOD32 protected [MSAFD Tcpip [RAW/IP]]
GUID: {527A0896-E2F4-4B5F-BBD3-8578BBDD3355}
Filename: D:\WINDOWS\system32\imon.dll

Protocol 3: NOD32 protected [RSVP UDP Service Provider]
GUID: {356B691C-807D-4D92-857E-26C08CEFA11B}
Filename: D:\WINDOWS\system32\imon.dll

Protocol 4: NOD32 protected [RSVP TCP Service Provider]
GUID: {AE8C194C-EC25-49AB-9754-6D2EBBF55A14}
Filename: D:\WINDOWS\system32\imon.dll

Protocol 5: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 6: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 7: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 8: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: NOD32
GUID: {28A4D8DA-E908-4C6F-A926-A66CC7AD3224}
Filename: D:\WINDOWS\system32\imon.dll

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C192BABD-36FE-4114-8F47-29B84F4105F3}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C192BABD-36FE-4114-8F47-29B84F4105F3}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{303FD458-ADFA-482E-9DFD-3DEEE9DA4696}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{303FD458-ADFA-482E-9DFD-3DEEE9DA4696}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0B143C2-FB46-417A-B055-4E00E6B92F3B}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0B143C2-FB46-417A-B055-4E00E6B92F3B}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA687938-32D7-4668-8791-47667C2A99D1}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA687938-32D7-4668-8791-47667C2A99D1}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{710E5203-1E0E-4A50-A3EA-4022FD5227DE}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{710E5203-1E0E-4A50-A3EA-4022FD5227DE}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{50BCC9E5-A4D1-4FED-B683-3A05582C1E31}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{50BCC9E5-A4D1-4FED-B683-3A05582C1E31}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B19DEE-133E-4ED4-BD33-847FB1C0F37D}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B19DEE-133E-4ED4-BD33-847FB1C0F37D}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

pskelley
2009-05-21, 19:30
I believe this is just a registry leftover and don't know why it is being so hard to remove.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

http://www.systemlookup.com/lists.php?list=1 <<< a scan here by CLSID number shows:
ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4
Search Results
No results. Please try a different search term
which is what I would expect from a leftover random CLSID number. Let's see if we can remove this item manually using regedit.

*** make sure you are signed in as administrator ***

1) For safety, be sure to create a registry backup before you proceed.

You already have ERUNT so:
In the box that opens ONLY choose "System registry"
Click OK.
Click save and then go to File > Exit.

Once you have the backup on the Desktop, be very careful!

2) Start > Run > (type) regedit. Registry Editor will open.

3) Scroll down until you see HKEY_CLASSES_ROOT (may be right at the top)

4) Click the + to expand, scroll until you see CLSID, and click the + to expand.

5) Look for this number: ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4

6) When you have the right number, look carefully to be sure, then right click on that number and click DELETE. If you are asked if you are sure, say yes or OK.

7) Restart and scan with MBAM to be sure it is gone.

Thanks

J.L.C.
2009-05-22, 01:56
I get:

'Cannot Delete {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}: Error while deleting key'

pskelley
2009-05-22, 01:59
Now you know how to do it and where the key is, see if you can find anything here to help:

http://www.google.com/search?hl=en&q=Error+while+deleting+key&btnG=Search&aq=f&oq=&aqi=g6

This may help:
http://support.microsoft.com/kb/310516

More information:
http://www.google.com/search?hl=en&q=how+to+delete+a+registry+key&btnG=Google+Search&aq=f&oq=&aqi=g3

J.L.C.
2009-05-22, 04:20
Was able to remove the key by playing with the permissions.

MBAM gives a clear report.

Re-installed SAS and now it gives a clear report.

Thank you very much for all your help and patience!!

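The regedit steps pskelley gave above, together with the permission repair that the "Error while deleting key" result turned out to need, as one script. This is an added example, not something posted in the thread: it assumes an elevated PowerShell session, uses reg.exe export in place of the ERUNT backup step, and the CLSID is the one quoted in the thread.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session;
# CLSID taken from the thread; reg.exe export stands in for the ERUNT backup step.
$Clsid  = '{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}'
$SubKey = "CLSID\$Clsid"                                  # relative to HKEY_CLASSES_ROOT
$PsPath = "Registry::HKEY_CLASSES_ROOT\$SubKey"
$Backup = Join-Path ([Environment]::GetFolderPath('Desktop')) `
                    ('clsid-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
$Admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

# Elevated admins hold SeTakeOwnershipPrivilege but it is disabled by default; without
# it, opening a key for WRITE_OWNER fails when the DACL locks Administrators out.
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class Priv {
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool OpenProcessToken(IntPtr proc, int access, ref IntPtr tok);
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
      ref TokPriv1Luid newState, int len, IntPtr prev, IntPtr retLen);
  [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
  public static bool Enable(string name) {
    IntPtr tok = IntPtr.Zero;
    if (!OpenProcessToken(GetCurrentProcess(), 0x28, ref tok)) return false; // ADJUST|QUERY
    TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2;                // SE_PRIVILEGE_ENABLED
    if (!LookupPrivilegeValue(null, name, ref tp.Luid)) return false;
    return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
           && Marshal.GetLastWin32Error() == 0;   // 0: the privilege really was assigned
  }
}
'@

# Opens the key with one right only, applies one edit to a fresh security object and
# persists just the section that edit touched (owner or DACL).
function Set-KeySecurity([System.Security.AccessControl.RegistryRights]$Rights, [scriptblock]$Edit) {
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $Rights)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    & $Edit $sec
    $key.SetAccessControl($sec)
    $key.Close()
}

if (-not (Test-Path -LiteralPath $PsPath)) { Write-Host "Not present: $PsPath"; return }

# Step 1: backup before touching anything.
& reg.exe export "HKCR\$SubKey" $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; leaving the key alone.' }
Write-Host "Backup written to $Backup"

# Diagnosis: a DACL with no usable Administrators entry is the usual cause of
# 'Error while deleting key'. Even reading the ACL can be refused on such a key.
try {
    $acl = Get-Acl -LiteralPath $PsPath
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
} catch { Write-Warning "Cannot read the key's ACL: $($_.Exception.Message)" }

# Steps 5-6: plain delete first; on refusal take ownership, grant full control, retry.
try {
    Remove-Item -LiteralPath $PsPath -Recurse -ErrorAction Stop
} catch {
    Write-Warning "Delete refused ($($_.Exception.Message)); repairing permissions."
    if (-not [Priv]::Enable('SeTakeOwnershipPrivilege')) { throw 'SeTakeOwnershipPrivilege unavailable; is this session elevated?' }
    Set-KeySecurity 'TakeOwnership' { param($s) $s.SetOwner($Admins) }
    # The owner is always granted WRITE_DAC, so the DACL can now be rewritten. This
    # replaces it outright, which is fine for a key that is deleted right afterwards.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    Set-KeySecurity 'ChangePermissions' { param($s) $s.AddAccessRule($rule) }
    Remove-Item -LiteralPath $PsPath -Recurse -ErrorAction Stop
}
Write-Host "Deleted $PsPath. Step 7: restart and rescan with MBAM."
```
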
pskelley
2009-05-22, 10:52
Thanks for taking the time to let me know. Safe surfing.