Hi there,
good to know that there are no more infections! :thanks:
For some reason I have 2 combofix logs. I will post them both.
ComboFix 07-12-15.5 - L 2007-12-15 12:26:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.819 [GMT -5:00]
Running from: C:\Documents and Settings\L\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\L\My Documents\ASKS~1
C:\Documents and Settings\L\My Documents\CROSOF~1.NET
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\system32\pac.txt
.
((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.
2007-12-15 00:49 . 2007-12-15 12:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\L\Application Data\SUPERAntiSpyware.com
2007-12-15 00:49 . 2007-12-15 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 23:20 . 2007-12-13 23:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-13 20:34 . 2007-12-15 12:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-13 20:34 . 2007-12-13 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-13 19:48 . 2007-12-15 01:21 7,494 --ahs---- C:\WINDOWS\system32\gfhkj.ini2
2007-12-13 01:14 . 2007-12-13 08:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 23:42 . 2007-12-12 23:42 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-12 22:33 . 2007-12-15 00:42 917,260 ---hs---- C:\WINDOWS\system32\xesrieab.ini
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 00:29 . 2007-12-12 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-11 19:44 . 2007-12-13 00:10 <DIR> d-------- C:\VundoFix Backups
2007-12-10 22:37 . 2007-12-10 22:37 <DIR> d-------- C:\Documents and Settings\L\Application Data\SuperAdBlocker.com
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-10 22:36 . 2007-12-10 22:36 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2007-12-10 17:20 . 2007-12-10 17:20 858,824 --ahs---- C:\WINDOWS\system32\qvyyhgwq.ini
2007-12-10 16:19 . 2007-12-10 16:19 294 --ahs---- C:\WINDOWS\system32\uuudolji.ini
2007-12-10 00:36 . 2007-12-13 19:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-09 22:51 . 2007-12-10 12:33 512 --a------ C:\ScanSectorLog.dat
2007-12-09 20:10 . 2007-12-15 11:12 2,070 --a------ C:\rollback.ini
2007-12-09 20:06 . 2007-12-15 12:31 2,822,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-09 20:06 . 2007-12-15 12:30 40,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-09 20:06 . 2007-12-15 12:30 31,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-09 20:06 . 2007-12-15 12:30 4,028 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-09 20:04 . 2007-12-09 20:04 <DIR> d-------- C:\Documents and Settings\L\Application Data\MailFrontier
2007-12-09 19:42 . 2007-12-15 00:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-09 19:40 . 2007-12-15 12:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-07 23:57 . 2007-12-09 19:50 16 --a------ C:\WINDOWS\system32\coh.cache
2007-12-07 22:21 . 2007-12-09 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-07 21:00 . 2007-12-07 21:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-07 20:50 . 2007-12-13 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-07 20:47 . 2007-12-07 20:47 <DIR> d-------- C:\WINDOWS\system32\tdm2
2007-12-07 20:47 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-07 20:47 . 2007-12-08 14:30 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-07 20:46 . 2007-12-08 13:12 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-07 20:46 . 2007-12-15 12:28 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 05:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 02:51 1,203,447 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-11 12:37 96,571 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_11_00_37_27_small.dmp.zip
2007-12-10 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 22:15 --------- d-----w C:\Program Files\BitComet
2007-11-15 02:42 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2007-11-13 17:44 1,617,920 ----a-r C:\WINDOWS\system32\pdbox28.exe
2007-11-03 19:02 --------- d-----w C:\Program Files\SpookyManor_at
2007-11-01 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 20:41 1,536,000 ----a-r C:\WINDOWS\system32\clubbox.exe
2007-02-16 01:24 87,608 ----a-w C:\Documents and Settings\L\Application Data\ezpinst.exe
2007-02-16 01:24 47,360 ----a-w C:\Documents and Settings\L\Application Data\pcouffin.sys
2007-02-16 01:22 94,080 ----a-w C:\Documents and Settings\L\Application Data\ezplay.sys
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DF11C63-051F-4EEC-9BCE-8C5BA1EB71D1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6556CCAC-C1D5-4C24-A3DB-D54145F6225C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82E42D62-88C8-4ED4-91D5-0D50F577A337}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F38858FF-F237-437D-999C-068A62B52016}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 12:49]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS7012Utility"="C:\WINDOWS\system32\SiSAudUt.exe" [2001-11-21 06:39]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2001-12-13 11:27]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 18:56 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 20:30:47]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R2 TTDec;ATI WDM Teletext Decoder;C:\WINDOWS\system32\DRIVERS\ATINTTXX.sys
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 00:09:34 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 12:36:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-12-15 12:37:10 - machine was rebooted
ComboFix 09-01-13.04 - L 2009-01-14 17:47:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1248.936 [GMT -5:00]
Running from: c:\documents and settings\L\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\Autorun.inf
F:\resycled
f:\resycled\boot.com
.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.
2009-01-13 14:52 . 2009-01-13 14:52 <DIR> d-------- C:\rsit
2009-01-13 09:18 . 2009-01-13 09:18 <DIR> d-------- c:\documents and settings\L\Application Data\Malwarebytes
2009-01-13 09:18 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 09:17 . 2009-01-13 09:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 09:17 . 2009-01-13 09:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 09:17 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 19:26 . 2009-01-07 19:26 <DIR> d-------- c:\windows\Sun
2009-01-07 19:26 . 2009-01-07 19:25 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 19:26 . 2009-01-07 19:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-07 19:25 . 2009-01-07 19:25 <DIR> d-------- c:\program files\Java
2009-01-07 19:10 . 2009-01-07 19:10 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-07 19:10 . 2009-01-07 19:10 1,409 --a------ c:\windows\QTFont.for
2008-12-30 00:40 . 2008-12-30 00:40 1,626,112 -ra------ c:\windows\system32\clubbox.exe
2008-12-15 22:35 . 2009-01-03 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\NJStar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 22:49 33,741,600 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-14 22:49 1,768,480 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-14 22:19 455,144 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-14 22:19 169,520 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-14 16:31 55,849 ----a-w c:\windows\system32\fscflist.ini.tmp
2009-01-13 22:30 94,080 ----a-w c:\documents and settings\L\Application Data\ezplay.sys
2009-01-13 22:30 87,608 ----a-w c:\documents and settings\L\Application Data\ezpinst.exe
2009-01-13 22:30 47,360 ----a-w c:\documents and settings\L\Application Data\pcouffin.sys
2009-01-13 22:30 --------- d-----w c:\program files\BitComet
2009-01-13 22:30 --------- d-----w c:\documents and settings\L\Application Data\Vso
2009-01-13 22:22 --------- d-----w c:\program files\Slice N Hook
2009-01-12 20:53 24,419,387 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_12_15_51_31_full.dmp.zip
2009-01-11 15:55 44,484,230 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-06 02:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-06 02:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 02:11 --------- d-----w c:\program files\SpywareBlaster
2008-11-13 12:45 15,104 ----a-r c:\windows\system32\nowmemdf.sys
2008-11-13 12:36 155,648 ----a-r c:\windows\system32\downengine.dll
2008-08-14 00:14 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-14 00:14 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-14 00:14 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-14 00:14 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-14 00:14 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
2008-02-04 19:26 151,040 --sh--w c:\windows\system32\VistaUltm.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-15_12.32.49.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-17 06:00:00 2,504 ----a-w c:\windows\Downloaded Program Files\catalog.dat
+ 2007-01-17 06:00:00 1,957 ----a-w c:\windows\Downloaded Program Files\tinfl.dat
+ 2007-01-22 21:43:49 2,072 ----a-w c:\windows\Downloaded Program Files\vscanmsx.dat
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 13:00:00 89,504 ----a-w c:\windows\fdsv.exe
+ 2000-08-31 13:00:00 80,412 ----a-w c:\windows\grep.exe
+ 2008-09-06 02:17:19 81,920 ----a-r c:\windows\Installer\{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}\ARPPRODUCTICON.exe
- 2006-04-12 13:47:22 217,073 ----a-w c:\windows\meta4.exe
+ 2006-04-12 14:47:22 217,073 ----a-w c:\windows\meta4.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2006-09-18 02:22:05 2,722 ----a-w c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2000-08-31 13:00:00 98,816 ----a-w c:\windows\sed.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 136,704 ----a-w c:\windows\SWSC.exe
+ 2000-08-31 13:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe
+ 2001-08-23 12:00:00 2,000 ----a-w c:\windows\system\KEYBOARD.DRV
+ 2001-08-23 12:00:00 73,376 ----a-w c:\windows\system\MCIAVI.DRV
+ 2001-08-23 12:00:00 25,264 ----a-w c:\windows\system\MCISEQ.DRV
+ 2001-08-23 12:00:00 28,160 ----a-w c:\windows\system\MCIWAVE.DRV
+ 2001-08-23 12:00:00 2,032 ----a-w c:\windows\system\MOUSE.DRV
+ 2001-08-23 12:00:00 1,744 ----a-w c:\windows\system\SOUND.DRV
+ 2001-08-23 12:00:00 3,360 ----a-w c:\windows\system\SYSTEM.DRV
+ 2001-08-23 12:00:00 4,048 ----a-w c:\windows\system\TIMER.DRV
+ 2001-08-23 12:00:00 2,176 ----a-w c:\windows\system\VGA.DRV
+ 2001-08-23 12:00:00 13,600 ----a-w c:\windows\system\WFWNET.DRV
+ 2004-08-03 23:56:58 146,432 ----a-w c:\windows\system\WINSPOOL.DRV
+ 2008-08-06 20:22:02 114,688 ----a-w c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2008-08-06 20:30:48 202,168 ----a-w c:\windows\system32\Adobe\Director\swdir.dll
+ 2008-08-06 20:31:08 67,000 ----a-w c:\windows\system32\Adobe\Director\SwDnld.exe
+ 2008-08-06 20:22:42 499,712 ----a-w c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2008-08-06 19:45:40 1,798,144 ----a-w c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2008-08-06 20:22:44 9,216 ----a-w c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2008-08-06 19:35:52 706,048 ----a-w c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2008-08-06 19:35:52 1,145,896 ----a-w c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2008-08-06 19:35:52 52,288 ----a-w c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2008-08-06 19:42:04 892,928 ----a-w c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2008-08-06 19:35:52 54,656 ----a-w c:\windows\system32\Adobe\Shockwave 11\pccuapi.dll
+ 2008-08-06 20:21:14 266,240 ----a-w c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2008-08-06 20:24:14 446,464 ----a-w c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2008-08-06 20:30:30 447,928 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwHelper_1100465.exe
+ 2008-08-06 20:24:56 114,688 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2008-08-06 20:21:04 94,208 ----a-w c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2008-08-06 19:35:52 50,808 ----a-w c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 1999-06-25 14:55:30 149,504 ----a-w c:\windows\system32\Adobe\Shockwave 11\UNWISE.EXE
+ 2001-08-23 12:00:00 10,544 ----a-w c:\windows\system32\comm.drv
+ 2004-08-04 00:07:22 1,788 ----a-w c:\windows\system32\Dcache.bin
+ 2001-08-23 12:00:00 2,000 -c--a-w c:\windows\system32\dllcache\keyboard.drv
+ 2001-08-23 12:00:00 2,560 -c--a-w c:\windows\system32\dllcache\lz32.dll
+ 2001-08-23 12:00:00 73,376 -c--a-w c:\windows\system32\dllcache\mciavi.drv
+ 2001-08-23 12:00:00 25,264 -c--a-w c:\windows\system32\dllcache\mciseq.drv
+ 2001-08-23 12:00:00 28,160 -c--a-w c:\windows\system32\dllcache\mciwave.drv
+ 2001-08-23 12:00:00 2,032 -c--a-w c:\windows\system32\dllcache\mouse.drv
+ 2001-08-23 12:00:00 2,944 -c--a-w c:\windows\system32\dllcache\null.sys
+ 2001-08-23 12:00:00 1,744 -c--a-w c:\windows\system32\dllcache\sound.drv
+ 2001-08-23 12:00:00 3,360 -c--a-w c:\windows\system32\dllcache\system.drv
+ 2001-08-23 12:00:00 4,048 -c--a-w c:\windows\system32\dllcache\timer.drv
+ 2001-08-23 12:00:00 2,176 -c--a-w c:\windows\system32\dllcache\vga.drv
+ 2001-08-23 12:00:00 13,600 -c--a-w c:\windows\system32\dllcache\wfwnet.drv
+ 2001-08-23 12:00:00 2,864 -c--a-w c:\windows\system32\dllcache\winsock.dll
+ 2004-08-03 23:56:58 146,432 -c--a-w c:\windows\system32\dllcache\winspool.drv
+ 2001-08-23 12:00:00 2,112 -c--a-w c:\windows\system32\dllcache\winspool.exe
+ 2001-08-23 12:00:00 2,736 -c--a-w c:\windows\system32\dllcache\wowdeb.exe
+ 2006-05-19 21:16:24 2,432 ------w c:\windows\system32\drivers\cdr4_xp.sys
+ 2006-05-19 21:16:24 2,560 ------w c:\windows\system32\drivers\cdralw2k.sys
+ 2004-08-03 23:07:58 2,944 ----a-w c:\windows\system32\drivers\drmkaud.sys
+ 2001-08-17 14:00:04 2,944 ----a-w c:\windows\system32\drivers\msmpu401.sys
+ 2001-08-23 12:00:00 2,944 ----a-w c:\windows\system32\drivers\null.sys
- 2007-04-13 10:06:40 159,744 ----a-r c:\windows\system32\fscagent.exe
+ 2008-02-25 16:24:40 159,744 ----a-r c:\windows\system32\fscagent.exe
+ 2009-01-08 00:25:51 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-08 00:25:51 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-08 00:25:51 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2001-08-23 12:00:00 2,000 ----a-w c:\windows\system32\keyboard.drv
+ 2001-08-23 12:00:00 221,600 ----a-w c:\windows\system32\lanman.drv
+ 2001-08-23 12:00:00 2,560 ----a-w c:\windows\system32\lz32.dll
+ 2008-03-15 03:31:26 57,344 ----a-w c:\windows\system32\Macromed\Common\SwSupport.dll
+ 2008-03-24 23:32:46 218,496 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-03-25 03:21:18 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-09-03 01:53:26 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-03-15 03:29:22 581,632 ----a-w c:\windows\system32\Macromed\Shockwave 10\Control.dll
+ 2008-03-15 03:12:30 1,490,944 ----a-w c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll
+ 2008-03-15 03:29:58 24,576 ----a-w c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll
+ 2008-03-15 03:10:06 606,208 ----a-w c:\windows\system32\Macromed\Shockwave 10\iml32X.dll
+ 2008-03-15 03:28:48 339,968 ----a-w c:\windows\system32\Macromed\Shockwave 10\Plugin.dll
+ 2008-03-15 03:28:56 475,136 ----a-w c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll
+ 2008-03-15 03:21:52 180,224 ----a-w c:\windows\system32\Macromed\Shockwave 10\Proj.dll
+ 2008-03-15 03:31:28 77,824 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwInit.exe
+ 2008-03-15 15:38:08 86,016 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll
+ 2008-03-15 03:31:28 98,304 ----a-w c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll
+ 2001-08-23 12:00:00 73,376 ----a-w c:\windows\system32\mciavi.drv
+ 2001-08-23 12:00:00 25,264 ----a-w c:\windows\system32\mciseq.drv
+ 2001-08-23 12:00:00 28,160 ----a-w c:\windows\system32\mciwave.drv
+ 2001-08-23 12:00:00 2,032 ----a-w c:\windows\system32\mouse.drv
+ 2001-08-23 12:00:00 20,480 ----a-w c:\windows\system32\msacm32.drv
+ 2004-08-03 23:56:58 188,416 ----a-w c:\windows\system32\msh261.drv
+ 2004-08-04 00:05:44 294,912 ----a-w c:\windows\system32\msh263.drv
+ 2001-08-23 12:00:00 2,656 ----a-w c:\windows\system32\netware.drv
- 2007-11-13 17:44:42 1,617,920 ----a-r c:\windows\system32\pdbox28.exe
+ 2008-02-28 10:57:34 1,622,016 ----a-r c:\windows\system32\pdbox28.exe
- 2007-10-28 20:09:56 40,196 ----a-w c:\windows\system32\perfc009.dat
+ 2008-10-26 21:06:51 40,196 ----a-w c:\windows\system32\perfc009.dat
- 2007-10-28 20:09:56 311,934 ----a-w c:\windows\system32\perfh009.dat
+ 2008-10-26 21:06:51 311,934 ----a-w c:\windows\system32\perfh009.dat
- 2007-05-14 19:24:30 394,240 ----a-w c:\windows\system32\Smab.dll
+ 2007-11-13 14:31:46 399,360 ----a-w c:\windows\system32\Smab.dll
+ 2001-08-23 12:00:00 1,744 ----a-w c:\windows\system32\sound.drv
+ 2001-08-23 12:00:00 3,360 ----a-w c:\windows\system32\system.drv
+ 2001-08-23 12:00:00 4,048 ----a-w c:\windows\system32\timer.drv
+ 2001-08-23 12:00:00 2,176 ----a-w c:\windows\system32\vga.drv
+ 2004-08-04 00:05:44 23,552 ----a-w c:\windows\system32\wdmaud.drv
+ 2001-08-23 12:00:00 13,600 ----a-w c:\windows\system32\wfwnet.drv
+ 2001-08-23 12:00:00 2,864 ----a-w c:\windows\system32\winsock.dll
+ 2004-08-03 23:56:58 146,432 ----a-w c:\windows\system32\winspool.drv
+ 2001-08-23 12:00:00 2,112 ----a-w c:\windows\system32\winspool.exe
+ 2001-08-23 12:00:00 2,736 ----a-w c:\windows\system32\wowdeb.exe
- 2007-12-15 05:32:45 4,212 ---h--w c:\windows\system32\zllictbl.dat
+ 2009-01-10 17:12:53 4,212 ---h--w c:\windows\system32\zllictbl.dat
- 2007-12-15 17:15:36 246,796 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-01-14 22:43:08 299,492 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-01-08 19:30:04 153,240 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-05-12 23:26:34 152,976 ----a-w c:\windows\system32\ZoneLabs\lib\licenseui.zip.dll
- 2007-12-10 01:10:38 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
+ 2007-12-26 18:09:19 714,208 ----a-w c:\windows\system32\ZoneLabs\qrbase.dll
- 2007-12-10 01:10:38 787,936 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
+ 2007-12-26 18:09:19 792,032 ----a-w c:\windows\system32\ZoneLabs\qrsrecl.dll
- 2007-12-15 05:37:16 7,139,599 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-01-13 16:00:25 10,707,916 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
- 2007-12-10 01:10:43 6,463,239 ----a-w c:\windows\system32\ZoneLabs\spyware0.dat
+ 2009-01-10 18:00:49 10,696,658 ----a-w c:\windows\system32\ZoneLabs\spyware0.dat
- 2007-12-10 01:10:38 1,500,640 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
+ 2007-12-26 18:09:19 1,504,736 ----a-w c:\windows\system32\ZoneLabs\srescan.dll
- 2007-12-10 01:10:38 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
+ 2007-12-26 18:09:19 51,176 ----a-w c:\windows\system32\ZoneLabs\srescan.sys
- 2007-12-13 05:37:43 8,824,832 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-04-08 03:12:32 8,953,856 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2009-01-14 22:20:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a4.dat
+ 2008-05-01 21:02:56 2,546 ----a-w c:\windows\unins000.dat
+ 2008-05-01 20:55:18 691,545 ----a-w c:\windows\unins000.exe
+ 2000-08-31 13:00:00 49,152 ----a-w c:\windows\VFIND.exe
+ 2000-08-31 13:00:00 68,096 ----a-w c:\windows\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-08 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS7012Utility"="c:\windows\system32\SiSAudUt.exe" [2001-11-21 294912]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 919280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 c:\windows\system32\narrator.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-05 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.uyvy"= c:\windows\system32\msyuv.DLL
"vidc.yuy2"= ATIVYUY.DLL
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"MSACM.MI-SC4"= MI-SC4.acm
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SiS KHooker"=c:\windows\system32\khooker.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 51440]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2006-09-17 165760]
R4 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2006-09-17 13824]
S1 DW;DW; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2006-10-17 10368]
.
Contents of the 'Scheduled Tasks' folder
2009-01-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-22 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
c:\windows\DownUpdater.exe - c:\windows\Downloaded Program Files\NowStarter.ocx
O16 -: {072039AB-2117-4ED5-A85F-9B9EB903E021}
hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
c:\windows\Downloaded Program Files\NowStarter.inf
FF - ProfilePath - c:\documents and settings\L\Application Data\Mozilla\Firefox\Profiles\cv2hil3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 17:49:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1960408961-1417001333-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-14 17:52:03
ComboFix-quarantined-files.txt 2009-01-14 22:52:00
ComboFix2.txt 2007-12-16 04:08:14
Pre-Run: 7,985,745,920 bytes free
Post-Run: 8,192,135,168 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
DDS (Ver_09-07-30.01) - NTFSx86
Run by L at 20:49:11.85 on Thu 09/17/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1248.857 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SiSAudUt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\L\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - IeCatch5 Class
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f156768e-81ef-470c-9057-481ba8380dba} - gFlash Class
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SiS7012Utility] c:\windows\system32\SiSAudUt.exe -wdm
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\l\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: clubbox.co.kr
Trusted Zone: spybot.info\forums
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252612289843
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\l\applic~1\mozilla\firefox\profiles\cv2hil3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-15 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-12-9 394952]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [2006-9-17 13824]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2006-9-17 165760]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 dwusbdnt;dwusbdnt;c:\windows\system32\drivers\dwusbdnt.sys [2006-10-18 10368]
=============== Created Last 30 ================
2009-09-15 18:53 <DIR> --d----- c:\program files\ESET
2009-09-14 13:25 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-14 12:24 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-14 12:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-14 12:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-14 12:23 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-14 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-14 12:21 <DIR> --d----- c:\program files\AVG
2009-09-14 12:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-14 11:47 <DIR> --d----- c:\docume~1\l\applic~1\AVG8
2009-09-10 18:07 221,184 a------- c:\windows\system32\wmpns.dll
2009-09-10 18:04 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-10 17:30 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-10 17:30 2,180,480 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-10 17:30 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-10 17:30 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-10 17:22 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-10 15:57 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-09-10 15:57 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-09-10 15:56 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-10 15:56 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-09-10 15:52 23,576 a------- c:\windows\system32\wuapi.dll.mui
==================== Find3M ====================
2009-09-17 20:49 20,516,640 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-17 13:02 280,784 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-09-12 12:49 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-26 12:21 34,300 a------- c:\windows\system32\fscflist.ini.tmp
2009-07-19 21:33 167,936 a------- c:\windows\system32\fscagent.exe
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 15:28 640,240 a------- c:\windows\system32\NowUpdate.exe
2009-07-03 02:34 46,866 a------- c:\windows\system32\clubboxuninstall.exe
2009-07-01 22:53 1,626,112 a------- c:\windows\system32\clubbox.exe
2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 12:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-01-13 18:30 87,608 a------- c:\docume~1\l\applic~1\ezpinst.exe
2009-01-13 18:30 94,080 a------- c:\docume~1\l\applic~1\ezplay.sys
2009-01-13 18:30 47,360 a------- c:\docume~1\l\applic~1\pcouffin.sys
2006-05-03 06:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 07:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 09:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2008-02-04 15:26 151,040 ---sh--- c:\windows\system32\VistaUltm.dll
============= FINISH: 20:50:20.79 ===============
Hi,
Clean out all your temp files and all other unneeded garbage.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Close any open windows.
Double-click the TFC icon to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
Do that Defrag you mentioned. As far as trying to sort out what's starting, I am linking you to a Windows support site; those guys work with those issues, as we just do malware removal on this one.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
You can install Spybot Search and Destroy, but leave the TeaTimer disabled, as the TeaTimer will conflict with SpywareBlaster.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind, if you install some of these programs: only ONE Anti-Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates / Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended), then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run; just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
Safe Surfn
Ken