Can't get rid of kagevizu.dll

[J.L.C.]

After an infection a few weeks ago that eventually lead to a new Windows install, I'm now hyper-paranoid.

I keep finding an instance of kagevizu.dll in \Windows\System32

I have run SUPERAntiSpyware Professional a few times, it finds the dll, I choose to delete it, reboot and it's there again on the next scan..

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:24 PM, on 5/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\NOD32\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
F:\Sygate\smc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
F:\NOD32\nod32kui.exe
F:\Adobe\Acrobat\Distillr\Acrotray.exe
D:\WINDOWS\system32\DeltaIITray.exe
F:\Open VPN\bin\openvpn-gui.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\WINDOWS\vsnpstd3.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
F:\Atomic Alarm Clock\AtomicAlarmClock.exe
F:\SuperAnitSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
F:\Palm\Palm Desktop\HOTSYNC.EXE
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
F:\Firefox\firefox.exe
F:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Snag-It\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ce66458-0e88-4668-8bfd-fed718e3cdd1} - D:\WINDOWS\system32\begujuru.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Snag-It\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] F:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] D:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] D:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [openvpn-gui] F:\Open VPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [snpstd3] D:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SkinClock] F:\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SuperAnitSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: HotSync Manager.lnk = F:\Palm\Palm Desktop\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\wosuyuwi.dll d:\windows\system32\kagevizu.dll
O20 - Winlogon Notify: !SASWinLogon - F:\SuperAnitSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - F:\Open VPN\bin\openvpnserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Sygate\smc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 7412 bytes

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• See this Link for programs that need to be disabled and instruction on how to disable them.
• Remember to re-enable them when we're done.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/comb...o-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

Thanks

[pskelley]

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

[J.L.C.]

Some updates:

SUPERAnitspyware is still seeing kagevizu.dll

Here is my ComboFix log:

ComboFix 09-05-18.02 - Reggie 05/19/2009 2:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.655 [GMT -4:00]
Running from: d:\documents and settings\Reggie\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall Pro *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-11 17:43 . 2009-05-12 00:06 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-11 16:30 . 2008-04-14 05:42 1033728 ----a-w d:\windows\explorer.exe
2009-05-11 16:04 . 2009-05-11 16:04 -------- d--h--w d:\windows\PIF
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com
2009-05-11 15:23 . 2009-05-11 15:23 -------- d-----w d:\windows\ERUNT
2009-05-11 15:20 . 2009-05-11 15:30 -------- d-----w D:\SDFix
2009-05-11 03:33 . 2009-05-11 03:33 -------- d-----w d:\program files\MSXML 4.0
2009-05-10 19:34 . 2009-05-10 19:34 2975 ----a-w d:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-05-10 19:31 . 2009-05-10 19:31 1845 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Update ID Tag.dat
2009-05-10 19:31 . 2009-05-10 19:31 2059 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Tag From Filename.dat
2009-05-10 19:29 . 2009-05-10 19:29 36579 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-05-10 19:29 . 2009-05-10 19:34 515760 ----a-w d:\windows\system32\SpoonUninstall.exe
2009-05-10 19:04 . 2009-05-10 19:04 -------- d-----w d:\documents and settings\Reggie\Application Data\Nero
2009-05-10 18:56 . 2009-05-10 18:56 -------- d-----w d:\program files\Windows Sidebar
2009-05-10 18:52 . 2009-05-10 18:53 -------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-05-10 18:52 . 2009-05-10 19:00 -------- d-----w d:\program files\Common Files\Nero
2009-05-10 00:40 . 2008-04-14 04:09 5504 -c--a-w d:\windows\system32\dllcache\mstee.sys
2009-05-10 00:40 . 2008-04-14 04:09 5504 ----a-w d:\windows\system32\drivers\MSTEE.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 -c--a-w d:\windows\system32\dllcache\ndisip.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 ----a-w d:\windows\system32\drivers\NdisIP.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 -c--a-w d:\windows\system32\dllcache\streamip.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 ----a-w d:\windows\system32\drivers\StreamIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 -c--a-w d:\windows\system32\dllcache\slip.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 ----a-w d:\windows\system32\drivers\SLIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 -c--a-w d:\windows\system32\dllcache\ccdecode.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 ----a-w d:\windows\system32\drivers\CCDECODE.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 -c--a-w d:\windows\system32\dllcache\wstcodec.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 ----a-w d:\windows\system32\drivers\WSTCODEC.SYS
2009-05-10 00:39 . 2008-04-14 04:16 85248 -c--a-w d:\windows\system32\dllcache\nabtsfec.sys
2009-05-10 00:39 . 2008-04-14 04:16 85248 ----a-w d:\windows\system32\drivers\NABTSFEC.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 -c--a-w d:\windows\system32\dllcache\usbaudio.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 ----a-w d:\windows\system32\drivers\USBAUDIO.sys
2009-05-10 00:39 . 2008-04-14 09:42 53760 -c--a-w d:\windows\system32\dllcache\vfwwdm32.dll
2009-05-10 00:39 . 2008-04-14 09:42 53760 ----a-w d:\windows\system32\vfwwdm32.dll
2009-05-10 00:35 . 2006-09-19 13:07 827392 ----a-w d:\windows\vsnpstd3.exe
2009-05-10 00:35 . 2006-02-07 00:19 8410880 ----a-w d:\windows\system32\drivers\snpstd3.sys
2009-05-10 00:35 . 2005-12-23 21:17 53248 ----a-w d:\windows\vsnpstd3.dll
2009-05-10 00:35 . 2006-01-10 21:02 147456 ----a-w d:\windows\system32\rsnpstd3.dll
2009-05-10 00:35 . 2005-11-23 17:55 53248 ----a-w d:\windows\system32\csnpstd3.dll
2009-05-10 00:35 . 2004-12-08 22:40 20480 ----a-w d:\windows\usnpstd3.exe
2009-05-10 00:35 . 2009-05-10 00:35 -------- d-----w d:\program files\Common Files\snpstd3
2009-05-08 22:37 . 2009-05-08 23:33 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Paint.NET
2009-05-08 03:28 . 2009-05-08 03:28 -------- d-sh--w d:\documents and settings\Reggie\IECompatCache
2009-05-08 03:26 . 2009-05-08 03:26 -------- d-sh--w d:\documents and settings\Reggie\PrivacIE
2009-05-06 21:15 . 2009-05-06 21:15 -------- d-sh--w d:\documents and settings\Reggie\IETldCache
2009-05-06 21:05 . 2009-05-06 21:05 -------- d-----w d:\windows\ie8updates
2009-05-06 21:05 . 2009-02-28 04:55 105984 -c----w d:\windows\system32\dllcache\iecompat.dll
2009-05-06 21:05 . 2009-05-06 21:05 -------- dc-h--w d:\windows\ie8
2009-05-06 20:55 . 2009-05-06 21:12 -------- d-----w d:\windows\SxsCaPendDel
2009-05-06 15:42 . 2009-05-06 15:43 -------- d-----w d:\documents and settings\Reggie\Application Data\YouSendIt
2009-05-05 04:10 . 2009-05-05 04:10 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\WMTools Downloaded Files
2009-05-03 04:45 . 2009-05-03 04:45 -------- d-----w d:\documents and settings\All Users\Application Data\TechSmith
2009-05-03 01:40 . 2001-12-27 14:59 57552 ----a-w d:\windows\system32\WKDOS.EXE
2009-05-03 01:40 . 2001-12-27 14:59 29696 ----a-w d:\windows\system32\drivers\Wibukey2.sys
2009-05-03 01:40 . 2001-12-27 14:59 67072 ----a-w d:\windows\system32\drivers\Wibukey.sys
2009-05-03 01:40 . 2001-12-27 14:59 139264 ----a-w d:\windows\system32\WkWin32.dll
2009-05-03 01:40 . 2001-12-27 14:59 52736 ----a-w d:\windows\system\WkWin.dll
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBU-SYSTEMS
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBUKEY
2009-05-03 01:40 . 2004-03-01 22:53 37760 ----a-w d:\windows\system32\drivers\P2k.sys
2009-05-03 01:40 . 2004-03-08 14:18 77895 ----a-w d:\windows\system32\unibus_tcutil.dll
2009-05-03 01:40 . 2009-05-08 05:40 -------- d-----w d:\program files\Motorola
2009-05-03 01:06 . 2008-04-14 04:15 32128 -c--a-w d:\windows\system32\dllcache\usbccgp.sys
2009-05-03 01:06 . 2008-04-14 04:15 32128 ----a-w d:\windows\system32\drivers\usbccgp.sys
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\MSBuild
2009-05-02 23:46 . 2009-05-06 20:55 -------- d-----w d:\windows\system32\XPSViewer
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\Reference Assemblies
2009-05-02 23:45 . 2006-06-29 17:07 14048 ------w d:\windows\system32\spmsg2.dll
2009-05-02 17:20 . 2008-04-14 04:15 26112 -c--a-w d:\windows\system32\dllcache\usbser.sys
2009-05-02 17:20 . 2008-04-14 04:15 26112 ----a-w d:\windows\system32\drivers\usbser.sys
2009-05-02 17:20 . 2007-10-10 20:41 42112 ----a-w d:\windows\system32\drivers\motodrv.sys
2009-05-02 16:50 . 2009-05-02 16:50 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\BVRP Software
2009-05-02 16:42 . 2009-05-02 17:13 -------- d-----w d:\program files\Avanquest update
2009-05-02 16:41 . 2007-06-18 18:18 23680 ----a-w d:\windows\system32\drivers\motmodem.sys
2009-05-02 16:41 . 2006-11-13 18:45 1419232 ----a-w d:\windows\system32\wdfcoinstaller01005.dll
2009-05-02 16:41 . 2009-05-08 05:41 -------- dc----w d:\windows\system32\DRVSTORE
2009-05-02 16:40 . 2009-05-08 05:47 -------- d-----w d:\program files\Common Files\Motorola Shared
2009-05-02 16:40 . 2009-05-02 17:09 -------- d-----w d:\documents and settings\All Users\Application Data\BVRP Software
2009-05-01 02:58 . 2009-05-01 02:58 -------- d-----w d:\documents and settings\Reggie\WINDOWS
2009-04-30 21:12 . 2009-04-30 21:12 -------- d-----w d:\windows\system32\NtmsData
2009-04-30 21:11 . 2008-04-14 04:15 26368 -c--a-w d:\windows\system32\dllcache\usbstor.sys
2009-04-28 04:50 . 2009-04-28 04:50 -------- d-----w d:\program files\Microsoft Hardware
2009-04-27 23:57 . 2009-04-27 23:57 -------- d-----w d:\documents and settings\Reggie\Application Data\LEAPS
2009-04-27 23:45 . 2001-08-18 02:36 5632 ----a-w d:\windows\system32\ptpusb.dll
2009-04-27 23:45 . 2008-04-14 09:42 159232 ----a-w d:\windows\system32\ptpusd.dll
2009-04-27 23:45 . 2008-04-14 04:15 15104 -c--a-w d:\windows\system32\dllcache\usbscan.sys
2009-04-27 23:45 . 2008-04-14 04:15 15104 ----a-w d:\windows\system32\drivers\usbscan.sys
2009-04-27 23:32 . 2009-04-27 23:32 -------- d-----w d:\documents and settings\Reggie\Application Data\Pegasys Inc
2009-04-27 19:59 . 2009-04-27 19:59 -------- d-----w d:\documents and settings\Reggie\.spss
2009-04-27 14:54 . 2008-10-16 18:06 208744 ----a-w d:\windows\system32\muweb.dll
2009-04-27 14:54 . 2008-10-16 18:06 268648 ----a-w d:\windows\system32\mucltui.dll
2009-04-27 07:21 . 2009-04-27 07:21 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Help
2009-04-27 07:04 . 2003-03-16 04:15 90112 ----a-w d:\windows\unvise32.exe
2009-04-27 06:57 . 2009-04-27 06:57 2328704 ----a-w d:\windows\system32\TUKernel.exe
2009-04-27 06:20 . 2008-11-24 11:19 27904 ----a-w d:\windows\system32\uxtuneup.dll
2009-04-27 06:20 . 2009-04-27 06:20 362240 ----a-w d:\windows\system32\TuneUpDefragService.exe
2009-04-27 06:17 . 2009-04-27 06:20 603904 ----a-w d:\windows\system32\TUProgSt.exe
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\Reggie\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:20 -------- d-----w d:\program files\TuneUp Utilities 2009
2009-04-27 06:10 . 2009-04-27 06:10 -------- d-sh--w d:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-27 05:53 . 2009-05-06 15:42 -------- d-----w d:\windows\Downloaded Installations
2009-04-27 03:45 . 2009-04-27 03:45 -------- d-----w d:\windows\system32\LogFiles
2009-04-27 03:11 . 2002-07-27 02:24 790528 ------w d:\windows\system32\FreeImageX.dll
2009-04-27 03:11 . 1999-01-04 20:32 10752 ------w d:\windows\system32\xtimers.dll
2009-04-27 03:11 . 1996-01-31 04:00 92160 ------w d:\windows\system32\MSO5ENU.DLL
2009-04-27 03:11 . 2003-03-26 16:22 196608 ------w d:\windows\system32\PitchPC.exe
2009-04-27 03:11 . 2002-05-20 16:50 26624 ------w d:\windows\system32\WebRequest.exe
2009-04-27 03:11 . 2003-05-15 19:59 49152 ------w d:\windows\system32\qsheetc.dll
2009-04-27 02:44 . 2007-12-24 17:47 7680 ----a-w d:\windows\system32\ff_vfw.dll
2009-04-27 02:44 . 2007-11-29 16:52 60273 ----a-w d:\windows\system32\pthreadGC2.dll
2009-04-27 02:38 . 2009-04-27 02:38 -------- d-----w d:\windows\DvzCommon
2009-04-27 02:30 . 2009-04-27 02:31 -------- d-----w d:\documents and settings\Reggie\Application Data\EndNote
2009-04-27 02:23 . 2008-03-03 17:13 12296 ----a-w d:\windows\system32\deltaIICoIn.dll
2009-04-27 02:23 . 2008-03-03 17:13 236040 ----a-w d:\windows\system32\DeltaIITray.exe
2009-04-27 02:23 . 2008-03-03 17:13 739848 ----a-w d:\windows\system32\DeltaIICpl.exe
2009-04-27 02:23 . 2008-03-03 17:13 302728 ----a-w d:\windows\system32\drivers\deltaII.sys
2009-04-27 02:23 . 2008-03-03 17:13 21000 ----a-w d:\windows\system32\DeltaIIpnl.dll
2009-04-27 02:23 . 2008-03-03 17:13 25096 ----a-w d:\windows\system32\deltaIIasio.dll
2009-04-27 02:23 . 2008-03-03 17:13 2513432 ----a-w d:\windows\system32\pcifmdio.dll
2009-04-27 02:19 . 2009-04-27 02:19 -------- d-----w d:\program files\M-Audio
2009-04-27 02:19 . 2009-04-27 02:19 -------- d-----w d:\documents and settings\Reggie\Application Data\InstallShield
2009-04-27 02:09 . 2000-03-29 14:17 5824 ----a-w d:\windows\system32\drivers\ASUSHWIO.SYS
2009-04-27 01:57 . 2009-04-27 01:57 -------- d-----w d:\documents and settings\Reggie\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 02:45 . 2009-04-26 17:24 21480 ----a-w d:\documents and settings\Reggie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 16:26 . 2009-04-26 18:06 -------- d-----w d:\program files\Common Files\PC Tools
2009-05-11 15:46 . 2009-04-26 17:51 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-05-10 00:34 . 2009-04-26 17:31 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-26 21:51 . 2009-04-26 17:33 -------- d-----w d:\program files\Common Files\Adobe
2009-04-26 21:42 . 2008-04-14 12:42 218624 ----a-w d:\windows\system32\uxtheme.dll
2009-04-26 19:58 . 2009-04-26 19:58 -------- d-----w d:\program files\microsoft frontpage
2009-04-26 19:55 . 2009-04-26 19:55 21640 ----a-w d:\windows\system32\emptyregdb.dat
2009-04-26 19:55 . 2009-04-26 19:55 -------- d-----w d:\program files\Windows Media Connect 2
2009-04-26 18:33 . 2009-04-26 18:33 -------- d-----w d:\program files\Common Files\i4j_jres
2009-04-26 18:27 . 2009-04-26 18:27 0 ----a-w d:\windows\nsreg.dat
2009-04-26 17:46 . 2009-04-26 17:47 512096 ----a-w d:\windows\system32\drivers\amon.sys
2009-04-26 17:46 . 2009-04-26 17:47 298104 ----a-w d:\windows\system32\imon.dll
2009-04-26 17:46 . 2009-04-26 17:47 15424 ----a-w d:\windows\system32\drivers\nod32drv.sys
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\NVIDIA Corporation
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\Common Files\NVIDIA Shared
2009-04-26 17:23 . 2009-04-26 17:23 8 ----a-w d:\windows\system32\nvModes.dat
2009-03-17 01:42 . 2009-03-17 01:42 524288 ----a-w d:\windows\opuc.dll
2009-03-08 08:34 . 2009-01-12 02:43 914944 ----a-w d:\windows\system32\wininet.dll
2009-03-08 08:34 . 2009-01-12 02:43 43008 ----a-w d:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2009-01-12 02:43 18944 ----a-w d:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-04-14 12:42 420352 ----a-w d:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2009-01-12 02:43 72704 ----a-w d:\windows\system32\admparse.dll
2009-03-08 08:32 . 2009-01-12 02:43 71680 ----a-w d:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2009-01-12 02:43 34816 ----a-w d:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2009-01-12 02:43 48128 ----a-w d:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2009-01-12 02:43 45568 ----a-w d:\windows\system32\mshta.exe
2009-03-08 08:22 . 2009-01-12 02:43 156160 ----a-w d:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-04-14 12:42 284160 ----a-w d:\windows\system32\pdh.dll
.

------- Sigcheck -------

[-] 2009-01-12 02:44 1614848 362BC5AF8EAF712832C58CC13AE05750 d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SkinClock"="f:\atomic alarm clock\AtomicAlarmClock.exe" [2008-09-24 527360]
"SUPERAntiSpyware"="f:\superanitspyware\SUPERAntiSpyware.exe" [2009-05-11 1830128]
"SpybotSD TeaTimer"="f:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="d:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 131072]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"nod32kui"="f:\nod32\nod32kui.exe" [2009-04-26 949376]
"SmcService"="f:\sygate\smc.exe" [2005-09-27 2635472]
"Acrobat Assistant 7.0"="f:\adobe\Acrobat\Distillr\Acrotray.exe" [2004-12-14 483328]
"M-Audio Taskbar Icon"="d:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"DeltaIITaskbarApp"="d:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"openvpn-gui"="f:\open vpn\bin\openvpn-gui.exe" [2005-08-18 99328]
"snpstd3"="d:\windows\vsnpstd3.exe" [2006-09-19 827392]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

d:\documents and settings\Reggie\Start Menu\Programs\Startup\
HotSync Manager.lnk - f:\palm\Palm Desktop\HOTSYNC.EXE [2004-4-13 299008]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-26 25214]
DataViz Messenger.lnk - d:\windows\DvzCommon\DvzMsgr.exe [2009-4-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\superanitspyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="d:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w f:\superanitspyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CPM033a0027"=Rundll32.exe "d:\windows\system32\kagevizu.dll",a

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\SPSS16\\spss.exe"=
"f:\\SPSS16\\spss.com"=
"f:\\SPSS16\\SPSSWinWrapIDE.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;d:\windows\system32\drivers\SI3112r.sys [4/21/2003 9:49 AM 85333]
R0 SiWinAcc;SiWinAcc;d:\windows\system32\drivers\SiWinAcc.sys [2/25/2003 6:08 AM 9600]
R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [4/26/2009 1:47 PM 15424]
R1 SASDIFSV;SASDIFSV;f:\superanitspyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;f:\superanitspyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;d:\windows\system32\TUProgSt.exe [4/27/2009 2:17 AM 603904]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);d:\windows\system32\drivers\deltaII.sys [4/26/2009 10:23 PM 302728]
R3 SASENUM;SASENUM;f:\superanitspyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 tap0801;TAP-Win32 Adapter V8;d:\windows\system32\drivers\tap0801.sys [6/23/2004 10:54 PM 23552]
S0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 MotDev;Motorola Inc. USB Device;d:\windows\system32\drivers\motodrv.sys [5/2/2009 1:20 PM 42112]
S3 TfNetMon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S4 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 d:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-04 14:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Convert link target to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\micros~1\OFFICE11\EXCEL.EXE/3000
LSP: d:\windows\system32\imon.dll
FF - ProfilePath - d:\documents and settings\Reggie\Application Data\Mozilla\Firefox\Profiles\an0b03se.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: f:\adobe\Acrobat\Acrobat\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 02:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="d:\\WINDOWS\\SYSTEM32\\KAGEVIZU.DLL"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
f:\superanitspyware\SASWINLO.dll
d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(1116)
d:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2540)
d:\windows\system32\webcheck.dll
d:\windows\system32\IEFRAME.dll
d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
d:\windows\system32\msi.dll
d:\windows\system32\SSSensor.dll
f:\atomic alarm clock\Clock.dll
d:\windows\system32\msls31.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-05-19 2:45
ComboFix-quarantined-files.txt 2009-05-19 06:45
ComboFix2.txt 2009-05-19 06:35

Pre-Run: 14,321,766,400 bytes free
Post-Run: 14,311,112,704 bytes free

313 --- E O F --- 2009-05-11 03:33


and the HijackThis Unistall list:

Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Flash Player 10 Plugin
Atomic Alarm Clock 5.85
Avanquest update
BitPim 1.0.3
Choice Guard
Critical Update for Windows Media Player 11 (KB959772)
dBpoweramp FLAC Codec
dBpowerAMP Music Converter
dBpowerAMP Tag From Filename
dBpowerAMP Update ID Tag
Delta
Documents To Go
DVDFab Ghosthunter release 5.2.3.2
Dynex Webcam
EndNote X.0.2 Volume License Edition
ERUNT 1.1j
ffdshow [rev 1723] [2007-12-24]
FLAC 1.2.1b (remove only)
Flash&Backup
GoldWave v5.14
Guitar Pro 5.2
Handmark® Tetris Classic(TM) Game Pak for Palm OS
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Image Resizer Powertoy for Windows XP
ISI ResearchSoft - Export Helper
Java Adapter for Mobile
KeySuite (TM)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Motorola Driver Installation 3.7.0
Motorola Phone Tools
Motorola PST
Motorola Software Update
Mozilla Firefox (3.0.10)
MSVCRT
MSXML 4.0 SP2 (KB954430)
Nero 9
neroxml
NOD32 antivirus system
NVIDIA Drivers
NvMixer
OpenVPN 2.0.5-gui-1.0.3
Paint.NET v3.36
Palm Desktop
Quickoffice
RadioComm v11.0.3
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
SnagIt 8
SPSS 16.0 for Windows
Spybot - Search & Destroy
SUPERAntiSpyware Professional
Sygate Personal Firewall Pro
TMPGEnc 4.0 XPress
TuneUp Utilities 2009
UltraUXThemePatcher
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Vuze
WIBU-KEY Setup (WIBU-KEY Remove)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
WinZip
YouSendIt Express

[pskelley]

SUPERAnitspyware is still seeing kagevizu.dll

I do not use SUPERAnitspyware and know little about it. You might ask questions about that program at one of these:
http://www.google.com/search?hl=en&e...+forum&spell=1

Just exactly where does SAS say the file is located? You said you knew it was in the C:\Windows\System32\ folder and I said you could delete it??

What does ESET NOD32 antivirus system say when you scan with it, I would trust those results.

Looking at the uninstall list first

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Installed programs are a bit wierd.

Adobe Acrobat 7.0.1 and Reader 7.0.1 Update <<< i have not seen this before, but I have this information about Adobe Reader:
http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04...der_issue.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Adobe Flash Player 10 Plugin <<< I am trying to understand why you would have a Plugin and no Adobe Flash Player:
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/securit...apsb09-01.html

In order to proceed I need the HJT log I requested.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

[J.L.C.]

SAS says the file is located in Windows\System32

However, I don't see it in there.

It may be time to uninstall Acrobat and try something else, I don't have Reader listed anywhere that I can run it from.

The flash player, I'm not sure about. I use firefox as my default browser so I assume that's where the plugin is from. I will download the new player.

A new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:52 PM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\NOD32\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
F:\Sygate\smc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
F:\Adobe\Acrobat\Distillr\Acrotray.exe
D:\WINDOWS\System32\DeltaIITray.exe
F:\Open VPN\bin\openvpn-gui.exe
D:\WINDOWS\vsnpstd3.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
F:\Atomic Alarm Clock\AtomicAlarmClock.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
F:\Palm\Palm Desktop\HOTSYNC.EXE
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
F:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Snag-It\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ce66458-0e88-4668-8bfd-fed718e3cdd1} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Snag-It\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] F:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] D:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] D:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [openvpn-gui] F:\Open VPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [snpstd3] D:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SkinClock] F:\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SuperAnitSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: HotSync Manager.lnk = F:\Palm\Palm Desktop\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - F:\SuperAnitSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - F:\Open VPN\bin\openvpnserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Sygate\smc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 7123 bytes

[pskelley]

Follow the directions carefully and in the numbered order.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
d:\windows\system32\kagevizu.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CPM033a0027"=-

Folder::
D:\SDFix

Save this as CFScript



Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {9ce66458-0e88-4668-8bfd-fed718e3cdd1} - (no file)
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/art...efetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log fram MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum...ware-mbam.html

How is the computer running?

Thanks

[J.L.C.]

Here are the requested logs:

CFScript:
ComboFix 09-05-19.08 - Reggie 05/19/2009 21:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.678 [GMT -4:00]
Running from: d:\documents and settings\Reggie\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Reggie\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sygate Personal Firewall Pro *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Resident AV is active


FILE ::
d:\windows\system32\kagevizu.dll
.

((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 00:55 . 2009-05-20 00:55 -------- d-----w d:\documents and settings\Reggie\Application Data\Malwarebytes
2009-05-20 00:55 . 2009-04-06 19:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-05-20 00:55 . 2009-04-06 19:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 00:55 . 2009-05-20 00:55 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-11 17:43 . 2009-05-12 00:06 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-11 16:30 . 2008-04-14 05:42 1033728 ----a-w d:\windows\explorer.exe
2009-05-11 16:04 . 2009-05-11 16:04 -------- d--h--w d:\windows\PIF
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com
2009-05-11 15:23 . 2009-05-11 15:23 -------- d-----w d:\windows\ERUNT
2009-05-11 03:33 . 2009-05-11 03:33 -------- d-----w d:\program files\MSXML 4.0
2009-05-10 19:34 . 2009-05-10 19:34 2975 ----a-w d:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-05-10 19:31 . 2009-05-10 19:31 1845 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Update ID Tag.dat
2009-05-10 19:31 . 2009-05-10 19:31 2059 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Tag From Filename.dat
2009-05-10 19:29 . 2009-05-10 19:29 36579 ----a-w d:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-05-10 19:29 . 2009-05-10 19:34 515760 ----a-w d:\windows\system32\SpoonUninstall.exe
2009-05-10 19:04 . 2009-05-10 19:04 -------- d-----w d:\documents and settings\Reggie\Application Data\Nero
2009-05-10 18:56 . 2009-05-10 18:56 -------- d-----w d:\program files\Windows Sidebar
2009-05-10 18:52 . 2009-05-10 18:53 -------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-05-10 18:52 . 2009-05-10 19:00 -------- d-----w d:\program files\Common Files\Nero
2009-05-10 00:40 . 2008-04-14 04:09 5504 -c--a-w d:\windows\system32\dllcache\mstee.sys
2009-05-10 00:40 . 2008-04-14 04:09 5504 ----a-w d:\windows\system32\drivers\MSTEE.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 -c--a-w d:\windows\system32\dllcache\ndisip.sys
2009-05-10 00:40 . 2008-04-14 04:16 10880 ----a-w d:\windows\system32\drivers\NdisIP.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 -c--a-w d:\windows\system32\dllcache\streamip.sys
2009-05-10 00:40 . 2008-04-14 04:16 15232 ----a-w d:\windows\system32\drivers\StreamIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 -c--a-w d:\windows\system32\dllcache\slip.sys
2009-05-10 00:39 . 2008-04-14 04:16 11136 ----a-w d:\windows\system32\drivers\SLIP.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 -c--a-w d:\windows\system32\dllcache\ccdecode.sys
2009-05-10 00:39 . 2008-04-14 04:16 17024 ----a-w d:\windows\system32\drivers\CCDECODE.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 -c--a-w d:\windows\system32\dllcache\wstcodec.sys
2009-05-10 00:39 . 2008-04-14 04:16 19200 ----a-w d:\windows\system32\drivers\WSTCODEC.SYS
2009-05-10 00:39 . 2008-04-14 04:16 85248 -c--a-w d:\windows\system32\dllcache\nabtsfec.sys
2009-05-10 00:39 . 2008-04-14 04:16 85248 ----a-w d:\windows\system32\drivers\NABTSFEC.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 -c--a-w d:\windows\system32\dllcache\usbaudio.sys
2009-05-10 00:39 . 2008-04-14 04:15 60032 ----a-w d:\windows\system32\drivers\USBAUDIO.sys
2009-05-10 00:39 . 2008-04-14 09:42 53760 -c--a-w d:\windows\system32\dllcache\vfwwdm32.dll
2009-05-10 00:39 . 2008-04-14 09:42 53760 ----a-w d:\windows\system32\vfwwdm32.dll
2009-05-10 00:35 . 2006-09-19 13:07 827392 ----a-w d:\windows\vsnpstd3.exe
2009-05-10 00:35 . 2006-02-07 00:19 8410880 ----a-w d:\windows\system32\drivers\snpstd3.sys
2009-05-10 00:35 . 2005-12-23 21:17 53248 ----a-w d:\windows\vsnpstd3.dll
2009-05-10 00:35 . 2006-01-10 21:02 147456 ----a-w d:\windows\system32\rsnpstd3.dll
2009-05-10 00:35 . 2005-11-23 17:55 53248 ----a-w d:\windows\system32\csnpstd3.dll
2009-05-10 00:35 . 2004-12-08 22:40 20480 ----a-w d:\windows\usnpstd3.exe
2009-05-10 00:35 . 2009-05-10 00:35 -------- d-----w d:\program files\Common Files\snpstd3
2009-05-08 22:37 . 2009-05-08 23:33 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Paint.NET
2009-05-08 03:28 . 2009-05-08 03:28 -------- d-sh--w d:\documents and settings\Reggie\IECompatCache
2009-05-08 03:26 . 2009-05-08 03:26 -------- d-sh--w d:\documents and settings\Reggie\PrivacIE
2009-05-06 21:15 . 2009-05-06 21:15 -------- d-sh--w d:\documents and settings\Reggie\IETldCache
2009-05-06 21:05 . 2009-05-06 21:05 -------- d-----w d:\windows\ie8updates
2009-05-06 21:05 . 2009-02-28 04:55 105984 -c----w d:\windows\system32\dllcache\iecompat.dll
2009-05-06 21:05 . 2009-05-06 21:05 -------- dc-h--w d:\windows\ie8
2009-05-06 20:55 . 2009-05-06 21:12 -------- d-----w d:\windows\SxsCaPendDel
2009-05-06 15:42 . 2009-05-06 15:43 -------- d-----w d:\documents and settings\Reggie\Application Data\YouSendIt
2009-05-05 04:10 . 2009-05-05 04:10 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\WMTools Downloaded Files
2009-05-03 04:45 . 2009-05-03 04:45 -------- d-----w d:\documents and settings\All Users\Application Data\TechSmith
2009-05-03 01:40 . 2001-12-27 14:59 57552 ----a-w d:\windows\system32\WKDOS.EXE
2009-05-03 01:40 . 2001-12-27 14:59 29696 ----a-w d:\windows\system32\drivers\Wibukey2.sys
2009-05-03 01:40 . 2001-12-27 14:59 67072 ----a-w d:\windows\system32\drivers\Wibukey.sys
2009-05-03 01:40 . 2001-12-27 14:59 139264 ----a-w d:\windows\system32\WkWin32.dll
2009-05-03 01:40 . 2001-12-27 14:59 52736 ----a-w d:\windows\system\WkWin.dll
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBU-SYSTEMS
2009-05-03 01:40 . 2009-05-03 01:40 -------- d-----w d:\program files\WIBUKEY
2009-05-03 01:40 . 2004-03-01 22:53 37760 ----a-w d:\windows\system32\drivers\P2k.sys
2009-05-03 01:40 . 2004-03-08 14:18 77895 ----a-w d:\windows\system32\unibus_tcutil.dll
2009-05-03 01:40 . 2009-05-08 05:40 -------- d-----w d:\program files\Motorola
2009-05-03 01:06 . 2008-04-14 04:15 32128 -c--a-w d:\windows\system32\dllcache\usbccgp.sys
2009-05-03 01:06 . 2008-04-14 04:15 32128 ----a-w d:\windows\system32\drivers\usbccgp.sys
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\MSBuild
2009-05-02 23:46 . 2009-05-06 20:55 -------- d-----w d:\windows\system32\XPSViewer
2009-05-02 23:46 . 2009-05-02 23:46 -------- d-----w d:\program files\Reference Assemblies
2009-05-02 23:45 . 2006-06-29 17:07 14048 ------w d:\windows\system32\spmsg2.dll
2009-05-02 17:20 . 2008-04-14 04:15 26112 -c--a-w d:\windows\system32\dllcache\usbser.sys
2009-05-02 17:20 . 2008-04-14 04:15 26112 ----a-w d:\windows\system32\drivers\usbser.sys
2009-05-02 17:20 . 2007-10-10 20:41 42112 ----a-w d:\windows\system32\drivers\motodrv.sys
2009-05-02 16:50 . 2009-05-02 16:50 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\BVRP Software
2009-05-02 16:42 . 2009-05-02 17:13 -------- d-----w d:\program files\Avanquest update
2009-05-02 16:41 . 2007-06-18 18:18 23680 ----a-w d:\windows\system32\drivers\motmodem.sys
2009-05-02 16:41 . 2006-11-13 18:45 1419232 ----a-w d:\windows\system32\wdfcoinstaller01005.dll
2009-05-02 16:41 . 2009-05-08 05:41 -------- dc----w d:\windows\system32\DRVSTORE
2009-05-02 16:40 . 2009-05-08 05:47 -------- d-----w d:\program files\Common Files\Motorola Shared
2009-05-02 16:40 . 2009-05-02 17:09 -------- d-----w d:\documents and settings\All Users\Application Data\BVRP Software
2009-05-01 02:58 . 2009-05-01 02:58 -------- d-----w d:\documents and settings\Reggie\WINDOWS
2009-04-30 21:12 . 2009-04-30 21:12 -------- d-----w d:\windows\system32\NtmsData
2009-04-30 21:11 . 2008-04-14 04:15 26368 -c--a-w d:\windows\system32\dllcache\usbstor.sys
2009-04-28 04:50 . 2009-04-28 04:50 -------- d-----w d:\program files\Microsoft Hardware
2009-04-27 23:57 . 2009-04-27 23:57 -------- d-----w d:\documents and settings\Reggie\Application Data\LEAPS
2009-04-27 23:45 . 2001-08-18 02:36 5632 ----a-w d:\windows\system32\ptpusb.dll
2009-04-27 23:45 . 2008-04-14 09:42 159232 ----a-w d:\windows\system32\ptpusd.dll
2009-04-27 23:45 . 2008-04-14 04:15 15104 -c--a-w d:\windows\system32\dllcache\usbscan.sys
2009-04-27 23:45 . 2008-04-14 04:15 15104 ----a-w d:\windows\system32\drivers\usbscan.sys
2009-04-27 23:32 . 2009-04-27 23:32 -------- d-----w d:\documents and settings\Reggie\Application Data\Pegasys Inc
2009-04-27 19:59 . 2009-04-27 19:59 -------- d-----w d:\documents and settings\Reggie\.spss
2009-04-27 14:54 . 2008-10-16 18:06 208744 ----a-w d:\windows\system32\muweb.dll
2009-04-27 14:54 . 2008-10-16 18:06 268648 ----a-w d:\windows\system32\mucltui.dll
2009-04-27 07:21 . 2009-04-27 07:21 -------- d-----w d:\documents and settings\Reggie\Local Settings\Application Data\Help
2009-04-27 07:04 . 2003-03-16 04:15 90112 ----a-w d:\windows\unvise32.exe
2009-04-27 06:57 . 2009-04-27 06:57 2328704 ----a-w d:\windows\system32\TUKernel.exe
2009-04-27 06:20 . 2008-11-24 11:19 27904 ----a-w d:\windows\system32\uxtuneup.dll
2009-04-27 06:20 . 2009-04-27 06:20 362240 ----a-w d:\windows\system32\TuneUpDefragService.exe
2009-04-27 06:17 . 2009-04-27 06:20 603904 ----a-w d:\windows\system32\TUProgSt.exe
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\Reggie\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:17 -------- d-----w d:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-27 06:17 . 2009-04-27 06:20 -------- d-----w d:\program files\TuneUp Utilities 2009
2009-04-27 06:10 . 2009-04-27 06:10 -------- d-sh--w d:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-27 05:53 . 2009-05-06 15:42 -------- d-----w d:\windows\Downloaded Installations
2009-04-27 03:45 . 2009-04-27 03:45 -------- d-----w d:\windows\system32\LogFiles
2009-04-27 03:11 . 2002-07-27 02:24 790528 ------w d:\windows\system32\FreeImageX.dll
2009-04-27 03:11 . 1999-01-04 20:32 10752 ------w d:\windows\system32\xtimers.dll
2009-04-27 03:11 . 1996-01-31 04:00 92160 ------w d:\windows\system32\MSO5ENU.DLL
2009-04-27 03:11 . 2003-03-26 16:22 196608 ------w d:\windows\system32\PitchPC.exe
2009-04-27 03:11 . 2002-05-20 16:50 26624 ------w d:\windows\system32\WebRequest.exe
2009-04-27 03:11 . 2003-05-15 19:59 49152 ------w d:\windows\system32\qsheetc.dll
2009-04-27 02:44 . 2007-12-24 17:47 7680 ----a-w d:\windows\system32\ff_vfw.dll
2009-04-27 02:44 . 2007-11-29 16:52 60273 ----a-w d:\windows\system32\pthreadGC2.dll
2009-04-27 02:38 . 2009-04-27 02:38 -------- d-----w d:\windows\DvzCommon
2009-04-27 02:30 . 2009-04-27 02:31 -------- d-----w d:\documents and settings\Reggie\Application Data\EndNote
2009-04-27 02:23 . 2008-03-03 17:13 12296 ----a-w d:\windows\system32\deltaIICoIn.dll
2009-04-27 02:23 . 2008-03-03 17:13 236040 ----a-w d:\windows\system32\DeltaIITray.exe
2009-04-27 02:23 . 2008-03-03 17:13 739848 ----a-w d:\windows\system32\DeltaIICpl.exe
2009-04-27 02:23 . 2008-03-03 17:13 302728 ----a-w d:\windows\system32\drivers\deltaII.sys
2009-04-27 02:23 . 2008-03-03 17:13 21000 ----a-w d:\windows\system32\DeltaIIpnl.dll
2009-04-27 02:23 . 2008-03-03 17:13 25096 ----a-w d:\windows\system32\deltaIIasio.dll
2009-04-27 02:23 . 2008-03-03 17:13 2513432 ----a-w d:\windows\system32\pcifmdio.dll
2009-04-27 02:19 . 2009-04-27 02:19 -------- d-----w d:\program files\M-Audio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 02:45 . 2009-04-26 17:24 21480 ----a-w d:\documents and settings\Reggie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 16:26 . 2009-04-26 18:06 -------- d-----w d:\program files\Common Files\PC Tools
2009-05-11 15:46 . 2009-04-26 17:51 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-05-10 00:34 . 2009-04-26 17:31 -------- d--h--w d:\program files\InstallShield Installation Information
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-05-02 17:09 . 2009-05-02 17:09 0 ---ha-w d:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-26 21:51 . 2009-04-26 17:33 -------- d-----w d:\program files\Common Files\Adobe
2009-04-26 21:42 . 2008-04-14 12:42 218624 ----a-w d:\windows\system32\uxtheme.dll
2009-04-26 19:58 . 2009-04-26 19:58 -------- d-----w d:\program files\microsoft frontpage
2009-04-26 19:55 . 2009-04-26 19:55 21640 ----a-w d:\windows\system32\emptyregdb.dat
2009-04-26 19:55 . 2009-04-26 19:55 -------- d-----w d:\program files\Windows Media Connect 2
2009-04-26 18:33 . 2009-04-26 18:33 -------- d-----w d:\program files\Common Files\i4j_jres
2009-04-26 18:27 . 2009-04-26 18:27 0 ----a-w d:\windows\nsreg.dat
2009-04-26 17:46 . 2009-04-26 17:47 512096 ----a-w d:\windows\system32\drivers\amon.sys
2009-04-26 17:46 . 2009-04-26 17:47 298104 ----a-w d:\windows\system32\imon.dll
2009-04-26 17:46 . 2009-04-26 17:47 15424 ----a-w d:\windows\system32\drivers\nod32drv.sys
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\NVIDIA Corporation
2009-04-26 17:31 . 2009-04-26 17:31 -------- d-----w d:\program files\Common Files\NVIDIA Shared
2009-04-26 17:23 . 2009-04-26 17:23 8 ----a-w d:\windows\system32\nvModes.dat
2009-03-17 01:42 . 2009-03-17 01:42 524288 ----a-w d:\windows\opuc.dll
2009-03-08 08:34 . 2009-01-12 02:43 914944 ----a-w d:\windows\system32\wininet.dll
2009-03-08 08:34 . 2009-01-12 02:43 43008 ----a-w d:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2009-01-12 02:43 18944 ----a-w d:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-04-14 12:42 420352 ----a-w d:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2009-01-12 02:43 72704 ----a-w d:\windows\system32\admparse.dll
2009-03-08 08:32 . 2009-01-12 02:43 71680 ----a-w d:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2009-01-12 02:43 34816 ----a-w d:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2009-01-12 02:43 48128 ----a-w d:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2009-01-12 02:43 45568 ----a-w d:\windows\system32\mshta.exe
2009-03-08 08:22 . 2009-01-12 02:43 156160 ----a-w d:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-04-14 12:42 284160 ----a-w d:\windows\system32\pdh.dll
.

------- Sigcheck -------

[-] 2009-01-12 02:44 1614848 362BC5AF8EAF712832C58CC13AE05750 d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SkinClock"="f:\atomic alarm clock\AtomicAlarmClock.exe" [2008-09-24 527360]
"SUPERAntiSpyware"="f:\superanitspyware\SUPERAntiSpyware.exe" [2009-05-11 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="d:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 131072]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"nod32kui"="f:\nod32\nod32kui.exe" [2009-04-26 949376]
"SmcService"="f:\sygate\smc.exe" [2005-09-27 2635472]
"Acrobat Assistant 7.0"="f:\adobe\Acrobat\Distillr\Acrotray.exe" [2004-12-14 483328]
"M-Audio Taskbar Icon"="d:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"DeltaIITaskbarApp"="d:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"openvpn-gui"="f:\open vpn\bin\openvpn-gui.exe" [2005-08-18 99328]
"snpstd3"="d:\windows\vsnpstd3.exe" [2006-09-19 827392]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2007-12-05 1626112]

d:\documents and settings\Reggie\Start Menu\Programs\Startup\
HotSync Manager.lnk - f:\palm\Palm Desktop\HOTSYNC.EXE [2004-4-13 299008]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-26 25214]
DataViz Messenger.lnk - d:\windows\DvzCommon\DvzMsgr.exe [2009-4-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\superanitspyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="d:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w f:\superanitspyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\SPSS16\\spss.exe"=
"f:\\SPSS16\\spss.com"=
"f:\\SPSS16\\SPSSWinWrapIDE.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;d:\windows\system32\drivers\SI3112r.sys [4/21/2003 9:49 AM 85333]
R0 SiWinAcc;SiWinAcc;d:\windows\system32\drivers\SiWinAcc.sys [2/25/2003 6:08 AM 9600]
R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [4/26/2009 1:47 PM 15424]
R1 SASDIFSV;SASDIFSV;f:\superanitspyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;f:\superanitspyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;d:\windows\system32\TUProgSt.exe [4/27/2009 2:17 AM 603904]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);d:\windows\system32\drivers\deltaII.sys [4/26/2009 10:23 PM 302728]
R3 SASENUM;SASENUM;f:\superanitspyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 tap0801;TAP-Win32 Adapter V8;d:\windows\system32\drivers\tap0801.sys [6/23/2004 10:54 PM 23552]
S0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 MotDev;Motorola Inc. USB Device;d:\windows\system32\drivers\motodrv.sys [5/2/2009 1:20 PM 42112]
S3 TfNetMon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S4 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 d:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-04 14:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Convert link target to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\micros~1\OFFICE11\EXCEL.EXE/3000
LSP: d:\windows\system32\imon.dll
FF - ProfilePath - d:\documents and settings\Reggie\Application Data\Mozilla\Firefox\Profiles\an0b03se.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: f:\adobe\Acrobat\Acrobat\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="d:\\WINDOWS\\SYSTEM32\\KAGEVIZU.DLL"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)
f:\superanitspyware\SASWINLO.dll
d:\documents and settings\Reggie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(1348)
d:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(684)
d:\windows\system32\webcheck.dll
d:\windows\system32\IEFRAME.dll
d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
d:\windows\system32\msi.dll
d:\windows\system32\SSSensor.dll
f:\atomic alarm clock\Clock.dll
d:\windows\system32\msls31.dll
d:\windows\system32\OneX.DLL
d:\windows\system32\eappprxy.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-05-20 21:17
ComboFix-quarantined-files.txt 2009-05-20 01:17
ComboFix2.txt 2009-05-20 00:47
ComboFix3.txt 2009-05-19 06:45
ComboFix4.txt 2009-05-19 06:35

Pre-Run: 14,271,344,640 bytes free
Post-Run: 14,259,154,944 bytes free

311 --- E O F --- 2009-05-11 03:33

MBAM:
Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 3

5/19/2009 9:30:00 PM
mbam-log-2009-05-19 (21-30-00).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 145868
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:34 PM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\NOD32\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
F:\Sygate\smc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\WINDOWS\system32\RUNDLL32.EXE
F:\Adobe\Acrobat\Distillr\Acrotray.exe
D:\WINDOWS\system32\DeltaIITray.exe
F:\Open VPN\bin\openvpn-gui.exe
D:\WINDOWS\vsnpstd3.exe
D:\Program Files\Messenger\msmsgs.exe
F:\Atomic Alarm Clock\AtomicAlarmClock.exe
F:\Adobe\Acrobat\Acrobat\acrobat_sl.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
F:\Palm\Palm Desktop\HOTSYNC.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
F:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Snag-It\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Snag-It\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] F:\Sygate\smc.exe -startgui
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] D:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] D:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [openvpn-gui] F:\Open VPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [snpstd3] D:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SkinClock] F:\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\SuperAnitSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = F:\Palm\Palm Desktop\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - F:\SuperAnitSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - F:\Open VPN\bin\openvpnserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Sygate\smc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6870 bytes




The computer is running okay, but a little sluggish - nothing is showing up in Add/Remove programs within control panel (SUPERAntiSpyware is still seeing kagevizu so I thought I'd try uninstalling it and the others you flagged - but I cannot because the program list is blank now).

[pskelley]

SAS may now be seeing that file in the combofix quarantine, let's do this and see what happens. We will deal with any issues then.

Did you read this information:
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/art...efetch-XP.html

After a few reboots, that sluggishness should go away, let me know if it does not.

Follow these directions carefully:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.



Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update NOD32 and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.
(let me know now if you have any issues)

Some good information for you:
http://users.telenet.be/bluepatchy/m...wcomputer.html
http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/m...revention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/you...d/checker.mspx

http://users.telenet.be/bluepatchy/m...oes/Links.html
http://www.microsoft.com/windows/ie/...rotection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/com.../browsing.mspx

[J.L.C.]

NOD32 found and removed a couple things (a.exe in the Firefox directory).

MBAM find a registry entry and although I have chosen to remove it and rebooted several times, it shows up with every scan. Here's the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 3

5/19/2009 9:30:00 PM
mbam-log-2009-05-19 (21-30-00).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 145868
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After several reboots the computer is running better.