Infected w Win32.Prolaco.p, Delf.PQB, Dropper.Generic.CKLK, Trojan.Swisyn, others

[I_dream_of_Mercury]

Hello ~

I wasn't sure which Trojan is the central theme in this infection. I apologize if this is too much info or not the right stuff.

The following Trojans were found on my computer:

First, AVG detected Trojans Delf.PQB, and Dropper.Generic.CKLK

Then, I ran Spybot S&D, which detected Win32.Prolaco.p.

Cryptic.DE was then detected (not sure by which software).

I disabled TeaTimer and rebooted.

I installed and ran SuperAntispyware and Malwarebytes. Malwarebytes detected Trojan.Swisyn, Trojan.Agent, and Malware.Trace.

I installed, but have not run: ComboFix and RootRepeal.

All software reported that it successfully either deleted Trojans or quarantined them.

I then ran a second scan with AVG, Spybot S&D, SuperAntispyware, and Malwarebytes.
Now the only thing detected is from AVG, which found Trojans Delf.PQB and Dropper.Generic.CLBZ, all in
C:\System Volume Information\_restore files.

I copied some most important files to a thumbnail drive, just in case, and now I see your note about external drives that have connected to an infected computer. So please advise me how to make the thumbnail drive safe again, too, if possible.

Thank you so much for any help with this!


HJT log:


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:00:37 PM, on 4/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINXPHM\System32\smss.exe
C:\WINXPHM\system32\winlogon.exe
C:\WINXPHM\system32\services.exe
C:\WINXPHM\system32\lsass.exe
C:\WINXPHM\system32\svchost.exe
C:\WINXPHM\System32\svchost.exe
C:\WINXPHM\system32\ZoneLabs\vsmon.exe
C:\WINXPHM\Explorer.EXE
C:\WINXPHM\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINXPHM\System32\svchost.exe
C:\WINXPHM\System32\hkcmd.exe
C:\WINXPHM\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINXPHM\system32\RunDLL32.exe
C:\WINXPHM\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINXPHM\system32\wuauclt.exe
C:\WINXPHM\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINXPHM\System32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safer-networking.org/en/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINXPHM\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXPHM\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXPHM\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINXPHM\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXPHM\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXPHM\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5660] command.com /c del "C:\WINXPHM\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1064] cmd.exe /c del "C:\WINXPHM\SchedLgU.Txt"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXPHM\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2454] command.com /c del "C:\WINXPHM\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD921] cmd.exe /c del "C:\WINXPHM\SchedLgU.Txt"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXPHM\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXPHM\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://www.collarme.com/chat
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1238990141514
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXPHM\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXPHM\System32\browseui.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINXPHM\system32\ZoneLabs\vsmon.exe
--
End of file - 6284 bytes

[Blade81]

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

[I_dream_of_Mercury]

Thanks for your response!

I hope I understand yours and the forum instructions correctly, *not* to zip and attach but to copy and paste both logs.

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 8:12:11.81 on Sat 04/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.190 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINXPHM\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXPHM\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXPHM\system32\ZoneLabs\vsmon.exe
C:\WINXPHM\Explorer.EXE
C:\WINXPHM\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINXPHM\System32\svchost.exe -k imgsvc
C:\WINXPHM\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINXPHM\system32\RunDLL32.exe
C:\WINXPHM\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINXPHM\system32\wuauclt.exe
C:\WINXPHM\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.safer-networking.org/en/index.html
mDefault_Page_URL = about:blank
mDefault_Search_URL = about:blank
mSearch Page = about:blank
mStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winxphm\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [SpybotDeletingB2454] command.com /c del "c:\winxphm\SchedLgU.Txt"
uRunOnce: [SpybotDeletingD921] cmd.exe /c del "c:\winxphm\SchedLgU.Txt"
mRun: [IgfxTray] c:\winxphm\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winxphm\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [IMJPMIG8.1] "c:\winxphm\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\winxphm\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\winxphm\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\winxphm\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [SpybotDeletingA5660] command.com /c del "c:\winxphm\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC1064] cmd.exe /c del "c:\winxphm\SchedLgU.Txt"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - hxxp://www.collarme.com/chat
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238990141514
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxphm\system32\drivers\avgldx86.sys [2009-4-10 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winxphm\system32\drivers\avgmfx86.sys [2009-4-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winxphm\system32\drivers\avgtdix.sys [2009-4-10 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 vsdatant;vsdatant;c:\winxphm\system32\vsdatant.sys [2009-4-6 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-10 297752]
R2 vsmon;TrueVector Internet Monitor;c:\winxphm\system32\zonelabs\vsmon.exe -service --> c:\winxphm\system32\zonelabs\vsmon.exe -service [?]
R3 P0630VID;Creative WebCam Live!;c:\winxphm\system32\drivers\P0630Vid.sys [2009-12-20 91841]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
=============== Created Last 30 ================
2010-04-06 21:56:34 0 d-----w- c:\program files\TrendMicro
2010-04-06 01:42:16 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-06 01:41:55 38224 ----a-w- c:\winxphm\system32\drivers\mbamswissarmy.sys
2010-04-06 01:41:52 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-04-06 01:41:50 20824 ----a-w- c:\winxphm\system32\drivers\mbam.sys
2010-04-06 01:41:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 21:05:58 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-04-05 21:05:35 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 21:05:35 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-04-05 20:59:40 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-05 20:50:42 2388895 ----a-w- C:\MGtools.exe
2010-04-05 20:24:18 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-05 19:59:53 0 d-----w- c:\program files\CCleaner
2010-04-05 12:34:40 0 d-----w- c:\winxphm\pss
2010-04-05 11:30:22 73728 ----a-w- c:\winxphm\system32\javacpl.cpl
2010-04-03 10:52:54 0 ----a-w- c:\winxphm\00xjvpiu0b1azkr19b978mu8.ini
==================== Find3M ====================
2010-04-05 11:29:59 411368 ----a-w- c:\winxphm\system32\deploytk.dll
2010-03-11 12:38:54 832512 ----a-w- c:\winxphm\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\winxphm\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\winxphm\system32\corpol.dll
2010-02-23 22:26:53 161296 ----a-w- c:\winxphm\system32\drivers\tmcomm.sys
2007-02-23 05:08:08 925696 ----a-w- c:\program files\GSpot.exe
2007-02-20 00:28:02 117974 -c--a-r- c:\program files\GSpot27.dat
2007-01-17 07:37:50 3615 -c--a-r- c:\program files\license.txt
2007-01-17 07:37:50 10684 -c--a-r- c:\program files\ExportFormat.txt
2005-12-26 05:24:22 895488 ----a-w- c:\program files\iview397.exe
2005-12-26 04:36:09 900277 ----a-w- c:\program files\HYDEIST music room.EXE
============= FINISH: 8:13:45.17 ===============






Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/5/2009 7:20:48 PM
System Uptime: 4/5/2010 7:22:02 PM (109 hours ago)
Motherboard: Dell Computer Corp. | | 0G1548
Processor: Intel(R) Celeron(R) CPU 2.20GHz | Microprocessor | 2192/400mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 74 GiB total, 13.745 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP373: 3/3/2010 7:06:58 AM - System Checkpoint
RP374: 3/4/2010 7:45:01 AM - System Checkpoint
RP375: 3/5/2010 8:37:03 AM - System Checkpoint
RP376: 3/6/2010 8:43:34 AM - System Checkpoint
RP377: 3/7/2010 9:43:34 AM - System Checkpoint
RP378: 3/8/2010 10:55:34 AM - System Checkpoint
RP379: 3/9/2010 5:55:28 AM - Avg8 Update
RP380: 3/10/2010 6:17:00 AM - System Checkpoint
RP381: 3/11/2010 12:00:24 AM - Software Distribution Service 3.0
RP382: 3/12/2010 12:44:33 AM - System Checkpoint
RP383: 3/13/2010 3:20:34 AM - System Checkpoint
RP384: 3/14/2010 6:32:51 AM - System Checkpoint
RP385: 3/15/2010 7:40:37 AM - System Checkpoint
RP386: 3/16/2010 10:47:41 AM - System Checkpoint
RP387: 3/17/2010 11:47:28 AM - System Checkpoint
RP388: 3/18/2010 1:26:56 PM - System Checkpoint
RP389: 3/18/2010 11:41:47 PM - Avg8 Update
RP390: 3/18/2010 11:44:08 PM - Avg8 Update
RP391: 3/20/2010 12:40:47 AM - System Checkpoint
RP392: 3/21/2010 1:53:14 AM - System Checkpoint
RP393: 3/22/2010 3:54:36 AM - System Checkpoint
RP394: 3/23/2010 6:31:41 AM - System Checkpoint
RP395: 3/24/2010 7:57:22 AM - System Checkpoint
RP396: 3/25/2010 8:28:49 AM - System Checkpoint
RP397: 3/26/2010 10:53:55 AM - System Checkpoint
RP398: 3/27/2010 11:28:51 AM - System Checkpoint
RP399: 3/28/2010 12:28:52 PM - System Checkpoint
RP400: 3/29/2010 1:28:50 PM - System Checkpoint
RP401: 3/30/2010 2:24:31 PM - System Checkpoint
RP402: 3/30/2010 11:55:20 PM - Software Distribution Service 3.0
RP403: 4/1/2010 1:13:32 AM - System Checkpoint
RP404: 4/2/2010 1:47:32 AM - System Checkpoint
RP405: 4/3/2010 4:13:55 AM - System Checkpoint
RP406: 4/4/2010 4:42:08 AM - System Checkpoint
RP407: 4/5/2010 4:12:31 AM - Removed Java(TM) 6 Update 13
RP408: 4/5/2010 4:29:47 AM - Installed Java(TM) 6 Update 19
RP409: 4/5/2010 2:05:33 PM - Installed SUPERAntiSpyware Free Edition
RP410: 4/6/2010 2:56:32 PM - Installed HiJackThis
RP411: 4/7/2010 3:27:25 PM - System Checkpoint
RP412: 4/8/2010 4:27:19 PM - System Checkpoint
RP413: 4/9/2010 5:27:19 PM - System Checkpoint
==== Installed Programs ======================
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Advanced Video FX Utility
AVG 8.5
BCM V.92 56K Modem
BitTorrent
CCleaner
Creative Photo Manager
Creative WebCam Center
Creative WebCam Live! Driver (1.02.03.0606)
Creative WebCam Live! User's Guide (English)
DNA
ERUNT 1.1j
Foxit Reader
Get Yahoo! Messenger
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Extreme Graphics Driver
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 19
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SightSpeed (remove only)
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VLC media player 1.0.5
WebCam Live! Product Registration
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.2.1 final uninstall
ZoneAlarm
==== Event Viewer Messages From Past Week ========
4/5/2010 4:13:48 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
==== End Of File ===========================

[Blade81]

Hi,

I hope I understand yours and the forum instructions correctly, *not* to zip and attach but to copy and paste both logs.

Yes, that's right


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent



I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

[I_dream_of_Mercury]

Blade, hello,

I’m stuck! The ComboFix instructions link to their instructions for disabling security software, http://www.bleepingcomputer.com/forums/topic114351.html. When it comes to downloading ResetTeaTimer.zip, as part of disabling Spybot S&D, the file is not at the link.

There it says,

“SPYBOT TEATIMER
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done and reboot your computer.
(When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

Please download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and it from restoring them upon reactivation).”

I already unchecked TeaTimer and rebooted, but resetteatimer.zip doesn’t download.When the link is right-clicked to save, it gives this message:

“Internet Explorer cannot download ResetTeatimer.zip from TechSupportForum.com. Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.”

I then searched for this file online, and the other links I found for it no longer have the file, either.

Are these old instructions, or is ResetTeaTimer.bat still necessary, and if I need it, do you know where to obtain the file?

Thanks!

[Blade81]

Hi,

You may ignore TeaTimer reset part. Disabling it is all needed

[I_dream_of_Mercury]

Phew! Scary running that :P!

Everything seemed to go smoothly, though.

The ComboFix log, new DDS log, and Attach log:

ComboFix 10-04-10.02 - Owner 04/11/2010 9:32.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.209 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\AVG.exe
c:\recycler\S-1-5-21-1614895754-73586283-682003330-500
c:\windows\$hf_mig$\KB873339\spuninst.exe
c:\windows\$hf_mig$\KB873339\update\update.exe
c:\windows\$hf_mig$\KB885250\spuninst.exe
c:\windows\$hf_mig$\KB885250\update\update.exe
c:\windows\$hf_mig$\KB885835\spuninst.exe
c:\windows\$hf_mig$\KB885835\update\update.exe
c:\windows\$hf_mig$\KB885836\spuninst.exe
c:\windows\$hf_mig$\KB885836\update\update.exe
c:\windows\$hf_mig$\KB888113\spuninst.exe
c:\windows\$hf_mig$\KB888113\update\update.exe
c:\windows\$hf_mig$\KB888302\spuninst.exe
c:\windows\$hf_mig$\KB888302\update\update.exe
c:\windows\$hf_mig$\KB890046\spuninst.exe
c:\windows\$hf_mig$\KB890046\update\update.exe
c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlmp.exe
c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrpamp.exe
c:\windows\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlmp.exe
c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrpamp.exe
c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
c:\windows\$hf_mig$\KB890859\spuninst.exe
c:\windows\$hf_mig$\KB890859\update\update.exe
c:\windows\$hf_mig$\KB891781\spuninst.exe
c:\windows\$hf_mig$\KB891781\update\update.exe
c:\windows\$hf_mig$\KB893756\spuninst.exe
c:\windows\$hf_mig$\KB893756\update\arpidfix.exe
c:\windows\$hf_mig$\KB893756\update\update.exe
c:\windows\$hf_mig$\KB896358\SP2GDR\hh.exe
c:\windows\$hf_mig$\KB896358\SP2QFE\hh.exe
c:\windows\$hf_mig$\KB896358\spuninst.exe
c:\windows\$hf_mig$\KB896358\update\update.exe
c:\windows\$hf_mig$\KB896422\spuninst.exe
c:\windows\$hf_mig$\KB896422\update\update.exe
c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
c:\windows\$hf_mig$\KB896423\spuninst.exe
c:\windows\$hf_mig$\KB896423\update\arpidfix.exe
c:\windows\$hf_mig$\KB896423\update\update.exe
c:\windows\$hf_mig$\KB896424\spuninst.exe
c:\windows\$hf_mig$\KB896424\update\arpidfix.exe
c:\windows\$hf_mig$\KB896424\update\update.exe
c:\windows\$hf_mig$\KB896428\SP2GDR\telnet.exe
c:\windows\$hf_mig$\KB896428\SP2QFE\telnet.exe
c:\windows\$hf_mig$\KB896428\spuninst.exe
c:\windows\$hf_mig$\KB896428\update\update.exe
c:\windows\$hf_mig$\KB898461\spuninst.exe
c:\windows\$hf_mig$\KB898461\spupdsvc.exe
c:\windows\$hf_mig$\KB898461\update\update.exe
c:\windows\$hf_mig$\KB899587\spuninst.exe
c:\windows\$hf_mig$\KB899587\update\arpidfix.exe
c:\windows\$hf_mig$\KB899587\update\update.exe
c:\windows\$hf_mig$\KB899589\spuninst.exe
c:\windows\$hf_mig$\KB899589\update\arpidfix.exe
c:\windows\$hf_mig$\KB899589\update\update.exe
c:\windows\$hf_mig$\KB899591\spuninst.exe
c:\windows\$hf_mig$\KB899591\update\arpidfix.exe
c:\windows\$hf_mig$\KB899591\update\update.exe
c:\windows\$hf_mig$\KB900725\spuninst.exe
c:\windows\$hf_mig$\KB900725\update\arpidfix.exe
c:\windows\$hf_mig$\KB900725\update\update.exe
c:\windows\$hf_mig$\KB901017\spuninst.exe
c:\windows\$hf_mig$\KB901017\update\arpidfix.exe
c:\windows\$hf_mig$\KB901017\update\update.exe
c:\windows\$hf_mig$\KB901190\spuninst.exe
c:\windows\$hf_mig$\KB901190\update\update.exe
c:\windows\$hf_mig$\KB901214\spuninst.exe
c:\windows\$hf_mig$\KB901214\update\update.exe
c:\windows\$hf_mig$\KB902400\SP2GDR\migregdb.exe
c:\windows\$hf_mig$\KB902400\SP2QFE\migregdb.exe
c:\windows\$hf_mig$\KB902400\spuninst.exe
c:\windows\$hf_mig$\KB902400\update\arpidfix.exe
c:\windows\$hf_mig$\KB902400\update\update.exe
c:\windows\$hf_mig$\KB905414\spuninst.exe
c:\windows\$hf_mig$\KB905414\update\arpidfix.exe
c:\windows\$hf_mig$\KB905414\update\update.exe
c:\windows\$hf_mig$\KB905749\spuninst.exe
c:\windows\$hf_mig$\KB905749\update\arpidfix.exe
c:\windows\$hf_mig$\KB905749\update\update.exe
c:\windows\$hf_mig$\KB908519\spuninst.exe
c:\windows\$hf_mig$\KB908519\update\update.exe
c:\windows\$hf_mig$\KB908531\SP2GDR\verclsid.exe
c:\windows\$hf_mig$\KB908531\SP2QFE\verclsid.exe
c:\windows\$hf_mig$\KB908531\spuninst.exe
c:\windows\$hf_mig$\KB908531\update\update.exe
c:\windows\$hf_mig$\KB910437\spuninst.exe
c:\windows\$hf_mig$\KB910437\update\update.exe
c:\windows\$hf_mig$\KB911280\spuninst.exe
c:\windows\$hf_mig$\KB911280\update\update.exe
c:\windows\$hf_mig$\KB911562\spuninst.exe
c:\windows\$hf_mig$\KB911562\update\update.exe
c:\windows\$hf_mig$\KB911927\spuninst.exe
c:\windows\$hf_mig$\KB911927\update\update.exe
c:\windows\$hf_mig$\KB912919\spuninst.exe
c:\windows\$hf_mig$\KB912919\update\update.exe
c:\windows\$hf_mig$\KB913446\spuninst.exe
c:\windows\$hf_mig$\KB913446\update\update.exe
c:\windows\$hf_mig$\KB913580\spuninst.exe
c:\windows\$hf_mig$\KB913580\update\update.exe
c:\windows\$hf_mig$\KB914388\spuninst.exe
c:\windows\$hf_mig$\KB914388\update\update.exe
c:\windows\$hf_mig$\KB914389\spuninst.exe
c:\windows\$hf_mig$\KB914389\update\update.exe
c:\windows\$hf_mig$\KB917159\spuninst.exe
c:\windows\$hf_mig$\KB917159\update\update.exe
c:\windows\$hf_mig$\KB917344\spuninst.exe
c:\windows\$hf_mig$\KB917344\update\update.exe
c:\windows\$hf_mig$\KB917422\spuninst.exe
c:\windows\$hf_mig$\KB917422\update\update.exe
c:\windows\$hf_mig$\KB917953\spuninst.exe
c:\windows\$hf_mig$\KB917953\update\update.exe
c:\windows\$hf_mig$\KB920670\spuninst.exe
c:\windows\$hf_mig$\KB920670\update\update.exe
c:\windows\$hf_mig$\KB920683\spuninst.exe
c:\windows\$hf_mig$\KB920683\update\update.exe
c:\windows\$hf_mig$\KB921398\spuninst.exe
c:\windows\$hf_mig$\KB921398\update\update.exe
c:\windows\$hf_mig$\KB921883\spuninst.exe
c:\windows\$hf_mig$\KB921883\update\update.exe
c:\windows\$hf_mig$\KB922616\spuninst.exe
c:\windows\$hf_mig$\KB922616\update\update.exe
c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB823182$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB823559$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB824105$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB828035$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB828741$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB828741_RTM$\comrepl.exe
c:\windows\$NtUninstallKB828741_RTM$\migregdb.exe
c:\windows\$NtUninstallKB828741_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB833407$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB833987$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB834707-IE6-20040929.115007$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB835409$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB835732$\helpctr.exe
c:\windows\$NtUninstallKB835732$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB835732_RTM$\helpctr.exe
c:\windows\$NtUninstallKB835732_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB837001$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB839645$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB840374$\helpctr.exe
c:\windows\$NtUninstallKB840374$\hscupd.exe
c:\windows\$NtUninstallKB840374$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB840987$\krnl386.exe
c:\windows\$NtUninstallKB840987$\ntvdm.exe
c:\windows\$NtUninstallKB840987$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB841356$\grpconv.exe
c:\windows\$NtUninstallKB841356$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB841533$\netdde.exe
c:\windows\$NtUninstallKB841533$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB841533$\winlogon.exe
c:\windows\$NtUninstallKB841873$\mstinit.exe
c:\windows\$NtUninstallKB841873$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB842773$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB871250$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB873339$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB873376$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB885250$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB885835$\ntkrnlpa.exe
c:\windows\$NtUninstallKB885835$\ntoskrnl.exe
c:\windows\$NtUninstallKB885835$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB885836$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB885836$\wordpad.exe
c:\windows\$NtUninstallKB888113$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB888302$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB890046$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB890859$\ntkrnlmp.exe
c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
c:\windows\$NtUninstallKB890859$\ntkrpamp.exe
c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
c:\windows\$NtUninstallKB890859$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB891781$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB892944$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB893756$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB896358$\hh.exe
c:\windows\$NtUninstallKB896358$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB896422$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB896423$\spoolsv.exe
c:\windows\$NtUninstallKB896423$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB896424$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB896428$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB896428$\telnet.exe
c:\windows\$NtUninstallKB897715-OE6SP1-20050503.210336$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB898461$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB899587$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB899589$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB899591$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB900725$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB901017$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB901190$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB901214$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB902400$\migregdb.exe
c:\windows\$NtUninstallKB902400$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB904706$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB905414$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB905495$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB905749$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB905915-IE6SP1-20051122.175908$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB908519$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB908531$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB910437$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB911280$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB911562$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB911564$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB911565$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB911567-OE6SP1-20060316.165634$\msimn.exe
c:\windows\$NtUninstallKB911567-OE6SP1-20060316.165634$\oemig50.exe
c:\windows\$NtUninstallKB911567-OE6SP1-20060316.165634$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB911567-OE6SP1-20060316.165634$\wab.exe
c:\windows\$NtUninstallKB911567-OE6SP1-20060316.165634$\wabmig.exe
c:\windows\$NtUninstallKB911927$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB912812-IE6SP1-20060322.182418$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB912919$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB913446$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB913580$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB914388$\ipv6.exe
c:\windows\$NtUninstallKB914388$\netsh.exe
c:\windows\$NtUninstallKB914388$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB914389$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB917159$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB917344$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB917422$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB917953$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB918439-IE6SP1-20060530.145346$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB918899-IE6SP1-20060725.123917$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB920670$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB920683$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB921398$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB921883$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB922616$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ328310$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329048$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329048_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329115$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329170$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329170_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329390$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329390_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329441$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329441_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329834$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ329834_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ810565$\accwiz.exe
c:\windows\$NtUninstallQ810565$\magnify.exe
c:\windows\$NtUninstallQ810565$\migwiz.exe
c:\windows\$NtUninstallQ810565$\narrator.exe
c:\windows\$NtUninstallQ810565$\osk.exe
c:\windows\$NtUninstallQ810565$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ810577$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ810577_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ810833$\locator.exe
c:\windows\$NtUninstallQ810833$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ810833_RTM$\locator.exe
c:\windows\$NtUninstallQ810833_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ814033$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ815021$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ817287$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ817606$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ817606_RTM$\spuninst\spuninst.exe
c:\windows\$NtUninstallQ828026$\spuninst\spuninst.exe
c:\windows\$xpsp1hfm$\KB828741\comrepl.exe
c:\windows\$xpsp1hfm$\KB828741\migregdb.exe
c:\windows\$xpsp1hfm$\KB828741\spuninst.exe
c:\windows\$xpsp1hfm$\KB828741\update\update.exe
c:\windows\$xpsp1hfm$\KB835732\helpctr.exe
c:\windows\$xpsp1hfm$\KB835732\spuninst.exe
c:\windows\$xpsp1hfm$\KB835732\update\update.exe
c:\windows\$xpsp1hfm$\Q329048\spuninst.exe
c:\windows\$xpsp1hfm$\Q329048\update\update.exe
c:\windows\$xpsp1hfm$\Q329170\spuninst.exe
c:\windows\$xpsp1hfm$\Q329170\update\update.exe
c:\windows\$xpsp1hfm$\Q329390\spuninst.exe
c:\windows\$xpsp1hfm$\Q329390\update\update.exe
c:\windows\$xpsp1hfm$\Q329441\spuninst.exe
c:\windows\$xpsp1hfm$\Q329441\update\update.exe
c:\windows\$xpsp1hfm$\Q329834\spuninst.exe
c:\windows\$xpsp1hfm$\Q329834\update\update.exe
c:\windows\$xpsp1hfm$\Q810577\spuninst.exe
c:\windows\$xpsp1hfm$\Q810577\update\update.exe
c:\windows\$xpsp1hfm$\Q810833\locator.exe
c:\windows\$xpsp1hfm$\Q810833\spuninst.exe
c:\windows\$xpsp1hfm$\Q810833\update\update.exe
c:\windows\$xpsp1hfm$\Q811630\hh.exe
c:\windows\$xpsp1hfm$\Q811630\spuninst.exe
c:\windows\$xpsp1hfm$\Q811630\update\update.exe
c:\windows\$xpsp1hfm$\Q817606\spuninst.exe
c:\windows\$xpsp1hfm$\Q817606\update\update.exe
c:\windows\advisor_update.exe
c:\windows\BCMSMD2K.exe
c:\windows\BCMSMMSG.exe
c:\windows\BCMSMU.exe
c:\windows\CtDrvIns.exe
c:\windows\CtDrvInstall\{70303633-30646576-0000000000000000}\CtDrvIns.exe
c:\windows\CtDrvInstall\{70303633-30646576-0000000000000000}\P0630Cfg.exe
c:\windows\CtDrvInstall\{70303633-30646576-0000000000000000}\P0630Srv.exe
c:\windows\Ctregrun.exe
c:\windows\dla.exe
c:\windows\Driver Cache\i386\ntkrnlmp.exe
c:\windows\Driver Cache\i386\ntkrnlpa.exe
c:\windows\Driver Cache\i386\ntkrpamp.exe
c:\windows\Driver Cache\i386\ntoskrnl.exe
c:\windows\ehome\medctrro.exe
c:\windows\ehome\snchk.exe
c:\windows\explorer.exe
c:\windows\Help\Tours\mmTour\tour.exe
c:\windows\hh.exe
c:\windows\HYDEIST 1 crosshairs 3 pic.exe
c:\windows\Hydeist music room fade.exe
c:\windows\Hydeist.exe
c:\windows\Hydeist1.exe
c:\windows\hydeist5 redeyes.EXE
c:\windows\ime\imjp8_1\cplexe.exe
c:\windows\ime\imjp8_1\imjpdadm.exe
c:\windows\ime\imjp8_1\imjpdct.exe
c:\windows\ime\imjp8_1\imjpdsvr.exe
c:\windows\ime\imjp8_1\imjpinst.exe
c:\windows\ime\imjp8_1\imjpmig.exe
c:\windows\ime\imjp8_1\imjprw.exe
c:\windows\ime\imjp8_1\imjpuex.exe
c:\windows\ime\imjp8_1\imjputy.exe
c:\windows\ime\imkr6_1\imekrmig.exe
c:\windows\ime\imkr6_1\imkrinst.exe
c:\windows\ime\shared\imepadsv.exe
c:\windows\inf\unregmp2.exe
c:\windows\Inst9753.exe
c:\windows\Install.exe
c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\EXCEL.EXE
c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\INFOPATH.EXE
c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\OUTLOOK.EXE
c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\POWERPNT.EXE
c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.7969\WINWORD.EXE
c:\windows\Installer\{09DA4F91-2A09-4232-AB8C-6BC740096DE3}\ARPIcon.exe
c:\windows\Installer\{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}\ARPPRODUCTICON.exe
c:\windows\Installer\{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}\Camio.exe
c:\windows\Installer\{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}\NewShortcut1_2.exe
c:\windows\Installer\{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}\NewShortcut1_4.exe
c:\windows\Installer\{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}\ARPIcon.exe
c:\windows\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
c:\windows\Installer\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}\_3E3FCB283DFC_4BA5_A5A8_E759EABAD01C.exe
c:\windows\Installer\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}\CDLabel.exe
c:\windows\Installer\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}\KK.exe
c:\windows\Installer\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}\KKMain.exe
c:\windows\Installer\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}\MediaSX.exe
c:\windows\Installer\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}\MGIShowServer.exe
c:\windows\Installer\{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}\PMStudio.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\fpicon.exe
c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\misc.exe
c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
c:\windows\Installer\{90170409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\misc.exe
c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
c:\windows\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\pj11icon.exe
c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\misc.exe
c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
c:\windows\Installer\{90510409-6000-11D3-8CFE-0150048383C9}\visicon.exe
c:\windows\Installer\{90A10409-6000-11D3-8CFE-0150048383C9}\joticon.exe
c:\windows\Installer\{90A10409-6000-11D3-8CFE-0150048383C9}\misc.exe
c:\windows\Installer\{90A10409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
c:\windows\Installer\{9541FED0-327F-4DF0-8B96-EF57EF622F19}\RecordNow.exe
c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\SC_Reader.exe
c:\windows\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\ARPPRODUCTICON.exe
c:\windows\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\PaintShopPro_TryNBuy.exe
c:\windows\Installer\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}\PSP_GettingStartedGuide.exe
c:\windows\IsUninst.exe
c:\windows\MPLAYER.EXE
c:\windows\notepad.exe
c:\windows\oeuninst.exe
c:\windows\P0630Cfg.exe
c:\windows\regedit.exe
c:\windows\TASKMAN.EXE
c:\windows\twunk_16.exe
c:\windows\twunk_32.exe
c:\windows\unins000.exe
c:\windows\uninst.exe
c:\windows\unvise32.exe
c:\windows\unvise32qt.exe
c:\windows\Unwash6.exe
c:\windows\winhelp.exe
c:\windows\winhlp32.exe
c:\windows\zllsputility.exe
.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.
2010-04-06 21:40 . 2010-04-06 21:40 -------- d-----w- c:\program files\ERUNT
2010-04-06 05:11 . 2010-04-11 09:14 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-06 01:42 . 2010-04-06 01:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-06 01:41 . 2010-04-06 01:41 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\Malwarebytes
2010-04-06 01:41 . 2010-04-11 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 21:05 . 2010-04-05 21:05 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\SUPERAntiSpyware.com
2010-04-05 21:05 . 2010-04-05 21:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 21:05 . 2010-04-05 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-04-05 20:59 . 2010-04-05 20:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-05 20:50 . 2010-04-05 20:50 2388895 ----a-w- C:\MGtools.exe
2010-04-05 19:59 . 2010-04-05 20:00 -------- d-----w- c:\program files\CCleaner
2010-04-05 11:42 . 2010-04-05 11:42 -------- d-----w- c:\program files\Common Files\Java
2010-03-25 12:22 . 2010-04-05 12:21 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 17:05 . 2009-04-08 23:21 -------- d-----w- c:\program files\BitTorrent
2010-04-10 14:52 . 2010-04-05 21:07 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 21:56 . 2010-04-06 21:56 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-06 21:56 . 2010-04-06 21:56 -------- d-----w- c:\program files\TrendMicro
2010-04-05 21:07 . 2010-04-05 21:07 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 20:29 . 2009-04-06 20:05 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\Spybot - Search & Destroy
2010-04-05 11:31 . 2010-04-05 11:31 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5da2969d-n\msvcp71.dll
2010-04-05 11:31 . 2010-04-05 11:31 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5da2969d-n\jmc.dll
2010-04-05 11:31 . 2010-04-05 11:31 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5da2969d-n\msvcr71.dll
2010-04-05 11:31 . 2010-04-05 11:31 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6751b1b7-n\decora-sse.dll
2010-04-05 11:31 . 2010-04-05 11:31 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6751b1b7-n\decora-d3d.dll
2010-04-05 11:29 . 2009-04-20 20:44 411368 ----a-w- c:\winxphm\system32\deploytk.dll
2010-03-11 12:38 . 2009-04-06 01:55 832512 ----a-w- c:\winxphm\system32\wininet.dll
2010-03-11 12:38 . 2009-08-13 05:02 78336 ----a-w- c:\winxphm\system32\ieencode.dll
2010-03-11 12:38 . 2009-04-06 01:54 17408 ----a-w- c:\winxphm\system32\corpol.dll
2010-03-09 05:13 . 2010-03-09 05:09 -------- d-----w- c:\documents and settings\All Users.WINXPHM\Application Data\NOS
2010-03-09 05:09 . 2010-03-09 05:09 -------- d-----w- c:\program files\NOS
2010-03-02 18:02 . 2009-04-09 05:08 7442880 ----a-w- c:\winxphm\Internet Logs\tvDebug.Zip
2010-02-23 22:26 . 2010-02-23 22:26 161296 ----a-w- c:\winxphm\system32\drivers\tmcomm.sys
2007-02-23 05:08 . 2008-10-31 19:51 925696 ----a-w- c:\program files\GSpot.exe
2007-02-20 00:28 . 2008-10-31 19:51 117974 -c--a-r- c:\program files\GSpot27.dat
2007-01-17 07:37 . 2008-10-31 19:51 3615 -c--a-r- c:\program files\license.txt
2007-01-17 07:37 . 2008-10-31 19:51 10684 -c--a-r- c:\program files\ExportFormat.txt
2005-12-26 05:24 . 2005-12-26 05:24 895488 ----a-w- c:\program files\iview397.exe
2005-12-26 04:36 . 2005-12-26 14:12 900277 ----a-w- c:\program files\HYDEIST music room.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winxphm\System32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\winxphm\System32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"IMJPMIG8.1"="c:\winxphm\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\winxphm\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\winxphm\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\winxphm\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 08:10 11952 ----a-w- c:\winxphm\system32\avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxphm\system32\drivers\avgldx86.sys [4/10/2009 2:33 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winxphm\system32\drivers\avgtdix.sys [4/10/2009 2:33 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/10/2009 2:33 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/10/2009 2:33 AM 297752]
R3 P0630VID;Creative WebCam Live!;c:\winxphm\system32\drivers\P0630Vid.sys [12/20/2009 12:59 PM 91841]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.safer-networking.org/en/index.html
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
AddRemove-KB923789 - c:\winxphm\system32\MacroMed\Flash\genuinst.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 09:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winxphm\system32\WININET.dll
.
Completion time: 2010-04-11 09:58:23
ComboFix-quarantined-files.txt 2010-04-11 16:58
Pre-Run: 14,627,794,944 bytes free
Post-Run: 14,744,514,560 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINXPHM
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINXPHM="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
- - End Of File - - 177034F0CD6F59B13E04F0718EB3586F





DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:06:18.64 on Sun 04/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.183 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINXPHM\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXPHM\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXPHM\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINXPHM\BCMSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINXPHM\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINXPHM\System32\svchost.exe -k imgsvc
C:\WINXPHM\system32\wscntfy.exe
C:\WINXPHM\system32\wuauclt.exe
C:\WINXPHM\system32\notepad.exe
C:\WINXPHM\explorer.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.safer-networking.org/en/index.html
mStart Page = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IgfxTray] c:\winxphm\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winxphm\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [IMJPMIG8.1] "c:\winxphm\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\winxphm\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\winxphm\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\winxphm\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - hxxp://www.collarme.com/chat
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238990141514
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winxphm\system32\drivers\avgldx86.sys [2009-4-10 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winxphm\system32\drivers\avgmfx86.sys [2009-4-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winxphm\system32\drivers\avgtdix.sys [2009-4-10 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 vsdatant;vsdatant;c:\winxphm\system32\vsdatant.sys [2009-4-6 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-10 297752]
R3 P0630VID;Creative WebCam Live!;c:\winxphm\system32\drivers\P0630Vid.sys [2009-12-20 91841]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 vsmon;TrueVector Internet Monitor;c:\winxphm\system32\zonelabs\vsmon.exe -service --> c:\winxphm\system32\zonelabs\vsmon.exe -service [?]
=============== Created Last 30 ================
2010-04-11 16:27:53 0 d-sha-r- C:\cmdcons
2010-04-11 16:25:46 98816 ----a-w- c:\winxphm\sed.exe
2010-04-11 16:25:46 77312 ----a-w- c:\winxphm\MBR.exe
2010-04-11 16:25:46 261632 ----a-w- c:\winxphm\PEV.exe
2010-04-11 16:25:46 161792 ----a-w- c:\winxphm\SWREG.exe
2010-04-06 21:56:34 0 d-----w- c:\program files\TrendMicro
2010-04-06 01:42:16 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-06 01:41:52 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-04-06 01:41:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 21:05:58 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-04-05 21:05:35 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 21:05:35 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-04-05 20:59:40 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-05 20:50:42 2388895 ----a-w- C:\MGtools.exe
2010-04-05 20:24:18 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-05 19:59:53 0 d-----w- c:\program files\CCleaner
2010-04-05 12:34:40 0 d-----w- c:\winxphm\pss
2010-04-05 11:30:22 73728 ----a-w- c:\winxphm\system32\javacpl.cpl
2010-04-03 10:52:54 0 ----a-w- c:\winxphm\00xjvpiu0b1azkr19b978mu8.ini
==================== Find3M ====================
2010-04-05 11:29:59 411368 ----a-w- c:\winxphm\system32\deploytk.dll
2010-03-11 12:38:54 832512 ------w- c:\winxphm\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\winxphm\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\winxphm\system32\corpol.dll
2010-02-23 22:26:53 161296 ----a-w- c:\winxphm\system32\drivers\tmcomm.sys
2007-02-23 05:08:08 925696 ----a-w- c:\program files\GSpot.exe
2007-02-20 00:28:02 117974 -c--a-r- c:\program files\GSpot27.dat
2007-01-17 07:37:50 3615 -c--a-r- c:\program files\license.txt
2007-01-17 07:37:50 10684 -c--a-r- c:\program files\ExportFormat.txt
2005-12-26 05:24:22 895488 ----a-w- c:\program files\iview397.exe
2005-12-26 04:36:09 900277 ----a-w- c:\program files\HYDEIST music room.EXE
============= FINISH: 10:06:59.62 ===============




Attach log:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/5/2009 7:20:48 PM
System Uptime: 4/11/2010 9:01:22 AM (1 hours ago)
Motherboard: Dell Computer Corp. | | 0G1548
Processor: Intel(R) Celeron(R) CPU 2.20GHz | Microprocessor | 2193/400mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 74 GiB total, 13.765 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP373: 3/3/2010 7:06:58 AM - System Checkpoint
RP374: 3/4/2010 7:45:01 AM - System Checkpoint
RP375: 3/5/2010 8:37:03 AM - System Checkpoint
RP376: 3/6/2010 8:43:34 AM - System Checkpoint
RP377: 3/7/2010 9:43:34 AM - System Checkpoint
RP378: 3/8/2010 10:55:34 AM - System Checkpoint
RP379: 3/9/2010 5:55:28 AM - Avg8 Update
RP380: 3/10/2010 6:17:00 AM - System Checkpoint
RP381: 3/11/2010 12:00:24 AM - Software Distribution Service 3.0
RP382: 3/12/2010 12:44:33 AM - System Checkpoint
RP383: 3/13/2010 3:20:34 AM - System Checkpoint
RP384: 3/14/2010 6:32:51 AM - System Checkpoint
RP385: 3/15/2010 7:40:37 AM - System Checkpoint
RP386: 3/16/2010 10:47:41 AM - System Checkpoint
RP387: 3/17/2010 11:47:28 AM - System Checkpoint
RP388: 3/18/2010 1:26:56 PM - System Checkpoint
RP389: 3/18/2010 11:41:47 PM - Avg8 Update
RP390: 3/18/2010 11:44:08 PM - Avg8 Update
RP391: 3/20/2010 12:40:47 AM - System Checkpoint
RP392: 3/21/2010 1:53:14 AM - System Checkpoint
RP393: 3/22/2010 3:54:36 AM - System Checkpoint
RP394: 3/23/2010 6:31:41 AM - System Checkpoint
RP395: 3/24/2010 7:57:22 AM - System Checkpoint
RP396: 3/25/2010 8:28:49 AM - System Checkpoint
RP397: 3/26/2010 10:53:55 AM - System Checkpoint
RP398: 3/27/2010 11:28:51 AM - System Checkpoint
RP399: 3/28/2010 12:28:52 PM - System Checkpoint
RP400: 3/29/2010 1:28:50 PM - System Checkpoint
RP401: 3/30/2010 2:24:31 PM - System Checkpoint
RP402: 3/30/2010 11:55:20 PM - Software Distribution Service 3.0
RP403: 4/1/2010 1:13:32 AM - System Checkpoint
RP404: 4/2/2010 1:47:32 AM - System Checkpoint
RP405: 4/3/2010 4:13:55 AM - System Checkpoint
RP406: 4/4/2010 4:42:08 AM - System Checkpoint
RP407: 4/5/2010 4:12:31 AM - Removed Java(TM) 6 Update 13
RP408: 4/5/2010 4:29:47 AM - Installed Java(TM) 6 Update 19
RP409: 4/5/2010 2:05:33 PM - Installed SUPERAntiSpyware Free Edition
RP410: 4/6/2010 2:56:32 PM - Installed HiJackThis
RP411: 4/7/2010 3:27:25 PM - System Checkpoint
RP412: 4/8/2010 4:27:19 PM - System Checkpoint
RP413: 4/9/2010 5:27:19 PM - System Checkpoint
RP414: 4/10/2010 6:27:24 PM - System Checkpoint
==== Installed Programs ======================
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Advanced Video FX Utility
AVG 8.5
BCM V.92 56K Modem
CCleaner
Creative Photo Manager
Creative WebCam Center
Creative WebCam Live! Driver (1.02.03.0606)
Creative WebCam Live! User's Guide (English)
DNA
ERUNT 1.1j
Foxit Reader
Get Yahoo! Messenger
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Extreme Graphics Driver
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 19
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SightSpeed (remove only)
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VLC media player 1.0.5
WebCam Live! Product Registration
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.2.1 final uninstall
ZoneAlarm
==== Event Viewer Messages From Past Week ========
4/5/2010 4:13:51 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
==== End Of File ===========================

[Blade81]

Hi,

Upload following files to http://www.virustotal.com and post back the results:
c:\qoobox\quarantine\c\windows\$xpsp1hfm$\Q817606\spuninst.exe.vir
c:\qoobox\quarantine\c\windows\Help\Tours\mmTour\tour.exe.vir
c:\qoobox\quarantine\c\windows\hh.exe.vir
c:\qoobox\quarantine\c\windows\notepad.exe.vir
c:\qoobox\quarantine\c\windows\zllsputility.exe.vir

[I_dream_of_Mercury]

Blade, you're quick!

The results for
c:\qoobox\quarantine\c\windows\$xpsp1hfm$\Q817606\spuninst.exe.vir
is here: http://www.virustotal.com/analisis/7...90c-1254306583

For c:\qoobox\quarantine\c\windows\Help\Tours\mmTour\tour.exe.vir:
http://www.virustotal.com/analisis/f...40a-1269495595

For c:\qoobox\quarantine\c\windows\hh.exe.vir:
http://www.virustotal.com/analisis/d...5d7-1262137428

For c:\qoobox\quarantine\c\windows\notepad.exe.vir:
http://www.virustotal.com/analisis/e...a5c-1270044987

For c:\qoobox\quarantine\c\windows\zllsputility.exe.vir:
http://www.virustotal.com/analisis/8...803-1261942749

Thanks for your continued help!

[Blade81]

Hi again,

Uninstall DNA entry that was left after BitTorrent uninstall.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Folder::
c:\program files\BitTorrent
c:\program files\DNA
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows, disable protection and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.