Please Help. Trying to reinstall Spybot and other problems.

appletree · Sep 30, 2009

I can be very wordy sometimes so I will keep it short. Since graduating college I have still been looking for a job (in the oil industry, which sucks right now) and so I still have my sony vaio for about 3 or 4 years now. The past few months its just been getting super slow at everything. I completely followed a whole 40 page tutorial and went through and messed with startup programs and defrag'ed and so forth. Although I have been having problems before this cleanup, so I feel the programs acting up is something else. For the record, I am not an expert but I am fairly knowledgeable with computers and I did not change or edit anything I was unsure about.

Well I wanted to run spybot and I went ahead and updated it and when I go to scan it crashes. I tried uninstalling and reinstalling but to no avail. So I decided to uninstall again and remove all existing spybot files. It won't let me delete SpybotSD.exe, so after research I came here. I also tried downloading Malwarebytes Anti-Malware and well it crashed. I did download and run ERUNT and tried running HJT but it crashed and won't reopen. I get the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

thanks in advance for any help in this matter.

.austin

Hi,

I felt I should add more information and be more specific with my problem.

My computer specifications: (using belarc advisor)

Windows XP Professional Service Pack 3 (build 2600)

Sony Corporation VGC-RB38G

3.40 gigahertz Intel Pentium 4
16 kilobyte primary memory cache
1024 kilobyte secondary memory cache
Hyper-threaded (2 total)

250.05 Gigabytes Usable Hard Drive Capacity

1024 Megabytes Usable Installed Memory

76.24 Gigabytes Hard Drive Free Space

I am not sure what else you might need from that as there is like three pages of information.

..........

Ok, so that's my computer and I have had it for around 3 years, most of my time spent in college I had it. After freshman year my laptop crapped out so I got this. About a year and half ago my power flickered causing my hard drive to crash. After I got a new one and my schools computer place fixed it they named my drive wrong and I spent forever trying to change it from Baker to Austin.

Usually the first result in google always redirects me to another website or some random search engine or even youtube. AVG, Spybot, Malwarebytes, and HJT all closed shortly after running and they won't reopen.

Once again I greatly appreciate any volunteer helping me with this matter.

.austin

shelf life · Oct 4, 2009

see if you can get a copy of drweb on board to run;

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit icon to start the program.
* press start
* Allow the program to run the initial express scan
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note

If the file cannot be cured, Dr.Web will automatically delete the file)
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply.

appletree · Oct 5, 2009

Thanks for your reply. I hate to say it but Dr. Web was a no go. It ran the initial scan and did not find anything. A pop-up came up at the end about (sorry I don't fully remember its contents) how something in windows had been modified and if I wanted to restore to the defaults, which I did. Then following your instructions I started the full scan in which its prepares to scan for about a minute or two then just closes. I tried again and it did the same thing just shut down. I checked the menu bar and still did not find it. Unlike other programs it does reopen (usually Spybot and others won't even reopen) but to no avail.

I await any further instructions, thanks for your patience and help.

.austin

shelf life · Oct 5, 2009

ok we will try something else. Its called Combofix. There is a guide to read first which will explain what you need to know. Read through the guide. Before you save combofix to your desktop, rename it to combofix1.exe then save it.
Disable your AV etc has explained in the guide, double click combofix1.exe on your desktop and follow the prompts. Post the log if successful.

Guide to using Combofix

appletree · Oct 5, 2009

Thanks for the reply once again. Before I post the log I feel I should be as specific as possible.

1) I went to rename the text file and realized that I was supposed to rename the program and messed that up. If I need to remove ComboFix and redo it after naming the program combofix1.exe I will if instructed. I apologize.

2) When ComboFix was running (I did not see it in the directions) my computer restarted and ComboFix continued to make my log and run as normal. Although once restarted programs opened. iTunes, AIM, yahoo widgets and I noticed some anti virus programs re-enabled themselves. I continued to let ComboFix run (the window stating preparing log report was open) and I closed all programs. I also disabled antivir and mcafee.

3) All other instructions followed as stated in the guide. No problems but the ones I mentioned. I never clicked on the window nor used the computer (except upon computer restarting).

once again thanks a ton for the help

.austin

<<<<<<<<<<<<<<<<<<<<<<The log is as follows>>>>>>>>>>>>>>>>>>>>

ComboFix 09-10-04.01 - Baker 10/04/2009 21:29.1.2 - NTFSx86
Running from: c:\documents and settings\Baker\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2000478354-616249376-682003330-500
c:\windows\Installer\1c1783c5.msi
c:\windows\Installer\1c1783c6.msp
c:\windows\Installer\1c1783c7.msp
c:\windows\Installer\1c1783c8.msp
c:\windows\Installer\1c1783c9.msp
c:\windows\Installer\1c1783ca.msp
c:\windows\Installer\1c1783cb.msp
c:\windows\Installer\1c1783cc.msp
c:\windows\Installer\1c1783cd.msp
c:\windows\Installer\1c1783ce.msp
c:\windows\Installer\1c1783cf.msp
c:\windows\Installer\1f65cbec.msi
c:\windows\Installer\27b3415c.msi

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-04 23:33 . 2009-10-05 00:21 -------- d-----w- c:\documents and settings\Baker\DoctorWeb
2009-09-30 14:18 . 2009-09-30 14:18 -------- d-----w- c:\program files\Belarc
2009-09-30 14:18 . 2008-03-06 16:51 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2009-09-30 04:10 . 2009-09-30 04:10 -------- d-----w- c:\program files\ERUNT
2009-09-30 04:02 . 2009-09-30 04:02 -------- d-----w- c:\documents and settings\Baker\Application Data\Malwarebytes
2009-09-30 04:02 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 04:02 . 2009-09-30 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 04:02 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 04:02 . 2009-09-30 04:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 01:21 . 2009-09-30 04:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 23:24 . 2009-09-29 23:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2009-09-29 19:21 . 2009-09-30 01:28 -------- d-----w- c:\program files\TweakNow RegCleaner
2009-09-29 19:21 . 2009-09-30 01:28 -------- d-----w- c:\documents and settings\Baker\Application Data\TweakNow RegCleaner
2009-09-29 03:23 . 2009-09-29 03:23 -------- d-----w- c:\program files\Trend Micro
2009-09-18 13:52 . 2009-09-18 14:04 -------- d-----w- c:\program files\RAR Password Cracker
2009-09-18 06:36 . 2009-10-05 02:29 0 ----a-w- c:\windows\win32k.sys
2009-09-15 05:46 . 2009-09-15 05:47 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-15 05:43 . 2009-09-15 05:43 -------- d-----w- c:\program files\iPod
2009-09-15 05:43 . 2009-09-15 05:45 -------- d-----w- c:\program files\iTunes
2009-09-15 05:43 . 2009-09-15 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 05:37 . 2009-09-15 05:39 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 02:45 . 2008-07-25 19:36 -------- d-----w- c:\documents and settings\Baker\Application Data\WTablet
2009-10-03 14:09 . 2008-06-09 22:57 -------- d-----w- c:\documents and settings\Baker\Application Data\uTorrent
2009-09-30 04:27 . 2008-06-10 18:15 -------- d-----w- c:\program files\Spybot - Search & Destroy_old
2009-09-30 03:34 . 2008-06-10 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-29 05:21 . 2008-07-26 05:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-09-29 04:11 . 2008-06-03 21:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 04:10 . 2009-02-07 01:35 -------- d-----w- c:\program files\BAS
2009-09-29 03:44 . 2008-06-10 18:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-22 08:26 . 2008-06-11 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 02:08 . 2008-06-09 23:26 -------- d-----w- c:\documents and settings\Baker\Application Data\Apple Computer
2009-09-15 05:43 . 2008-06-09 23:24 -------- d-----w- c:\program files\Common Files\Apple
2009-08-29 00:42 . 2009-03-27 02:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-10-09 07:16 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 13:26 . 2008-06-11 08:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:26 . 2008-06-11 08:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:26 . 2008-06-11 08:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-09 06:35 . 2008-06-10 02:12 23864 -c--a-w- c:\documents and settings\Baker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 02:47 . 2009-08-09 02:47 -------- d-----w- c:\program files\MSBuild
2009-08-06 08:19 . 2009-08-06 08:19 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 03:09 . 2009-03-23 00:46 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\LaunchPd.exe" [2001-10-02 98304]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"ccleaner"="c:\documents and settings\Baker\My Documents\safety first\CCleaner.exe" [2009-01-20 1451248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-27 1830128]
"Octoshape Streaming Services"="c:\documents and settings\Baker\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-12 70936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WUSB54Gv2"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2008-10-14 172032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-12 61952]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-10-21 2744832]

c:\documents and settings\Baker\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-6-9 3581680]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2008-12-4 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Baker\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Raptr\\Raptr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51321:TCP"= 51321:TCP:51321
"62515:UDP"= 62515:UDP:Cisco VPN Service

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-28 908056]
R3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\DRIVERS\atinysxx.sys [2005-01-26 79360]
R3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\DRIVERS\atinyvxx.sys [2005-01-26 174592]
R3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\DRIVERS\atinyuxx.sys [2005-01-26 64512]
R3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\Drivers\ATIUTD.sys [2005-01-26 38912]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\DRIVERS\PAC7302.SYS [2007-06-14 457856]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\DRIVERS\atinyttx.sys [2005-01-26 13824]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-04-23 15656]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-28 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-05 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-27 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-06-06 3406120]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2007-08-08 12032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
uInternet Settings,ProxyServer = socks=
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Baker\Application Data\Mozilla\Firefox\Profiles\fk8errpw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/ | www.facebook.com
FF - component: c:\documents and settings\Baker\Application Data\Mozilla\Firefox\Profiles\fk8errpw.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Baker\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {1B1E558C-4DA4-4AA8-85F2-C8E2BAA23F20} - c:\documents and settings\Baker\Local Settings\Application Data\{1B1E558C-4DA4-4AA8-85F2-C8E2BAA23F20}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 21:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Baker\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
c:\program files\Razer\Lachesis\OSD.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Razer\Lachesis\razertra.exe
c:\program files\Razer\Lachesis\razerofa.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-10-05 21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 02:51

Pre-Run: 73,529,495,552 bytes free
Post-Run: 77,495,967,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

249 --- E O F --- 2009-10-04 08:01

shelf life · Oct 5, 2009

ok good. Check Malwarebytes for updates and do a scan with it and post the log:

click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select Scanner tab, Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items. If prompted please chose yes to restart your computer.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

appletree · Oct 6, 2009

First I removed Malwarebytes from my machine through the control panel and reinstalled the newest version.

After updating like you instructed I ran a full scan and it actually did not crash.

Once again thanks for the help.

.austin

<<<<<<<<<<<<<<<<<The following log was produced>>>>>>>>>>>>>>>>>

Malwarebytes' Anti-Malware 1.41
Database version: 2911
Windows 5.1.2600 Service Pack 3

10/5/2009 9:40:14 PM
mbam-log-2009-10-05 (21-40-14).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 209314
Time elapsed: 2 hour(s), 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FB130BB5-9AE3-40F6-97B9-C422EE2C9759}\RP462\A0102031.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

shelf life · Oct 6, 2009

hi,

ok thanks for the info. Disable your AV again and run combofix once more. It may update itself first. If prompted let it update, otherwise just let it run and post the log. After combofix is done download and run Rootrepeal. Link and directions:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

appletree · Oct 7, 2009

once again thanks for the help. combofix gave me an error at first that I still had mcafee virusscan enterprise on but I was sure I didnt. I exited out of two processes that started with mc... (I am not sure if that is dangerous or harmful to computer but yeah)

ComboFix ran and produced a report, it didn't restart my computer this time and I did update it when asked.

RootRepeal ran and opened a report when done both are posted in the following

Thanks for your help.

<<<<<<<<<<<<<<<<<<<<<<ComboFix Starts Here>>>>>>>>>>>>>>>>>>>>

ComboFix 09-10-06.03 - Baker 10/06/2009 20:56.2.2 - NTFSx86
Running from: c:\documents and settings\Baker\Desktop\combofix1.exe.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-06 00:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-06 00:33 . 2009-10-06 00:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 00:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-04 23:33 . 2009-10-05 00:21 -------- d-----w- c:\documents and settings\Baker\DoctorWeb
2009-09-30 14:18 . 2009-09-30 14:18 -------- d-----w- c:\program files\Belarc
2009-09-30 14:18 . 2008-03-06 16:51 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2009-09-30 04:10 . 2009-09-30 04:10 -------- d-----w- c:\program files\ERUNT
2009-09-30 04:02 . 2009-09-30 04:02 -------- d-----w- c:\documents and settings\Baker\Application Data\Malwarebytes
2009-09-30 04:02 . 2009-09-30 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 01:21 . 2009-09-30 04:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 23:24 . 2009-09-29 23:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2009-09-29 19:21 . 2009-09-30 01:28 -------- d-----w- c:\program files\TweakNow RegCleaner
2009-09-29 19:21 . 2009-09-30 01:28 -------- d-----w- c:\documents and settings\Baker\Application Data\TweakNow RegCleaner
2009-09-29 03:23 . 2009-09-29 03:23 -------- d-----w- c:\program files\Trend Micro
2009-09-18 13:52 . 2009-09-18 14:04 -------- d-----w- c:\program files\RAR Password Cracker
2009-09-15 05:46 . 2009-09-15 05:47 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-15 05:43 . 2009-09-15 05:43 -------- d-----w- c:\program files\iPod
2009-09-15 05:43 . 2009-09-15 05:45 -------- d-----w- c:\program files\iTunes
2009-09-15 05:43 . 2009-09-15 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 05:37 . 2009-09-15 05:39 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 01:43 . 2008-06-09 22:57 -------- d-----w- c:\documents and settings\Baker\Application Data\uTorrent
2009-10-06 02:45 . 2008-07-25 19:36 -------- d-----w- c:\documents and settings\Baker\Application Data\WTablet
2009-09-30 04:27 . 2008-06-10 18:15 -------- d-----w- c:\program files\Spybot - Search & Destroy_old
2009-09-30 03:34 . 2008-06-10 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-29 05:21 . 2008-07-26 05:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-09-29 04:11 . 2008-06-03 21:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 04:10 . 2009-02-07 01:35 -------- d-----w- c:\program files\BAS
2009-09-29 03:44 . 2008-06-10 18:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-22 08:26 . 2008-06-11 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 02:08 . 2008-06-09 23:26 -------- d-----w- c:\documents and settings\Baker\Application Data\Apple Computer
2009-09-15 05:43 . 2008-06-09 23:24 -------- d-----w- c:\program files\Common Files\Apple
2009-08-29 00:42 . 2009-03-27 02:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-10-09 07:16 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 13:26 . 2008-06-11 08:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:26 . 2008-06-11 08:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:26 . 2008-06-11 08:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-09 06:35 . 2008-06-10 02:12 23864 -c--a-w- c:\documents and settings\Baker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 02:47 . 2009-08-09 02:47 -------- d-----w- c:\program files\MSBuild
2009-08-06 03:09 . 2009-03-23 00:46 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-05_02.46.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-06 00:29 . 2009-10-06 00:29 208896 c:\windows\ERDNT\AutoBackup\10-5-2009\Users\00000002\UsrClass.dat
+ 2009-10-06 00:29 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\10-5-2009\ERDNT.EXE
+ 2009-10-06 00:29 . 2009-10-06 00:29 8716288 c:\windows\ERDNT\AutoBackup\10-5-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\LaunchPd.exe" [2001-10-02 98304]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"ccleaner"="c:\documents and settings\Baker\My Documents\safety first\CCleaner.exe" [2009-01-20 1451248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-27 1830128]
"Octoshape Streaming Services"="c:\documents and settings\Baker\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-12 70936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WUSB54Gv2"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2008-10-14 172032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-12 61952]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-10-21 2744832]

c:\documents and settings\Baker\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-6-9 3581680]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2008-12-4 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Baker\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Raptr\\Raptr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51321:TCP"= 51321:TCP:51321
"62515:UDP"= 62515:UDP:Cisco VPN Service

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-28 908056]
R3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\DRIVERS\atinysxx.sys [2005-01-26 79360]
R3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\DRIVERS\atinyvxx.sys [2005-01-26 174592]
R3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\DRIVERS\atinyuxx.sys [2005-01-26 64512]
R3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\Drivers\ATIUTD.sys [2005-01-26 38912]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\DRIVERS\PAC7302.SYS [2007-06-14 457856]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\DRIVERS\atinyttx.sys [2005-01-26 13824]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-04-23 15656]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-28 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-05 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-27 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-06-06 3406120]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2007-08-08 12032]

.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
uInternet Settings,ProxyServer = socks=
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Baker\Application Data\Mozilla\Firefox\Profiles\fk8errpw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/ | www.facebook.com
FF - component: c:\documents and settings\Baker\Application Data\Mozilla\Firefox\Profiles\fk8errpw.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Baker\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {1B1E558C-4DA4-4AA8-85F2-C8E2BAA23F20} - c:\documents and settings\Baker\Local Settings\Application Data\{1B1E558C-4DA4-4AA8-85F2-C8E2BAA23F20}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 21:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Baker\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5640)
c:\windows\system32\WININET.dll
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-07 21:02
ComboFix-quarantined-files.txt 2009-10-07 02:02

Pre-Run: 79,750,537,216 bytes free
Post-Run: 80,019,697,664 bytes free

195 --- E O F --- 2009-10-04 08:01

<<<<<<<<<<<<<<<<<<ComboFix Ends Here>>>>>>>>>>>>>>>>>>>>>

<<<<<<<<<<<<<<<<<<RootRepeal Starts Here>>>>>>>>>>>>>>>>>>>

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 21:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Baker\LOCALS~1\Temp\catchme.sys
Address: 0xF794B000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB644D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AED000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP4616
Image Path: \Driver\PCI_PNP4616
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7AD5000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2A87000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwb.sys
Image Path: spwb.sys
Address: 0xF7482000 Size: 1048576 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RECYCLER
Status: Locked to the Windows API!

Path: \\?\C:\RECYCLER\*
Status: Could not enumerate files with the Windows API (0x00000005)!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b6d956

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7b6d94c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7b6d95b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7b6d965

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwb.sys" at address 0xf74a1ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spwb.sys" at address 0xf74a2030

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7b6d96a

#: 119 Function Name: NtOpenKey
Status: Hooked by "spwb.sys" at address 0xf74830c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b6d938

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7b6d93d

#: 160 Function Name: NtQueryKey
Status: Hooked by "spwb.sys" at address 0xf74a2108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spwb.sys" at address 0xf74a1f88

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7b6d974

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7b6d96f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7b6d960

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7b6d947

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x86fd31f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_CREATE]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_CLOSE]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_READ]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_WRITE]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_CLEANUP]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ扏煓ࠁఄ灐畳畘⠈뢸ÿ, IRP_MJ_PNP]
Process: System Address: 0x86bda500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86ad11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x86cae500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x86f661f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x86cce1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x86cce1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86cce1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86cce1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x86cce1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86cce1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x86cce1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x86fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x86bd7500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x86bd7500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86bd7500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86bd7500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x86bd7500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x86bd7500 Size: 121

Object: Hidden Code [Driver: ACPI#PNP, IRP_MJ_CREATE]
Process: System Address: 0x86ac91f8 Size: 121

Object: Hidden Code [Driver: ACPI#PNP, IRP_MJ_CLOSE]
Process: System Address: 0x86ac91f8 Size: 121

Object: Hidden Code [Driver: ACPI#PNP, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ac91f8 Size: 121

Object: Hidden Code [Driver: ACPI#PNP, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ac91f8 Size: 121

Object: Hidden Code [Driver: ACPI#PNP, IRP_MJ_POWER]
Process: System Address: 0x86ac91f8 Size: 121

Object: Hidden Code [Driver: ACPI#PNP, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ac91f8 Size: 121

Object: Hidden Code [Driver: ACPI#PNP, IRP_MJ_PNP]
Process: System Address: 0x86ac91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86d5e500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86d5e500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d5e500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d5e500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86d5e500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d5e500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86d5e500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x86bc5500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_READ]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x86c01500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ః瑎て, IRP_MJ_PNP]
Process: System Address: 0x86c01500 Size: 121

==EOF==

<<<<<<<<<<<<<<<<<RootRepeal Ends Here>>>>>>>>>>>>>>>

shelf life · Oct 8, 2009

thanks for all the info. combofix replaced a file but other than that Iam not seeing much as far as malware goes. Hows it all looking on your end now?

appletree · Oct 8, 2009

Ok wow um yeah I guess things are better. A few questions though, if you dont mind.

1. I have not tried running spybot or any others yet. Do I need to redownload them and install them fresh. If so is the control panels add/remove programs good enough to remove before reinstalling?

2. I feel I may have too many programs. Should I have only like 1 antivirus program and a few others?

3. Can you suggest programs/applications to use even if weekly or whatever that I maybe should use on this computer and future computers I own (I plan on building one and running windows 7)

4. Similar to question 1 since a lot of programs were giving me error messages and not allowing me to delete the programs from 'program files'. Do I need to try and run HJT?

5. Thanks a lot for your help and I appreciate everything.

shelf life · Oct 9, 2009

ok no problem, I like questions.

1) yes you can try running them now. always use the add/remove programs panel for uninstalling software. If the programs give you problems: uninstall first and re-download/install.

2) For sure you have to many antivirus apps. Only one of those per computer. definitely remove two of them via the add/remove programs panel and reboot your computer after the uninstall. Antimalware apps 2 -3 is plenty. One firewall per computer.

3) The core security apps would be 1 AV and 2-3 anti-malware.

4) Once a program is uninstalled from the add/remove programs panel then you should be able to delete the folder in C:\Program Files, but its not necessary to do so. Yes you can run and post a hjt log.

malware prevention is more than just having the core security apps like AV etc, normally i save this for last but here are some other tips that will help:

Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.

1) It is essential to Keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you frequently have malware then you should review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the limitations of a software firewall.

9) A utility for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. You can also manually make the changes yourself. Read the FAQ's. Changes some of the default settings of IE 8.0

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

More questions? fire away.

Please Help. Trying to reinstall Spybot and other problems.

appletree

New member

shelf life

Emeritus

appletree

New member

shelf life

Emeritus

appletree

New member

shelf life

Emeritus

appletree

New member

shelf life

Emeritus

appletree

New member

shelf life

Emeritus

appletree

New member

shelf life

Emeritus