Zombie Worm

C

ChugNut

New member
Have been trying to remove zbot / ngen trojan thing for the last two days , but it's so far managed to defeat SB S&D, MalwareBytes, SuperAntiSpyware and nothing seems to show that's obvious in hijack this.

SuperAntiSpyware and Spybot both discover the thread, and apparently remove it, but on reboot, it's back again.

Symptoms include :

Random infrequent pop-ups in new windows or new tabs in firefox.

Disabled Windows Update in IE (or scheduled task)

Disabled update in Malwarebytes

Constant accessing of Floppy Disk.

Hard disk making nose frequently when nothing is apparently running (I'm not loading programs or anything.)



SuperAntiSpyware labels it as Backdoor.Bot[Zbot] / Malware.Trace / Trojan.Agent/Gen

Any ideas short of reinstalling windows would be appreciated! :thanks:

Updated from first post:




Have been trying to remove zbot / ngen trojan thing for the last two days , but it's so far managed to defeat SB S&D, MalwareBytes, SuperAntiSpyware and nothing seems to show that's obvious in hijack this.


SuperAntiSpyware and Spybot both discover the thread, and apparently remove it, but on reboot, it's back again.


Symptoms include :


Random infrequent pop-ups in new windows or new tabs in firefox.


Disabled Windows Update in IE (or scheduled task)


Access to windows update site (microsoft domain) disabled (times out)


Disabled update in Malwarebytes


Constant accessing of Floppy Disk.


Cannot install manual windows service pack updates (SP3) - get ACCESS DENIED


Hard disk making nose frequently when nothing is apparently running (I'm not loading programs or anything.)


Every time I start windows, Spybot prevents several changes to the registry, including a remote desktop program, a change of user init and a few other things.


Two CMD.exe boxes also quickly run before anything else has a chance to load.






Seems that both Spybot & SuperAntiSpyware labels it as Backdoor.Bot[Zbot] / Malware.Trace / Trojan.Agent/Gen


Any ideas short of reinstalling windows would be appreciated!






BTW - since trying to post on this forum, I've had intermittent connection problems to the site, hopefully the trojan/backdoor thing isn't intelligent to block access to the site!


Yesterday my diskspace has went from 12gig free to 100meg .. Not sure what's going on, as nothing shows when running WinDirStat to find it!


I've tried booting windows from a DVD, then deleting the sdra64.exe file manually, but it's come back.


The trojan is running inside firefox, as even in SAFE MODE , without a browser open, there will be processes for Firefox running.


So yeah, I have the following :
http://www.threatexpert.com/report.aspx?md5=5adb8989296959faebb89db4d2558bd7 the zbot worm.








Here's the DDS Log






DDS (Ver_10-03-17.01) - NTFSx86
Run by John at 20:40:51.65 on 25/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.965 [GMT 1:00]


AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}


============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe


============== Pseudo HJT Report ===============


mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\bonjour\mdnsrespondersrv.exe,c:\windows\system32\sdra64.exe,
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279826211718
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {E23136A1-1AC4-4D1B-926F-5D537CFFF359} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcYPfee
LSA: Notification Packages = scecli scecli scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com


============= SERVICES / DRIVERS ===============


R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-8-26 42752]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-8-26 55680]
S1 510f9a85;510f9a85;c:\windows\system32\drivers\510f9a85.sys [2009-3-26 0]
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [2007-12-29 166504]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2007-4-1 13224]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]


=============== Created Last 30 ================


2010-07-25 19:39:15 92216 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-25 18:12:44 105 ----a-w- C:\zoom.bat
2010-07-25 17:29:24 0 d-sh--w- c:\windows\system32\lowsec
2010-07-25 00:19:49 54156 ---ha-w- c:\windows\QTFont.qfn
2010-07-25 00:19:49 1409 ----a-w- c:\windows\QTFont.for
2010-07-24 17:24:47 19569 ----a-w- c:\windows\001442_.tmp
2010-07-24 17:24:11 8454656 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-07-24 17:24:08 26112 ----a-w- c:\windows\system32\userinit.exe
2010-07-24 16:38:29 19569 ----a-w- c:\windows\001441_.tmp
2010-07-24 00:04:46 0 d-----w- C:\VundoFix Backups
2010-07-23 23:32:11 46080 ----a-w- c:\windows\system32\MsiExecSrv.exe
2010-07-23 23:31:15 46080 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-21 20:39:21 0 d-----w- c:\program files\riva
2010-07-09 21:29:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-07-09 21:29:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-07-09 21:29:24 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-07-07 22:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-07-07 22:26:31 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-07 22:26:28 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-07 22:26:28 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-07-07 22:26:28 0 ----a-w- c:\windows\system32\nvdrswr.lk
2010-07-07 22:24:42 7959 ----a-w- c:\windows\system32\nvinfo.pb
2010-07-07 22:24:42 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-07 22:24:40 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-07 22:24:40 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-07 22:24:40 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-07 22:24:39 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-07-07 22:24:39 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-07 13:57:09 0 d-----w- c:\program files\Sculptris


==================== Find3M ====================


2010-06-07 23:57:00 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57:00 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57:00 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57:00 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-06-07 23:57:00 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 16:34:52 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-07 16:34:42 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-07 16:34:42 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 16:34:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-07 16:34:40 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-07 16:34:40 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-06-06 14:33:08 508 --sh--r- c:\docume~1\alluse~1\applic~1\winpage.sys
2010-05-28 11:58:26 600680 ----a-w- c:\windows\system32\NVUninst.exe
2008-07-20 13:32:10 88 --sha-r- c:\windows\system32\41DF03AF1D.sys
2008-07-20 13:32:51 1264 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-27 21:23:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat


============= FINISH: 20:44:37.81 ===============
 
Last edited by a moderator:
hi ChugNut,

you have some nasty malware on board, and yes it can block you from reaching websites as well as redirect your browsing. Your log is few days old if you still need help simply post back.
 
shelf life said:
hi ChugNut,

you have some nasty malware on board, and yes it can block you from reaching websites as well as redirect your browsing. Your log is few days old if you still need help simply post back.
Click to expand...



Yes indeed! I still can't actually post responses to this forum at home still!

Help would be very much appreciated!

Here's the latest DDS log :

DDS (Ver_10-03-17.01) - NTFSx86
Run by John at 21:20:17.82 on 29/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.793 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\bonjour\mdnsrespondersrv.exe,c:\windows\system32\sdra64.exe,,c:\program files\bonjour\mdnsrespondersrvsrv.exe,c:\program files\microsoft\desktoplayer.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Sony Ericsson PC Companion] "c:\program files\sony ericsson\sony ericsson pc companion\PCCompanion.exe" /Background
uRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279826211718
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {E23136A1-1AC4-4D1B-926F-5D537CFFF359} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcYPfee
LSA: Notification Packages = scecli scecli scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\sotg653z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\documents and settings\john\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: XUL Cache: {F661641E-4CB4-45DB-A27B-B7276CB893BC} - c:\documents and settings\john\local settings\application data\{F661641E-4CB4-45DB-A27B-B7276CB893BC}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-8-26 42752]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-8-26 55680]
S1 510f9a85;510f9a85;c:\windows\system32\drivers\510f9a85.sys [2009-3-26 0]
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [2007-12-29 166504]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2007-4-1 13224]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-5 38224]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2010-7-27 153808]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

=============== Created Last 30 ================

2010-07-27 21:50:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-27 21:31:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-07-27 21:29:28 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-07-27 21:28:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Ericsson
2010-07-27 21:20:35 46080 ----a-w- c:\windows\system32\RUNDLL32Srv.exe
2010-07-27 21:17:53 545 ----a-w- c:\windows\UC.PIF
2010-07-27 21:17:53 545 ----a-w- c:\windows\RAR.PIF
2010-07-27 21:17:53 545 ----a-w- c:\windows\PKZIP.PIF
2010-07-27 21:17:53 545 ----a-w- c:\windows\PKUNZIP.PIF
2010-07-27 21:17:53 545 ----a-w- c:\windows\NOCLOSE.PIF
2010-07-27 21:17:53 545 ----a-w- c:\windows\LHA.PIF
2010-07-27 21:17:53 545 ----a-w- c:\windows\ARJ.PIF
2010-07-27 21:17:53 0 d-----w- C:\totalcmd
2010-07-27 21:17:53 0 d-----w- c:\docume~1\john\applic~1\GHISLER
2010-07-26 21:37:51 250 ----a-w- c:\windows\gmer.ini
2010-07-26 21:34:49 0 d-----w- c:\windows\system32\riva
2010-07-26 20:35:05 0 d-----w- c:\program files\ESET
2010-07-26 20:14:38 0 d-----w- c:\program files\TabletPlugins
2010-07-26 20:09:56 0 d-----w- c:\windows\system32\lowsec
2010-07-25 19:39:15 92216 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-25 18:12:44 105 ----a-w- C:\zoom.bat
2010-07-25 00:19:49 54156 ---ha-w- c:\windows\QTFont.qfn
2010-07-25 00:19:49 1409 ----a-w- c:\windows\QTFont.for
2010-07-24 17:24:47 19569 ----a-w- c:\windows\001442_.tmp
2010-07-24 17:24:11 8454656 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-07-24 17:24:08 26112 ----a-w- c:\windows\system32\userinit.exe
2010-07-24 16:38:29 19569 ----a-w- c:\windows\001441_.tmp
2010-07-24 00:04:46 0 d-----w- C:\VundoFix Backups
2010-07-23 23:32:11 46080 ----a-w- c:\windows\system32\MsiExecSrv.exe
2010-07-23 23:31:15 46080 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-21 20:39:21 0 d-----w- c:\program files\riva
2010-07-09 21:29:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-07-09 21:29:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-07-09 21:29:24 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-07-07 22:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-07-07 22:26:31 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-07 22:26:28 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-07 22:26:28 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-07-07 22:26:28 0 ----a-w- c:\windows\system32\nvdrswr.lk
2010-07-07 22:24:42 7959 ----a-w- c:\windows\system32\nvinfo.pb
2010-07-07 22:24:42 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-07 22:24:40 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-07 22:24:40 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-07 22:24:40 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-07 22:24:39 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-07-07 22:24:39 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-07 13:57:09 0 d-----w- c:\program files\Sculptris

==================== Find3M ====================

2010-07-27 21:49:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 23:57:00 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57:00 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57:00 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57:00 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-06-07 23:57:00 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 16:34:52 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-07 16:34:42 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-07 16:34:42 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 16:34:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-07 16:34:40 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-07 16:34:40 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-06-06 14:33:08 508 --sh--r- c:\docume~1\alluse~1\applic~1\winpage.sys
2010-05-28 11:58:26 600680 ----a-w- c:\windows\system32\NVUninst.exe
2008-07-20 13:32:10 88 --sha-r- c:\windows\system32\41DF03AF1D.sys
2008-07-20 13:32:51 1264 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-27 21:23:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 21:21:48.06 ===============
 
hi,

We will get a download to use. Its called combofix. There is a short guide to read first about using combofix. Please read through the guide and apply the instructions on your own computer. Post the combofix log in your reply:

Guide to using Combofix
 
Downloaded and tried running combo fix as per instructions. It ran but said it was corrupted. I downloaded again from the second mirror on the site, and ran it, my machine now refuses to run windows in any mode ( normal, safe mode command line etc or last known good settings)

Is this normal?

Is the machine now irrecoverably broken, or having the windows install disk, could I install windows again and keep my files, if only as a temporary
fix in order to back up what I'd not already saved?
 
No, its not normal. So it dosnt boot past the screen with all the options listed?
You could try a repair of Windows, which should leave your files intact.
If you have commercially purchased machine then you should first visit there web site for information. It may have a restore partition on the hard drive as a option, but would this keep all your data, I cant say thats why you should check the website first for possible options before you do anything.

Some links for a repair of XP;

Repair XP
Repair XP
 
Okay, I did a repair install last night, I saved off all my files to an external HD, its now booting, but it looks like ComboFix deleted my TCPIP settings, so no internet.

I tried restoring the files, a fresh install of winsock and netsh to reset TCPIP, all to no avail.

Combofix log shows it's deleted a bunch of things ( again, no internet access so can't post logs) , but it appears the malware is still active and alert.

One thing it couldn't delete was DesktopLayer.exe - which appears to be a component of the zbot malware.

Am going to trade another "in-place upgrade" (as I did the first time to restore booting after the first combofix run) to fix my internet.

Hopefully I can post the logs tonight if successful.


I can monitor this forum from my phone/work, but as yet still (when the internet was working atleast) can't post on this forum (connection reset) and windows update site is disabled also.



.
 
Okay, pulled up a spare drive and did a clean install. Hopefully nothing was written to the BIOS, wasn't sure if I had the manufacturer disks, so didn't reset to factory settings , but simply unplugged the old HD and plugged in a new one.

Am busy reinstalling SpyBot/Malwarebytes etc, and hopefully on a clean install will be (temporarily at least) spyware free... :clown:
 
If you have pulled off files you want to keep why not just reformat and reinstall Windows? Can you post the combofix log? I think a repair would have fixed a tcp/ip issue. At the most combofix would disconnect you from the internet during a run, not remove vital Window components.

In cmd prompt type; and see if you get a reply

Code: 
ping -n 5 localhost
 
Okay, it came back, I think I failed when I plugged in the infected drive as a slave.

I ran combofix, here's the latest log, though it lists most of the files as deleted, I still appear to have rouge processes running (IE will be running as a process without there being any actual IE windows open)

LOG :

ComboFix 10-08-10.01 - JohnnySix 08/10/2010 21:04:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1231 [GMT 1:00]
Running from: c:\documents and settings\JohnnySix\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JohnnySix\Application Data\Aviva\wyarh.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-10 19:49 . 2010-08-10 19:54 -------- d-----w- c:\windows\system32\NtmsData
2010-08-10 18:56 . 2010-08-10 18:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-09 20:30 . 2010-08-09 20:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-09 19:08 . 2010-08-09 20:30 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-09 18:48 . 2010-08-09 18:48 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-09 18:45 . 2010-08-10 19:47 -------- d-----w- c:\program files\riv
2010-08-08 05:35 . 2010-08-08 05:35 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Identities
2010-08-07 22:03 . 2010-08-07 23:28 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\vlc
2010-08-07 21:55 . 2010-08-07 21:55 -------- d-----w- c:\program files\VideoLAN
2010-08-07 21:02 . 2010-08-07 21:07 -------- d-----w- c:\program files\ConTEXT
2010-08-07 18:13 . 2010-08-07 18:13 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-08-07 18:09 . 2010-08-07 18:09 -------- d-----w- c:\program files\riva
2010-08-07 18:09 . 2010-08-10 20:07 -------- d-----w- c:\program files\Microsoft
2010-08-07 17:55 . 2010-08-08 16:18 -------- d-----w- C:\UT2004
2010-08-07 17:32 . 2010-08-10 20:07 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Aviva
2010-08-07 16:56 . 2008-04-13 23:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-08-07 16:37 . 2010-08-07 17:54 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\FileZilla
2010-08-07 16:36 . 2010-08-07 16:36 -------- d-----w- c:\program files\FileZilla FTP Client
2010-08-05 22:02 . 2010-08-05 22:03 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Autodesk
2010-08-05 22:00 . 2010-08-05 22:00 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Autodesk
2010-08-05 22:00 . 2010-08-05 22:00 10134 ----a-r- c:\documents and settings\JohnnySix\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-08-05 22:00 . 2010-08-05 22:00 -------- d-----w- c:\program files\Microsoft WSE
2010-08-05 21:59 . 2010-08-09 19:07 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Xotyun
2010-08-05 21:57 . 2010-08-05 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-08-05 21:57 . 2010-08-05 21:58 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-08-05 21:56 . 2010-08-05 21:58 -------- d-----w- c:\program files\Autodesk
2010-08-05 21:56 . 2007-05-16 15:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-08-05 21:56 . 2007-05-16 15:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-08-05 21:56 . 2007-05-16 15:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-08-05 21:56 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-05 21:56 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-08-05 21:35 . 2010-08-05 21:35 -------- d-----w- c:\program files\MagicISO
2010-08-05 20:35 . 2010-08-05 20:35 -------- d-----w- c:\program files\ASIO4ALL v2
2010-08-05 20:25 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2010-08-05 20:25 . 2010-08-05 20:25 -------- d-----w- c:\program files\VstPlugins
2010-08-05 20:25 . 2010-08-05 20:25 -------- d-----w- c:\program files\Outsim
2010-08-05 20:24 . 2010-08-05 20:25 -------- d-----w- c:\program files\Image-Line
2010-08-05 06:30 . 2010-08-05 06:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-08-05 03:33 . 2010-08-07 19:37 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Ucnyp
2010-08-04 20:24 . 2010-08-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-08-04 20:22 . 2010-08-04 20:22 -------- d-----w- c:\program files\Adobe Media Player
2010-08-04 20:21 . 2010-08-04 20:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-04 20:18 . 2010-08-04 20:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-08-04 19:56 . 2010-08-04 19:56 -------- d-----w- c:\windows\system32\XPSViewer
2010-08-04 19:56 . 2010-08-04 19:56 -------- d-----w- c:\program files\MSBuild
2010-08-04 19:56 . 2010-08-04 19:56 -------- d-----w- c:\program files\Reference Assemblies
2010-08-04 19:56 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-08-04 19:56 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-08-04 19:56 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-08-04 19:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-08-04 19:56 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-08-04 19:56 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-08-04 19:56 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-08-04 19:56 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-08-04 19:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-08-04 19:49 . 2010-08-04 19:49 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-08-04 19:30 . 2010-08-04 19:30 63488 ----a-w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-04 19:30 . 2010-08-04 19:30 52224 ----a-w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-04 19:30 . 2010-08-04 19:30 117760 ----a-w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-04 19:30 . 2010-08-04 19:30 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com
2010-08-04 19:30 . 2010-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-04 19:30 . 2010-08-04 19:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-04 18:59 . 2010-08-04 18:59 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Malwarebytes
2010-08-04 18:59 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 18:59 . 2010-08-04 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-04 18:59 . 2010-08-04 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-04 18:59 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-04 18:27 . 2010-08-04 18:27 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2010-08-04 18:27 . 2010-08-04 18:27 -------- d-----w- c:\windows\system32\Lang
2010-08-04 18:24 . 2010-08-04 18:24 -------- d-----w- c:\program files\Realtek Sound Manager
2010-08-04 18:24 . 2010-08-04 18:24 -------- d-----w- c:\program files\AvRack
2010-08-04 18:24 . 2010-08-04 18:24 -------- d-----w- c:\program files\Realtek AC97
2010-08-04 18:24 . 2006-07-31 10:27 217088 ----a-r- c:\windows\Alcrmv.exe
2010-08-04 18:24 . 2006-07-31 10:19 315392 ----a-r- c:\windows\alcupd.exe
2010-08-04 01:46 . 2010-08-04 01:46 146944 ----a-w- c:\documents and settings\JohnnySix\Application Data\Ofxote\liewc.exe
2010-08-04 01:46 . 2010-08-04 01:46 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Ofxote
2010-08-03 23:11 . 2010-08-03 23:11 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\ElevatedDiagnostics
2010-08-03 22:26 . 2010-08-03 23:10 -------- d-----w- c:\program files\sculptris
2010-08-03 22:11 . 2010-08-03 22:11 -------- d-sh--w- c:\documents and settings\JohnnySix\PrivacIE
2010-08-03 22:05 . 2010-08-03 22:05 -------- d-sh--w- c:\documents and settings\JohnnySix\IETldCache
2010-08-03 22:01 . 2010-08-03 22:01 -------- dc-h--w- c:\windows\ie8
2010-08-03 21:53 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-03 21:53 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-08-03 21:53 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-03 21:52 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-08-03 21:50 . 2010-08-04 20:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-03 21:50 . 2010-02-17 08:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-08-03 21:50 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-03 21:50 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-08-03 21:49 . 2010-08-04 22:34 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Adobe
2010-08-03 21:47 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-08-03 21:41 . 2010-08-03 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-08-03 21:41 . 2010-08-03 21:41 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-08-03 21:41 . 2010-08-03 21:41 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-08-03 21:41 . 2010-08-03 21:41 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-08-03 21:41 . 2010-08-03 21:41 -------- d-----w- c:\program files\NVIDIA Corporation
2010-08-03 21:26 . 2010-08-03 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-03 21:26 . 2010-08-03 21:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-03 21:21 . 2010-08-03 21:21 0 ----a-w- c:\windows\nsreg.dat
2010-08-03 21:20 . 2010-08-03 21:20 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Mozilla
2010-08-03 21:17 . 2009-01-07 17:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-03 21:17 . 2010-08-04 18:30 -------- d--h--w- c:\windows\$hf_mig$
2010-08-03 21:17 . 2010-08-03 21:17 -------- d-s---w- c:\documents and settings\JohnnySix\UserData
2010-08-03 21:13 . 2006-08-31 03:55 123904 ----a-w- c:\windows\system32\drivers\Rtnic64.sys
2010-08-03 21:13 . 2006-08-31 03:54 81280 ----a-r- c:\windows\system32\drivers\Rtnicxp.sys
2010-08-03 21:13 . 2006-08-31 03:54 80768 ----a-w- c:\windows\system32\drivers\Rtnic.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 20:04 . 2010-08-03 23:12 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\WTablet
2010-08-04 20:24 . 2010-08-03 20:10 12328 ----a-w- c:\documents and settings\JohnnySix\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-04 18:24 . 2010-08-03 20:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 18:24 . 2010-08-03 20:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\WTouch
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\program files\WTouch
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\program files\TabletPlugins
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\program files\Tablet
2010-08-03 22:02 . 2010-08-03 20:40 4096 ----a-w- c:\windows\gdrv.sys
2010-08-03 20:36 . 2010-08-03 20:04 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-08-03 20:05 . 2010-08-03 20:05 -------- d-----w- c:\program files\microsoft frontpage
2010-08-03 20:01 . 2010-08-03 20:01 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-09 22:38 . 2010-08-03 21:40 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-09 22:38 . 2010-08-03 21:40 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-09 22:38 . 2010-08-03 21:40 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-09 22:38 . 2010-08-03 21:40 13549568 ----a-w- c:\windows\system32\nvoglnt.dll
2010-07-09 22:38 . 2010-08-03 21:40 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-07-09 22:38 . 2010-08-03 21:40 6343040 ----a-w- c:\windows\system32\nv4_disp.dll
2010-07-09 22:38 . 2010-08-03 21:40 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38 . 2010-08-03 21:40 236136 ----a-w- c:\windows\system32\nvcodins.dll
2010-07-09 22:38 . 2010-08-03 21:40 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-07-09 22:38 . 2010-08-03 21:40 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-09 22:38 . 2010-08-03 21:40 1388544 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:38 . 2010-08-03 21:40 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-14 14:31 . 2010-08-03 20:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-19 17:50 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 7:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 7:41 PM 67656]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [8/4/2010 12:12 AM 4497704]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [8/4/2010 12:12 AM 113448]
S0 cerc6;cerc6; [x]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 114688]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/4/2010 12:12 AM 16168]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{1F2AA6B6-6BEF-65F9-BD4D-0EA960647F39} - c:\documents and settings\JohnnySix\Application Data\Aviva\wyarh.exe
HKU-Default-Explorer_Run-Policies - c:\windows\system32\install\server.exe
MSConfigStartUp-zzGBK - D:\setup.exe
MSConfigStartUp-{1F2AA6B6-6BEF-65F9-BD4D-0EA960647F39} - c:\documents and settings\JohnnySix\Application Data\Aviva\wyarh.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-08-10 21:08:35
ComboFix-quarantined-files.txt 2010-08-10 20:08

Pre-Run: 229,693,657,088 bytes free
Post-Run: 229,783,252,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2901B2A8DA57481EB9CDDC00F0E12348
 
so that last combofix log is after the repair of windows you did? do a scan with malwarebytes after you get it installed and post the log; you should also turn on autoupdates or visit windows update to make sure everything is up to date after the repair.

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
 
Ran a full scan, get the following :

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4390

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/11/2010 12:27:22 AM
mbam-log-2010-08-11 (00-27-22).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 189116
Time elapsed: 34 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I have the latest updates from windows update, combofix managed to restore access to the windows update forum (and this website) again. :D
 
Oh sorry, bugger, can't edit posts.

Yeah, in answer to your question, this was after a clean install of windows on a new HD, I plugged the old ( apparently still infected ) drive in as a slave to retrieve some files off it.
 
clean install of windows on a new HD
Click to expand...
i am confused now. A new HD would have had to be reformatted before installing Windows. A newly reformatted drive wouldnt have any malware on it, but the combofix log shows that it did remove malware.
One log shows your running IE 7.0, another 8.0? your AV also appears to be outdated.
 
Hi Shelf-Life- appreciate your help.

I reinstalled Windows, and it came with IE7, then after updates became 8 I guess.

I didn't have any spyware on the machine (or so it seems), I then plugged in the old drive (the windows install from the original post) and it seems when it was loaded as a slave, the virus/trojan managed to infect the new machine, perhaps via boot sector or something?

The last two logs (from Combofix and Malware) were both run from the same operating system.

Should I run combofix again, to see if it finds anything again that it perhaps couldn't remove?
 
Malware can spread from one drive to another, primary to slave HD or even a 512K usb drive to HD. Go ahead and run combofix once more on the machine just to make sure the drive is clean. Also get a antivirus if you dont have one.
 
Whatever it is, it's still there , and still trying to reassert itself.

I tried another combofix run, and then turned back on AVG resident, there's still something creating randomly named exe files under the program files folder, and putting them in the startup list, and something spoofing itself as IE in the process list.


ComboFix 10-08-12.02 - JohnnySix 08/12/2010 21:19:01.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1142 [GMT 1:00]
Running from: c:\documents and settings\JohnnySix\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JohnnySix\Application Data\Gedeu\fizab.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-08-12 20:15 . 2010-08-12 20:15 46080 ----a-w- c:\windows\explorerSrv.exe
2010-08-12 20:10 . 2010-08-12 20:10 -------- d-----w- c:\windows\LastGood
2010-08-12 20:08 . 2010-08-12 20:22 -------- d-----w- c:\program files\Microsoft
2010-08-12 20:06 . 2008-04-14 06:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-08-11 20:00 . 2006-08-31 03:54 81280 ----a-r- c:\windows\system32\drivers\Rtnicxp.sys
2010-08-11 20:00 . 2010-08-11 20:00 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-11 19:59 . 2010-08-11 20:00 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-08-11 19:59 . 2010-08-11 19:59 -------- d-----w- c:\windows\system32\LogFiles
2010-08-11 19:50 . 2010-08-11 19:50 12328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-11 19:42 . 2010-08-11 19:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-08-11 18:56 . 2010-08-11 18:56 4126 ----a-w- C:\DTL_FAIL_1.reg
2010-08-11 18:52 . 2010-08-11 18:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-11 04:14 . 2010-08-11 18:44 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Ruleca
2010-08-11 01:51 . 2010-08-11 19:06 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Dibiiz
2010-08-10 23:31 . 2008-04-13 23:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-08-10 23:31 . 2008-04-13 23:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-08-10 22:24 . 2010-08-10 22:28 -------- d-----w- C:\Fraps
2010-08-10 19:49 . 2010-08-10 19:54 -------- d-----w- c:\windows\system32\NtmsData
2010-08-10 18:56 . 2010-08-10 18:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-09 20:30 . 2010-08-09 20:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-09 18:48 . 2010-08-09 18:48 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-09 18:45 . 2010-08-12 20:08 -------- d-----w- c:\program files\riv
2010-08-08 05:35 . 2010-08-08 05:35 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Identities
2010-08-07 22:03 . 2010-08-07 23:28 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\vlc
2010-08-07 21:55 . 2010-08-07 21:55 -------- d-----w- c:\program files\VideoLAN
2010-08-07 21:02 . 2010-08-07 21:07 -------- d-----w- c:\program files\ConTEXT
2010-08-07 18:13 . 2010-08-07 18:13 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-08-07 18:09 . 2010-08-07 18:09 -------- d-----w- c:\program files\riva
2010-08-07 17:55 . 2010-08-08 16:18 -------- d-----w- C:\UT2004
2010-08-07 17:32 . 2010-08-10 20:07 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Aviva
2010-08-07 16:56 . 2008-04-13 23:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-08-07 16:37 . 2010-08-07 17:54 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\FileZilla
2010-08-07 16:36 . 2010-08-07 16:36 -------- d-----w- c:\program files\FileZilla FTP Client
2010-08-07 03:09 . 2010-08-12 20:09 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Xoomxo
2010-08-05 22:02 . 2010-08-05 22:03 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Autodesk
2010-08-05 22:00 . 2010-08-05 22:00 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Autodesk
2010-08-05 22:00 . 2010-08-05 22:00 10134 ----a-r- c:\documents and settings\JohnnySix\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-08-05 22:00 . 2010-08-05 22:00 -------- d-----w- c:\program files\Microsoft WSE
2010-08-05 21:59 . 2010-08-09 19:07 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Xotyun
2010-08-05 21:57 . 2010-08-05 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-08-05 21:57 . 2010-08-05 21:58 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-08-05 21:56 . 2010-08-05 21:58 -------- d-----w- c:\program files\Autodesk
2010-08-05 21:56 . 2007-05-16 15:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-08-05 21:56 . 2007-05-16 15:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-08-05 21:56 . 2007-05-16 15:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-08-05 21:56 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-05 21:56 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-08-05 21:35 . 2010-08-05 21:35 -------- d-----w- c:\program files\MagicISO
2010-08-05 21:08 . 2010-08-11 20:57 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Lyamom
2010-08-05 20:35 . 2010-08-05 20:35 -------- d-----w- c:\program files\ASIO4ALL v2
2010-08-05 20:25 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2010-08-05 20:25 . 2010-08-05 20:25 -------- d-----w- c:\program files\VstPlugins
2010-08-05 20:25 . 2010-08-05 20:25 -------- d-----w- c:\program files\Outsim
2010-08-05 20:24 . 2010-08-05 20:25 -------- d-----w- c:\program files\Image-Line
2010-08-05 13:30 . 2010-08-12 20:15 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Gedeu
2010-08-05 06:30 . 2010-08-10 22:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-08-05 03:33 . 2010-08-07 19:37 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Ucnyp
2010-08-04 20:24 . 2010-08-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-08-04 20:22 . 2010-08-04 20:22 -------- d-----w- c:\program files\Adobe Media Player
2010-08-04 20:21 . 2010-08-04 20:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-04 20:18 . 2010-08-04 20:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-08-04 19:56 . 2010-08-04 19:56 -------- d-----w- c:\windows\system32\XPSViewer
2010-08-04 19:56 . 2010-08-04 19:56 -------- d-----w- c:\program files\MSBuild
2010-08-04 19:56 . 2010-08-04 19:56 -------- d-----w- c:\program files\Reference Assemblies
2010-08-04 19:56 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-08-04 19:56 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-08-04 19:56 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-08-04 19:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-08-04 19:56 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-08-04 19:56 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-08-04 19:56 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-08-04 19:56 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-08-04 19:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-08-04 19:49 . 2010-08-04 19:49 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-08-04 19:30 . 2010-08-11 18:52 111104 ----a-w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-04 19:30 . 2010-08-10 20:19 99840 ----a-w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-04 19:30 . 2010-08-11 18:52 165376 ----a-w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-04 19:30 . 2010-08-04 19:30 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\SUPERAntiSpyware.com
2010-08-04 19:30 . 2010-08-04 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-04 19:30 . 2010-08-11 21:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-04 18:59 . 2010-08-04 18:59 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Malwarebytes
2010-08-04 18:59 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 18:59 . 2010-08-04 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-04 18:59 . 2010-08-04 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-04 18:59 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-04 18:27 . 2010-08-04 18:27 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2010-08-04 18:27 . 2010-08-04 18:27 -------- d-----w- c:\windows\system32\Lang
2010-08-04 18:24 . 2010-08-04 18:24 -------- d-----w- c:\program files\Realtek Sound Manager
2010-08-04 18:24 . 2010-08-04 18:24 -------- d-----w- c:\program files\AvRack
2010-08-04 18:24 . 2010-08-04 18:24 -------- d-----w- c:\program files\Realtek AC97
2010-08-04 18:24 . 2006-07-31 10:27 217088 ----a-r- c:\windows\Alcrmv.exe
2010-08-04 18:24 . 2006-07-31 10:19 315392 ----a-r- c:\windows\alcupd.exe
2010-08-04 02:01 . 2010-08-11 20:38 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Wufief
2010-08-04 01:46 . 2010-08-04 01:46 146944 ----a-w- c:\documents and settings\JohnnySix\Application Data\Ofxote\liewc.exe
2010-08-04 01:46 . 2010-08-04 01:46 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\Ofxote
2010-08-03 23:11 . 2010-08-03 23:11 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\ElevatedDiagnostics
2010-08-03 22:26 . 2010-08-03 23:10 -------- d-----w- c:\program files\sculptris
2010-08-03 22:11 . 2010-08-03 22:11 -------- d-sh--w- c:\documents and settings\JohnnySix\PrivacIE
2010-08-03 22:05 . 2010-08-03 22:05 -------- d-sh--w- c:\documents and settings\JohnnySix\IETldCache
2010-08-03 22:01 . 2010-08-03 22:01 -------- dc-h--w- c:\windows\ie8
2010-08-03 21:53 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-03 21:53 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-08-03 21:53 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-03 21:52 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-08-03 21:50 . 2010-08-04 20:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-03 21:50 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-08-03 21:50 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-03 21:50 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-08-03 21:49 . 2010-08-04 22:34 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Adobe
2010-08-03 21:47 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-08-03 21:41 . 2010-08-03 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-08-03 21:41 . 2010-08-11 20:01 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-08-03 21:41 . 2010-08-11 20:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-08-03 21:41 . 2010-08-11 20:01 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-08-03 21:41 . 2010-08-03 21:41 -------- d-----w- c:\program files\NVIDIA Corporation
2010-08-03 21:40 . 2010-04-03 21:55 10232128 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-08-03 21:40 . 2010-07-09 22:38 6343040 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2010-08-03 21:40 . 2010-08-03 21:40 -------- d-----w- C:\NVIDIA
2010-08-03 21:26 . 2010-08-03 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-03 21:26 . 2010-08-03 21:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-03 21:21 . 2010-08-03 21:21 0 ----a-w- c:\windows\nsreg.dat
2010-08-03 21:20 . 2010-08-03 21:20 -------- d-----w- c:\documents and settings\JohnnySix\Local Settings\Application Data\Mozilla
2010-08-03 21:17 . 2009-01-07 17:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-03 21:17 . 2010-08-10 20:44 -------- d--h--w- c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 20:08 . 2010-08-03 23:12 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\WTablet
2010-08-04 20:24 . 2010-08-03 20:10 12328 ----a-w- c:\documents and settings\JohnnySix\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-04 18:24 . 2010-08-03 20:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 18:24 . 2010-08-03 20:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\documents and settings\JohnnySix\Application Data\WTouch
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\program files\WTouch
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\program files\TabletPlugins
2010-08-03 23:12 . 2010-08-03 23:12 -------- d-----w- c:\program files\Tablet
2010-08-03 22:02 . 2010-08-03 20:40 4096 ----a-w- c:\windows\gdrv.sys
2010-08-03 20:36 . 2010-08-03 20:04 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-08-03 20:05 . 2010-08-03 20:05 -------- d-----w- c:\program files\microsoft frontpage
2010-08-03 20:01 . 2010-08-03 20:01 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-09 22:38 . 2010-08-11 20:01 236136 ----a-w- c:\windows\system32\nvcodins.dll
2010-07-09 22:38 . 2010-08-11 20:01 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-07-09 22:38 . 2010-08-11 20:01 13549568 ----a-w- c:\windows\system32\nvoglnt.dll
2010-07-09 22:38 . 2010-08-11 20:01 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-09 22:38 . 2010-08-11 20:01 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-09 22:38 . 2010-08-11 20:01 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-09 22:38 . 2010-08-11 20:01 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38 . 2010-08-11 20:01 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-09 22:38 . 2010-08-11 20:01 1388544 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:38 . 2010-08-11 20:01 6343040 ----a-w- c:\windows\system32\nv4_disp.dll
2010-07-09 22:38 . 2010-08-11 20:01 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-09 22:38 . 2010-08-11 20:01 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-30 12:31 . 2008-04-14 06:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 06:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-14 06:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 06:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 06:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 01:47 . 2010-06-15 01:47 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-06-14 14:31 . 2010-08-03 20:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 06:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-08-11_20.38.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-11 20:00 . 2007-07-27 09:41 16760 c:\windows\system32\spmsg.dll
+ 2008-04-14 06:00 . 2009-04-01 22:02 604160 c:\windows\system32\wmspdmod.dll
+ 2008-04-14 06:00 . 2009-07-13 22:43 286208 c:\windows\system32\wmpdxm.dll
+ 2008-04-14 06:00 . 2008-06-18 04:03 938496 c:\windows\system32\WMNetmgr.dll
- 2008-04-14 06:00 . 2006-10-18 19:03 100864 c:\windows\system32\logagent.exe
+ 2008-04-14 06:00 . 2008-06-18 00:09 100864 c:\windows\system32\logagent.exe
+ 2008-04-14 06:00 . 2009-04-01 22:02 604160 c:\windows\system32\dllcache\wmspdmod.dll
+ 2008-04-14 06:00 . 2009-07-13 22:43 286208 c:\windows\system32\dllcache\wmpdxm.dll
+ 2008-04-14 06:00 . 2008-06-18 04:03 938496 c:\windows\system32\dllcache\WMNetmgr.dll
+ 2008-04-14 06:00 . 2008-06-18 00:09 100864 c:\windows\system32\dllcache\logagent.exe
- 2008-04-14 06:00 . 2006-10-18 19:03 100864 c:\windows\system32\dllcache\logagent.exe
+ 2008-04-14 06:00 . 2010-04-06 03:52 2462720 c:\windows\system32\WMVCore.dll
+ 2008-04-14 06:00 . 2010-04-06 03:52 2462720 c:\windows\system32\dllcache\WMVCore.dll
+ 2008-04-14 06:00 . 2009-07-13 22:43 10841088 c:\windows\system32\wmp.dll
+ 2008-04-14 06:00 . 2009-07-13 22:43 10841088 c:\windows\system32\dllcache\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{1F2AA6B6-6BEF-65F9-BD4D-0EA960647F39}"="c:\documents and settings\JohnnySix\Application Data\Gedeu\fizab.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
edymby.exe [2010-8-12 129536]
equr.exe [2010-8-11 129536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^faud.exe]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\faud.exe
backup=c:\windows\pss\faud.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 06:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-04-03 18:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-04-03 18:23 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-03-31 22:30 1657448 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-11-17 04:42 577536 ----a-r- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-19 17:50 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 7:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 7:41 PM 67656]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [8/4/2010 12:12 AM 4497704]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [8/4/2010 12:12 AM 113448]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8/4/2010 12:12 AM 16168]
S0 cerc6;cerc6; [x]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 114688]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\JohnnySix\Application Data\Mozilla\Firefox\Profiles\f7cdkbw9.default\
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 21:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-08-12 21:23:50
ComboFix-quarantined-files.txt 2010-08-12 20:23
ComboFix2.txt 2010-08-12 20:13
ComboFix3.txt 2010-08-11 20:41
ComboFix4.txt 2010-08-10 20:08

Pre-Run: 214,703,226,880 bytes free
Post-Run: 214,692,896,768 bytes free

- - End Of File - - 8BA54FC60FC25F489DABE88C3281892D
 
ok we will use combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

Code: 
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{1F2AA6B6-6BEF-65F9-BD4D-0EA960647F39}"="-
Folder::
c:\documents and settings\JohnnySix\Application Data\Dibiiz
c:\documents and settings\JohnnySix\Application Data\Ruleca
c:\documents and settings\JohnnySix\Application Data\Wufief
c:\documents and settings\JohnnySix\Application Data\Ofxote\liewc.exe
c:\documents and settings\JohnnySix\Application Data\Ofxote
c:\documents and settings\JohnnySix\Application Data\Gedeu
c:\windows\pss\faud.exeStartup
File::
c:\windows\explorerSrv.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\faud.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\edymby.exe 
c:\documents and settings\Administrator\Start Menu\Programs\Startup\equr.exe

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.
 
Wow, I installed AVG, ran a scan, it showed EVERY DLL/EXE (it only got as far as A before freezing/crashing) was infected with Zbot.

I can post a screen shot. Every one is infected with Zbot, everything in Program Files.

AVG didn't actually manage to fix any from the scan, and the ones it did try fix from the 'optimise' scan it did when I first installed simply moved the files to the vault rather than healing them.
 
Not good. you must have virus that writes to exe and dll's. Put this: Virus.Win32.Virut in your favorite search engine.

You have a load of these on your computer. You should consider a reformat/reinstall of Windows. You can also give Dr Web a try:

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit icon to start the program.
* press start
* Allow the program to run the initial express scan
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply
 
You must log in or register to reply here.
Back
Top