Full Version: Yikes- I can't do anything right
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
tbarr
I guess I'm lucky I still have internet. I couldn't perform any of the tasks in your guidelines for posting. I got rid of Spybot. I ran SUPERAntiSpyware Pro and got rid of 5 trojans before it all went very bad. Now I can't open any of the programs meant to get rid of these pests. I couldn't even run HijackThis! Sorry. Where do we go now?
tbarr
Whenever I try to run anything from your guidelines directive I get the following: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Also, Google is redirecting to ad pages.
Malwarebytes runs for 2 seconds and then shuts off. I would like to comply but I can't seem to get started here. Please help. I'm at a loss.
tbarr
When I tried to do a Malwarebytes scan it cuts out after 1 second, no results.
LoPhatPhuud
Try renaming MBAM, then see if it runs.

Also, try this and see if any of the other programs run.

http://windowsxp.mvps.org/exefile.htm
tbarr
Hi LoPhatPhuud, I tried both of these. Renaming MBAM didn't work; it starts to scan and quits right away. I got to regedit.exe and found both to be at the proper setting.
LoPhatPhuud
OK, let's try this.


The Kaspersky Rescue Disk is a bootable, CD-based version of Kaspersky Antivirus.
The download is in ISO format.
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Download the Kaspersky Rescue Disk:
http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk.
  • Burn the Kaspersky Rescue Disk ISO image to CD.
  • Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
  • Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
  • Select your language (or wait a few seconds for the default English to load).
  • Your screen may go blank for several minutes while the program loads.
  • After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity).
    • Click the Update tab to view the update progress.
    • When the update has completed, click the Scan tab.
  • Place a checkmark in all the available drives to scan the entire system.
  • Click the "Security level" option, and select options.
    • Make sure "All Files" is selected
    • Under "Scan of compound files" ensure all options are selected and click the OK button.
  • Click the "On threat detection" option
    • Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".
  • Click the "Start scan" button.
  • When the scan has completed, click the Reports button.
    • Click the Save button, and select your System drive (normally your C: drive)
    • In the "File name" box, name the file krd-log and click the Save button.
    • Click Close to close the Reports window.
  • Click the Exit button to close the Rescue Disk program and confirm.
    In the lower left of the screen, left-click the red K button, select Logout, and confirm.
  • The computer will shut down.
  • Restart the computer and reboot normally.
  • Please post the log (krd-log.txt) in your next reply.
tbarr
Hello, could you please send me another link for the rescue disc download? The one you sent is not working and I'd like to be sure I get the right one. Thank you.
LoPhatPhuud
Sorry, try this one. It just worked for me.

http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
tbarr
I got the Kaspersky rescue disc to run and I saved the krd-log.txt as directed, and I'll be darned if I can find it to send it to you. Any clue as to how to find this log would be a great help. Thanks.
LoPhatPhuud
I would suspect you may find the log in your Documents folder. Try searching for it.

Also, see if MBAM will run now.
tbarr
Good morning. I used Search and Recent Documents and have no record of a krd-log.txt. I know I saved it as per your instructions and it seemed to save it to C: as I directed. I find other log.txt files there but not this one. I was finally able to run MBAM. Here is that log. Thanks.
Malwarebytes' Anti-Malware 1.41
Database version: 2837
Windows 5.1.2600 Service Pack 3

9/21/2009 11:07:58 AM
mbam-log-2009-09-21 (11-07-58).txt

Scan type: Quick Scan
Objects scanned: 98159
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
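A triage parser for Malwarebytes 1.x logs in the format posted above, added here as an example (it is not code from the thread or from Malwarebytes): it pulls out the summary counts and each detection with the action MBAM took, then checks that the declared counts match the items actually listed and flags anything that was not quarantined and deleted. The sample input is an abridged copy of tbarr's log plus one constructed entry (`constructed.dll`, "No action taken.") that is not from the real log.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the Malwarebytes 1.41 log posted above, plus one CONSTRUCTED
# entry (constructed.dll, "No action taken.") to exercise the unresolved check.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2837

Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\example\constructed.dll (Trojan.Agent) -> No action taken.
"""

# Summary line "Files Infected: 2" versus section header "Files Infected:".
COUNT_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>.+ Infected):$")
# "<item> (<threat>) -> <rest>"; for registry data <rest> is "Bad: (x) Good: (y) -> <action>".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
RESOLVED_PREFIX = "Quarantined and deleted"


@dataclass
class Detection:
    category: str
    item: str        # file path or registry key
    threat: str      # MBAM threat name, e.g. Trojan.Dropper
    action: str      # what MBAM did, e.g. "Quarantined and deleted successfully."
    bad: str = ""    # registry data items only: the value found ...
    good: str = ""   # ... and the value MBAM considers clean


@dataclass
class MbamReport:
    database_version: str = ""
    scan_type: str = ""
    summary: dict = field(default_factory=dict)    # category -> declared count
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Parse a Malwarebytes 1.x text log into header fields, summary counts and detections."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Database version:"):
            report.database_version = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
        elif (m := COUNT_RE.match(line)):
            report.summary[m["cat"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["cat"]
        elif section and (m := DETECTION_RE.match(line)):
            det = Detection(section, m["item"], m["threat"], m["rest"])
            if (bg := BAD_GOOD_RE.match(m["rest"])):
                det.bad, det.good, det.action = bg["bad"], bg["good"], bg["action"]
            report.detections.append(det)
    return report


def count_mismatches(report: MbamReport) -> dict:
    """Categories whose declared count differs from the items listed (e.g. a truncated paste)."""
    listed = {}
    for d in report.detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {cat: (n, listed.get(cat, 0))
            for cat, n in report.summary.items() if n != listed.get(cat, 0)}


def unresolved(report: MbamReport) -> list:
    """Detections MBAM did not quarantine and delete; these still need follow-up."""
    return [d for d in report.detections if not d.action.startswith(RESOLVED_PREFIX)]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in rep.detections:
        print(f"{d.category}: {d.item} ({d.threat}) -> {d.action}")
    print("count mismatches:", count_mismatches(rep), "unresolved:", [d.item for d in unresolved(rep)])
```

The `Bad: (1) Good: (0)` pair on the Security Center entry is what tells a helper the notification value had been flipped to 1 and that MBAM restored it to 0.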
LoPhatPhuud
Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.
tbarr
Combo log. I also ran an antivirus (Avira); log attached.
ComboFix 09-09-22.01 - Tbarr 09/22/2009 16:10.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.511 [GMT -4:00]
Running from: c:\documents and settings\Tbarr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tbarr\Desktop\CFScript.txt

FILE ::
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-20 15:58 . 2009-09-20 15:58 -------- d-----w- c:\documents and settings\Tbarr\Application Data\ImgBurn
2009-09-20 15:57 . 2009-09-20 15:57 -------- d-----w- c:\program files\ImgBurn
2009-09-20 14:36 . 2009-09-20 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-20 13:58 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 13:58 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 19:50 . 2009-09-19 19:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-18 20:52 . 2009-09-18 20:52 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-18 20:52 . 2009-09-18 20:52 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-09-18 20:15 . 2009-09-18 20:15 -------- d-----w- c:\program files\Microsoft
2009-09-18 17:41 . 2009-09-18 17:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-09 13:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-31 18:20 . 2009-08-31 18:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-31 17:58 . 2009-08-31 17:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 20:13 . 2008-12-13 15:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-22 19:11 . 2007-11-18 02:41 -------- d-----w- c:\program files\TrueSwitchVerizonYahoo
2009-09-22 19:10 . 2006-11-08 22:50 17360 ----a-w- c:\windows\system32\wacom.dat
2009-09-22 09:08 . 2008-08-14 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-22 07:52 . 2008-08-13 17:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-22 07:52 . 2008-08-13 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 06:16 . 2007-09-10 21:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 15:04 . 2008-12-06 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 14:38 . 2006-11-08 22:46 24064 ----a-w- c:\documents and settings\Tbarr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 14:36 . 2006-11-09 13:29 -------- d-----w- c:\program files\PCSecurityShield
2009-09-21 14:36 . 2006-11-08 22:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-20 13:35 . 2008-12-11 13:18 -------- d-----w- c:\program files\ERUNT
2009-09-18 21:20 . 2008-01-16 15:19 -------- d-----w- c:\program files\Soulseek
2009-09-18 20:12 . 2007-07-05 13:07 -------- d-----w- c:\program files\Java
2009-09-10 14:20 . 2006-11-09 14:57 -------- d-----w- c:\program files\Google
2009-08-06 07:12 . 2009-08-06 07:12 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:12 . 2009-08-06 07:12 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 19:23 . 2008-12-04 19:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2001-04-05 15:46 . 2006-11-10 20:35 5226496 ----a-w- c:\program files\Epson Registration.exe
2008-08-26 15:17 . 2008-02-21 21:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-21_14.30.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-15 22:17 . 2009-03-11 02:18 934792 c:\windows\system32\WgaTray.exe
+ 2007-03-15 22:17 . 2009-03-11 02:18 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2007-03-15 22:16 . 2009-03-11 02:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
+ 2009-09-22 06:09 . 2009-09-22 06:09 507904 c:\windows\erdnt\AutoBackup\9-22-2009\Users\00000002\UsrClass.dat
+ 2009-09-22 06:09 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\9-22-2009\ERDNT.EXE
+ 2007-03-15 22:19 . 2009-03-11 02:18 1482112 c:\windows\system32\LegitCheckControl.dll
+ 2009-09-22 06:09 . 2009-09-22 06:09 20041728 c:\windows\erdnt\AutoBackup\9-22-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-05 1994480]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-08-22 2084480]
"Google Update"="c:\documents and settings\Tbarr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-17 632048]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-26 29744]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-24 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-02-25 364544]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-2-2 222720]
LightFrame 3.lnk - c:\program files\Philips\LightFrame 3\LightFrameV3.exe [2006-11-9 696320]
PolderbitS Audio Driver Monitor.lnk - c:\program files\PolderbitS\Recorder\Driver\PBDriverMonitor_uk.exe [2008-11-12 153104]
TabUserW.lnk - c:\program files\Wacom\TabUserW.exe [2006-11-8 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 17:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 74480]
R3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys [11/12/2008 8:30 AM 106512]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [11/8/2006 6:35 PM 26144]
S3 cvmonspy;CVSpyder.sys ColorVision Monitor Spyder;c:\windows\system32\drivers\CVSpyder.sys [3/21/2001 5:21 PM 17668]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 5:50 PM 29744]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/21/2008 5:38 PM 10112]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-04 20:36]

2009-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1547161642-725345543-1003Core.job
- c:\documents and settings\Tbarr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-31 18:20]

2009-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1547161642-725345543-1003UA.job
- c:\documents and settings\Tbarr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-31 18:20]

2009-09-22 c:\windows\Tasks\User_Feed_Synchronization-{C3750A41-F076-4FEA-9DFC-927C722993F0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
FF - ProfilePath - c:\documents and settings\Tbarr\Application Data\Mozilla\Firefox\Profiles\fujj075m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Tbarr\Application Data\Mozilla\Firefox\Profiles\fujj075m.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFAlert.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Tbarr\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 16:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Tbarr\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3108)
c:\windows\system32\WININET.dll
c:\program files\Philips\LightFrame 3\LightFrameHook.dll
c:\windows\system32\tabhook.dll
c:\program files\Philips\LightFrame 3\LFMVLCursor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-22 16:16
ComboFix-quarantined-files.txt 2009-09-22 20:16
ComboFix2.txt 2009-09-21 14:33

Pre-Run: 45,438,558,208 bytes free
Post-Run: 45,479,968,768 bytes free

196 --- E O F --- 2009-09-10 07:03



Avira AntiVir Personal
Report file date: Tuesday, September 22, 2009 16:44

Scanning for 1740103 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : AUTHORIZ-7A20C6

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.6.1 3857920 Bytes 9/16/2009 20:43:08
ANTIVIR3.VDF : 7.1.6.24 313344 Bytes 9/22/2009 20:43:10
Engineversion : 8.2.1.23
AEVDF.DLL : 8.1.1.2 106867 Bytes 9/22/2009 20:43:20
AESCRIPT.DLL : 8.1.2.33 479611 Bytes 9/22/2009 20:43:20
AESCN.DLL : 8.1.2.5 127346 Bytes 9/22/2009 20:43:18
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.2.0.0 422261 Bytes 9/22/2009 20:43:18
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 9/22/2009 20:43:17
AEHELP.DLL : 8.1.7.0 237940 Bytes 9/22/2009 20:43:12
AEGEN.DLL : 8.1.1.63 364916 Bytes 9/22/2009 20:43:11
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.8.1 184693 Bytes 9/22/2009 20:43:10
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, J:, K:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, September 22, 2009 16:44

Starting search for hidden objects.
'49887' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'TrueWizard.exe' - '1' Module(s) have been scanned
Scan process 'TabUserW.exe' - '1' Module(s) have been scanned
Scan process 'PBDriverMonitor_uk.exe' - '1' Module(s) have been scanned
Scan process 'LightFrameV3.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ycommon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'ybrwicon.exe' - '1' Module(s) have been scanned
Scan process 'PicasaMediaDetector.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'WDBtnMgr.exe' - '1' Module(s) have been scanned
Scan process 'eBayTBDaemon.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'Tablet.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'J:\'
[INFO] No virus was found!
Boot sector 'K:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '71' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirus1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirus2.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderapl3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\Tbarr\Desktop\OTL.exe
[WARNING] The file could not be opened!
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
[WARNING] The file could not be opened!
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
[WARNING] The file could not be opened!
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
[WARNING] The file could not be opened!
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
[DETECTION] Is the TR/Sirefef.B.3 Trojan
C:\System Volume Information\_restore{062938D6-FE0E-45B6-A834-70FE3D28CD43}\RP1015\A0281702.dll
[DETECTION] Is the TR/Sirefef.B.3 Trojan
C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\spool\drivers\w32x86\EB3ST000.DAT
[0] Archive type: CAB SFX (self extracting)
--> \AGENTNT_t\SAgentNT.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\spool\drivers\w32x86\3\EB3ST000.DAT
[0] Archive type: CAB SFX (self extracting)
--> \AGENTNT_t\SAgentNT.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
Begin scan in 'J:\' <Data>
Begin scan in 'K:\' <My Book>

Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirus1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4b1a3e68.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirus2.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4b1a3e69.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderapl3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4b283e63.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
[DETECTION] Is the TR/Sirefef.B.3 Trojan
[NOTE] The file was moved to '4b1e3e6d.qua'!
C:\System Volume Information\_restore{062938D6-FE0E-45B6-A834-70FE3D28CD43}\RP1015\A0281702.dll
[DETECTION] Is the TR/Sirefef.B.3 Trojan
[NOTE] The file was moved to '4aeb3e27.qua'!


End of the scan: Tuesday, September 22, 2009 17:13
Used time: 28:27 Minute(s)

The scan has been canceled!

5892 Scanned directories
187975 Files were scanned
2 Viruses and/or unwanted programs were found
3 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
5 Files were moved to quarantine
0 Files were renamed
6 Files cannot be scanned
187964 Files not concerned
998 Archives were scanned
10 Warnings
6 Notes
49887 Objects were scanned with rootkit scan
0 Hidden objects were found

LoPhatPhuud
Combofix looks good. Are there any issues still outstanding?
tbarr
Everything looks good, thanks to you.
LoPhatPhuud
Great...

Cleanup time.

1. Delete OTL.exe

2. Uninstall Combofix...

Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
tbarr
Done, everything is running well. Thank you, lophatt.
Invision Power Board © 2001-2009 Invision Power Services, Inc.