IObit Forum

Highjack scan decode, please



Hello - New here, as you can tell. Pulling my hair out with a bug that redirects Windows Update. Works fine in safe mode. In fact, I can only post to this site in safe mode. Several scanners and virus programs can't see anything.

Can someone take a look at my mess?

 

Thanks in advance!

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 3:16:45 PM, on 6/27/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

d:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\NMSSvc.exe

D:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\r2 studios\HideOE\HideOE.exe

D:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\MDM.EXE

D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\rweingart\My Documents\hjthis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurylink.net

O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HideOE] "C:\Program Files\r2 studios\HideOE\HideOE.exe"

O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249357522906

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

 

--

End of file - 5035 bytes


Hi robnj

From a cursory glance at your file I will say that it seems like you have several antivirus programs running at the same time? Not a wise move!

I think this thread should be moved to the malware experts to take care of.

If you need more space for your file please attach it as a .zip file

Read about it in Usage of IObit Products - link in my signature.

Cheers

solbjerg


Hi guys;

 

robnj: are you getting redirects when using search engines as well?

 

You may have a rootkit there and Hijack scans can't see those. I see Norton Ghost on your machine and I'm thinking you could re-image the system as an easy solution ; if you have a recent image that is.

 

This definitely needs malware removal attention, if you can't or won't re-image.

 

===


Yes, a few programs running... in my attempt to get rid of this thing.

 

Only seems to redirect windows update and sites related to virus removal (some not all).

 

I will research the rootkit. All else fails, restore from backup.

 

Thanks.


Hi again robnj,

 

I think this needs a look by the malware fighters. If it is a rootkit like we've seen lately, you won't be able to detect it yourself, most likely, because they hide very well. There are ways though, but you won't find them easily, if at all.

 

Stick around, and please don't run things/tools you don't have experience with unless guided by someone with current knowledge on these infections. You do have an image to go back to, which is good.

 

===


Maybe this will be of help. I ran GMER and got this log. I am thinking the registry lines are in question? If I try to view them in regedit, it says error opening key. Tried to delete (I know, I know) and it won't let me delete anyway.

 

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-27 23:11:40

Windows 5.1.2600 Service Pack 3

Running: grrcouqn.exe; Driver: C:\DOCUME~1\RWEING~1\LOCALS~1\Temp\pxtdipow.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA2A066B8]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA2A06574]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA2A06A52]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA2A0614C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA2A0664E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA2A0608C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA2A060F0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA2A0676E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA2A0672E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA2A068AE]

SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA2AC4620]

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

.text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 03C7000A

.text C:\WINDOWS\System32\svchost.exe[1284] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D3000A

.reloc C:\WINDOWS\Explorer.EXE[1420] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x3800, 0xE0000040]

.text C:\WINDOWS\Explorer.EXE[1420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[1420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[1420] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

 

---- User IAT/EAT - GMER 1.0.15 ----

 

IAT C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002

IAT C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

 

---- Registry - GMER 1.0.15 ----

 

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@jakebdimdcjadjmkdhlg 0x62 0x61 0x67 0x6F ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@jakebdimdcjadjmkdhpg 0x62 0x61 0x64 0x69 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@iakfciigfidfkkhkni 0x6B 0x61 0x6C 0x6F ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}@haahaigammbphknc 0x6B 0x61 0x6C 0x6F ...

 

---- EOF - GMER 1.0.15 ----


And here is the 360 log file. I deleted the tracking cookies from log as it had my email name.

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1620

Time Elapsed:00:02:33

Objects Scanned:49697

Threats Found:27

 

|Name|Type|Description|ID|

 

Misleading.DefenseCenter - Removed, Registry Key, HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}, 4-29314

Misleading.DefenseCenter - Removed, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved Value={5E2121EE-0300-11D4-8D3B-444553540000}, 4-30156


Hi Rob,

 

GMER isn't showing a rootkit, so please don't attempt to delete things yourself. Those registry entries are unknown to me but possibly legit. GMER can't see some of the newer rootkits, not yet anyway.

 

IS360's detection on that shell extension and CLSID was a nasty though. It's a backdoor that allows for the bad guys to remotely control your machine, and these rarely come alone.

 

I'm hoping this thread will be moved to the appropriate section, for malware removal.

 

===


Very odd. Came home today from work and my wife had the PC on already. Forgot to tell her not to use it.

I login to my profile and try windows update and now it works !?! Very odd.

 

I did nothing since last posting yesterday. Here is the latest 360 log.

(again I deleted my email in the tracking cookie part, 2 of them)

 

IObit Security 360

 

OS:Windows XP

Version:1.4.5.67

Define Version:1621

Time Elapsed:00:02:32

Objects Scanned:50121

Threats Found:2

 

|Name|Type|Description|ID|


Hello and welcome to IObit Forums. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

 

Please go to Jotti's malware scan

(If more than one file needs to be scanned, they must be done separately and links posted for each one)

 

* Copy the file path in the below Code box:

 

C:\WINDOWS\system32\MDM.EXE

 

* At the upload site, click once inside the window next to Browse.

* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.

* Next click Submit file

* Your file will possibly be entered into a queue which normally takes less than a minute to clear.

* This will perform a scan across multiple different virus scanning engines.

* Important: Wait for all of the scanning engines to complete.

* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

 

================================

 

HJT is not running from the correct place. Please uninstall it and download a new version. It should install by default in C:\Program Files. Please run another scan. There appear to be some lines missing.

 

Please download: HiJackThis to your Desktop.

  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  • Accept the license agreement.
  • Click the Open the Misc Tools section button.
  • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
  • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
  • Please post the log in your next reply.

===================================

 

Download Security Check by screen317 from one of the following links and save it to your desktop.

 

Link 1

Link 2

 

* Unzip SecurityCheck.zip and a folder named Security Check should appear.

* Open the Security Check folder and double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.

 

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

 

=================================

 

SUPERAntiSpyware

 

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

 

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

 

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

 

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

Please leave the others unchecked

 

•Click the Close button to leave the control center screen.

 

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

 

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

 

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

 

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

 

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

 

=================================

 

Please download Malwarebytes Anti-Malware from here.

 

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

 

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Thanks for the help and the detailed steps, much appreciated.

Oddly enough, I come home from work and can get to Windows Update. This seems to come and go now.

 

Jotti link:

http://virusscan.jotti.org/en/scanresult/35ac1e6ab7194da38dfb1106079cd6e20a193af3/4574b72db6d172eb75e69d73e939e4a8d4d4a1c6

 

Hijack:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:10:31 PM, on 6/29/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

d:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\GEARSec.exe

d:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\NMSSvc.exe

D:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

d:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\r2 studios\HideOE\HideOE.exe

C:\Program Files\outlook express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\MDM.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurylink.net

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exed:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HideOE] "C:\Program Files\r2 studios\HideOE\HideOE.exe" (filesize 65536 bytes, MD5 CB64F805F518D880920377D2E5F3DB43)

O4 - HKCU\..\Run: [Advanced SystemCare 3] "d:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup (filesize 2346192 bytes, MD5 1FCC6891865DB2034ACCB7B6B2897FAD)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249357522906

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277693634734

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLLD:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exed:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exed:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exed:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exed:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeC:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exeD:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exeC:\WINDOWS\System32\GEARSec.exe

O23 - Service: IS360service - IObit - d:\Program Files\IObit\IObit Security 360\IS360srv.exed:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exeC:\WINDOWS\System32\NMSSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton Ghost\Agent\VProSvc.exeD:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: OSBIBZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exeC:\DOCUME~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exeC:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exeC:\PROGRA~1\COMMON~1\X10\COMMON\x10nets.exe

 

--

End of file - 6633 bytes

 

screen317:

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Antivirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 15 Out of date Java (6 update 20 available)

Adobe Flash Player 10.1.53.7

Adobe Reader 9.3.2 Adobe Out of Date! (9.3.3 available)

Mozilla Firefox (3.5.10) Firefox Out of Date! (3.6.6 available)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe

Alwil Software Avast4 ashServ.exe

Alwil Software Avast4 ashDisp.exe

Alwil Software Avast4 ashMaiSv.exe

Alwil Software Avast4 ashWebSv.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

``````````End of Log````````````

 

SUPERAntiSpyware:

 

NOTE: I deleted my tracking cookie lines, since it had my login names on it.

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 06/29/2010 at 11:42 PM

 

Application Version : 4.39.1002

 

Core Rules Database Version : 5135

Trace Rules Database Version: 2947

 

Scan type : Complete Scan

Total Scan Time : 02:25:52

 

Memory items scanned : 477

Memory threats detected : 0

Registry items scanned : 6958

Registry threats detected : 0

File items scanned : 137209

File threats detected : 83

 

 

C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[5].txt

C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@pointroll[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@tacoda[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[8].txt

C:\Documents and Settings\NetworkService\Cookies\system@xml.trafficengine[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@cdn1.trafficmp[1].txt

media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

service.twistage.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

convoad.technoratimedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media.entertonement.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

media-glam.pictela.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

s0.2mdn.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\NV8SXJRB ]

objects.tremormedia.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

secure-us.imrworldwide.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

media.mtvnservices.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

media.scanscout.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\T93REMTN ]

 

Malwarebytes:

Will be added shortly.

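The HijackThis logs in this thread are read by hand, entry type by entry type. As an added example (it is not part of the thread, and not a HijackThis, IObit or Trend Micro tool), the Python script below parses lines in the HijackThis log format and flags the same things the helpers here look at: an O18 filter with no file behind it, an O23 service whose file is missing, anything launched from a Temp directory, and an R1 ProxyOverride setting. It also picks up the `(filesize ..., MD5 ...)` suffix that the "Calculate MD5" option adds, so hashes can be looked up without retyping them. The sample log is constructed: several lines are copied from the logs posted above, and the `[example]` Run entry is made up. A flag is a prompt to verify the entry, not a verdict that it is malicious.

```python
import re
from collections import Counter

# Constructed sample in HijackThis log format. The R0, R1, O4 [HideOE], O16, O18 and
# O23 lines mirror entries posted in this thread; the O4 [example] line is made up.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurylink.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [HideOE] "C:\Program Files\r2 studios\HideOE\HideOE.exe" (filesize 65536 bytes, MD5 CB64F805F518D880920377D2E5F3DB43)
O4 - HKCU\..\Run: [example] C:\DOCUME~1\USER~1\LOCALS~1\Temp\example.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)
O23 - Service: OSBIBZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
End of file - 1234 bytes
"""

ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Suffix written by HijackThis when "Calculate MD5 of files" is enabled.
HASH = re.compile(r"\s*\(filesize (?P<size>\d+) bytes, MD5 (?P<md5>[0-9A-Fa-f]{32})\)$")
RUN_CMD = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_entry(line):
    """Split one HijackThis line into code, body, launch target and optional hash.
    Returns None for header/footer lines that are not entries."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "raw": line.strip(), "size": None, "md5": None}
    h = HASH.search(body)
    if h:
        entry["size"], entry["md5"] = int(h.group("size")), h.group("md5").upper()
        body = body[: h.start()]
    entry["body"] = body
    if code == "O4":
        r = RUN_CMD.match(body)
        cmd = r.group("cmd").strip() if r else body
        if cmd.startswith('"'):          # quoted path, possibly followed by arguments
            cmd = cmd[1:].split('"', 1)[0]
        entry["target"] = cmd
    elif code in ("O16", "O18", "O20", "O23"):
        # The launch target (path or URL) is always the last " - " separated field.
        entry["target"] = body.rsplit(" - ", 1)[-1].strip()
    else:
        entry["target"] = body
    return entry


def triage(log_text):
    """Return (tag, raw_line) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        code, target = e["code"], e["target"]
        if code == "O18" and target.lower() == "(no file)":
            findings.append(("orphaned-filter", e["raw"]))     # MIME filter with no backing DLL
        elif code == "O23" and target.lower().endswith("(file missing)"):
            findings.append(("orphaned-service", e["raw"]))    # service registered, binary gone
        elif code in ("O4", "O20", "O23") and TEMP_DIR.search(target):
            findings.append(("runs-from-temp", e["raw"]))      # autostart from a temp directory
        elif code == "R1" and "ProxyOverride" in e["body"]:
            findings.append(("proxy-setting", e["raw"]))       # worth checking alongside ProxyServer
    return findings


def summarize(findings):
    """Count findings per tag, as a plain dict."""
    return dict(Counter(tag for tag, _ in findings))


if __name__ == "__main__":
    for tag, raw in triage(SAMPLE_LOG):
        print(f"[{tag}] {raw}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved `hijackthis.log` by replacing `SAMPLE_LOG` with the file's contents; the "runs-from-temp" and "orphaned" tags are the ones to cross-check first, since a legitimate tool can also register a short-lived service from Temp (the thread's own OSBIBZ entry is labelled Sysinternals), while an O18 filter pointing at no file is a leftover that HijackThis can simply remove.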

Malwarebytes:

Malwarebytes' Anti-Malware 1.46

http://www.malwarebytes.org

 

Database version: 4260

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

6/30/2010 6:47:44 AM

mbam-log-2010-06-30 (06-47-44).txt

 

Scan type: Full scan (C:\|D:\|F:\|)

Objects scanned: 228012

Time elapsed: 47 minute(s), 53 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 11

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\eeshellx.shellext (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{0e6117e2-c367-4be3-8045-52669e71b5df} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f272845d-cec2-4f95-92ee-6d08fdfbd471} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a7c6e906-b0b8-4810-ae82-71809ed409eb} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Quick Mode (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Safe Restart (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Evidence Eliminator Safe Shutdown (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Evidence Eliminator Safe Recycle (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{a7c6e906-b0b8-4810-ae82-71809ed409eb} (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\Eeshellx.dll (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

C:\Documents and Settings\rweingart\Desktop\Evidence Eliminator v6.01.exe (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

C:\Documents and Settings\rweingart\Desktop\Evidence Eliminator - Help.chm (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

C:\Documents and Settings\rweingart\Desktop\Evidence Eliminator.lnk (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.


Open HijackThis and select Do a system scan only

 

Place a check mark next to the following entries: (if there)

 

O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

 

Important: Close all open windows except for HijackThis and then click Fix checked.

 

Once completed, exit HijackThis.

 

===================================

 

Update Your Java (JRE)

 

Old versions of Java have vulnerabilities that malware can use to infect your system.

 

First Verify your Java Version

 

If there are any other version(s) installed then update now.

 

Get the new version (if needed)

 

If your version is out of date install the newest version of the Sun Java Runtime Environment.

 

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

 

Be sure to close ALL open web browsers before starting the installation.

 

Remove any old versions

 

1. Download JavaRa and unzip the file to your Desktop.

2. Open JavaRA.exe and choose Remove Older Versions

3. Once complete exit JavaRA.

4. Run CCleaner.

 

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

 

=============================

 

Please download the newest version of Adobe Acrobat Reader from Adobe.com

 

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.

Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).

Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

 

Once old versions are gone, please install the newest version.

 

=================================

 

Please download ComboFix from BleepingComputer.com

 

Alternate link: GeeksToGo.com

 

Rename ComboFix.exe to commy.exe before you save it to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.

Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif

 

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

 

If you have problems with ComboFix usage, see How to use ComboFix
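The two entries in the fix list above share a shape worth recognising in any HijackThis log: a registration whose backing file is gone. The following is an added example written for this page, not code from HijackThis or from the forum. It parses O18 and O23 lines, flags entries marked (no file) or (file missing), and separately flags any MIME filter registered for text/html, because such a filter sits between Internet Explorer and every HTML page it renders. The sample is the two lines from the fix list plus two benign lines constructed for contrast; the function and class names are my own.

```python
"""Triage of HijackThis O18 (protocol/MIME filter) and O23 (service) lines.

Added example for this thread, not code from HijackThis or the forum. It
parses the two line formats quoted in the fix list and flags the two things
that list relies on: a registration whose file is gone ("(no file)" /
"(file missing)") and a MIME filter registered for text/html.
"""
import re
from dataclasses import dataclass, field
from typing import List

# HijackThis line shapes: O18 protocol or filter entries, O23 services.
O18_RE = re.compile(
    r"^O18 - (?P<kind>Protocol|Filter(?: hijack)?): (?P<target>\S+) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Markers HijackThis appends when the registered file is absent on disk.
GONE_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


@dataclass
class Finding:
    section: str                 # "O18" or "O23"
    line: str                    # the log line as written
    reasons: List[str] = field(default_factory=list)


def triage(lines):
    """Return the O18/O23 entries that deserve a second look, with reasons."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        if m := O18_RE.match(line):
            section = "O18"
            # A MIME filter on text/html is handed every HTML page Internet
            # Explorer renders, so it can rewrite or redirect any of them.
            if m["kind"].startswith("Filter") and m["target"].lower() == "text/html":
                reasons.append("MIME filter registered for text/html")
        elif m := O23_RE.match(line):
            section = "O23"
        else:
            continue
        if GONE_RE.search(m["path"]):
            # Orphaned registration: inert today, but a file dropped at that
            # path later is loaded with no further registry change needed.
            reasons.append("registered file is missing from disk")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


# Constructed sample: the two lines from the fix list above plus two benign
# entries made up for contrast (their CLSID and paths are placeholders).
SAMPLE_LOG = [
    r"O18 - Protocol: example - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example.dll",
    r"O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - "
    r"C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run it against a full HijackThis log by passing the file's lines to triage(); lines that are not O18 or O23 are ignored. An orphaned O23 entry such as the DTSRVC one is only a leftover, which is why the helper treats it as low priority, but the check is still worth keeping because the service is registered and would start whatever turns up at that path.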


Superdave, you are the MAN...

 

I could not remove: O18 - Filter hijack: text/html - {13f4a161-4996-4c5c-9205-79fc5296e5cd} - (no file)

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

 

Did the rest of the steps you gave.

Combofix found some stuff. The Windows recovery found some rootkit activity and forced a reboot. Then Combofix went to town.

If I am reading this right, my explorer.exe was infected and my RAID controller driver?

Now I load windows update and it pops up instantly. I noticed before even when it "worked" it would flash a few times before loading, almost like it was trying to go somewhere else.

NO MORE!!!

 

Also, after I ran ComboFix, I did a HijackThis scan and was able to remove the O18, but still have that O23. Not a big deal, right?

 

Here is the combofix:

ComboFix 10-06-30.02 - rw 06/30/2010 20:39:34.1.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1574 [GMT -4:00]

Running from: c:\documents and settings\rw\desktop\commy.exe

Command switches used :: /stepdel

AV: avast! antivirus 4.8.1368 [VPS 100630-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\program files\INSTALL.LOG

c:\windows\system32\WINKRNME.DLL

 

Infected copy of c:\windows\system32\drivers\SI3112r.sys was found and disinfected

Restored copy from - Kitty had a snack :p

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

 

.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))

.

 

2010-07-01 00:04 . 2010-07-01 00:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe

2010-07-01 00:03 . 2010-07-01 00:03 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-07-01 00:03 . 2010-07-01 00:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-01 00:02 . 2010-07-01 00:02 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-06-30 23:55 . 2010-06-30 23:55 -------- d-----w- c:\program files\Common Files\Java

2010-06-30 23:55 . 2010-06-30 23:55 61440 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-sse.dll

2010-06-30 23:55 . 2010-06-30 23:55 503808 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcp71.dll

2010-06-30 23:55 . 2010-06-30 23:55 499712 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\jmc.dll

2010-06-30 23:55 . 2010-06-30 23:55 348160 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcr71.dll

2010-06-30 23:55 . 2010-06-30 23:55 12800 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-d3d.dll

2010-06-30 23:54 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 01:14 . 2010-06-30 01:14 63488 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-30 01:08 . 2010-06-30 01:08 -------- d-----w- c:\program files\Trend Micro

2010-06-29 00:58 . 2010-06-29 00:58 -------- d-----w- c:\documents and settings\rw\Application Data\IObit

2010-06-28 03:52 . 2010-06-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-06-28 02:39 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2010-06-28 02:13 . 2010-06-28 02:13 -------- d--h--w- c:\windows\PIF

2010-06-27 20:02 . 2010-06-29 12:11 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-27 17:58 . 2010-06-27 18:07 52224 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-27 17:57 . 2010-06-30 01:14 117760 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-27 00:46 . 2010-06-27 00:46 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-26 11:53 . 2010-06-26 11:53 -------- d-----w- C:\FOUND.001

2010-06-25 06:23 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-25 02:28 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-25 02:25 . 2010-06-25 02:25 -------- d-----w- C:\FOUND.000

2010-06-25 01:52 . 2010-06-25 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-07 18:42 . 2010-06-07 18:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-27 19:04 . 2003-03-31 16:00 24064 ----a-w- c:\windows\system32\ctfmon.exe

2010-06-25 11:44 . 2009-08-05 12:43 36768 ----a-w- c:\documents and settings\abw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-14 23:21 . 2010-05-14 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive

2010-05-14 23:16 . 2010-05-14 23:16 -------- d-----w- c:\program files\Virtual Assistant

2010-05-14 23:15 . 2010-05-14 23:15 2232 ----a-w- c:\windows\java\Packages\Data\HRRDR3PV.DAT

2010-05-14 23:15 . 2010-05-14 23:15 155995 ----a-w- c:\windows\java\Packages\YOKLB9NF.ZIP

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\N1FRHB7V.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\Z3RFNVV1.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\VVTVJBN3.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\PZLRF9FP.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\DFDFV13P.DAT

2010-05-14 23:15 . 2010-05-14 23:15 -------- d-----w- c:\program files\CenturyLink

2010-05-14 23:13 . 2010-05-14 23:13 -------- d-----w- c:\program files\EMBARQ

2010-05-06 10:41 . 2003-03-31 16:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2003-03-31 16:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-08-17 00:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-08-17 00:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2003-03-31 16:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 19:37 . 2010-02-04 03:10 6 ----a-w- c:\windows\system32\PCTiming.dat

1998-12-08 18:53 . 1998-12-08 18:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-08 18:53 . 1998-12-08 18:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-08 18:53 . 1998-12-08 18:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

 

------- Sigcheck -------

 

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2009-08-22 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"HideOE"="c:\program files\r2 studios\HideOE\HideOE.exe" [2002-09-06 65536]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-06-27 19:14 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

2007-05-22 15:04 521128 ------w- c:\program files\DNA-drivers\DNA-ATi\Driver\DNA-ATI Tray Tools\atitray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 00:20 866584 ----a-w- d:\program files\Windows Defender\MSASCui.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Brother\\Brmfl08d\\FAXRX.exe"=

"c:\\WINDOWS\\System32\\mmc.exe"=

"c:\\Program Files\\Java\\JRE6\\BIN\\JAVA.EXE"=

"f:\\Program Files\\BitLord\\BitLord.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

 

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/3/2009 11:40 PM 116264]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/5/2009 12:05 AM 114768]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/28/2009 10:53 AM 12872]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 67656]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/27/2010 10:39 PM 18816]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/5/2009 12:05 AM 20560]

R2 IS360service;IS360service;d:\program files\IObit\IObit Security 360\is360srv.exe [6/27/2010 11:52 PM 312152]

R3 hpdat;hpdat;c:\windows\system32\drivers\hpdat.sys [4/15/2009 3:41 PM 7936]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2/28/2010 1:43 PM 7040]

S1 atitray;atitray;\??\c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys --> c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys [?]

S2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [8/3/2009 11:16 PM 12288]

S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [8/4/2009 8:47 PM 112624]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]

S3 OSBIBZ;OSBIBZ;c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe --> c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe [?]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 12872]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - NMSCFG

.

Contents of the 'Scheduled Tasks' folder

 

2010-06-29 c:\windows\Tasks\SmartDefrag.job

- d:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-06-29 16:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://centurylink.net

uInternet Settings,ProxyOverride = local

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\rw\Application Data\Mozilla\Firefox\Profiles\iqdkydo9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-Adobe Reader Speed Launcher - d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-30 20:48

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\75.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1645522239-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"jakebdimdcjadjmkdhlg"=hex:62,61,67,6f,00,00

"jakebdimdcjadjmkdhpg"=hex:62,61,64,69,00,00

"iakfciigfidfkkhkni"=hex:6b,61,6c,6f,6b,63,69,68,69,63,66,6d,6d,63,62,66,6d,63,

69,65,69,69,00,00

"haahaigammbphknc"=hex:6b,61,6c,6f,6b,63,6a,68,66,62,61,69,70,70,66,6c,67,64,

6a,6f,69,70,00,00

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c016\6&24e83e2c&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(800)

d:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(2184)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

d:\program files\Alwil Software\Avast4\aswUpdSv.exe

d:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\System32\GEARSec.exe

c:\windows\System32\NMSSvc.exe

d:\program files\Norton Ghost\Agent\VProSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\progra~1\COMMON~1\X10\COMMON\x10nets.exe

c:\program files\Canon\CAL\CALMAIN.exe

d:\program files\Alwil Software\Avast4\ashMaiSv.exe

d:\program files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2010-06-30 20:51:17 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-01 00:51

 

Pre-Run: 7,940,603,904 bytes free

Post-Run: 8,621,408,256 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

 

- - End Of File - - 7B582659FC51F7D4958C1999B8AEAA61
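Two parts of the ComboFix log above are easier to read with a small parser: the Sigcheck section, which lists three copies of ctfmon.exe, and the hex: values under LOCKED REGISTRY KEYS. The following is an added example written for this page, not ComboFix's own code; the function names are mine, and the sample text is copied from the log above. It assumes the log is from Windows XP (so a genuine system file carries a 5.1.2600.x version string) and that ComboFix's [-] marker denotes a copy it could not match to a known Microsoft file. On the log above it reports that the live c:\windows\system32\ctfmon.exe and the c:\windows\ServicePackFiles\i386 copy share one hash and the version string 1.0.0.5, which rules out the ServicePackFiles copy as a restore source, while the only copy with a Microsoft version string sits in $NtServicePackUninstall$; the locked-key values decode to short lowercase strings, not executable content.

```python
"""Two triage helpers for a ComboFix log (added example, not ComboFix's code).

parse_sigcheck / assess_sigcheck read the "Sigcheck" section and say why a
system file deserves attention; decode_reg_hex turns the hex: values printed
under "LOCKED REGISTRY KEYS" back into readable strings.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<when>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?) \. "
    r"(?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$"
)
XP_BUILD = "5.1.2600."   # assumption: Windows XP, as in the log above


def parse_sigcheck(lines):
    """One dict per Sigcheck line; every other line is ignored."""
    records = []
    for line in lines:
        if m := SIGCHECK_RE.match(line.strip()):
            rec = m.groupdict()
            rec["size"], rec["md5"] = int(rec["size"]), rec["md5"].upper()
            records.append(rec)
    return records


def assess_sigcheck(records):
    """Group the records by file name and list what is wrong with each copy."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[PureWindowsPath(rec["path"]).name.lower()].append(rec)
    verdicts = {}
    for name, recs in by_name.items():
        notes = []
        for rec in recs:
            # Assumption: "[-]" is ComboFix's marker for a copy it could not
            # match to a known Microsoft file; a number means it matched.
            if rec["flag"] == "-":
                notes.append(f"{rec['path']}: hash {rec['md5']} not a recognised Microsoft build")
            if not rec["version"].startswith(XP_BUILD):
                notes.append(f"{rec['path']}: version {rec['version']!r} is not an XP build")
        bad = {r["md5"] for r in recs if r["flag"] == "-"}
        if any("servicepackfiles" in r["path"].lower() and r["md5"] in bad for r in recs):
            notes.append("ServicePackFiles copy carries the same unrecognised hash; restoring from it would not help")
        verdicts[name] = notes
    return verdicts


REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\(\d+\))?:(?P<bytes>.*)$')
HEX_RUN_RE = re.compile(r"^(?:[0-9A-Fa-f]{2},?)+\\?$")   # a wrapped continuation line


def _hex_to_text(hexrun):
    data = bytes(int(h, 16) for h in hexrun.split(",") if h)
    if len(data) >= 2 and all(b == 0 for b in data[1::2]):
        # REG_SZ exported as hex is UTF-16LE; an odd trailing byte means the
        # log cut the value short, so it is dropped.
        text = data[: len(data) // 2 * 2].decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return text.rstrip("\x00")


def decode_reg_hex(lines):
    """Decode "name"=hex:.. values, joining wrapped lines (a trailing ',' or
    ',\\' means more bytes follow). A value whose continuation never arrives,
    as with ImagePath in this log, is decoded from what was printed."""
    values, name, buf = {}, None, ""

    def flush():
        nonlocal name, buf
        if name is not None:
            values[name] = _hex_to_text(buf)
        name, buf = None, ""

    for raw in lines:
        line = raw.strip()
        if name is not None and HEX_RUN_RE.match(line):
            buf += line.rstrip("\\")
        else:
            flush()
            if m := REG_VALUE_RE.match(line):
                name, buf = m["name"], m["bytes"].rstrip("\\")
        if name is not None and not buf.endswith(","):
            flush()
    flush()
    return values


# Samples copied from the log above (the ImagePath value is cut short there).
SIGCHECK_SAMPLE = [
    r"[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe",
    r"[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe",
    r"[7] 2009-08-22 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe",
]
LOCKED_KEY_SAMPLE = [
    '"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\\',
    "",
    '"jakebdimdcjadjmkdhlg"=hex:62,61,67,6f,00,00',
    '"jakebdimdcjadjmkdhpg"=hex:62,61,64,69,00,00',
    '"iakfciigfidfkkhkni"=hex:6b,61,6c,6f,6b,63,69,68,69,63,66,6d,6d,63,62,66,6d,63,',
    "69,65,69,69,00,00",
    '"haahaigammbphknc"=hex:6b,61,6c,6f,6b,63,6a,68,66,62,61,69,70,70,66,6c,67,64,',
    "6a,6f,69,70,00,00",
]

if __name__ == "__main__":
    for name, notes in assess_sigcheck(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(name, *notes, sep="\n  ")
    for name, text in decode_reg_hex(LOCKED_KEY_SAMPLE).items():
        print(f"{name} = {text!r}")
```

Both helpers take the log as a list of lines, so the whole ComboFix.txt can be passed to each; anything that is not a Sigcheck line or a hex: value is skipped. Keying decoded values by name alone is deliberate for a short dump like this one; a log with the same value name under several keys would need the key path carried along as well.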


Sorry for being so late in getting back to you. There was something in the logs I had to check.

 

but still have that O23. Not a big deal, right?

 

If it shows up again, we'll get it.

 

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

 

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

 

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

 

Exit out of MessengerDisable then delete the two files that were put on the desktop.

 

==============================

 

P2P - I see you have P2P software installed on your machine. (BitLord) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

 

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

 

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

 

==============================

 

Re-running ComboFix to remove infections:

 

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
     
    File::
    C:\FOUND.001
    C:\FOUND.000
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://img19.imageshack.us/img19/5660/cfscriptb4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

 

=====================================

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log


OK Dave, here is the latest combo fix file:

 

ComboFix 10-07-04.04 - rw 07/05/2010 21:15:38.3.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1557 [GMT -4:00]

Running from: c:\documents and settings\rw\Desktop\Commy.exe

Command switches used :: c:\documents and settings\rw\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1368 [VPS 100706-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

 

FILE ::

"C:\FOUND.000"

"C:\FOUND.001"

.

 

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

 

2010-07-01 01:05 . 2010-07-01 01:05 -------- d-----w- C:\Commy

2010-07-01 00:03 . 2010-07-01 00:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-01 00:02 . 2010-07-01 00:02 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-06-30 23:55 . 2010-06-30 23:55 -------- d-----w- c:\program files\Common Files\Java

2010-06-30 23:55 . 2010-06-30 23:55 61440 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-sse.dll

2010-06-30 23:55 . 2010-06-30 23:55 503808 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcp71.dll

2010-06-30 23:55 . 2010-06-30 23:55 499712 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\jmc.dll

2010-06-30 23:55 . 2010-06-30 23:55 348160 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49dd4ec2-n\msvcr71.dll

2010-06-30 23:55 . 2010-06-30 23:55 12800 ----a-w- c:\documents and settings\rw\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29735ad9-n\decora-d3d.dll

2010-06-30 23:54 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 01:14 . 2010-06-30 01:14 63488 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-30 01:08 . 2010-06-30 01:08 -------- d-----w- c:\program files\Trend Micro

2010-06-29 00:58 . 2010-06-29 00:58 -------- d-----w- c:\documents and settings\rw\Application Data\IObit

2010-06-28 03:52 . 2010-06-28 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-06-28 02:39 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2010-06-28 02:13 . 2010-06-28 02:13 -------- d--h--w- c:\windows\PIF

2010-06-27 20:02 . 2010-06-29 12:11 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-27 17:58 . 2010-06-27 18:07 52224 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-27 17:57 . 2010-06-30 01:14 117760 ----a-w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\rw\Application Data\SUPERAntiSpyware.com

2010-06-27 17:56 . 2010-06-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-27 00:46 . 2010-06-27 00:46 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-26 11:53 . 2010-06-26 11:53 -------- d-----w- C:\FOUND.001

2010-06-25 06:23 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-25 02:28 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-25 02:25 . 2010-06-25 02:25 -------- d-----w- C:\FOUND.000

2010-06-25 01:52 . 2010-06-25 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\579\AcrobatUpdater.exe

2010-06-07 18:42 . 2010-06-07 18:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-27 19:04 . 2003-03-31 16:00 24064 ----a-w- c:\windows\system32\ctfmon.exe

2010-06-25 11:44 . 2009-08-05 12:43 36768 ----a-w- c:\documents and settings\abw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-14 23:21 . 2010-05-14 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive

2010-05-14 23:16 . 2010-05-14 23:16 -------- d-----w- c:\program files\Virtual Assistant

2010-05-14 23:15 . 2010-05-14 23:15 2232 ----a-w- c:\windows\java\Packages\Data\HRRDR3PV.DAT

2010-05-14 23:15 . 2010-05-14 23:15 155995 ----a-w- c:\windows\java\Packages\YOKLB9NF.ZIP

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\N1FRHB7V.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\Z3RFNVV1.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\VVTVJBN3.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\PZLRF9FP.DAT

2010-05-14 23:15 . 2010-05-14 23:15 2678 ----a-w- c:\windows\java\Packages\Data\DFDFV13P.DAT

2010-05-14 23:15 . 2010-05-14 23:15 -------- d-----w- c:\program files\CenturyLink

2010-05-14 23:13 . 2010-05-14 23:13 -------- d-----w- c:\program files\EMBARQ

2010-05-06 10:41 . 2003-03-31 16:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2003-03-31 16:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-08-17 00:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-08-17 00:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2003-03-31 16:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 19:37 . 2010-02-04 03:10 6 ----a-w- c:\windows\system32\PCTiming.dat

1998-12-08 18:53 . 1998-12-08 18:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-08 18:53 . 1998-12-08 18:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-08 18:53 . 1998-12-08 18:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-08 18:53 . 1998-12-08 18:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

.

 

------- Sigcheck -------

 

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe

[-] 2010-06-27 19:04 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[7] 2009-08-22 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"HideOE"="c:\program files\r2 studios\HideOE\HideOE.exe" [2002-09-06 65536]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-06-27 19:14 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

2007-05-22 15:04 521128 ------w- c:\program files\DNA-drivers\DNA-ATi\Driver\DNA-ATI Tray Tools\atitray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 00:20 866584 ----a-w- d:\program files\Windows Defender\MSASCui.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Brother\\Brmfl08d\\FAXRX.exe"=

"c:\\WINDOWS\\System32\\mmc.exe"=

"c:\\Program Files\\Java\\JRE6\\BIN\\JAVA.EXE"=

"f:\\Program Files\\BitLord\\BitLord.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

 

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/3/2009 11:40 PM 116264]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/5/2009 12:05 AM 114768]

R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/28/2009 10:53 AM 12872]

R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 67656]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/27/2010 10:39 PM 18816]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/5/2009 12:05 AM 20560]

R3 hpdat;hpdat;c:\windows\system32\drivers\hpdat.sys [4/15/2009 3:41 PM 7936]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2/28/2010 1:43 PM 7040]

S1 atitray;atitray;\??\c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys --> c:\program files\DNA-drivers\DNA-ATi\Driver\ATI Tray Tools\atitray.sys [?]

S2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [8/3/2009 11:16 PM 12288]

S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [8/4/2009 8:47 PM 112624]

S3 IS360service;IS360service;d:\program files\IObit\IObit Security 360\is360srv.exe [6/27/2010 11:52 PM 312152]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]

S3 OSBIBZ;OSBIBZ;c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe --> c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe [?]

S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 12872]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - NMSCFG

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://centurylink.net

uInternet Settings,ProxyOverride = local

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\rw\Application Data\Mozilla\Firefox\Profiles\iqdkydo9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: d:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-05 21:27

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atitray]

"ImagePath"=hex:5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,\

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\75.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1645522239-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9553575F-AFF9-2F44-8FBD-7BD8DE0DE6FB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"jakebdimdcjadjmkdhlg"=hex:62,61,67,6f,00,00

"jakebdimdcjadjmkdhpg"=hex:62,61,64,69,00,00

"iakfciigfidfkkhkni"=hex:6b,61,6c,6f,6b,63,69,68,69,63,66,6d,6d,63,62,66,6d,63,

69,65,69,69,00,00

"haahaigammbphknc"=hex:6b,61,6c,6f,6b,63,6a,68,66,62,61,69,70,70,66,6c,67,64,

6a,6f,69,70,00,00

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c016\6&24e83e2c&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(804)

d:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

 

- - - - - - - > 'explorer.exe'(3192)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Alwil Software\Avast4\aswUpdSv.exe

d:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\System32\GEARSec.exe

c:\windows\System32\NMSSvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

d:\program files\Alwil Software\Avast4\ashMaiSv.exe

d:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\outlook express\msimn.exe

.

**************************************************************************

.

Completion time: 2010-07-05 21:30:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 01:30

ComboFix2.txt 2010-07-01 01:11

ComboFix3.txt 2010-07-01 00:51

 

Pre-Run: 8,191,410,176 bytes free

Post-Run: 8,399,749,120 bytes free

 

- - End Of File - - C7E3A2A11D072A88DA184FF1D8EA3819

 

 

Here is the ESET file:

 

C:\WINDOWS\system32\drivers\etc\hosts.20100624-220040.backup Win32/Qhost trojan cleaned by deleting - quarantined

C:\Documents and Settings\abw\Local Settings\Application Data\Identities\{CBEBBA05-BC05-47EA-A98A-69424387CFAE}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats unable to clean

C:\System Volume Information\_restore{32BBD131-392F-4B77-9CDC-C9AA943C8B14}\RP347\A0061130.sys Win32/Olmarik.ZC trojan cleaned - quarantined

F:\old\hideoe.exe probably unknown NewHeur_PE virus deleted - quarantined

 

 

I know my wife said she got some bad emails from a spoofed "UPS" email. She deleted them, but must not have purged the folder.

HideOE is a program I have used for like 8 years at least for hiding Outlook in the system tray.


Also, I tried hijack again. Can't get rid of that annoying:

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)

 

Thanks for all your help.


Please ensure that the items in the Deleted Items are cleared. How's your computer working?

 

Go to Start > Run and type Notepad.exe then click OK.

 

Copy and paste the following text within the code box into the new Notepad file.

 

@ECHO OFF
REM Stop the orphaned Display Tune service, then remove its registration
sc stop "DTSRVC"
sc delete "DTSRVC"

exit

 

In Notepad, select File and Save As.

Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

 

Next double click fixservice.bat to run it.

A black box should open and close after a short time, this is normal.

Do not continue until the black box has closed.

Delete fixservice.bat from the Desktop.

 

==========================

 

Re-running ComboFix to remove infections:

 

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
    File::
    C:\FOUND.001
    C:\FOUND.000
     
    FCopy::
    c:\windows\$NtServicePackUninstall$\ctfmon.exe | c:\windows\system32\ctfmon.exe
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://img19.imageshack.us/img19/5660/cfscriptb4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

 

Please run HJT again to see if that line 23 is gone.

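The service entries in these logs are what a helper reads first: ComboFix marks a service whose binary no longer exists with "[?]", HijackThis marks it "(file missing)", and two of the entries above run from a Temp folder or a .tmp file in system32. The following Python script is an added example, not part of this thread and not code from ComboFix or HijackThis; the sample lines are copied verbatim from the logs above, and the flagging heuristics are the example's own.

```python
"""Triage the service lines from a ComboFix or HijackThis log.

Parses the two service-line formats seen in this thread and flags the
entries a malware-removal helper would look at first: the binary is
missing, or it lives in a Temp directory or carries a .tmp name.
"""
import re
from dataclasses import dataclass, field

# ComboFix:  S3 NAME;DISPLAY;PATH [date size]   or   ...;PATH --> PATH [?]
COMBOFIX_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# HijackThis:  O23 - Service: DISPLAY (NAME) - OWNER - PATH (file missing)
HJT_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    name: str
    path: str
    source: str
    flags: list = field(default_factory=list)


def _normalise_path(raw):
    # Drop the NT object-manager prefix "\??\" that driver entries carry,
    # and lower-case so later checks are case-insensitive.
    p = raw.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def _heuristics(path, missing):
    """Heuristics chosen for this example; not a ComboFix/HJT rule set."""
    flags = []
    if missing:
        flags.append("binary missing")
    if "\\temp\\" in path:
        flags.append("runs from a Temp directory")
    if path.endswith(".tmp"):
        flags.append(".tmp file registered as a service binary")
    return flags


def parse_service_line(line):
    """Return a ServiceEntry for a ComboFix or HJT service line, else None."""
    line = line.strip()
    m = COMBOFIX_RE.match(line)
    if m:
        rest = m.group("rest")
        missing = rest.rstrip().endswith("[?]")
        # The path ends at " --> " (missing file) or at " [" (date/size bracket).
        raw = rest.split(" --> ")[0].split(" [")[0]
        path = _normalise_path(raw)
        return ServiceEntry(m.group("name"), path, "combofix", _heuristics(path, missing))
    m = HJT_RE.match(line)
    if m:
        path = _normalise_path(m.group("path"))
        missing = m.group("missing") is not None
        return ServiceEntry(m.group("name"), path, "hjt", _heuristics(path, missing))
    return None


def triage(lines):
    """Return only the entries with at least one flag, in log order."""
    found = []
    for line in lines:
        entry = parse_service_line(line)
        if entry and entry.flags:
            found.append(entry)
    return found


# Sample lines copied from the ComboFix and HijackThis output in this thread.
SAMPLE_LINES = [
    r"R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/5/2009 12:05 AM 114768]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]",
    r"S3 OSBIBZ;OSBIBZ;c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe --> c:\docume~1\RWEING~1\LOCALS~1\Temp\OSBIBZ.exe [?]",
    r"O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (file missing)",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.name:<10} {e.path}\n    -> {', '.join(e.flags)}")
```

A flagged entry is a starting point for the kind of sc stop / sc delete step shown above, not proof of infection on its own: an uninstaller that left its service registration behind (as with DTSRVC) looks the same as a removed malicious driver.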

Could not get rid of that O23. I am thinking maybe I should reinstall the monitor sw (that was from an LG driver) and then uninstall. Maybe something is stuck?

 

Otherwise the machine is running great. I noticed that my little thermocouple I have in the heatsink of the CPU is back around 104F. At the peak of my problem it was 130F and about a week ago before your tweaks, it was 116F. Tells me a lot less is running.

 

Here is the combofix:

ComboFix 10-07-04.04 - rw 07/05/2010 21:15:38.3.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1557 [GMT -4:00]

Running from: c:\documents and settings\rw\Desktop\Commy.exe

Command switches used :: c:\documents and settings\rw\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1368 [VPS 100706-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

 

FILE ::

"C:\FOUND.000"

"C:\FOUND.001"

.

 


ComboFix2.txt 2010-07-01 01:11

ComboFix3.txt 2010-07-01 00:51

 

Pre-Run: 8,191,410,176 bytes free

Post-Run: 8,399,749,120 bytes free

 

- - End Of File - - C7E3A2A11D072A88DA184FF1D8EA3819


Could not get rid of that O23. I am thinking maybe I should reinstall the monitor sw (that was from an LG driver) and then uninstall. Maybe something is stuck?

Don't do anything with it for the moment. It's nothing serious. We were instructed to fix anything in HJT with a (file missing) tag. There are some other things I have to consult with my boss about in the ComboFix log. I think he's away on vacation, so I'll get to him when he gets back. Just keep watching this topic and I'll get back to you. Thanks


To give an update. All seems ok, with the exception of shutting down.

The machine logs out and sits on the last screen (basically a colored background) for about 2 minutes. I hear the HDD doing something. Then it shuts down.


Ok. My laptop with Vista takes a lot longer to shut down than my pc with XP. Not sure why. I suppose there's more stuff to save. Let's do some clean-up

 

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.

* Now type commy /uninstall in the runbox

* Make sure there's a space between commy and /Uninstall

* Then hit Enter

 

* The above procedure will:

  * Delete the following:

    * ComboFix and its associated files and folders.

  * Reset the clock settings.

  * Hide file extensions, if required.

  * Hide System/Hidden files, if required.

  * Set a new, clean Restore Point.

 

==============================

 

Download OTC by OldTimer and save it to your desktop.

 

1. Double-click OTC to run it.

2. Click the CleanUp! button.

3. Select Yes when the "Begin cleanup Process?" prompt appears.

4. If you are prompted to Reboot during the cleanup, select Yes

5. OTC should delete itself once it finishes, if not delete it yourself.

 

=================================

 

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

 

Double-click TFC.exe to run it.

 

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

 

TFC will close all programs when run, so make sure you have saved all your work before you begin.

 

* Click the Start button to begin the cleaning process.

* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.

* Please let TFC run uninterrupted until it is finished.

 

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

 

=================================

 

Looking over your log it seems you don't have any evidence of a third party firewall.

 

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

 

Remember only install ONE firewall

 

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)

2) Online Armor

3) Agnitum Outpost

4) PC Tools Firewall Plus

 

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

 

=================================

 

Use the Secunia Software Inspector to check for out of date software.

 

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.

• Update anything listed.

.

----------

 

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!


Archived

This topic is now archived and is closed to further replies.
