Mourning the loss of our friend, WhitPhil.
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
access audio black screen blue screen boot bsod connection crash dell desktop driver drivers dvd email error excel firefox hard drive hardware hijackthis internet keyboard laptop malware monitor motherboard network networking outlook problem recovery registry cleaner router safe mode screen slow sound spyware tdlwsp.dll trojan vba video virus vista vundo windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: Malwarebytes anti-malware uses chkdsk?

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
Page 1 of 2 1 2
 
Thread Tools
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
30-Jun-2009, 08:51 AM #1
Malwarebytes anti-malware uses chkdsk?
Hi, i am new to using Malwarebyes anti malware. I recently did a full drive scan of drive C, and a it found a few hundred things and most of them it couldn't remove without a reboot.

so it reboots and i'm surprised to see chkdsk running on reboot. is this normal? does malwarebytes use this to remove those files? or did something else happen to cause this?

after this was done and i got back onto the desktop, i did another scan to make sure it really did get rid of everything and it seems that it did. it did not find anything at all on the second scan.

i just wanted to confirm if this was normal behavior because it kinds scared me. i normally only see chkdsk run on it's own after something bad happend. i wasn't able to read it all cause it went so fast but it seemed to be repairing a lot of things and deleting things....

it was hard to tell.

any info on this is greatly appreciated. thoughts, ideas, (maybe something similar happend to other people) anything at all to help me understand this would be great. thx a lot.
__________________
My PC Specs
--Phoenix--
Register for free to hide this ad!
Cookiegal's Avatar
Administrator with 63,642 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
30-Jun-2009, 09:45 AM #2
I don't think MalwareBytes triggers chkdsk but chkdsk will run on its own if problems with the drive are detected. Let's see the report from the chkdsk run and see what it did. I assume it's not running one very boot but only the one time?

Go to Start - Run and type in eventvwr.msc, and hit enter.
When Event Viewer opens, click on "Application", then scroll
down to "Winlogon" and double-click on it to open it up. This is the log
created after running chkdsk. Click on the icon that looks like two pieces of paper to copy it and then paste it here please.


Also, please post your MalwareBytes scan log.
__________________
Microsoft MVP - Consumer Security
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
30-Jun-2009, 04:24 PM #3
thx for your help. here is what you requested.



eventviewer

Quote:
Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 6/30/2009
Time: 4:50:51 AM
User: N/A
Computer: PHOENIX
Description:
Checking file system on C:
The type of the file system is NTFS.
Volume label is Winxp.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
Deleting orphan file record segment 812.
Deleting orphan file record segment 3348.
Deleting orphan file record segment 4340.
Deleting orphan file record segment 11792.
Deleting orphan file record segment 16180.
Deleting orphan file record segment 21088.
Deleting orphan file record segment 28080.
Deleting orphan file record segment 31004.
Deleting orphan file record segment 32476.
Deleting orphan file record segment 33384.
Deleting orphan file record segment 33764.
Deleting orphan file record segment 39684.
Deleting orphan file record segment 44192.
Deleting orphan file record segment 46292.
The object id index entry in file 0x19 points to file 0xb4d4
but the file has no object id in it.
Deleting an index entry from index $O of file 25.
The object id index entry in file 0x19 points to file 0x9b04
but the file has no object id in it.
Deleting an index entry from index $O of file 25.
The multi-sector header signature for VCN 0x45 of index $I30
in file 0x20 is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
Correcting error in index $I30 for file 32.
The index bitmap $I30 in file 0x20 is incorrect.
Correcting error in index $I30 for file 32.
The down pointer of current index entry with length 0x78 is invalid.
9b 2e 00 00 00 00 02 00 78 00 5a 00 01 00 00 00 ........x.Z.....
20 00 00 00 00 00 ec 5b 00 f8 da ce 05 2c c1 01 ......[.....,..
00 c8 a2 f9 00 7a c4 01 0c ac 57 39 d9 32 c7 01 .....z....W9.2..
10 31 22 f8 75 f9 c9 01 00 50 00 00 00 00 00 00 .1".u....P......
00 48 00 00 00 00 00 00 20 00 00 00 00 00 00 00 .H...... .......
0c 03 77 00 74 00 73 00 61 00 70 00 69 00 33 00 ..w.t.s.a.p.i.3.
32 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 02 00 2...d.l.l.......
ff ff ff ff ff ff ff ff 50 17 00 00 00 00 63 00 ........P.....c.
88 00 6a 00 01 00 00 00 20 00 00 00 00 00 ec 5b ..j..... ......[
Sorting index $I30 in file 32.
The multi-sector header signature for VCN 0x0 of index $I30
in file 0x46d is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
Correcting error in index $I30 for file 1133.
The index bitmap $I30 in file 0x46d is incorrect.
Correcting error in index $I30 for file 1133.
The down pointer of current index entry with length 0x78 is invalid.
bf 04 00 00 00 00 03 00 78 00 5a 00 01 00 00 00 ........x.Z.....
6d 04 00 00 00 00 03 00 00 64 5d 8a e7 5d c2 01 m........d]..]..
00 64 5d 8a e7 5d c2 01 26 ee 04 26 ed 32 c7 01 .d]..]..&..&.2..
38 71 bc ed 73 f9 c9 01 00 d0 3d 00 00 00 00 00 8q..s.....=.....
00 cc 3d 00 00 00 00 00 20 00 00 00 00 00 00 00 ..=..... .......
0c 03 50 00 4d 00 61 00 67 00 69 00 63 00 39 00 ..P.M.a.g.i.c.9.
78 00 2e 00 65 00 78 00 65 00 00 00 00 00 03 00 x...e.x.e.......
ff ff ff ff ff ff ff ff 5d 05 00 00 00 00 03 00 ........].......
78 00 5a 00 01 00 00 00 6d 04 00 00 00 00 03 00 x.Z.....m.......
Sorting index $I30 in file 1133.
The multi-sector header signature for VCN 0xc0 of index $I30
in file 0x2375 is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
The multi-sector header signature for VCN 0x100 of index $I30
in file 0x2375 is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
Correcting error in index $I30 for file 9077.
The index bitmap $I30 in file 0x2375 is incorrect.
Correcting error in index $I30 for file 9077.
The down pointer of current index entry with length 0x78 is invalid.
14 04 00 00 00 00 17 5e 78 00 5a 00 01 00 00 00 .......^x.Z.....
75 23 00 00 00 00 01 00 40 4d 94 03 aa 75 c8 01 u#......@M...u..
c2 82 0e 0e aa 75 c8 01 c2 82 0e 0e aa 75 c8 01 .....u.......u..
3c e5 b7 94 72 f9 c9 01 a8 00 00 00 00 00 00 00 <...r...........
a7 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ .......
0c 02 54 00 41 00 33 00 41 00 32 00 33 00 7e 00 ..T.A.3.A.2.3.~.
31 00 2e 00 54 00 58 00 54 00 74 00 78 00 74 00 1...T.X.T.t.x.t.
ff ff ff ff ff ff ff ff bf 68 00 00 00 00 b6 00 .........h......
78 00 5a 00 01 00 00 00 75 23 00 00 00 00 01 00 x.Z.....u#......
Sorting index $I30 in file 9077.
The multi-sector header signature for VCN 0x17 of index $I30
in file 0x4ade is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
Correcting error in index $I30 for file 19166.
The multi-sector header signature for VCN 0x42 of index $I30
in file 0x4ade is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
Correcting error in index $I30 for file 19166.
The index bitmap $I30 in file 0x4ade is incorrect.
Correcting error in index $I30 for file 19166.
The down pointer of current index entry with length 0x70 is invalid.
bb a3 00 00 00 00 57 00 70 00 56 00 01 00 00 00 ......W.p.V.....
de 4a 00 00 00 00 d6 01 12 5c 75 cb a1 f7 c9 01 .J.......\u.....
12 5c 75 cb a1 f7 c9 01 12 5c 75 cb a1 f7 c9 01 .\u......\u.....
12 df 55 3a 73 f9 c9 01 00 20 00 00 00 00 00 00 ..U:s.... ......
db 1e 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ .......
0a 02 33 00 5f 00 32 00 5f 00 7e 00 31 00 2e 00 ..3._.2._.~.1...
4a 00 50 00 47 00 4c 00 ff ff ff ff ff ff ff ff J.P.G.L.........
62 b3 00 00 00 00 45 00 78 00 5a 00 01 00 00 00 b.....E.x.Z.....
Sorting index $I30 in file 19166.
The multi-sector header signature for VCN 0x14 of index $I30
in file 0x7066 is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
Correcting error in index $I30 for file 28774.
The index bitmap $I30 in file 0x7066 is incorrect.
Correcting error in index $I30 for file 28774.
The down pointer of current index entry with length 0xb8 is invalid.
41 71 00 00 00 00 01 00 b8 00 9c 00 01 00 00 00 Aq..............
66 70 00 00 00 00 01 00 00 a8 26 a5 b0 d6 c6 01 fp........&.....
00 a8 26 a5 b0 d6 c6 01 d4 a1 15 36 46 92 c8 01 ..&........6F...
6e 61 55 70 73 f9 c9 01 00 20 00 00 00 00 00 00 naUps.... ......
1c 17 00 00 00 00 00 00 21 00 00 00 00 00 00 00 ........!.......
2d 01 57 00 53 00 35 00 38 00 61 00 30 00 34 00 -.W.S.5.8.a.0.4.
61 00 38 00 32 00 32 00 65 00 33 00 65 00 35 00 a.8.2.2.e.3.e.5.
30 00 31 00 30 00 32 00 62 00 64 00 36 00 31 00 0.1.0.2.b.d.6.1.
35 00 31 00 30 00 39 00 37 00 39 00 34 00 31 00 5.1.0.9.7.9.4.1.
39 00 35 00 66 00 66 00 2d 00 37 00 64 00 31 00 9.5.f.f.-.7.d.1.
66 00 2e 00 68 00 74 00 6d 00 6c 00 00 00 01 00 f...h.t.m.l.....
ff ff ff ff ff ff ff ff 32 71 00 00 00 00 01 00 ........2q......
b8 00 9c 00 01 00 00 00 66 70 00 00 00 00 01 00 ........fp......
Sorting index $I30 in file 28774.
The multi-sector header signature for VCN 0x0 of index $I30
in file 0x9033 is incorrect.
07 05 05 33 5a 30 31 30 30 3f 00 00 00 00 00 00 ...3Z0100?......
00 00 00 00 00 00 01 00 00 00 00 00 28 00 02 00 ............(...
Correcting error in index $I30 for file 36915.
The index bitmap $I30 in file 0x9033 is incorrect.
Correcting error in index $I30 for file 36915.
The down pointer of current index entry with length 0x18 is invalid.
00 00 00 00 00 00 00 00 18 00 00 00 03 00 00 00 ................
ff ff ff ff ff ff ff ff 1e 64 5e 6f 55 e9 c9 01 .........d^oU...
00 39 50 08 4e 33 c8 01 78 c6 60 6f 55 e9 c9 01 .9P.N3..x.`oU...
Sorting index $I30 in file 36915.
Index entry comp.exe of index $I30 in file 0x20 points to unused file 0x32c.
Deleting index entry comp.exe in index $I30 of file 32.
Index entry compact.exe of index $I30 in file 0x20 points to unused file 0x32d.
Deleting index entry compact.exe in index $I30 of file 32.
Index entry WMVXENCD.dll of index $I30 in file 0x20 points to unused file 0x9b05.
Deleting index entry WMVXENCD.dll in index $I30 of file 32.
Index entry serenum.sys of index $I30 in file 0x22 points to unused file 0x2e11.
Deleting index entry serenum.sys in index $I30 of file 34.
Index entry serial.sys of index $I30 in file 0x22 points to unused file 0x2e10.
Deleting index entry serial.sys in index $I30 of file 34.
Index entry htable.xsl of index $I30 in file 0x40 points to unused file 0x10f4.
Deleting index entry htable.xsl in index $I30 of file 64.
Index entry c_21027.nls of index $I30 in file 0x4a points to unused file 0x791d.
Deleting index entry c_21027.nls in index $I30 of file 74.
Index entry Cookies of index $I30 in file 0xcb0 points to unused file 0xd14.
Deleting index entry Cookies in index $I30 of file 3248.
Index entry Desktop of index $I30 in file 0xcb0 points to unused file 0xd15.
Deleting index entry Desktop in index $I30 of file 3248.
Index entry Offline of index $I30 in file 0x10ec points to unused file 0x10f5.
Deleting index entry Offline in index $I30 of file 4332.
Index entry WmiApRpl.ini of index $I30 in file 0x13b6 points to unused file 0x791c.
Deleting index entry WmiApRpl.ini in index $I30 of file 5046.
Index entry MyVectorStore[1].htm of index $I30 in file 0x148f points to unused file 0x8268.
Deleting index entry MyVectorStore[1].htm in index $I30 of file 5263.
Index entry MYVECT~1.HTM of index $I30 in file 0x148f points to unused file 0x8268.
Deleting index entry MYVECT~1.HTM in index $I30 of file 5263.
Index entry emalware.346 of index $I30 in file 0x2004 points to unused file 0x8269.
Deleting index entry emalware.346 in index $I30 of file 8196.
Index entry emalware.i69 of index $I30 in file 0x2004 points to unused file 0x83e4.
Deleting index entry emalware.i69 in index $I30 of file 8196.
Index entry CAC0BXR3.87 of index $I30 in file 0x2039 points to unused file 0x83e5.
Deleting index entry CAC0BXR3.87 in index $I30 of file 8249.
Index entry TAA3E6~1.TXT of index $I30 in file 0x2375 points to unused file 0x6db1.
Deleting index entry TAA3E6~1.TXT in index $I30 of file 9077.
Index entry tact@htmlhelp[1].txt of index $I30 in file 0x2375 points to unused file 0x6db1.
Deleting index entry tact@htmlhelp[1].txt in index $I30 of file 9077.
Index entry annasophia_robb_1182836542.jpg of index $I30 in file 0x23be points to unused file 0x9b04.
Deleting index entry annasophia_robb_1182836542.jpg in index $I30 of file 9150.
Index entry ANNASO~3.JPG of index $I30 in file 0x23be points to unused file 0x9b04.
Deleting index entry ANNASO~3.JPG in index $I30 of file 9150.
Index entry woww43i67X2757Q5.jpg of index $I30 in file 0x23be points to unused file 0xb4d4.
Deleting index entry woww43i67X2757Q5.jpg in index $I30 of file 9150.
Index entry WOWW43~1.JPG of index $I30 in file 0x23be points to unused file 0xb4d4.
Deleting index entry WOWW43~1.JPG in index $I30 of file 9150.
Index entry SVE9FE~1.MOD of index $I30 in file 0x2dbc points to unused file 0xb4d5.
Deleting index entry SVE9FE~1.MOD in index $I30 of file 11708.
Index entry svg-basic-font.mod of index $I30 in file 0x2dbc points to unused file 0xb4d5.
Deleting index entry svg-basic-font.mod in index $I30 of file 11708.
Index entry ME1B93~1.PRO of index $I30 in file 0x3391 points to unused file 0x3f34.
Deleting index entry ME1B93~1.PRO in index $I30 of file 13201.
Index entry messages_ko.properties of index $I30 in file 0x3391 points to unused file 0x3f34.
Deleting index entry messages_ko.properties in index $I30 of file 13201.
Index entry GTA3 Zone Gängid.url of index $I30 in file 0x5252 points to unused file 0x5260.
Deleting index entry GTA3 Zone Gängid.url in index $I30 of file 21074.
Index entry GTA3ZO~1.URL of index $I30 in file 0x5252 points to unused file 0x5260.
Deleting index entry GTA3ZO~1.URL in index $I30 of file 21074.
Index entry HerV4 Review - Killer Instinct [SNES].url of index $I30 in file 0x5252 points to unused file 0x5261.
Deleting index entry HerV4 Review - Killer Instinct [SNES].url in index $I30 of file 21074.
Index entry HERV4R~1.URL of index $I30 in file 0x5252 points to unused file 0x5261.
Deleting index entry HERV4R~1.URL in index $I30 of file 21074.
Index entry dunecrescent1884291802.xml of index $I30 in file 0x64be points to unused file 0x3f35.
Deleting index entry dunecrescent1884291802.xml in index $I30 of file 25790.
Index entry DUNECR~1.XML of index $I30 in file 0x64be points to unused file 0x3f35.
Deleting index entry DUNECR~1.XML in index $I30 of file 25790.
Index entry {7B87C92D-F9AF-4CA3-8863-F55D6A1D8068}.xml of index $I30 in file 0x7ed7 points to unused file 0x7edd.
Deleting index entry {7B87C92D-F9AF-4CA3-8863-F55D6A1D8068}.xml in index $I30 of file 32471.
Index entry {7B87C~1.XML of index $I30 in file 0x7ed7 points to unused file 0x7edd.
Deleting index entry {7B87C~1.XML in index $I30 of file 32471.
Index entry {A720C10C-6E01-49FE-BD0A-FC6FD61DC932}.xml of index $I30 in file 0x7ed7 points to unused file 0x7edc.
Deleting index entry {A720C10C-6E01-49FE-BD0A-FC6FD61DC932}.xml in index $I30 of file 32471.
Index entry {A720C~1.XML of index $I30 in file 0x7ed7 points to unused file 0x7edc.
Deleting index entry {A720C~1.XML in index $I30 of file 32471.
Index entry HOFF8F~1.XML of index $I30 in file 0x8d69 points to unused file 0x6db0.
Deleting index entry HOFF8F~1.XML in index $I30 of file 36201.
Index entry HomeCity_age3x05.xml of index $I30 in file 0x8d69 points to unused file 0x6db0.
Deleting index entry HomeCity_age3x05.xml in index $I30 of file 36201.
Index entry gct23201.dll of index $I30 in file 0xac9f points to unused file 0xaca0.
Deleting index entry gct23201.dll in index $I30 of file 44191.
Index entry uisy3201.dll of index $I30 in file 0xac9f points to unused file 0xaca1.
Deleting index entry uisy3201.dll in index $I30 of file 44191.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
Recovering orphaned file License.txt (1111) into directory file 1133.
Recovering orphaned file DOCS (1138) into directory file 1133.
Recovering orphaned file DrvMap.exe (1144) into directory file 1133.
Recovering orphaned file pe07.dll (1147) into directory file 1133.
Recovering orphaned file pe09.dll (1148) into directory file 1133.
Recovering orphaned file pe0A.dll (1150) into directory file 1133.
Recovering orphaned file pe0C.dll (1151) into directory file 1133.
Recovering orphaned file pe10.dll (1152) into directory file 1133.
Recovering orphaned file pe11.dll (1153) into directory file 1133.
Recovering orphaned file pe12.dll (1160) into directory file 1133.
Recovering orphaned file pe16.dll (1161) into directory file 1133.
Recovering orphaned file PeAbout.pqg (1162) into directory file 1133.
Recovering orphaned file Pesp.pqg (1165) into directory file 1133.
Recovering orphaned file About.pqg (1197) into directory file 1133.
Recovering orphaned file af.cmd (1198) into directory file 1133.
Recovering orphaned file INETWH32.dll (1201) into directory file 1133.
Recovering orphaned file MASTER.CNT (1203) into directory file 1133.
Recovering orphaned file pm.cnt (1206) into directory file 1133.
Recovering orphaned file PM.HLP (1208) into directory file 1133.
Recovering orphaned file PMagic.exe (1209) into directory file 1133.
Recovering orphaned file DOS (1247) into directory file 1133.
Recovering orphaned file wshisn.dll (2688) into directory file 32.
Recovering orphaned file wshnetbs.dll (2689) into directory file 32.
Recovering orphaned file TA39D9~1.TXT (7032) into directory file 9077.
Recovering orphaned file TA39D7~1.TXT (7037) into directory file 9077.
Recovering orphaned file TA3992~1.TXT (9308) into directory file 9077.
Recovering orphaned file wstdecod.dll (11933) into directory file 32.
Recovering orphaned file wsock32.dll (11934) into directory file 32.
Recovering orphaned file wsnmp32.dll (11936) into directory file 32.
Recovering orphaned file wshtcpip.dll (11937) into directory file 32.
Recovering orphaned file wshrm.dll (11939) into direc

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


post was too long so i'll put the malwarebytes log after this.
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
30-Jun-2009, 04:24 PM #4
MALWAREBYTES log

Quote:
Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 2

6/30/2009 4:45:35 AM
mbam-log-2009-06-30 (04-45-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 133770
Time elapsed: 38 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 177

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Default User\Desktop\TSC.lnk (Rogue.Total.Security) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\VundoFixTool.lnk (Fake.VundoFixTool) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiVirus_Pro.lnk (Rogue.AntiVirusPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiVirus 2010.lnk (Rogue.AntiVirus2010) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Total Virus Protection.lnk (Rogue.TotalVirusProtection) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiSpy Monitor.lnk (Rogue.AntiSpywareProtector) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\A360.lnk (Rogue.AntiVirus360) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\IE-Security.lnk (Rogue.IE-Security) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Privacy components.lnk (Rogue.SystemGuard2009) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiVirus.lnk (Rogue.AntiVirus) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AMS_FreeSetup.exe (Rogue.Installer) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiSpyware.lnk (Rogue.AntiSpyware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AutorunManager.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ProcessManager.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ServiceManager.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Adobe PDF Money Guide.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Crack Money Maker Checker.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Money Maker Checker Help Guide.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Money Maker Checker.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Quick Money Guide.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\metro.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\MM2048.dat (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\MM256.dat (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\UPS_letter.doc.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\VRM_Free.exe (Rogue.Installer) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Remove Spyware.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Today's BufferThis Newsletter.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Today's FunFunPages Newsletter.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Today's Funnies Newsletter.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Today's GoodCleanVideos Newsletter.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Today's NewFunPages Newsletter.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Today's PositiveThoughts Newsletter.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Today's ThisSiteRocks Newsletter.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\XPProtectorInstaller.exe (Rogue.Installer) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Uncensored porn.url (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\BDSM galleries.url (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\fwebd.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\updatedd.pif (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\codec.lnk (Dialer) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\iexplor.exe (Trojan.Downloader) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\WinSock.exe (Backdoor.IRCBot) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ieupdr2.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\SMS TRAP.url (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\FullBSCodecz.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\TotalSecure2009.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\VideoTube.com.avi.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AdobeFlashPlayerHD.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\c-setup.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\VideoAccessCodecInstall.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Default User\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\SpywareSoftStop.lnk (Rogue.SpywareSoftStop) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ignoredomainsbase.bin (Rogue.DioCleaner) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\urlbase.bin (Rogue.DioCleaner) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Instant Access.lnk (Adware.EGDAccess) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\NoCreditCard.lnk (Adware.EGDAccess) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Join The Orgy.lnk (Adware.EGDAccess) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\GoRecord.lnk (Adware.EGDAccess) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\InternetGameBox.lnk (Adware.EGDAccess) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\SudoPlanet.lnk (Adware.EGDAccess) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\WebMediaPlayer.lnk (Adware.EGDAccess) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\msdos.pif (Trojan.Downloader) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\SMS Trap.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Lhoroscope.com (Rogue.App) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Optimize Internet (Rogue.Multiple) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\PC SpeedScan Pro (Rogue.Multiple) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Performance Center (Rogue.Multiple) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Spam Blocking Update (Rogue.Multiple) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\WebMediaPlayer (Rogue.WebMediaPlayer) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\XP Police AntiVirus.lnk (Rogue.XP-Police-AntiVirus) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Cleaner2009 Freeware (Rogue.MalwareCleaner2009) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Newfolder Fix Wizard (Rogue.NewFolderFixWizard) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Coreguard 2009.lnk (Rogue.CoreGuard2009) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Sys Cleaner Pro Demo.lnk (Rogue.sysCleanerPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Shop Ebay and Save!.lnk (Rogue.RepairRegistryPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Repair Registry Pro.lnk (Rogue.RepairRegistryPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\WindowsPerformance.lnk (Rogue.WindowsPerformance) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Virus Melt.lnk (Rogue.VirusMelt) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Anti-Virus-1.lnk (Rogue.AntiVirus1) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\System GuardCenter.lnk (Rogue.SystemGuardCenter) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\SystemGuardCenter.lnk (Rogue.SystemGuardCenter) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Spy Protector (Rogue.SpyProtector) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ANG AntiVirus 09.lnk (Rogue.ANGav2009) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiVirus Agent Pro.lnk (Rogue.AntiVirusAgentPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiMalwareSuite.lnk (Rogue.AntiMalwareSuite) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ThreatNuker.lnk (Rogue.ThreatNuker) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\RegistryFox.lnk (Rogue.RegistryFox) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\TotalAntiSpyware Demo.lnk (Rogue.TotalAntiSpyware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Cheap Pharmacy Online.LNK (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\MP3 Download.LNK (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Cheap Software.LNK (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Search Online.LNK (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\VIP Casino.LNK (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Malware Sweeper.lnk (Rogue.MalwareSweeper) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\General AntiVirus.lnk (Rogue.GenaralAntiVirus) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Personal AntiVirus.lnk (Rogue.PersonalAntiVirus) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Anti-Spam Bastion.lnk (Adware.Purityscan) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\SpyFighter.lnk (Rogue.SpyFighter) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Cheap Pharmacy Online.url (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Search Online.url (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\VIP Casino.url (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Privacy center.lnk (Rogue.PrivacyCenter) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AdwareFREE.lnk (Rogue.AdwareFREE) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ErrorSweeper.lnk (Rogue.ErrorSweeper) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Ultra Antivir2009.lnk (Rogue.UltraAntiVir2009) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Sec Anti-Spy Adware Demo.lnk (Rogue.SecAntiSpy) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Registry-Defender v5.lnk (Rogue.RegistryDefender5) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Registry Mighty (Rogue.RegistryMighty) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\RegistryCleanerPro.lnk (Rogue.RegistryCleanerPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AntiMalware_Pro.lnk (Rogue.AntiMalwarePro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\CrisysTec Sentry 3.0.lnk (Rogue.CrisysTecSentry) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\homeantiVirus2009.lnk (Rogue.HomeAntiVirus) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\EvidenceEraser.lnk (Rogue.EvidenceEraser) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ErrorSmart.lnk (Rogue.ErrorSmart) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\China.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Hot_jp.lnk (Rogue.Link) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ErrorRepairTool.lnk (Rogue.ErrorRepairTool) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\RegTool.lnk (Rogue.RegTool) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\1 Click Spy Clean.lnk (Rogue.1ClickSpyClean) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ErrorFix.lnk (Rogue.ErrorFix) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\RegFixPro.lnk (Rogue.RegFixPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Malware Cleaner.lnk (Rogue.MalwareCleaner) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Manual scanner.lnk (Rogue.AdvancedSpywareDetector) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ErrorEasy.lnk (Rogue.ErrorEasy) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Virus Shield 2009.lnk (Rogue.VirusShield) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Gold VIP Club Casino.lnk (Adware.Casino) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\PCPrivacyDefender Freeware.lnk (Rogue.PCPrivacyDefender) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\REFOG Personal Monitor (Refog.Keylogger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\StopBot Demo.lnk (Rogue.StopBot) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\PCenter.lnk (Rogue.PrivacyCenter) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Malware Catcher 2009.lnk (Rogue.MalwareCatcher2009) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Microsoft Word Document.scr (Virus.Rungbu) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Spyware Process Detector.lnk (Rogue.SpywareProcessDetector) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Special Picture.exe (Worm.AutoRun) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Infinity Optimizer.lnk (Rogue.InfinityOptimizer) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Games.exe (Worm.AutoRun) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\mp3.exe (Worm.AutoRun) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Videos.exe (Worm.AutoRun) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Adio Registry Optimizer.lnk (Rogue.AdioRegistryOptimizer) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Ulubione strony.exe (Trojan.PornDialer) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Best BDSM P0rn.url (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Gay Fetish Sex.url (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\AIM Monitor Sniffer.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\ICQ Monitor Sniffer.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\IMMonitor AIM Spy.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\IMMonitor ICQ Spy.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\IMMonitor MSN Spy.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\IMMonitor MySpaceIM Spy.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\IMMonitor Yahoo Messenger Spy.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\MSN Messenger Monitor Sniffer.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\MySpaceIM Monitor Sniffer.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Yahoo Messenger Monitor Sniffer.lnk (PUP.Logger) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Adware_Pro.lnk (Rogue.AdwarePro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\uISGRLFile.dat (Adware.Fastlook) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Registry Doktor 2009.lnk (Rogue.RegistryDoktor2009) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\UnVirex.lnk (Rogue.UnVirex) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\RegistryCleaner_Pro.lnk (Rogue.RegistryCleanerPro) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\NoAdware5.lnk (Rogue.NoAdware) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Internet Exp1orer.lnk (Malware.Trace) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Internet Exp1orer.url (Trojan.BHO) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Malware Destructor 2009.lnk (Rogue.MalwareDestructor) -> Delete on reboot.
c:\documents and settings\Default User\Desktop\Virus Remover Pro..lnk (Rogue.VirusRemoverPro) -> Delete on reboot.



also. when i shutdown. it seemed to take a very long time. and when i booted up again after it was off for the night, i got another chkdsk but it seemed/felt shorter and faster. but the log appears to be just as long now that i compare the two.
__________________
My PC Specs
--Phoenix--
Phantom010's Avatar
Computer Specs
Distinguished Member with 7,671 posts.
  
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
30-Jun-2009, 04:46 PM #5
Do you have an antivirus on that machine? That's a lot of infected files!

Remember, MBAM is not an antivirus program.

You might want to post a HijackThis log. It will help malware removal experts.

Please click here to download and install the HijackThis installer.

Run it and select Do a system scan and save a logfile.

The log will be saved in Notepad. Copy and paste the log in your next post.

Do not fix anything
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
30-Jun-2009, 05:00 PM #6
thx. i do. recently replaced norton with avira antivir. been using it for a few weeks now.


here it is

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:00 PM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1606980848-838170752-839522115-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with Star Downloader - D:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm TaskBar Icon - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: TaskBar - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra 'Tools' menuitem: RoboForm TaskBar Icon - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.8.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7762 bytes
Phantom010's Avatar
Computer Specs
Distinguished Member with 7,671 posts.
  
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
30-Jun-2009, 06:11 PM #7
You still have traces of Norton you should remove. Use the Norton Removal Tool.
Cookiegal's Avatar
Administrator with 63,642 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
30-Jun-2009, 06:18 PM #8
Well if you had any wallpaper on your desktop, perhaps now you can see it.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
30-Jun-2009, 07:20 PM #9
okie dokie. here is the combofix log

Quote:
ComboFix 09-06-29.07 - Tact 06/30/2009 16:12.1 - NTFSx86
Running from: c:\documents and settings\Tact\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tact\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 23:00 . 2009-06-30 23:13 -------- d-----w- c:\temp\7zS15.tmp
2009-06-30 20:59 . 2009-06-30 20:59 -------- d-----w- c:\program files\Trend Micro
2009-06-30 20:06 . 2009-06-30 20:06 -------- d-sh--w- C:\found.001
2009-06-30 11:49 . 2009-06-30 11:49 -------- d-sh--w- C:\found.000
2009-06-21 10:07 . 2009-06-21 10:07 -------- d-----w- c:\program files\VS Revo Group
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\documents and settings\Tact\Application Data\Malwarebytes
2009-06-20 02:36 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 02:36 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-20 01:55 . 2009-06-30 23:05 117760 ----a-w- c:\documents and settings\Tact\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 01:55 . 2009-06-20 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-20 01:55 . 2009-06-30 10:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-20 01:55 . 2009-06-20 01:55 -------- d-----w- c:\documents and settings\Tact\Application Data\SUPERAntiSpyware.com
2009-06-19 05:38 . 2008-10-17 19:39 20092 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-06-14 21:58 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-14 21:58 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-14 04:13 . 2009-06-29 23:28 -------- d-----w- c:\documents and settings\Tact\Tracing
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Microsoft
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Windows Live
2009-06-14 04:06 . 2009-06-14 04:06 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-10 19:10 . 2009-06-10 19:10 -------- d-----w- c:\documents and settings\Tact\Local Settings\Application Data\Blizzard Entertainment
2009-06-10 04:39 . 2008-05-29 06:03 37176 ----a-w- c:\documents and settings\Tact\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-10 02:54 . 2009-06-11 03:08 -------- d-----w- c:\documents and settings\Tact\Application Data\gtk-2.0
2009-06-10 02:54 . 2009-06-10 02:54 -------- d-----w- c:\documents and settings\Tact\Application Data\Inkscape
2009-06-08 06:24 . 2009-06-08 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-08 06:16 . 2009-06-08 06:16 -------- d-----w- c:\program files\Adobe Media Player
2009-06-08 06:16 . 2009-06-08 06:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-08 03:07 . 2009-06-08 06:01 -------- d-----w- c:\documents and settings\Tact\Application Data\Download Manager
2009-06-02 23:20 . 2009-06-02 23:20 -------- d-----w- c:\documents and settings\Tact\Local Settings\Application Data\Xenocode

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 23:02 . 2007-01-08 04:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 04:07 . 2009-05-13 20:18 -------- d-----w- c:\program files\Lavasoft
2009-06-20 03:48 . 2007-01-08 04:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-20 01:55 . 2008-01-12 07:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-18 04:04 . 2007-01-14 04:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 04:12 . 2007-01-08 03:59 254880 ----a-w- c:\documents and settings\Tact\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 04:12 . 2007-03-06 18:36 -------- d-----w- c:\program files\MSN Messenger
2009-06-02 06:52 . 2008-03-18 22:18 -------- d-----w- c:\documents and settings\Tact\Application Data\FileZilla
2009-05-25 04:03 . 2009-05-25 04:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-16 04:14 . 2009-05-16 04:14 -------- d-----w- c:\program files\Avira
2009-05-16 04:14 . 2009-05-16 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-14 21:22 . 2009-05-14 21:22 -------- d-----w- c:\program files\Panda Security
2009-05-13 20:18 . 2008-01-12 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-13 19:45 . 2007-01-08 05:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-13 19:29 . 2007-01-08 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-08 20:13 . 2007-01-08 04:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:44 . 2001-08-23 19:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2001-08-23 19:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2007-01-08 03:54 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-23 02:23 . 2009-04-27 23:08 2797468 ----a-w- c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
2009-04-17 09:58 . 2001-08-23 19:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2001-08-23 19:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Background Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk
backup=c:\windows\pss\EPSON Background Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tact^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Tact\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Schedule"=2 (0x2)
"srservice"=2 (0x2)
"SBService"=2 (0x2)
"mysql"=2 (0x2)
"Apache2.2"=2 (0x2)
"usnjsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"CCALib8"=2 (0x2)
"aawservice"=2 (0x2)
"IDriverT"=3 (0x3)
"EpsonBidirectionalService"=2 (0x2)
"npkcmsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"d:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"d:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 oeiwl;oeiwl;c:\windows\system32\drivers\tcxmd.sys [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-20 28544]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2006-02-23 11264]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-05-26 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-05-26 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-14 108289]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-05-26 7408]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with Star Downloader - d:\program files\Star Downloader\sdie.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm TaskBar Icon - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.gamengame.com/KALogoutComponent.cab
FF - ProfilePath - c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\
FF - component: c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 16:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Erogos\~0{0_0~0*0J0W0ƒ0v0Š0è}-*SOšHr-*]
"Order"=hex:08,00,00,00,02,00,00,00,1c,01,00,00,01,00,00,00,02,00,00,00,86, 00,
00,00,00,00,00,00,78,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,66,00,32, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-30 16:16
ComboFix-quarantined-files.txt 2009-06-30 23:15

Pre-Run: 20,476,510,208 bytes free
Post-Run: 20,618,629,120 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

230 --- E O F --- 2009-06-15 20:56
and i'll assume i won't have room for the hjt one so i'll post that after this
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
30-Jun-2009, 07:21 PM #10
new HJT log

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:36 PM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1606980848-838170752-839522115-1003\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with Star Downloader - D:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm TaskBar Icon - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: TaskBar - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra 'Tools' menuitem: RoboForm TaskBar Icon - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.8.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7557 bytes


something that came up which i hope will not ruin everything thus far. I used to have teatimer from Spybot isntalled, which would bug me about registry changes, i disabled it a few weeks ago and removed it from my startup. however AFTER the combofix thingy finished, i got a series of warnings from teatimer about registry changes. i denied them all. i hope that was ok. and i'm sorry i didn't pay too much attention to what they were. one of them was blank in the "old/new" change, and the first 3 or so were trying to update a microsoft link from "microsoft.com..." to "go.microsoft.com..." the rest i cant' remember.

so hopefully i didn't ruin things. i thought it would be safest to deny them. i should probably completely uninstall teatimer now isntead to make sure it doesn't somehow revive again.
__________________
My PC Specs
--Phoenix--
Cookiegal's Avatar
Administrator with 63,642 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
01-Jul-2009, 11:25 AM #11
TeaTimer wasn't showing as running in your HijackThis log but if you allowed it to block registry changes ComboFix was trying to make then yes, that could have compromised the fix.

I suggest you uninstall Spybot S&D and then reboot the computer. You can always reinstall it after we're finished is you wish.

Then run ComboFix again and post the new scan log.
__________________
Microsoft MVP - Consumer Security
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
01-Jul-2009, 08:48 PM #12
uninstalled spybot, rebooted, and then ran combox fix again


ComboFix 09-07-01.01 - Tact 07/01/2009 17:40.2 - NTFSx86
Running from: c:\documents and settings\Tact\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 00:42 . 2009-07-02 00:42 53248 ----a-w- c:\temp\catchme.dll
2009-07-02 00:40 . 2009-07-02 00:40 -------- d-----w- c:\temp\WPDNSE
2009-06-30 23:00 . 2009-06-30 23:13 -------- d-----w- c:\temp\7zS15.tmp
2009-06-30 20:59 . 2009-06-30 20:59 -------- d-----w- c:\program files\Trend Micro
2009-06-30 20:06 . 2009-06-30 20:06 -------- d-sh--w- C:\found.001
2009-06-30 11:49 . 2009-06-30 11:49 -------- d-sh--w- C:\found.000
2009-06-21 10:07 . 2009-06-21 10:07 -------- d-----w- c:\program files\VS Revo Group
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\documents and settings\Tact\Application Data\Malwarebytes
2009-06-20 02:36 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 02:36 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-20 01:55 . 2009-07-02 00:36 117760 ----a-w- c:\documents and settings\Tact\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 01:55 . 2009-06-20 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-20 01:55 . 2009-06-30 10:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-20 01:55 . 2009-06-20 01:55 -------- d-----w- c:\documents and settings\Tact\Application Data\SUPERAntiSpyware.com
2009-06-19 05:38 . 2008-10-17 19:39 20092 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-06-14 21:58 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-14 21:58 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-14 04:13 . 2009-06-29 23:28 -------- d-----w- c:\documents and settings\Tact\Tracing
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Microsoft
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Windows Live
2009-06-14 04:06 . 2009-06-14 04:06 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-10 19:10 . 2009-06-10 19:10 -------- d-----w- c:\documents and settings\Tact\Local Settings\Application Data\Blizzard Entertainment
2009-06-10 04:39 . 2008-05-29 06:03 37176 ----a-w- c:\documents and settings\Tact\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-10 02:54 . 2009-06-11 03:08 -------- d-----w- c:\documents and settings\Tact\Application Data\gtk-2.0
2009-06-10 02:54 . 2009-06-10 02:54 -------- d-----w- c:\documents and settings\Tact\Application Data\Inkscape
2009-06-08 06:24 . 2009-06-08 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-08 06:16 . 2009-06-08 06:16 -------- d-----w- c:\program files\Adobe Media Player
2009-06-08 06:16 . 2009-06-08 06:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-08 03:07 . 2009-06-08 06:01 -------- d-----w- c:\documents and settings\Tact\Application Data\Download Manager
2009-06-02 23:20 . 2009-06-02 23:20 -------- d-----w- c:\documents and settings\Tact\Local Settings\Application Data\Xenocode

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 00:31 . 2007-01-08 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-30 23:02 . 2007-01-08 04:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 04:07 . 2009-05-13 20:18 -------- d-----w- c:\program files\Lavasoft
2009-06-20 03:48 . 2007-01-08 04:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-20 01:55 . 2008-01-12 07:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-18 04:04 . 2007-01-14 04:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 04:12 . 2007-01-08 03:59 254880 ----a-w- c:\documents and settings\Tact\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 04:12 . 2007-03-06 18:36 -------- d-----w- c:\program files\MSN Messenger
2009-06-02 06:52 . 2008-03-18 22:18 -------- d-----w- c:\documents and settings\Tact\Application Data\FileZilla
2009-05-25 04:03 . 2009-05-25 04:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-16 04:14 . 2009-05-16 04:14 -------- d-----w- c:\program files\Avira
2009-05-16 04:14 . 2009-05-16 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-14 21:22 . 2009-05-14 21:22 -------- d-----w- c:\program files\Panda Security
2009-05-13 20:18 . 2008-01-12 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-08 20:13 . 2007-01-08 04:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:44 . 2001-08-23 19:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2001-08-23 19:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2007-01-08 03:54 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-23 02:23 . 2009-04-27 23:08 2797468 ----a-w- c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
2009-04-17 09:58 . 2001-08-23 19:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2001-08-23 19:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Background Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk
backup=c:\windows\pss\EPSON Background Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tact^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Tact\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Schedule"=2 (0x2)
"srservice"=2 (0x2)
"SBService"=2 (0x2)
"mysql"=2 (0x2)
"Apache2.2"=2 (0x2)
"usnjsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"CCALib8"=2 (0x2)
"aawservice"=2 (0x2)
"IDriverT"=3 (0x3)
"EpsonBidirectionalService"=2 (0x2)
"npkcmsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"d:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"d:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 oeiwl;oeiwl;c:\windows\system32\drivers\tcxmd.sys [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-20 28544]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2006-02-23 11264]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-05-26 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-05-26 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-14 108289]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-05-26 7408]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with Star Downloader - d:\program files\Star Downloader\sdie.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm TaskBar Icon - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.gamengame.com/KALogoutComponent.cab
FF - ProfilePath - c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\
FF - component: c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 17:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Erogos\~0{0_0~0*0J0W0ƒ0v0Š0è}-*SOšHr-*]
"Order"=hex:08,00,00,00,02,00,00,00,1c,01,00,00,01,00,00,00,02,00,00,00,86, 00,
00,00,00,00,00,00,78,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,66,00,32, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-02 17:44
ComboFix-quarantined-files.txt 2009-07-02 00:44
ComboFix2.txt 2009-06-30 23:16

Pre-Run: 20,629,712,896 bytes free
Post-Run: 20,628,807,680 bytes free

226 --- E O F --- 2009-06-15 20:56


btw. since yesterday's combofix, i no longer have a super looong shutdown and i did not get chkdsk anymore. so i think it helped.

not sure if i have anything though. and from the last log, ijji should have been a harmless file since i use that to run an online game. but ah well. i rarely play it so i didn't care that combofix got rid of it.
__________________
My PC Specs
--Phoenix--
Last edited by Cookiegal : 02-Jul-2009 08:10 PM.
Jason08's Avatar
Jason08 has a Photo Album
Computer Specs
Distinguished Member with 3,622 posts.
  
Join Date: Oct 2008
Location: Near Washington, D.C.
Experience: Advanced in Networking
02-Jul-2009, 10:43 AM #13
I think it probably deleted the file because it thinks it is slowing down the computer.
Cookiegal's Avatar
Administrator with 63,642 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
02-Jul-2009, 08:15 PM #14
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
c:\temp\7zS15.tmp

Driver::
oeiwl
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
__________________
Microsoft MVP - Consumer Security
Tact's Avatar
Senior Member with 476 posts.
  
Join Date: Sep 2002
Location: California
03-Jul-2009, 06:29 AM #15
alrighty. here's combo's

ComboFix 09-07-02.02 - Tact 07/03/2009 3:18.3 - NTFSx86
Running from: c:\documents and settings\Tact\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Tact\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\temp\7zS15.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_oeiwl


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 10:23 . 2009-07-03 10:23 53248 ----a-w- c:\temp\catchme.dll
2009-07-03 10:23 . 2009-07-03 10:23 -------- d-----w- c:\temp\WPDNSE
2009-07-03 10:21 . 2009-07-03 10:21 60416 ----a-w- c:\temp\Perflib_Perfdata__755.dat
2009-07-03 04:22 . 2009-07-03 04:22 -------- d-----w- c:\temp\MessengerCache
2009-06-30 23:00 . 2009-06-30 23:13 -------- d-----w- c:\temp\7zS15.tmp
2009-06-30 20:59 . 2009-06-30 20:59 -------- d-----w- c:\program files\Trend Micro
2009-06-30 20:06 . 2009-06-30 20:06 -------- d-sh--w- C:\found.001
2009-06-30 11:49 . 2009-06-30 11:49 -------- d-sh--w- C:\found.000
2009-06-21 10:07 . 2009-06-21 10:07 -------- d-----w- c:\program files\VS Revo Group
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\documents and settings\Tact\Application Data\Malwarebytes
2009-06-20 02:36 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 02:36 . 2009-06-20 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 02:36 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-20 01:55 . 2009-07-03 10:23 117760 ----a-w- c:\documents and settings\Tact\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 01:55 . 2009-06-20 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-20 01:55 . 2009-06-30 10:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-20 01:55 . 2009-06-20 01:55 -------- d-----w- c:\documents and settings\Tact\Application Data\SUPERAntiSpyware.com
2009-06-19 05:38 . 2008-10-17 19:39 20092 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-06-14 21:58 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-14 21:58 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-14 04:13 . 2009-07-03 04:22 -------- d-----w- c:\documents and settings\Tact\Tracing
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Microsoft
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-14 04:11 . 2009-06-14 04:11 -------- d-----w- c:\program files\Windows Live
2009-06-14 04:06 . 2009-06-14 04:06 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-10 19:10 . 2009-06-10 19:10 -------- d-----w- c:\documents and settings\Tact\Local Settings\Application Data\Blizzard Entertainment
2009-06-10 04:39 . 2008-05-29 06:03 37176 ----a-w- c:\documents and settings\Tact\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-06-10 02:54 . 2009-06-11 03:08 -------- d-----w- c:\documents and settings\Tact\Application Data\gtk-2.0
2009-06-10 02:54 . 2009-06-10 02:54 -------- d-----w- c:\documents and settings\Tact\Application Data\Inkscape
2009-06-08 06:24 . 2009-06-08 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-08 06:16 . 2009-06-08 06:16 -------- d-----w- c:\program files\Adobe Media Player
2009-06-08 06:16 . 2009-06-08 06:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-08 03:07 . 2009-06-08 06:01 -------- d-----w- c:\documents and settings\Tact\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 00:31 . 2007-01-08 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-30 23:02 . 2007-01-08 04:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 04:07 . 2009-05-13 20:18 -------- d-----w- c:\program files\Lavasoft
2009-06-20 03:48 . 2007-01-08 04:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-20 01:55 . 2008-01-12 07:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-18 04:04 . 2007-01-14 04:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 04:12 . 2007-01-08 03:59 254880 ----a-w- c:\documents and settings\Tact\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 04:12 . 2007-03-06 18:36 -------- d-----w- c:\program files\MSN Messenger
2009-06-02 06:52 . 2008-03-18 22:18 -------- d-----w- c:\documents and settings\Tact\Application Data\FileZilla
2009-05-25 04:03 . 2009-05-25 04:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-16 04:14 . 2009-05-16 04:14 -------- d-----w- c:\program files\Avira
2009-05-16 04:14 . 2009-05-16 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-14 21:22 . 2009-05-14 21:22 -------- d-----w- c:\program files\Panda Security
2009-05-13 20:18 . 2008-01-12 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-08 20:13 . 2007-01-08 04:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:44 . 2001-08-23 19:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2001-08-23 19:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2007-01-08 03:54 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-23 02:23 . 2009-04-27 23:08 2797468 ----a-w- c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
2009-04-17 09:58 . 2001-08-23 19:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2001-08-23 19:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_23.14.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-11-14 23:38 . 2005-11-14 23:38 72192 c:\windows\Installer\80702.msp
+ 2009-06-08 06:16 . 2009-06-08 06:16 23552 c:\windows\Installer\1ea5d16.msi
+ 2009-06-08 06:16 . 2009-06-08 06:16 26112 c:\windows\Installer\1ea5d0d.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 25088 c:\windows\Installer\17b239.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 28160 c:\windows\Installer\17b230.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 83456 c:\windows\Installer\17b202.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 59904 c:\windows\Installer\17b1f9.msi
+ 2008-08-18 20:06 . 2008-08-18 20:06 89600 c:\windows\Installer\1064c.msi
+ 2008-07-15 03:03 . 2008-07-15 03:03 451584 c:\windows\Installer\fe734b.msi
+ 2008-11-12 20:05 . 2008-11-12 20:05 432640 c:\windows\Installer\89935.msi
+ 2008-07-23 06:20 . 2008-07-23 06:20 110592 c:\windows\Installer\80779.msp
+ 2009-04-20 21:59 . 2009-04-20 21:59 219648 c:\windows\Installer\80749.msp
+ 2009-02-10 15:50 . 2009-02-10 15:50 536576 c:\windows\Installer\8068a.msp
+ 2008-01-24 17:04 . 2008-01-24 17:04 678400 c:\windows\Installer\8063f.msp
+ 2008-05-23 18:18 . 2008-05-23 18:18 409600 c:\windows\Installer\620bc.msi
+ 2007-06-08 17:57 . 2007-06-08 17:57 213504 c:\windows\Installer\44dafc.msi
+ 2009-05-13 20:18 . 2009-05-13 20:18 236032 c:\windows\Installer\2dc09d.msi
+ 2009-05-16 04:12 . 2009-05-16 04:12 228352 c:\windows\Installer\2d42561.msi
+ 2007-01-08 03:34 . 2007-01-08 03:34 264704 c:\windows\Installer\20319.msi
+ 2007-01-26 06:46 . 2007-01-26 06:46 188928 c:\windows\Installer\1b6fb09.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 431104 c:\windows\Installer\17b244.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 140288 c:\windows\Installer\17b227.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 202752 c:\windows\Installer\17b214.msi
+ 2009-06-14 04:11 . 2009-06-14 04:11 152576 c:\windows\Installer\17b20b.msi
+ 2009-06-14 04:10 . 2009-06-14 04:10 107008 c:\windows\Installer\17b1f0.msi
+ 2009-06-14 04:10 . 2009-06-14 04:10 301056 c:\windows\Installer\17b1e7.msi
+ 2008-08-22 05:49 . 2008-08-22 05:49 527872 c:\windows\Installer\1381160.msi
+ 2008-07-27 08:52 . 2008-07-27 08:52 431104 c:\windows\Installer\11f1e5b.msi
+ 2008-08-03 23:52 . 2008-08-03 23:52 579584 c:\windows\Installer\119b0ed.msi
+ 2008-08-18 20:13 . 2008-08-18 20:13 390656 c:\windows\Installer\1065c.msi
+ 2001-08-23 19:00 . 2004-07-17 19:35 1326080 c:\windows\system32\webfldrs.msi
+ 2007-01-08 03:53 . 2004-07-17 19:35 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2008-07-26 00:53 . 2008-07-26 00:53 1602560 c:\windows\Installer\e16af6.msi
+ 2007-01-14 04:53 . 2007-01-14 04:53 3537408 c:\windows\Installer\cdaf0a.msi
+ 2007-04-19 03:24 . 2007-04-19 03:24 1067520 c:\windows\Installer\ca870.msi
+ 2007-03-16 06:04 . 2007-03-16 06:04 3485184 c:\windows\Installer\8e6e4e.msi
+ 2009-05-01 06:02 . 2009-05-01 06:02 9628672 c:\windows\Installer\80732.msp
+ 2008-09-04 22:52 . 2008-09-04 22:52 4337664 c:\windows\Installer\80719.msp
+ 2008-01-11 21:13 . 2008-01-11 21:13 5862912 c:\windows\Installer\806d1.msp
+ 2008-01-14 21:26 . 2008-01-14 21:26 4478464 c:\windows\Installer\806ba.msp
+ 2006-02-27 23:31 . 2006-02-27 23:31 1269248 c:\windows\Installer\806a2.msp
+ 2006-03-28 22:37 . 2006-03-28 22:37 6956032 c:\windows\Installer\80671.msp
+ 2006-08-30 00:50 . 2006-08-30 00:50 3210240 c:\windows\Installer\80657.msp
+ 2004-03-10 16:13 . 2004-03-10 16:13 2602496 c:\windows\Installer\80623.msp
+ 2009-04-29 22:03 . 2009-04-29 22:03 8404992 c:\windows\Installer\8060c.msp
+ 2004-09-13 07:35 . 2004-09-13 07:35 1452544 c:\windows\Installer\805f4.msp
+ 2008-06-12 03:13 . 2008-06-12 03:13 7988224 c:\windows\Installer\8059d.msp
+ 2008-03-31 23:35 . 2008-03-31 23:35 8309760 c:\windows\Installer\80584.msp
+ 2006-02-22 16:41 . 2006-02-22 16:41 2815488 c:\windows\Installer\8056d.msp
+ 2007-03-22 01:03 . 2007-03-22 01:03 3443712 c:\windows\Installer\772c83.msi
+ 2008-08-12 20:03 . 2008-08-12 20:03 1341440 c:\windows\Installer\5098bb.msi
+ 2007-01-08 06:20 . 2007-01-08 06:20 2262016 c:\windows\Installer\3b33ae.msi
+ 2008-07-30 20:36 . 2008-07-30 20:36 1528832 c:\windows\Installer\2bfc8e4.msi
+ 2007-01-08 04:15 . 2007-01-08 04:15 2707456 c:\windows\Installer\27e49.msi
+ 2008-05-28 23:01 . 2008-05-28 23:01 8984576 c:\windows\Installer\156d66.msi
+ 2007-01-25 22:44 . 2007-01-25 22:44 2910720 c:\windows\Installer\14ad1b.msi
+ 2009-06-20 01:55 . 2009-06-20 01:55 1516544 c:\windows\Installer\14639d.msi
+ 2007-01-08 03:49 . 2001-08-23 19:00 1308672 c:\windows\$NtServicePackUninstall$\webfldrs.msi
+ 2007-03-06 18:36 . 2007-01-19 21:20 16633344 c:\windows\Installer\MSN Messenger 8.1.0178\MsnMsgs.Msi
+ 2009-05-06 01:06 . 2009-05-06 01:06 17515008 c:\windows\Installer\80791.msp
+ 2008-01-24 22:56 . 2008-01-24 22:56 13570560 c:\windows\Installer\80762.msp
+ 2005-09-25 18:46 . 2005-09-25 18:46 16084480 c:\windows\Installer\806ea.msp
+ 2004-01-30 10:19 . 2004-01-30 10:19 56269996 c:\windows\Installer\19c0345.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Background Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk
backup=c:\windows\pss\EPSON Background Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tact^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Tact\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Schedule"=2 (0x2)
"srservice"=2 (0x2)
"SBService"=2 (0x2)
"mysql"=2 (0x2)
"Apache2.2"=2 (0x2)
"usnjsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"CCALib8"=2 (0x2)
"aawservice"=2 (0x2)
"IDriverT"=3 (0x3)
"EpsonBidirectionalService"=2 (0x2)
"npkcmsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"d:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"d:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-20 28544]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2006-02-23 11264]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-05-26 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-05-26 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-14 108289]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-05-26 7408]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download with Star Downloader - d:\program files\Star Downloader\sdie.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm TaskBar Icon - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.gamengame.com/KALogoutComponent.cab
FF - ProfilePath - c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\
FF - component: c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\Tact\Application Data\Mozilla\Firefox\Profiles\dkj8wlux.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 03:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Erogos\~0{0_0~0*0J0W0ƒ0v0Š0è}-*SOšHr-*]
"Order"=hex:08,00,00,00,02,00,00,00,1c,01,00,00,01,00,00,00,02,00,00,00,86, 00,
00,00,00,00,00,00,78,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,66,00,32, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3048)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2009-07-03 3:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 10:26
ComboFix2.txt 2009-07-02 00:44
ComboFix3.txt 2009-06-30 23:16

Pre-Run: 20,542,603,264 bytes free
Post-Run: 20,524,572,672 bytes free

311 --- E O F --- 2009-06-15 20:56
__________________
My PC Specs
--Phoenix--
Last edited by Cookiegal : 03-Jul-2009 04:41 PM.
Closed Thread Bookmark and Share
Page 1 of 2 1 2

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Smart Search

Find your solution!


« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 09:21 AM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.