Thread: here is my logs

  1. #1
    Member lupus
    Join Date
    Dec 2005
    Posts
    7
    Points
    0

    here is my logs

    so i was looking through videos on my 20-10 year old laptop and each video leads to a different site. suddenly i'm struck with a windows security virus or so i thought because it keeps changing. it changed into a worm then into a malware protector. it was then i realized that being connected to the internet was making it easy for the infection to backdoor transfer more viruses onto my laptop. this also explains why the spyware and malware kept coming right after getting rid of it.


    before i went down the list of purging the virus, its main effects were ram and harddrive shortage as well as erasing my desktop, start up menus, and wireless connection. i was still able to access the programs through run command and have restored some control. the did hijack detective 4 times until it said nothing as wrong anymore but there are still things that look out of place and seem uncertain on the hijack log. before i couldn't system restore to get the missing things back because the win sec virus incompletes the process. so atm i'm in safe mode unless you think it's safe to go back to normal and to system restore to get the desktop and menus back? the virus icon is a red circle with an x in the center.




    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:48:58 AM, on 5/22/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Viruses\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = SEARCH - WEB SEARCH - XFINITY.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net | Entertainment | News | Sports | Email | Watch TV Online | Comcast Deals | On Demand
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = SEARCH - WEB SEARCH - XFINITY.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129422761284
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe

    --
    End of file - 3730 bytes




    Malwarebytes' Anti-Malware 1.50.1.1100
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 6637

    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 6.0.2900.2180

    5/22/2011 1:44:46 AM
    mbam-log-2011-05-22 (01-44-46).txt

    Scan type: Quick scan
    Objects scanned: 146818
    Time elapsed: 4 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    i keep clearing them and they keep coming back.

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 05/22/2011 at 01:37 AM

    Application Version : 4.52.1000

    Core Rules Database Version : 7108
    Trace Rules Database Version: 4920

    Scan type : Quick Scan
    Total Scan Time : 00:13:38

    Memory items scanned : 280
    Memory threats detected : 0
    Registry items scanned : 1364
    Registry threats detected : 0
    File items scanned : 4370
    File threats detected : 11

    Adware.Tracking Cookie
    C:\Documents and Settings\hyper\Cookies\hyper@questionmarket[2].txt
    C:\Documents and Settings\hyper\Cookies\hyper@ru4[1].txt
    C:\Documents and Settings\hyper\Cookies\hyper@media6degrees[2].txt
    C:\Documents and Settings\hyper\Cookies\hyper@mediabrandsww[1].txt
    C:\Documents and Settings\hyper\Cookies\hyper@realmedia[2].txt
    C:\Documents and Settings\hyper\Cookies\hyper@ads.undertone[2].txt
    C:\Documents and Settings\hyper\Cookies\hyper@serving-sys[1].txt
    C:\Documents and Settings\hyper\Cookies\hyper@tribalfusion[1].txt
    C:\Documents and Settings\hyper\Cookies\hyper@network.realmedia[1].txt
    C:\Documents and Settings\hyper\Cookies\hyper@invitemedia[1].txt
    C:\Documents and Settings\hyper\Cookies\hyper@adx.bidsystem[1].txt
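
The HijackThis log above is what a helper reads first, and the entries a reviewer checks before anything else are few: R0/R1 proxy settings, O2/O3/O9 CLSIDs registered with "(no file)", and O4/O20/O23 autostart, Winlogon-notify and service binaries sitting outside the system and program directories. The following Python script is an added example, not code from the post, the forum or HijackThis itself; it parses lines in HijackThis v2 format and applies those three checks. The sample input reuses lines from the posted log plus one constructed `O4` entry (an executable in the user's Temp folder) that is not from the poster's machine and exists only so the location check has something to report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the HijackThis v2 line format. All but one line
# are taken from the log posted above; the "[updater]" O4 line is CONSTRUCTED
# (not from the poster's machine) so that the location heuristic has something
# to fire on.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\hyper\Local Settings\Temp\updater.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# "O2 - BHO: ..." -> section code "O2" plus the rest of the line.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
# First Windows path ending in an executable-style extension; the non-greedy
# body stops at the first such extension, so trailing arguments are dropped.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|com)', re.IGNORECASE)

# Locations where a legitimate autostart/service binary is normally expected.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    code: str              # HijackThis section code, e.g. "R1", "O2", "O4"
    body: str              # everything after "<code> - "
    clsid: Optional[str]   # upper-cased CLSID if the line carries one
    path: Optional[str]    # first file path found on the line, if any


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis log text into entries; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(
            code=m.group("code"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            path=path.group(0) if path else None,
        ))
    return entries


def in_expected_dir(path: str) -> bool:
    """True when the path starts with one of the usual system/program roots."""
    p = path.lower()
    return any(p.startswith(d) for d in EXPECTED_DIRS)


def triage(entries: List[Entry]) -> List[str]:
    """Return human-readable findings for the entries a reviewer looks at first."""
    findings = []
    for e in entries:
        # R0/R1: a ProxyServer value routes all IE traffic through that host.
        # Some ISPs set one (Comcast did), so this is "verify", not "malicious".
        if e.code in ("R0", "R1") and "ProxyServer" in e.body:
            findings.append(f"{e.code}: proxy configured, verify it is intended -> "
                            f"{e.body.split(' = ', 1)[1]}")
        # O2/O3/O9: a CLSID registered as a BHO/toolbar/button with no file on
        # disk is an orphan: a harmless leftover, but worth removing.
        if e.code in ("O2", "O3", "O9") and e.body.endswith("(no file)"):
            findings.append(f"{e.code}: orphaned entry {e.clsid} (no file on disk)")
        # O4/O20/O23: autostart, Winlogon-notify and service binaries that live
        # outside the system and program directories deserve a closer look.
        if e.code in ("O4", "O20", "O23") and e.path and not in_expected_dir(e.path):
            findings.append(f"{e.code}: binary outside system/program dirs -> {e.path}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_hjt(SAMPLE_LOG)):
        print(line)
```

On the sample input the script reports three things: the Comcast proxy (a prompt to confirm it is the ISP's own setting, not a verdict), the orphaned `{02478D38-...}` BHO, and the constructed Temp-folder autostart. Everything else in the posted log, including the PC Tools, Spybot and SUPERAntiSpyware entries, passes the location check, which matches what the helper concluded from the log by eye.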

  2. #2
    Member Net_Surfer
    Join Date
    May 2008
    Location
    Paradise Ca.
    Posts
    1,179
    Points
    89
    Blog Entries
    4


    Hello lupus and Welcome to the Help2Go Spyware Help Forum

    Sorry for the delay!!

    so i was looking through videos on my 20-10 year old laptop and each video leads to a different site. suddenly i'm struck with a windows security virus or so i thought because it keeps changing. it changed into a worm then into a malware protector. it was then i realized that being connected to the internet was making it easy for the infection to backdoor transfer more viruses onto my laptop. this also explains why the spyware and malware kept coming right after getting rid of it.


    before i went down the list of purging the virus, its main effects were ram and harddrive shortage as well as erasing my desktop, start up menus, and wireless connection. i was still able to access the programs through run command and have restored some control. the did hijack detective 4 times until it said nothing as wrong anymore but there are still things that look out of place and seem uncertain on the hijack log. before i couldn't system restore to get the missing things back because the win sec virus incompletes the process. so atm i'm in safe mode unless you think it's safe to go back to normal and to system restore to get the desktop and menus back? the virus icon is a red circle with an x in the center.
    That program is a fake antivirus, and you may also be infected with a TDL4 rootkit.

    A ransomware program is a program that literally ransoms the data or functionality of your computer until you perform an action, which is typically to purchase the program or send someone money.



    Detailed description:

    Ransomware are programs that take your computer hostage in order to force you to give them money so that your computer operates properly again. These programs typically change the behavior of your computer in the following ways:

    Make it so that you cannot execute programs other than ones required to pay the ransom.

    Terminate any non-essential programs that may be running.

    Encrypt your data so that you can no longer access it or open it with programs.

    Remove your ability to browse the Internet other than to locations that will allow you to pay the ransom.

    Once you pay the requested ransom, the criminals may send you a code that you can input into the Ransomware program that will then allow you to use your computer or decrypt your data. In some situations, though, even if you do pay the ransom, the criminals will just take your money and run, with you being left with your problem unresolved.

    Though the loss of your data and computer can be devastating, sending the ransom could be even more so. Depending on how the criminals want you to pay the ransom, it could put you at risk for identity theft, as the information you send may contain personal information. Therefore, we suggest that you never pay these ransoms, as in almost all situations a solution will be found that will allow you to remove the ransomware or restore your data without you having to pay the ransom. Therefore, if you ever run into a ransomware, please do not send the payment, and instead you should ask around in our forum or research your situation through Google, as the answer will most likely be published or at least being worked on.
    Details by Grinler.


    My nick is Net_Surfer and I will be helping you with your malware issues, this may or may not solve other issues you may have with your machine.

    Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

    I would also like to inform you that most of us here at Help2Go support forums offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!


    Please be patient and I'd be grateful if you would note the following:

    The cleaning process is not instant. Combofix, OTL and hijackthis logs can take some time to research. Please be aware that I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.

    I use Google as a resource to research what the problem is, just to understand some of the infections that are infecting the computer and understand where I need to focus more to ensure that the member gets the best and honest service.

    So please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.


    1. Please Read All Instructions Carefully and perform the steps fully and in the order they are written.
    2. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    3. Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. Never will there be an all in one solution for repairing an infected computer. You must have a great arsenal of utilities that can take care of what another program may miss or isn't as specialized as another.
    4. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
    5. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
    6. Please continue to review my answers until I tell you that your machine is clean and free of malware. (Absence of symptoms does not mean that everything is clear. Just because you can't see a problem doesn't mean it isn't there.)

    If you can do these things, everything should go smoothly!


    OK. If you have a Vista or Win7 computer ensure that you right click on the tools and run them as an Admin. If XP, double click on the program to run them.

    Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
    Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

    Please carefully follow the next set of steps:


    If you can not download and run the following tools, then I would like for you to try another approach:

    If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
    Be sure you put them on the desktop of the infected computer.


    Step 1.

    Please download the following 5 programs to a clean computer and then transfer them on to a usb stick. Ensure that you place them into the desktop of the infected computer.

    Download FixNCR.reg
    Download Rkill
    Download TDSSKiller.exe (v2.4.0.0) from Kaspersky Labs and save it to your desktop. <-Important!!!
    Link 3

    Run FixNCR, Rkill, and re-run malwarebytes and TDSSKiller in safe mode with networking... after that reboot into normal mode and run combofix.

    Step 2.

    Please reboot your Infected computer in Safe Mode with Networking by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
      You will need to use the 'keyboard arrow keys' to navigate on this menu.
    • Select the option, to run Windows in Safe Mode With Networking, then press "Enter".
    • Then choose your usual account.

    • Once you have downloaded all the necessary files to a removable device, you need to plug it into your infected computer so it can access them.
    • Now open the drive that corresponds to the removable media that you copied the programs from the earlier step. Once open, double-click on the FixNCR.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on the Yes button.
    • Now run RKill.
      If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself.

      If the malware is persistent, you may have to run RKill a number of times.
      When it has finished, the black window will automatically close and you can continue with the next step.

      If you continue having problems running rkill.com, you can download iExplore or eXplorer.exe from the rkill download page. Both of these files are renamed copies of rkill.com, which you can try instead. Please note that the download page will open in a new browser window or tab.

      Note: If Rkill detects a proxy, it will disable it and make a backup on the desktop as rk-proxy.reg. At the end of the fix you can safely delete it by right click and select delete.


      Please do not reboot your system until you have completed the following step, or the Malware will restart itself:

    • You should now be able to run MBAM.

    Step 3.

    We should Re-run MBAM like this:

    Let's get your MalwareBytes AntiMalware updated and run a final scan:

    Please update MBAM and run another scan:
    Start MBAM
    Click on the Update tab



    click Check for Updates



    If it says that MBAM needs to close to update it... let it close and then restart.
    Then click the Scan button.

    Don't forget:
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
    Post the report that comes up after the scan.


    Step 4.
    Download TDSSKiller.exe (v2.4.0.0) from Kaspersky Labs and save it to your desktop. <-Important!!!
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension
    • Click the Start Scan button.
    • Do not use the computer during the scan.
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C).
    * Post this log to your next message.

    If needed see the TDSS Rootkit Removing Tool website for detailed instructions on running TDSSkiller.
    ========

    Step 5.

    We will use ComboFix to install the Microsoft Recovery Console for Windows XP.

    - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat.

    Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

    * Please visit this webpage for instructions for downloading and running ComboFix if you have problems running it:

    Please download ComboFix from one of the following mirrors, and save it to your desktop.
    Warning: This tool is not a toy and not for everyday use!
    Link 1
    Link 2
    Link 3
    • Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
    • Please insert all usb-drives before running Combofix
    • Close any open browsers.
    • Double click on your desktop.
      If using Vista/Win7, right-click and Run as Administrator...
    • Read and accept (Press Yes) to the disclaimer.
    • Follow the prompts...And allow the installation of the Recovery Console!!! <--IMPORTANT
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
      Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
      **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
    • *Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

      Post the log from ComboFix in your next reply.


    *EXTRA NOTES*

    * If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    * If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    * If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).



    Summary of the logs I will need in your next reply:
    • Rkill log.
    • MBAM log.
    • The report log of TDSSKiller.exe
    • The report log of combofix

    How are things at your end?


    Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

    Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

    Kind regards
    Net_Surfer

    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you kindly, Click here: >> Please Donate to the Forum <<


    "Obstacles are what you see when you take your eyes off your Goals"

    Net_Surfer is a Graduate of BleepingComputer Malware Removal Training Program. You too could train to help others!

  3. #3
    Member lupus
    Join Date
    Dec 2005
    Posts
    7
    Points
    0


    the TDSSkiller wouldn't run until i did the combofix. the combo fix found and root problem which restored the desktop and all missing stuff on it. now the start menu and bottom bar is missing. everything seems almost back to normal except that. i haven't tried system restore yet. my firefox internet isn't working anymore i don't know why, i was using it to reply now, but then it turned invisible though the task manager still shows it running.

    as combofix was doing its thing it said that i didn't have recovery console and whenever i restart or start up the laptop, when i select normal mode, it brings up a boot up list of recovery console, other, or windows xp now




    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 05/22/2011 at 12:23:02.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\grpconv.exe


    Rkill completed on 05/22/2011 at 12:23:08.




    Malwarebytes' Anti-Malware 1.50.1.1100
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 6641

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    5/22/2011 1:16:54 PM
    mbam-log-2011-05-22 (13-16-54).txt

    Scan type: Quick scan
    Objects scanned: 146245
    Time elapsed: 4 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    2011/05/22 11:47:56.0287 2440 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
    2011/05/22 11:47:56.0687 2440 ================================================================================
    2011/05/22 11:47:56.0687 2440 SystemInfo:
    2011/05/22 11:47:56.0687 2440
    2011/05/22 11:47:56.0687 2440 OS Version: 5.1.2600 ServicePack: 2.0
    2011/05/22 11:47:56.0687 2440 Product type: Workstation
    2011/05/22 11:47:56.0687 2440 ComputerName: HEB56
    2011/05/22 11:47:56.0687 2440 UserName: hyper
    2011/05/22 11:47:56.0687 2440 Windows directory: C:\WINDOWS
    2011/05/22 11:47:56.0687 2440 System windows directory: C:\WINDOWS
    2011/05/22 11:47:56.0687 2440 Processor architecture: Intel x86
    2011/05/22 11:47:56.0687 2440 Number of processors: 1
    2011/05/22 11:47:56.0687 2440 Page size: 0x1000
    2011/05/22 11:47:56.0687 2440 Boot type: Normal boot
    2011/05/22 11:47:56.0687 2440 ================================================================================
    2011/05/22 11:47:57.0518 2440 Initialize success
    2011/05/22 11:48:06.0381 2624 ================================================================================
    2011/05/22 11:48:06.0381 2624 Scan started
    2011/05/22 11:48:06.0381 2624 Mode: Manual;
    2011/05/22 11:48:06.0381 2624 ================================================================================
    2011/05/22 11:48:07.0222 2624 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
    2011/05/22 11:48:07.0443 2624 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/22 11:48:07.0613 2624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/05/22 11:48:07.0923 2624 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/22 11:48:08.0204 2624 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/22 11:48:08.0384 2624 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/05/22 11:48:09.0235 2624 ANIO (4a5c7eaefa4c43d139c402c6da5bfd2c) C:\WINDOWS\System32\ANIO.SYS
    2011/05/22 11:48:09.0756 2624 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/22 11:48:09.0946 2624 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/22 11:48:10.0417 2624 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/22 11:48:10.0597 2624 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/22 11:48:10.0848 2624 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/22 11:48:11.0168 2624 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/22 11:48:11.0459 2624 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/22 11:48:11.0649 2624 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/22 11:48:11.0849 2624 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/22 11:48:12.0280 2624 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/05/22 11:48:12.0570 2624 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/05/22 11:48:13.0201 2624 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/22 11:48:13.0421 2624 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/22 11:48:13.0642 2624 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/22 11:48:13.0842 2624 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/22 11:48:14.0192 2624 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/22 11:48:14.0493 2624 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/22 11:48:14.0703 2624 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/05/22 11:48:14.0944 2624 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/22 11:48:15.0264 2624 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/22 11:48:15.0464 2624 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/22 11:48:15.0675 2624 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/05/22 11:48:15.0945 2624 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/05/22 11:48:16.0205 2624 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/22 11:48:16.0426 2624 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/22 11:48:16.0616 2624 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/22 11:48:16.0836 2624 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/22 11:48:17.0227 2624 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/05/22 11:48:17.0447 2624 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/05/22 11:48:17.0657 2624 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/05/22 11:48:17.0908 2624 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/22 11:48:18.0439 2624 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/22 11:48:18.0639 2624 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/22 11:48:18.0949 2624 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/22 11:48:19.0210 2624 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/22 11:48:19.0400 2624 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/22 11:48:19.0610 2624 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/22 11:48:19.0841 2624 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/22 11:48:20.0121 2624 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/22 11:48:20.0331 2624 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/22 11:48:20.0552 2624 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/22 11:48:20.0782 2624 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/22 11:48:21.0012 2624 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/22 11:48:21.0313 2624 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/22 11:48:21.0663 2624 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/22 11:48:21.0853 2624 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/22 11:48:22.0124 2624 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/22 11:48:22.0334 2624 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/22 11:48:22.0514 2624 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/22 11:48:22.0825 2624 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/22 11:48:23.0055 2624 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/22 11:48:23.0286 2624 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/22 11:48:23.0456 2624 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/22 11:48:23.0646 2624 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/22 11:48:23.0826 2624 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/22 11:48:24.0017 2624 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/22 11:48:24.0287 2624 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/22 11:48:24.0527 2624 N3AB (0bb59b42cf3431d55a0bfbb5d7f77ee5) C:\WINDOWS\system32\DRIVERS\N3AB.sys
    2011/05/22 11:48:24.0728 2624 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/22 11:48:24.0898 2624 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/22 11:48:25.0208 2624 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/22 11:48:25.0419 2624 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/22 11:48:25.0609 2624 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/22 11:48:25.0799 2624 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/22 11:48:26.0009 2624 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/22 11:48:26.0260 2624 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/22 11:48:26.0500 2624 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/22 11:48:26.0710 2624 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/22 11:48:27.0171 2624 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/05/22 11:48:27.0502 2624 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/22 11:48:27.0672 2624 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/22 11:48:27.0862 2624 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/22 11:48:28.0082 2624 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/22 11:48:28.0313 2624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/22 11:48:28.0503 2624 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/22 11:48:28.0954 2624 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/05/22 11:48:30.0005 2624 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/22 11:48:30.0266 2624 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/05/22 11:48:30.0466 2624 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/22 11:48:30.0636 2624 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/22 11:48:31.0427 2624 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/22 11:48:31.0638 2624 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/22 11:48:31.0828 2624 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/22 11:48:32.0028 2624 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/22 11:48:32.0309 2624 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/22 11:48:32.0499 2624 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/22 11:48:32.0719 2624 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/22 11:48:32.0909 2624 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/22 11:48:33.0180 2624 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/22 11:48:33.0400 2624 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
    2011/05/22 11:48:33.0610 2624 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    2011/05/22 11:48:33.0781 2624 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    2011/05/22 11:48:33.0961 2624 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/05/22 11:48:34.0021 2624 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/05/22 11:48:34.0241 2624 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/22 11:48:34.0442 2624 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
    2011/05/22 11:48:34.0632 2624 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/22 11:48:35.0143 2624 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/22 11:48:35.0353 2624 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/22 11:48:35.0593 2624 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/22 11:48:35.0804 2624 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/22 11:48:36.0024 2624 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/22 11:48:36.0815 2624 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/22 11:48:37.0085 2624 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/22 11:48:37.0286 2624 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/22 11:48:37.0466 2624 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/22 11:48:37.0666 2624 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/22 11:48:37.0977 2624 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/22 11:48:38.0357 2624 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/22 11:48:38.0568 2624 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/05/22 11:48:38.0748 2624 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/22 11:48:38.0918 2624 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/22 11:48:39.0148 2624 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/22 11:48:39.0329 2624 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/22 11:48:39.0529 2624 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/22 11:48:39.0709 2624 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/22 11:48:39.0990 2624 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/22 11:48:40.0330 2624 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/22 11:48:40.0630 2624 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/22 11:48:40.0951 2624 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/05/22 11:48:41.0291 2624 ================================================================================
    2011/05/22 11:48:41.0291 2624 Scan finished
    2011/05/22 11:48:41.0291 2624 ================================================================================




    ComboFix 11-05-21.03 - hyper 05/22/2011 11:17:11.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.250 [GMT -7:00]
    Running from: c:\documents and settings\hyper\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\hyper\WINDOWS
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_USNJSVC
    -------\Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-22 03:17 . 2011-05-22 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-05-21 23:59 . 2011-05-22 02:06 -------- d-----w- c:\program files\AVAST Software
    2011-05-21 23:59 . 2011-05-22 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-05-21 23:52 . 2011-05-21 23:52 -------- d-----w- c:\documents and settings\hyper\Application Data\Malwarebytes
    2011-05-21 23:52 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 23:52 . 2011-05-21 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-21 23:52 . 2011-05-22 02:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-21 22:37 . 2011-05-21 22:37 -------- d-----w- c:\documents and settings\hyper\Application Data\SUPERAntiSpyware.com
    2011-05-21 22:37 . 2011-05-21 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-05-21 22:36 . 2011-05-21 22:37 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-05-21 22:32 . 2011-05-22 16:43 -------- d-----w- c:\program files\Viruses
    2011-05-21 18:36 . 2011-05-21 18:36 -------- d-----w- c:\documents and settings\Administrator
    2011-05-20 18:50 . 2011-05-20 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AutoUpdate
    2011-05-20 18:50 . 2011-05-22 17:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2011-05-20 18:50 . 2011-05-20 18:50 -------- d-----w- c:\program files\Eltima Software
    2011-05-20 18:39 . 2011-05-20 18:47 -------- d-----w- c:\program files\Magic Flash Decompiler
    2011-05-20 18:35 . 2011-05-20 18:38 -------- d-----w- c:\program files\Magic Swf2Gif
    2011-05-12 02:11 . 2011-05-12 02:11 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-05-12 02:11 . 2011-05-12 02:11 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-05-12 02:11 . 2011-05-12 02:11 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-05-12 02:11 . 2011-05-12 02:11 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-05-12 02:11 . 2011-05-12 02:11 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-05-12 02:11 . 2011-05-12 02:11 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
    2011-05-12 02:11 . 2011-05-12 02:11 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-05-12 02:11 . 2011-05-12 02:11 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
    2011-05-06 07:24 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2003-08-25 21:06 . 2006-06-06 01:22 40960 -c--a-w- c:\program files\internet explorer\plugins\ftdwser.dll
    2011-05-12 02:11 . 2011-05-12 02:11 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-04 2424192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    S3 N3AB;N3AB Wireless Network Adapter Service;c:\windows\system32\drivers\N3AB.sys [11/19/2005 8:20 PM 457312]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/25/2007 12:45 PM 24652]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-22 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 05:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/comcast.html
    mWindow Title = Microsoft Internet Explorer presented by Comcast
    uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
    uInternet Settings,ProxyOverride = cdn
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\hyper\Application Data\Mozilla\Firefox\Profiles\uh471yj0.default\
    FF - prefs.js: browser.search.selectedEngine - Answers.com
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: network.proxy.type - 4
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-WgaLogon - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2011-05-22 11:27
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(616)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-22 11:40:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-22 18:40
    .
    Pre-Run: 8,258,940,928 bytes free
    Post-Run: 8,213,147,648 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 35A128A86EB33E7D29300963049A1752

  4. #4
    Member Net_Surfer's Avatar
    Join Date
    May 2008
    Location
    Paradise Ca.
    Posts
    1,179
    Points
    89
    Blog Entries
    4

    Default

    • Download: >>> OTL by Old Timer <<< to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check

    • Now copy the lines below.

      netsvcs
      msconfig
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      CREATERESTOREPOINT


    • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

    • Click the Run Scan button.


    • Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

    =========
    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you kindly, Click here: >> Please Donate to the Forum <<


    "Obstacles are what you see when you take your eyes off your Goals"

    Net_Surfer is a Graduate of BleepingComputer Malware Removal Training Program. You too could train to help others!
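The OTL script above hashes a list of critical drivers between /md5start and /md5stop, the TDSSKiller listing earlier in the thread prints one MD5 per loaded driver, and ComboFix reported that volsnap.sys had been patched. As an added example that is not part of this thread or of any of those tools, here is a Python script that parses TDSSKiller-style driver lines and compares each hash against a known-good baseline, flagging a mismatch (the signature of a patched driver) and any driver that has no baseline entry. The sample log and the baseline dictionary are constructed for the example: the hashes are copied from the listing above, with the tcpip.sys line deliberately altered to exercise the mismatch path, and the baseline is not a verified clean-hash set.

```python
"""Compare driver MD5s from a TDSSKiller-style log against a known-good baseline.

Added example for this thread; not code from TDSSKiller, OTL or ComboFix.
"""
import hashlib
import re

# Matches driver lines of the form:
#   2011/05/22 11:48:39.0990 2624 VolSnap (ee46...379b) C:\WINDOWS\system32\drivers\VolSnap.sys
# Header/footer lines ("====", "Scan finished") carry no (md5) group and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)

# Constructed sample log. Hashes are taken from the thread's listing, except
# tcpip.sys, which is altered here so the example shows a mismatch.
SAMPLE_LOG = (
    "2011/05/22 11:48:39.0990 2624 VolSnap (ee4660083deba849ff6c485d944b379b) C:\\WINDOWS\\system32\\drivers\\VolSnap.sys\n"
    "2011/05/22 11:48:37.0085 2624 Tcpip (00000000000000000000000000000000) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys\n"
    "2011/05/22 11:48:26.0500 2624 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\\WINDOWS\\system32\\drivers\\Ntfs.sys\n"
    "2011/05/22 11:48:41.0291 2624 ================================================================================\n"
    "2011/05/22 11:48:41.0291 2624 Scan finished\n"
    "2011/05/22 11:48:33.0961 2624 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\\Program Files\\SUPERAntiSpyware\\SASDIFSV.SYS\n"
)

# Constructed baseline keyed by lower-cased file name. Hypothetical "known-good"
# values for illustration only; a real baseline comes from a trusted clean install.
BASELINE = {
    "volsnap.sys": "ee4660083deba849ff6c485d944b379b",
    "tcpip.sys": "2a5554fc5b1e04e131230e3ce035c3f9",
    "ntfs.sys": "19a811ef5f1ed5c926a028ce107ff1af",
}


def parse_log(text):
    """Return (service name, md5, path) for every driver line in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["md5"].lower(), m["path"]))
    return entries


def compare(entries, baseline):
    """Classify each driver: 'ok' (hash matches), 'mismatch' (differs) or 'unknown' (no baseline)."""
    report = {}
    for name, md5, path in entries:
        key = path.rsplit("\\", 1)[-1].lower()  # file name only, case-insensitive
        expected = baseline.get(key)
        if expected is None:
            status = "unknown"
        elif expected == md5:
            status = "ok"
        else:
            status = "mismatch"
        report[key] = {"name": name, "md5": md5, "path": path, "status": status}
    return report


def findings(report):
    """File names needing attention: mismatches first, then unknowns, each group alphabetical."""
    return sorted(
        (k for k, v in report.items() if v["status"] != "ok"),
        key=lambda k: (report[k]["status"] != "mismatch", k),
    )


def md5_of_bytes(data):
    """MD5 hex digest of in-memory data (same digest TDSSKiller prints per file)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=65536):
    """MD5 of a file on disk, streamed in chunks; use this to build or refresh a baseline."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    report = compare(parse_log(SAMPLE_LOG), BASELINE)
    for key in findings(report):
        entry = report[key]
        print(f"{entry['status']:8} {entry['path']} ({entry['md5']})")
```

On the constructed sample the script reports tcpip.sys as a mismatch and SASDIFSV.SYS as unknown; a mismatch on a core driver such as volsnap.sys or tcpip.sys is exactly the condition ComboFix flagged in the log above, while an unknown entry only means the baseline has no record of that file.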