Tech Support Team

ElChamuco · #1 (**permalink**) **Top** 19th May 2009, 04:41 AM

hello, new to this trojan mess and would like to fix my comp.

I found this site and very grateful to have cool people helping others, lets get started.

It started with a random pop up late night while surfing and i noticed DOS pop up and was like o Sh**. i knew right away something was wrong and norton caught something but looked like it still got trough. got the good ole need to update screen and Knew it was a virus just looked funny.

long story short. rebooted ran norton it caught some stuff but new it wasn't enough ran the windows update and it kept directing me to the same site but managed to run there online antivrus and it helped. also ran panda active scan and also helped but noticed it couldn't remove everything.

The trojans that pop up are
Trojan. fakealert
Trjojan.vundo.H
Trojan.dnschanger.

After i ran some stuff i noticed norton is not working properly it wont let me scan the comp anymore. as well i could not update java. did remove older versions tho.

here the logs and thanks in advance.

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 05/18/2009 at 05:18 PM

Application Version : 4.26.1002

Core Rules Database Version : 3895
Trace Rules Database Version: 1843

Scan type : Complete Scan
Total Scan Time : 01:22:21

Memory items scanned : 679
Memory threats detected : 0
Registry items scanned : 6351
Registry threats detected : 8
File items scanned : 94626
File threats detected : 0

Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5

Malwarebytes' Anti-Malware 1.36
Database version: 2149
Windows 5.1.2600 Service Pack 3

5/18/2009 6:00:18 PM
mbam-log-2009-05-18 (18-00-18).txt

Scan type: Quick Scan
Objects scanned: 85268
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{abc71dad-efcf-4bdf-bfd5-3251cc361274} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wyqiokml (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{abc71dad-efcf-4bdf-bfd5-3251cc361274} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\fe345.fe345mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fe345.fe345mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\199638 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
c:\windows\system32\wjbkchl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\qhpbqtvb.dat (Rootkit.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:54 PM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F 1.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 Antivirus System PRO Powerfull PC Protection
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {ABC71DAD-EFCF-4BDF-BFD5-3251CC361274} - c:\windows\system32\wjbkchl.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F 1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1239237559578
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wyqiokml - wjbkchl.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardware ResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 12711 bytes

**evilfantasy** · #2 (**permalink**) **Top** 19th May 2009, 08:17 PM

Open HijackThis and select Do a system scan only

Vista users right click on HijackThis and select Run as Administrator. (you will receive a UAC prompt, please allow it)

Place a check mark next to the following entries: (if there)

O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 Antivirus System PRO Powerfull PC Protection
O2 - BHO: (no name) - {ABC71DAD-EFCF-4BDF-BFD5-3251CC361274} - c:\windows\system32\wjbkchl.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: wyqiokml - wjbkchl.dll (file missing)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

ElChamuco · #3 (**permalink**) **Top** 20th May 2009, 08:01 AM

Looks like my norton is not responding anymore. Was wondering what should i do?
i was thinking of uninstalling it. please let me know on what to do next

Thanks a lot for the response.

**evilfantasy** · #4 (**permalink**) **Top** 20th May 2009, 04:30 PM

Follow through with my instructions. When the malware is removed we will see what problems still remain and deal with them then.

ElChamuco · #5 (**permalink**) **Top** 20th May 2009, 09:22 PM

sorry i didn't explain my self right. norton is not responding there for i can not disable it to run combofix.

thanks

**evilfantasy** · #6 (**permalink**) **Top** 20th May 2009, 09:23 PM

Try running ComboFix. If Norton tries to block it then just allow it to run.

ElChamuco · #7 (**permalink**) **Top** 20th May 2009, 09:48 PM

clicked on combo fix and this is what i got

ComboFix has detected the following real time scanner(s) to be active:
antivirus: Norton Internet security

Antivirus and intrusion prevention programs are known to interfere
with ComboFix's running. This may lead to upredictable results or
possible machine damage.

please disable these scanners before clicking 'OK'

**evilfantasy** · #8 (**permalink**) **Top** 20th May 2009, 09:50 PM

Go ahead and click OK.

Or uninstall Norton.

ElChamuco · #9 (**permalink**) **Top** 20th May 2009, 09:55 PM

wow thanks for the quick reply! im not sure, what do u recommend ?

**evilfantasy** · #10 (**permalink**) **Top** 20th May 2009, 09:56 PM

Just run ComboFix.

ElChamuco · #11 (**permalink**) **Top** 21st May 2009, 02:21 AM

Thanks again for the quick replies.

here the log

ComboFix 09-05-19.04 - CHUCK 05/20/2009 18:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.559 [GMT -7:00]
Running from: c:\documents and settings\CHUCK\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\CHUCK\Application Data\inst.exe
c:\windows\setup.exe
c:\windows\system32\drivers\ccpnklvq.sys
c:\windows\system32\drivers\dvabnppq.sys
c:\windows\system32\tyensqs.dll
c:\windows\system32\wjbkchl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DVABNPPQ
-------\Service_dvabnppq

((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 01:10 . 2009-05-21 01:10 -------- d-----w c:\windows\LastGood
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w c:\documents and settings\CHUCK\Application Data\SUPERAntiSpyware.com
2009-05-18 22:34 . 2009-05-18 22:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-18 21:22 . 2009-05-18 21:22 -------- d-----w c:\program files\CCleaner
2009-05-16 04:18 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-11 05:19 . 2008-06-20 00:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-11 05:18 . 2009-05-11 05:18 -------- d-----w c:\program files\Panda Security
2009-05-11 02:10 . 2009-05-11 02:10 -------- d-----w c:\program files\SpywareBlaster
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w c:\documents and settings\CHUCK\Application Data\Malwarebytes
2009-05-10 23:39 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-10 23:39 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-10 10:21 . 2009-05-10 10:21 -------- d-----w c:\documents and settings\CHUCK\Application Data\fldkdxjv
2009-05-10 10:21 . 2009-05-10 10:21 -------- d-----w c:\documents and settings\CHUCK\Local Settings\Application Data\fldkdxjv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-19 03:09 . 2006-09-14 20:19 -------- d-----w c:\program files\Trend Micro
2009-05-19 03:02 . 2006-08-10 09:13 -------- d-----w c:\program files\Java
2009-05-11 02:38 . 2009-04-09 00:50 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-11 02:13 . 2009-03-31 23:32 -------- d-----w c:\program files\Trojan Guarder Gold Version
2009-05-11 00:22 . 2006-09-14 20:20 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-10 10:17 . 2006-08-10 07:32 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-10 05:39 . 2008-06-13 04:17 -------- d-----w c:\program files\Norton Internet Security
2009-03-19 02:16 . 2006-08-10 07:32 578560 ----a-w c:\windows\system32\user32.dll
2009-03-18 19:26 . 2006-08-10 07:32 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-01 05:47 . 2008-06-13 04:20 324976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.e xe" [2006-05-08 81920]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-27 217088]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"NeroCheck"="c:\windows\system32\NeroCheck.exe " [2003-07-13 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-07 718704]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\ 3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 23:11 73728 ----a-w c:\windows\system32\VESWinlogon.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboo t.sys [5/10/2009 10:19 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [1/25/2008 6:47 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 12:13 PM 101936]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21 sony.sys [8/10/2006 12:33 AM 226304]
S2 oknifsoigh;oknifsoigh;c:\windows\System32\svchost. exe -k netsvcs [8/10/2006 12:32 AM 14336]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mo n.sys [1/12/2008 7:32 PM 23888]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - DVABNPPQ
*Deregistered* - dvabnppq

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vejgojta
Yphiseyj
OuzJe
oknifsoigh
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - CHUCK.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\CHUCK\Application Data\Mozilla\Firefox\Profiles\8ehdyjug.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-20 18:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c cEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S AVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S NDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
************************************************** ************************
.
Completion time: 2009-05-21 18:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 01:19

Pre-Run: 8,775,987,200 bytes free
Post-Run: 8,655,245,312 bytes free

213 --- E O F --- 2009-03-14 06:49

**evilfantasy** · #12 (**permalink**) **Top** 21st May 2009, 02:35 AM

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

NetSvc::
vejgojta
Yphiseyj
OuzJe
oknifsoigh

Driver::
oknifsoigh
vejgojta
Yphiseyj
OuzJe

FixCSet::

DDS::
Trusted Zone: trymedia.com

Folder::
c:\documents and settings\CHUCK\Application Data\fldkdxjv
c:\documents and settings\CHUCK\Local Settings\Application Data\fldkdxjv

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

ElChamuco · #13 (**permalink**) **Top** 21st May 2009, 04:19 AM

here the new log

ComboFix 09-05-19.04 - CHUCK 05/20/2009 20:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.574 [GMT -7:00]
Running from: c:\documents and settings\CHUCK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CHUCK\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\CHUCK\Application Data\fldkdxjv
c:\documents and settings\CHUCK\Application Data\fldkdxjv\profiles.ini
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\cert8.db
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\compatibil ity.ini
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\compreg.da t
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\cookies.sq lite
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\formhistor y.sqlite
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\key3.db
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\localstore .rdf
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\permission s.sqlite
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\places.sql ite-journal
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\places.sql ite
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\pluginreg. dat
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\prefs.js
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\secmod.db
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\webappssto re.sqlite
c:\documents and settings\CHUCK\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\xpti.dat
c:\documents and settings\CHUCK\Local Settings\Application Data\fldkdxjv
c:\documents and settings\CHUCK\Local Settings\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\urlclassif ier3.sqlite
c:\documents and settings\CHUCK\Local Settings\Application Data\fldkdxjv\Profiles\qjf6xt8j.default\XPC.mfl

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_oknifsoigh
-------\Legacy_VEJGOJTA
-------\Service_oknifsoigh

((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 01:10 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-21 01:10 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-05-21 01:10 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-21 01:10 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-21 01:10 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-21 01:10 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-21 01:10 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-21 01:10 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-05-21 01:10 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-21 01:10 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-21 01:09 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-21 01:09 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w c:\documents and settings\CHUCK\Application Data\SUPERAntiSpyware.com
2009-05-18 22:34 . 2009-05-18 22:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-18 21:22 . 2009-05-18 21:22 -------- d-----w c:\program files\CCleaner
2009-05-16 04:18 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-11 05:19 . 2008-06-20 00:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-11 05:18 . 2009-05-11 05:18 -------- d-----w c:\program files\Panda Security
2009-05-11 02:10 . 2009-05-11 02:10 -------- d-----w c:\program files\SpywareBlaster
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w c:\documents and settings\CHUCK\Application Data\Malwarebytes
2009-05-10 23:39 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-10 23:39 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-19 03:09 . 2006-09-14 20:19 -------- d-----w c:\program files\Trend Micro
2009-05-19 03:02 . 2006-08-10 09:13 -------- d-----w c:\program files\Java
2009-05-11 02:38 . 2009-04-09 00:50 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-11 02:13 . 2009-03-31 23:32 -------- d-----w c:\program files\Trojan Guarder Gold Version
2009-05-11 00:22 . 2006-09-14 20:20 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-10 10:17 . 2006-08-10 07:32 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-10 05:39 . 2008-06-13 04:17 -------- d-----w c:\program files\Norton Internet Security
2009-03-19 02:16 . 2006-08-10 07:32 578560 ----a-w c:\windows\system32\user32.dll
2009-03-18 19:26 . 2006-08-10 07:32 14336 ----a-w c:\windows\system32\svchost.exe
2009-03-06 14:22 . 2006-08-10 07:32 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-08-10 07:32 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-08-10 07:32 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-01 05:47 . 2008-06-13 04:20 324976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-21_01.15.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 03:12 . 2009-05-21 03:12 16384 c:\windows\temp\Perflib_Perfdata_330.dat
- 2006-08-10 08:47 . 2007-07-27 16:41 26488 c:\windows\system32\spupdsvc.exe
+ 2006-08-10 08:47 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
+ 2007-03-09 07:36 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2007-03-09 07:36 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2006-08-10 07:32 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2006-08-10 07:32 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe
+ 2006-08-10 07:32 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 44544 c:\windows\system32\pngfilt.dll
- 2006-08-10 07:32 . 2009-03-09 07:42 63930 c:\windows\system32\perfc009.dat
+ 2006-08-10 07:32 . 2009-05-21 02:59 63930 c:\windows\system32\perfc009.dat
- 2006-08-10 07:45 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
+ 2006-08-10 07:45 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
+ 2006-08-10 07:32 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
- 2006-08-10 07:32 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
- 2006-11-08 05:03 . 2008-12-20 23:15 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 05:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2006-08-10 07:45 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2006-08-10 07:45 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 11:26 . 2008-12-19 09:10 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 11:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
- 2006-08-10 07:32 . 2008-12-20 23:15 44544 c:\windows\system32\iernonce.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
- 2006-08-10 07:32 . 2008-12-19 09:10 70656 c:\windows\system32\ie4uinit.exe
+ 2006-08-10 07:32 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 19:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2006-10-17 19:58 . 2008-12-20 23:15 63488 c:\windows\system32\icardie.dll
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2007-05-09 06:02 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-09 06:02 . 2008-12-20 23:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2007-05-09 06:02 . 2008-12-19 09:10 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-05-09 06:02 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2006-11-07 11:26 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-11-07 11:26 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
- 2006-11-07 11:26 . 2008-12-19 09:10 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-11-07 11:26 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04 . 2008-12-20 23:15 63488 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-05-21 01:39 . 2008-12-19 09:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-05-21 01:39 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-05-21 01:39 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-05-21 01:39 . 2008-12-19 09:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-05-21 01:39 . 2008-12-20 23:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
- 2006-08-10 07:32 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
+ 2006-08-10 07:32 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 233472 c:\windows\system32\webcheck.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2006-08-10 07:45 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2006-08-10 07:45 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2006-08-10 07:45 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 105984 c:\windows\system32\url.dll
+ 2006-08-10 07:32 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2006-08-10 07:32 . 2009-02-09 12:10 401408 c:\windows\system32\rpcss.dll
+ 2006-08-10 07:32 . 2009-05-21 02:59 406896 c:\windows\system32\perfh009.dat
- 2006-08-10 07:32 . 2009-03-09 07:42 406896 c:\windows\system32\perfh009.dat
+ 2006-08-10 07:32 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 102912 c:\windows\system32\occache.dll
+ 2006-08-10 07:32 . 2009-02-09 12:10 714752 c:\windows\system32\ntdll.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 671232 c:\windows\system32\mstime.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 193024 c:\windows\system32\msrating.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 477696 c:\windows\system32\mshtmled.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2006-11-08 05:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
- 2006-11-08 05:03 . 2008-12-20 23:15 459264 c:\windows\system32\msfeeds.dll
+ 2006-08-10 07:45 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2006-08-10 07:45 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
- 2006-08-10 07:45 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2006-08-10 07:45 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
+ 2006-08-10 07:45 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
+ 2006-08-10 07:32 . 2009-02-09 12:10 729088 c:\windows\system32\lsasrv.dll
+ 2006-08-10 07:32 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2006-08-10 07:32 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2006-10-17 19:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 19:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
- 2006-10-17 19:27 . 2008-12-20 23:15 383488 c:\windows\system32\ieapfltr.dll
- 2006-08-10 07:32 . 2008-12-19 05:23 161792 c:\windows\system32\ieakui.dll
+ 2006-08-10 07:32 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 230400 c:\windows\system32\ieaksie.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 153088 c:\windows\system32\ieakeng.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 133120 c:\windows\system32\extmgr.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 214528 c:\windows\system32\dxtrans.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 347136 c:\windows\system32\dxtmsft.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\wininet.dll
+ 2006-10-23 15:34 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
- 2006-11-08 05:03 . 2008-12-20 23:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-11-08 05:03 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-10-17 20:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 20:05 . 2008-12-20 23:15 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 20:04 . 2008-12-20 23:15 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 20:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 06:02 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 06:02 . 2008-12-20 23:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2006-10-17 20:04 . 2009-02-28 04:54 636072 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-09 06:02 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-11-07 11:27 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-09 06:02 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-09 06:02 . 2008-12-20 23:15 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2006-11-07 11:25 . 2008-12-19 05:23 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2006-11-07 11:25 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2006-11-07 11:27 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 11:27 . 2008-12-20 23:15 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 11:26 . 2008-12-20 23:15 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-11-07 11:26 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-10-23 15:34 . 2008-12-20 23:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-11-07 11:26 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
- 2006-11-07 11:26 . 2008-12-20 23:15 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 124928 c:\windows\system32\advpack.dll
+ 2006-08-10 07:32 . 2009-02-09 12:10 617472 c:\windows\system32\advapi32.dll
- 2006-08-10 07:32 . 2008-04-14 00:11 617472 c:\windows\system32\advapi32.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-05-21 01:39 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-05-21 01:39 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-05-21 01:39 . 2008-12-20 23:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-05-21 01:39 . 2008-12-19 05:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-05-21 01:39 . 2008-12-20 23:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-05-21 01:39 . 2008-12-19 05:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2006-08-10 07:32 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
- 2006-08-10 07:32 . 2008-12-20 23:15 1160192 c:\windows\system32\urlmon.dll
+ 2006-08-10 07:32 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2006-08-10 07:32 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
- 2004-08-03 23:18 . 2008-08-14 10:09 2145280 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 23:18 . 2009-02-06 11:06 2145280 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2009-02-06 10:32 2023936 c:\windows\system32\ntkrnlpa.exe
- 2004-08-03 22:59 . 2008-08-14 09:33 2023936 c:\windows\system32\ntkrnlpa.exe
+ 2006-08-10 07:32 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2006-11-08 05:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2006-09-06 07:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
- 2006-09-06 07:01 . 2007-04-17 09:28 2455488 c:\windows\system32\ieapfltr.dat
- 2006-10-23 15:34 . 2008-12-20 23:15 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2006-10-23 15:34 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-16 08:29 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-16 08:29 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 08:29 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 08:29 . 2009-02-08 02:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-16 08:29 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-16 08:29 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-16 08:29 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2006-10-23 15:34 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 06:02 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2007-05-09 06:02 . 2007-04-17 09:28 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2007-05-09 06:02 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-05-21 01:39 . 2008-12-20 23:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-05-21 01:39 . 2009-01-17 05:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-05-21 01:39 . 2008-12-20 23:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-05-21 01:39 . 2007-04-17 09:28 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-16 08:29 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-16 08:29 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 08:29 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 08:29 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 08:29 . 2009-02-08 02:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-16 08:29 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-16 08:29 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-01-21 11:51 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.e xe" [2006-05-08 81920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-27 217088]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"NeroCheck"="c:\windows\system32\NeroCheck.exe " [2003-07-13 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-07 718704]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\ 3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 23:11 73728 ----a-w c:\windows\system32\VESWinlogon.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboo t.sys [5/10/2009 10:19 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [1/25/2008 6:47 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 12:13 PM 101936]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21 sony.sys [8/10/2006 12:33 AM 226304]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mo n.sys [1/12/2008 7:32 PM 23888]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - CHUCK.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\CHUCK\Application Data\Mozilla\Firefox\Profiles\8ehdyjug.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-20 20:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c cEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S AVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S NDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
************************************************** ************************
.
Completion time: 2009-05-21 20:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 03:18
ComboFix2.txt 2009-05-21 01:19

Pre-Run: 8,439,799,808 bytes free
Post-Run: 8,429,944,832 bytes free

443 --- E O F --- 2009-05-21 01:40

**evilfantasy** · #14 (**permalink**) **Top** 21st May 2009, 05:09 PM

That looks better. How is the computer running now?

ElChamuco · #15 (**permalink**) **Top** 21st May 2009, 09:02 PM

looks and feels better but my norton was acting up way to much so i uninstalled it and installed avira. when i installed avira it picked up some trojans. i have a feeling that norton didnt delete the quarentine files right and thats why avira picked it up.
what u think?

Other than that it just feels better.

Thanks

**evilfantasy** · #16 (**permalink**) **Top** 21st May 2009, 09:53 PM

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

----------

We should do another scan to make sure since Avira found something else.

Please scan your computer with Panda ActiveScan.

This scanner requires Internet Explorer

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.

ElChamuco · #17 (**permalink**) **Top** 22nd May 2009, 09:16 PM

looks like everything is ok just have azureus as a suspect but i swear i uninstalled it before i even posted anything on this thread.

;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-05-22 07:33:51
PROTECTIONS: 1
MALWARE: 0
SUSPECTS: 1
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
AntiVir Desktop 9.0.1.26 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location
;================================================= ================================================== ================================================== ==============================
No C:\Program Files\Azureus\Uninstall.exe
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================

**evilfantasy** · #18 (**permalink**) **Top** 23rd May 2009, 12:57 AM

If you want to get rid of that just delete the folder, your choice as it's not actually a threat. For some reason some antivirus don't like uninstallers.

C:\Program Files\Azureus <- Delete that.

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

----------

Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

ElChamuco · #19 (**permalink**) **Top** 23rd May 2009, 02:11 AM

Thanks a whole lot man this has been a grate help i feel better now!

**evilfantasy** · #20 (**permalink**) **Top** 23rd May 2009, 06:28 AM

Your welcome.

Safe surfing.