Inactive MBAM, GMER and DDS results!


megabomination

Hi guys. I've pasted my results after following the 'seven step' guide for your help.
The symptoms my PC is having are a constantly redirected IE8, being unable to use Task Manager, and all of my files and some programs seem to have been erased!?
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 6624

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/06/2011 7:56:25 PM
mbam-log-2011-06-14 (19-56-25).txt

Scan type: Quick scan
Objects scanned: 166444
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Adam Livermore at 19:51:23 on 2011-06-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3017 [GMT 10:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Adam Livermore\Desktop\ujd3zmfq.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = ${URL_SEARCHPAGE}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: HistoryTriggerBHO Class: {21a88cb9-84d2-4020-a2d1-b25a21034884} - c:\program files\lg electronics\lg pc suite iv\linkair\LinkAirBrowserHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: DisableTaskMgr = 30
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/206
IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/208
IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/210
IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/205
IE: LG Air Sync Option - c:\program files\lg electronics\lg pc suite iv\linkair\IEContextMenu.dll/209
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-30 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-18 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-30 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-30 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-30 61960]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2010-10-8 101904]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [2009-9-29 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [2009-9-29 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [2009-9-29 12928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-3 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-1 1684736]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-18 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
S4 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [2010-11-20 47616]
.
=============== Created Last 30 ================
.
2011-05-29 20:27:30 601048 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
==================== Find3M ====================
.
2011-04-17 04:36:18 6264 ---ha-w- c:\windows\system32\ealregsnapshot1.reg
.
============= FINISH: 19:51:32.62 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 29/04/2010 2:33:05 PM
System Uptime: 15/06/2011 6:28:08 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5G41T-M LX
Processor: Intel Pentium III Xeon processor | LGA775 | 2933/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 395.852 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 77 GiB total, 48.746 GiB free.
F: is FIXED (FAT32) - 64 GiB total, 63.874 GiB free.
I: is Removable
J: is Removable
K: is Removable
L: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_1969&DEV_1063&SUBSYS_83FE1043&REV_C0\4&38D2602C&0&00E1
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1969&DEV_1063&SUBSYS_83FE1043&REV_C0\4&38D2602C&0&00E1
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:
.
==== System Restore Points ===================
.
RP186: 8/03/2011 8:19:38 PM - System Checkpoint
RP187: 10/03/2011 7:19:04 AM - Software Distribution Service 3.0
RP188: 10/03/2011 7:24:01 PM - Software Distribution Service 3.0
RP189: 12/03/2011 8:38:44 AM - System Checkpoint
RP190: 14/03/2011 7:22:01 PM - System Checkpoint
RP191: 15/03/2011 7:46:04 PM - System Checkpoint
RP192: 21/03/2011 6:23:20 AM - System Checkpoint
RP193: 22/03/2011 6:54:52 AM - System Checkpoint
RP194: 23/03/2011 9:03:00 PM - System Checkpoint
RP195: 24/03/2011 7:00:12 AM - Software Distribution Service 3.0
RP196: 3/04/2011 8:11:28 AM - System Checkpoint
RP197: 5/04/2011 7:17:22 AM - System Checkpoint
RP198: 11/04/2011 8:01:22 AM - Installed Windows Internet Explorer 8.
RP199: 11/04/2011 7:33:23 PM - Software Distribution Service 3.0
RP200: 13/04/2011 7:06:01 AM - System Checkpoint
RP201: 15/04/2011 8:45:53 AM - System Checkpoint
RP202: 15/04/2011 9:10:06 PM - Software Distribution Service 3.0
RP203: 16/04/2011 8:27:50 AM - Software Distribution Service 3.0
RP204: 16/04/2011 3:32:49 PM - Software Distribution Service 3.0
RP205: 17/04/2011 2:15:26 PM - Installed Dead Space™
RP206: 17/04/2011 2:36:19 PM - Installed EA Download Manager
RP207: 18/04/2011 5:27:00 PM - System Checkpoint
RP208: 20/04/2011 2:54:14 PM - System Checkpoint
RP209: 25/04/2011 5:39:59 PM - System Checkpoint
RP210: 28/04/2011 7:48:20 PM - System Checkpoint
RP211: 29/04/2011 7:26:10 AM - Software Distribution Service 3.0
RP212: 1/05/2011 5:13:48 PM - System Checkpoint
RP213: 3/05/2011 6:20:32 AM - System Checkpoint
RP214: 5/05/2011 9:17:59 AM - System Checkpoint
RP215: 6/05/2011 6:23:26 PM - System Checkpoint
RP216: 8/05/2011 9:14:13 AM - System Checkpoint
RP217: 10/05/2011 7:13:51 AM - System Checkpoint
RP218: 11/05/2011 7:00:12 AM - Software Distribution Service 3.0
RP219: 15/05/2011 8:25:02 AM - System Checkpoint
RP220: 17/05/2011 8:52:55 PM - System Checkpoint
RP221: 19/05/2011 7:05:51 AM - System Checkpoint
RP222: 28/05/2011 10:52:17 PM - System Checkpoint
RP223: 2/06/2011 7:11:57 PM - System Checkpoint
RP224: 2/06/2011 10:26:13 PM - Restore Operation
RP225: 3/06/2011 11:09:24 PM - System Checkpoint
RP226: 5/06/2011 6:00:42 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.4
Apple Application Support
Apple Software Update
ATI AVIVO Codecs
ATI Catalyst Install Manager
ATI Problem Report Wizard
Avanquest update
Avira AntiVir Personal - Free Antivirus
Battlefield 2142
Call of Duty Game of the Year Edition
Call of Duty(R) - World at War(TM)
Call of Duty(R) - World at War(TM) 1.1 Patch
Call of Duty(R) - World at War(TM) 1.2 Patch
Canon Camera Access Library
Canon Camera Support Core Library
Canon Digital Camera Solution Disk 34 Software Starter Guide
Canon Direct Print User Guide
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 1.0
Canon MP220 series
Canon My Printer
Canon PowerShot A470 Camera User Guide
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Crysis(R)
Dead Space™
DivX Setup
Far Cry
Far Cry (Patch 1.4)
Far Cry 2
GameSpy Comrade
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HydraVision
Java Auto Updater
Java(TM) 6 Update 20
LG Bluetooth Drivers
LG PC Suite IV
LG United Mobile Drivers
LG USB Modem Drivers
Malwarebytes' Anti-Malware
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works
Motorola Phone Tools
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
PCFriendly
PIXMA Extended Survey Program
Power Tab Editor 1.7
Power Tab Librarian
PunkBuster Services
QuickTime
Raptr
Realtek AC'97 Audio
Realtek High Definition Audio Driver
Recuva
ScanSoft OmniPage SE 4
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB923789)
Skins
SUPERAntiSpyware Free Edition
The Lord of the Rings FREE Trial
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
VC80CRTRedist - 8.0.50727.4053
VIRGIN BROADBAND
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
.
==== Event Viewer Messages From Past Week ========
.
8/06/2011 7:50:15 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
.
==== End Of File ===========================
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-15 19:56:30
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-f SAMSUNG_HD501LJ rev.CR100-13
Running: ujd3zmfq.exe; Driver: C:\DOCUME~1\ADAMLI~1\LOCALS~1\Temp\kwadrfob.sys

INITc ...

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA479F620]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

SSDT BA6DB630 ZwOpenProcess
SSDT BA6DB635 ZwOpenThread
SSDT BA6DB644 ZwCreateThread
SSDT BA6DB64E ZwCreateKey
SSDT BA6DB653 ZwDeleteKey
SSDT BA6DB658 ZwSetValueKey
SSDT BA6DB65D ZwDeleteValueKey
SSDT BA6DB662 ZwLoadKey
SSDT BA6DB667 ZwRestoreKey
SSDT BA6DB66C ZwReplaceKey

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E2000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3136] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0121000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00B4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0124000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0123000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3148] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0122000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D2000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3264] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D1000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[3272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3272] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0123000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0122000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0126000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0125000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0121000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0124000A

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB97F5000, 0x273B67, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00452230 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00452270 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 004522B0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 004522E0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00452430 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00452490 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00452320 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00452360 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 004523A0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text E:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe[2260] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 004523F0 E:\Program Files\VIRGIN BROADBAND\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 8A7F8E7A
Thread System [4:128] 8A7FB008

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys BA0D3BD0 4 Bytes [B0, A5, 53, 80]
INITc VolSnap.sys BA0D3BF8 4 Bytes [B8, A1, 4F, 80]
INITc VolSnap.sys BA0D3C20 4 Bytes [B6, AE, 4F, 80]
INITc VolSnap.sys BA0D3C48 4 Bytes [30, FF, 4F, 80]
INITc VolSnap.sys BA0D3C70 4 Bytes [7A, A8, 4F, 80]

---- EOF - GMER 1.0.15 ----
 
I'll be glad to help you, but first you need to repeat Malwarebytes with the current version. If the database isn't current, it's not going to find the current malware. Please follow this link and uninstall the Mbam you now have on the system:


Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
Do you know what this running executable is: C:\Documents and Settings\Adam Livermore\Desktop\ujd3zmfq.exe
===========================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Reminder to be patient
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
As for the missing files, not to worry- there are several malware programs out now which 'hide' the files- they are not gone. We will handle that later.
 
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/06/2011 7:02:12 AM
mbam-log-2011-06-16 (07-02-12).txt

Scan type: Quick scan
Objects scanned: 157826
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Downloaded the new version, updated, and ran a quick scan. Here are the results!
"Do you know what this running executable is: C:\Documents and Settings\Adam Livermore\Desktop\ujd3zmfq.exe" Yes, it's the GMER program!

So I shouldn't use Avira or SUPERAntiSpyware at all at the moment?
Also, why only a quick scan using MBAM? Thanks for your help!
 
No, please don't use CCleaner at this point. We'll clean out some files later.

The reason you may not be able to access the Task Manager is this:
uPolicies-system: DisableTaskMgr = 30

This has most likely been done by the malware. We can fix this after you run Combofix as follows:
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and opened in a text window. Please paste C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=====================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer link to download it. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
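The DisableTaskMgr line quoted in the reply above is the mechanism behind the "can't open Task Manager" symptom: Windows honours a handful of values under Policies\System regardless of who set them. The script below is an added example, not part of this thread or of any of the tools it uses. It parses DDS-style `uPolicies-system:` / `mPolicies-system:` lines (assumed: the `u` and `m` prefixes mean the HKCU and HKLM hives respectively), keeps the entries that actually lock a tool, and emits the `reg.exe` command that removes each one, since `reg.exe` ships with XP. The sample log lines are constructed from the value shown above; the rule that any data other than `0` counts as "set" is an assumption.

```python
"""Triage DDS Policies-system lines and build the reg.exe commands that undo them.
Added example for this thread; not DDS or ComboFix code."""
import re

# Assumption: DDS prefixes a policy line with 'u' for the user hive (HKCU)
# and 'm' for the machine hive (HKLM).
HIVE_FOR_PREFIX = {"u": "HKCU", "m": "HKLM"}

# The key both DDS lines and Windows itself use for these restrictions.
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Values under that key that block the tools a user needs to recover.
RESTRICTIVE_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}

LINE_RE = re.compile(r"^([um])Policies-system:\s*(\w+)\s*=\s*(\S+)", re.I)


def parse_policy_lines(log_lines):
    """Return (hive, value_name, data) for every Policies-system line found."""
    found = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m:
            prefix, name, data = m.group(1).lower(), m.group(2), m.group(3)
            found.append((HIVE_FOR_PREFIX[prefix], name, data))
    return found


def restrictive_findings(log_lines):
    """Keep only known lock-out values whose data is not a plain zero.
    DDS prints the raw data, so the '30' from the thread is treated as set
    (assumption: anything other than '0' / '0x0' enables the restriction)."""
    out = []
    for hive, name, data in parse_policy_lines(log_lines):
        if name in RESTRICTIVE_VALUES and data.lower() not in ("0", "0x0"):
            out.append((hive, name, data))
    return out


def reg_delete_commands(log_lines):
    """One reg.exe command per restrictive value, deleting it outright.
    Deleting (rather than setting 0) restores the Windows default."""
    cmds = []
    for hive, name, _ in restrictive_findings(log_lines):
        cmds.append('reg delete "%s\\%s" /v %s /f' % (hive, POLICY_KEY, name))
    return cmds


if __name__ == "__main__":
    # Constructed sample: the line quoted in the thread plus a benign one.
    sample = [
        "uPolicies-system: DisableTaskMgr = 30",
        "mPolicies-system: EnableLUA = 0",
    ]
    for cmd in reg_delete_commands(sample):
        print(cmd)
```

Run the printed command from an elevated command prompt, then log off and on (or reboot) before retesting Ctrl+Shift+Esc; if the value reappears, the process that set it is still alive and the log is the place to look next.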
 
ComboFix 11-06-16.01 - Adam Livermore 17/06/2011 7:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3088 [GMT 10:00]
Running from: c:\documents and settings\Adam Livermore\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Adam Livermore\Start Menu\Programs\Windows XP Recovery
F:\resycled
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-15 20:55 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-03 10:19 . 2011-06-03 10:19 -------- d-----w- c:\program files\Recuva
2011-05-29 20:27 . 2011-05-29 20:27 601048 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 04:36 . 2011-04-17 04:36 6264 ---ha-w- c:\windows\system32\ealregsnapshot1.reg
2011-03-19 03:53 . 2010-04-29 14:33 137656 ---ha-w- c:\windows\system32\drivers\avipbb.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-08 2424192]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-03 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ---ha-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 12:07 932288 ---ha-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ---ha-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-03 16:50 1603152 ---ha-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-14 16:01 644696 ---ha-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ---ha-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG LinkAir]
2010-11-20 21:23 2440552 ---ha-w- c:\program files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 02:02 79400 ---ha-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ---ha-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Raptr]
2010-12-16 21:53 53160 ---ha-w- c:\progra~1\Raptr\raptrstub.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-04-30 14:17 18782720 ---ha-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-24 23:03 210472 ---ha-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-09-18 10:25 98304 ---ha-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-03 10:22 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IJPLMSVC"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"CCALib8"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"LGScsiCommandService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Raptr\\raptr.exe"=
"c:\\Program Files\\Raptr\\raptr_im.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [18/02/2010 4:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [18/02/2010 4:15 AM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2010 12:33 AM 136360]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [8/10/2010 8:57 PM 101904]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 7:11 AM 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 7:11 AM 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 7:11 AM 12928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [19/03/2010 6:16 AM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/06/2011 8:22 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/05/2010 12:18 AM 1684736]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [18/02/2010 4:15 AM 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [19/03/2010 6:16 AM 753504]
S4 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [20/11/2010 5:28 PM 47616]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
IE: LG Air Sync Option - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
TCP: Interfaces\{79FBAC50-0848-438F-A8BC-98C091237C9B}: NameServer = 123.200.191.17 123.200.191.18
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-UfQshXkFHeIUkQ - c:\documents and settings\All Users\Application Data\UfQshXkFHeIUkQ.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-17 07:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-1425521274-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:7a,b4,b8,c1,9f,e0,8d,20,bb,e6,a8,fd,33,18,a2,8f,68,67,aa,4b,33,
f7,3b,84,14,30,69,4a,6b,29,63,f1,64,f7,55,a4,0a,8e,bf,d5,55,a5,b7,29,62,19,\
"rkeysecu"=hex:39,cc,8a,da,7f,44,84,09,da,b7,e2,0c,b8,a9,a5,33
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(3400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-06-17 07:45:07
ComboFix-quarantined-files.txt 2011-06-16 21:45
.
Pre-Run: 424,917,725,184 bytes free
Post-Run: 424,905,068,544 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C7DFD8D00732032086737DC7ED764535

I've yet to do the online scan, will do that this arvo! But already the PC is working much better, you guys are ace!
 
Before I forget, if you start another thread in the future in this forum, please make the subject describe your problem. For instance, this one could have been: Redirects/no TaskManager/Missing files & Programs

When I'm working on the thread, I can look at the top of the browser and see Redirects and can't use TaskManager. When I look up now, all I see is Mbam, gmer and DDS results! So while I'm helping you and 30 other members at the same time, I have to refer back to your 1st post to find the problem.
===================================
Please run this Custom CFScript:

  • [1] Close any open browsers.
  • [2] Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3] Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\PerfStringBackup.TMP
d:\pcicon.sys
DDS::
uSearch Page = ${URL_SEARCHPAGE}
uPolicies-system: DisableTaskMgr = 30
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

FileLook::
c:\windows\system32\ealregsnapshot1.reg
Driver::
PciCon
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Reboot the computer after Combofix. Can you access the Task Manager now? Are you still missing files and programs?

Please post the Eset scan log when ready.
 
Thanks. Here are the results for ComboFix. I'm trying to run the online scanner but when it is trying to download the 'signature database' it gets about 10% done and won't go any more? It says 'unexpected error 2002'? I will try tomorrow as it's currently prime time Friday night and internet speeds are slow so I'm wondering if that could be it?
ComboFix 11-06-16.01 - Adam Livermore 17/06/2011 20:48:51.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3049 [GMT 10:00]
Running from: c:\documents and settings\Adam Livermore\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adam Livermore\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\PerfStringBackup.TMP"
"d:\pcicon.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\PerfStringBackup.TMP
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PCICON
-------\Service_PciCon
.
.
((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 )))))))))))))))))))))))))))))))
.
.
2011-06-15 20:55 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-03 10:19 . 2011-06-03 10:19 -------- d-----w- c:\program files\Recuva
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 04:36 . 2011-04-17 04:36 6264 ----a-w- c:\windows\system32\ealregsnapshot1.reg
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\ealregsnapshot1.reg ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 6264
Created time: 2011-04-17 04:36
Modified time: 2011-04-17 04:36
MD5: C8AE9262AF7A65615849743C87AC1F88
SHA1: B916120DB8291446D4096DF699C83536A238ED78
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-08 2424192]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-03 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 12:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-03 16:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG LinkAir]
2010-11-20 21:23 2440552 ----a-w- c:\program files\LG Electronics\LG PC Suite IV\LinkAir\LinkAir.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 02:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Raptr]
2010-12-16 21:53 53160 ----a-w- c:\progra~1\Raptr\raptrstub.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-04-30 14:17 18782720 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-24 23:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-09-18 10:25 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-03 10:22 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IJPLMSVC"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"CCALib8"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"LGScsiCommandService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Raptr\\raptr.exe"=
"c:\\Program Files\\Raptr\\raptr_im.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [18/02/2010 4:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [18/02/2010 4:15 AM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2010 12:33 AM 136360]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [8/10/2010 8:57 PM 101904]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 7:11 AM 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 7:11 AM 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 7:11 AM 12928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [19/03/2010 6:16 AM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/06/2011 8:22 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/05/2010 12:18 AM 1684736]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [18/02/2010 4:15 AM 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [19/03/2010 6:16 AM 753504]
S4 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [20/11/2010 5:28 PM 47616]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-03 10:22]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
IE: LG Air Sync Option - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-17 20:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-1425521274-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:7a,b4,b8,c1,9f,e0,8d,20,bb,e6,a8,fd,33,18,a2,8f,68,67,aa,4b,33,
f7,3b,84,14,30,69,4a,6b,29,63,f1,64,f7,55,a4,0a,8e,bf,d5,55,a5,b7,29,62,19,\
"rkeysecu"=hex:39,cc,8a,da,7f,44,84,09,da,b7,e2,0c,b8,a9,a5,33
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(3664)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2011-06-17 20:55:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-17 10:55
ComboFix2.txt 2011-06-16 21:45
.
Pre-Run: 424,908,062,720 bytes free
Post-Run: 424,827,142,144 bytes free
.
- - End Of File - - 0FB0D68DD9FED81C86C2B636330AA314
 
Do you know what this is? c:\windows\system32\ealregsnapshot1.reg If you do not, do this:

Right click on the Taskbar> Explore> Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system files (Recommended)'> then click on My Computer> Windows> System32> look for ealregsnapshot1 and do RIGHT click> Properties. Does it give any info?

Please go back and rehide the files and folders when you have finished.

There is a program called RegSnap that's a 'try and buy' tool- I don't see it installed on your system. I took a look into the file and found a VirSCAN had already been done with no malware showing. But the stats for what you have and the stats on the VirSCAN do not match.

Has there been any change in your accessing the Task Manager?
 
1. No. I have no idea what this c:\windows\system32\ealregsnapshot1.reg is!?
2. I found the file after following your instructions and the info under Properties>General tab is exactly that. It has a file size and date created etc., and also a 'Summary' tab which is empty? How would I go about sending you the info on these tabs, short of typing it out of course?
3. I've never heard of RegSnap!
4. Yes, I can access Task Manager now and also all files in My Documents and some other places are fully restored and IE8 is working correctly (no redirecting). Some components of programs are still missing however! For example, the CCC programme (Catalyst Control Centre) for my NTI card is now showing in Start>All Programs>Catalyst Control Centre but when I mouse over it the pop-up window is empty? There are many others like this also.
5. Avira seems to be functioning correctly and has been detecting threats and asking me what to do, remove, ignore etc. I have been simply closing the pop-up for now as I wasn't sure? Is this correct or should I be removing anything that it finds?
6. I'm currently 1/2 way through the online scan and will post results immediately when done! Thanks.
 
Hi. I just completed the online scan. No threats found!?
Avira threats found was Object A0044314.sys. What should I do with this? Quarantine it?
 
For the moment, you can ignore Avira. The Eset scan was clean. The system AV will show entries no matter where they are, and where they are is what determines if they are active in the system. For instance, entries in the Qoobox, System Volume or Recycler have already been handled and are no longer active.

I am reasonably certain that the location for Object A0044314.sys is System Volume. I will have you drop all the old restore points when we finish and set a new clean one.

Regarding this:
4. Yes, I can access Task Manager now and also all files in My Documents and some other places are fully restored and IE8 is working correctly (no redirecting). Some components of programs are still missing however! For example, the CCC programme (Catalyst Control Centre) for my NTI card is now showing in Start>All Programs>Catalyst Control Centre but when I mouse over it the pop-up window is empty? There are many others like this also.

Can you clarify this for me? When you go to All Programs, have you tried actually opening the program, with the left click? If there is a > to the right of the program do you mean this is empty? Are the programs actually missing?
 
Yes, I have tried opening the programme to no avail.
Yes, there is a > to the right... this actually says the word (Empty).
I have checked in (C:)>Programme Files> The programme doesn't appear to be there!
 
Run this and see if it 'restores' the programs:

Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.

Let me know- there is no log to leave.
 
Hi. I ran the programme and it hasn't seemed to have done anything? Some programmes that aren't in Start>All Programmes are in C:>Programme Files but others aren't?
 
Open Windows Explorer> Windows key + E> Click on C:\Documents and Settings> All Users> Start Menu> Programs> do you see the program here? Then click on your Doc & Settings below that- such as 'Adam's docs' if you have named them that- Start Menu Programs. If the programs were in the All Users but not on yours, most likely one of the other users listed has the original Start Menu.

Let me know about this please.
 
Yes, this programme (CCC) is in the Start Menu under All Users but not under Adam's...?
The CCC folder in All Users>Start Menu>Programmes is present but is empty! Some other examples of this are WinRAR, Microsoft Works, etc.
I should also point out that the pop-up window when you go Start>All Programmes has only about 3/4 of the programmes that used to be there!? Thanks.
 
I just ran the programme again with all antivirus etc. switched off and it still hasn't seemed to do anything? I'm happy to download/reinstall the missing programmes if we're unable to restore them! The main things that I was concerned about were personal items in My Documents and Pictures, which were restored/found after I ran ComboFix, and I have already backed these up. Is cleaning considered finished now or are there more steps? Thanks.
 
Try running the Unhide program again. If it does not work, do the following:

You should log on under the user Adam
Download Restore Accessories Program Files Menu with accrestore.zip for XP
  • Extract (unzip) the tool, double-click on it to run and ensure that the following check boxes are checked (as shown below): Note: I am going to vary the Destination below.>>> Check the box for Current User instead of All Users.
    restore-start-menu-accessories-folder.png
  • Then click on the Restore button.

Download Restore Admin Tools Program Files Menu with admintools.zip for XP
  • Extract (unzip) the tool, double-click on it to run and click on Restore Administrative Tools Items (as shown below):
    RestoreAdministrativeTools.png
  • Then click on the Restore button.

For any other missing program shortcuts you will probably need to reinstall the application or manually create new shortcuts.
Source: Directions and images courtesy SweerTech on bleepingcomputer.com
 
Tried all these steps, nothing? I typed ccc into the Start>Run utility and what do you know? The control centre opened and is fully usable but the programme doesn't seem to exist anywhere? I have also noticed, for example, that QuickTime is running and its icon is in the tray in the lower right corner of the screen and all its associated files are in C:>Programme Files>QuickTime, but if you go into the Start Menu it's Start>All Programmes>QuickTime>(empty)!?
I looked at your advice on dragging and dropping to recreate shortcuts but from what I can see that's not the problem that I'm having; it's that my programmes are still hidden... I think, lol.
If you have any other thoughts that would be great. Thanks again!
 
The programs are on the system- they wouldn't run if they weren't. You are just going to need to find them.

Please right click on Start> Choose Open All Users> This should display the Program folder. Open it and see if the programs are there.
 
Where are you opening the folder? All Programs? All Users?

Do a search for each of the programs. It has to be on the system because each one runs. See if you can find the location. You can also view hidden files and folders:
Right click on Start> Explore> Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system folders (Recommended)'> Click on Apply and confirm Yes> OK

Now search for the programs. When you find them do a right click> Properties> If Hidden is checked, uncheck it.
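The Unhide step earlier in the thread (clearing the +H attribute) and the manual "search, Properties, untick Hidden" steps just above can be checked and done in one pass from a script. The following is an added example, not part of this thread and not the Unhide tool's own code; it assumes Windows PowerShell 2.0 (available on XP SP3) and the XP Start Menu layout under %ALLUSERSPROFILE% and %USERPROFILE%. It only touches the two Start Menu trees, reports every entry that carries the Hidden attribute, lists shortcuts that exist for All Users but not for the current user (the CCC situation described above), and clears Hidden only when run with -Fix.

```powershell
# Added example (not from the thread): audit Start Menu trees for hidden entries
# and for shortcuts missing from the current user's menu; clear Hidden on request.
# Assumes Windows XP paths; on Vista and later the All Users menu is under %ProgramData%.
param([switch]$Fix)

$allUsers = Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs'   # C:\Documents and Settings\All Users\...
$thisUser = Join-Path $env:USERPROFILE     'Start Menu\Programs'   # C:\Documents and Settings\<user>\...
$hiddenBit = [int][IO.FileAttributes]::Hidden

function Get-MenuEntries([string]$root) {
    # -Force makes Get-ChildItem return items Explorer would hide (Hidden/System).
    if (-not (Test-Path $root)) { Write-Host "Not found: $root"; return @() }
    Get-ChildItem -Path $root -Recurse -Force
}

foreach ($root in @($allUsers, $thisUser)) {
    Write-Host "== Hidden entries under $root =="
    foreach ($item in Get-MenuEntries $root) {
        if (([int]$item.Attributes -band $hiddenBit) -ne 0) {
            "{0}  [{1}]" -f $item.FullName, $item.Attributes
            if ($Fix) {
                # Same effect as unticking 'Hidden' in Properties, but for every entry at once.
                $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenBit))
            }
        }
    }
}

# Shortcuts present for All Users but absent from the current user's menu.
# Relative paths are compared so "CCC\Catalyst Control Center.lnk" matches in both trees.
$auLinks = @{}
foreach ($lnk in (Get-MenuEntries $allUsers | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' })) {
    $auLinks[$lnk.FullName.Substring($allUsers.Length).ToLower()] = $lnk.FullName
}
foreach ($lnk in (Get-MenuEntries $thisUser | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' })) {
    $auLinks.Remove($lnk.FullName.Substring($thisUser.Length).ToLower())
}
Write-Host "== Shortcuts only in All Users (not in $env:USERNAME's menu) =="
$auLinks.Values | Sort-Object

# Program folders that Start > All Programs would show as (Empty): no shortcut inside.
Write-Host "== Empty program folders =="
foreach ($dir in (Get-MenuEntries $allUsers) + (Get-MenuEntries $thisUser) | Where-Object { $_.PSIsContainer }) {
    if (-not (Get-ChildItem -Path $dir.FullName -Recurse -Force | Where-Object { -not $_.PSIsContainer })) {
        $dir.FullName
    }
}
```

Run it first without -Fix to see what it reports; the Hidden attribute on a Start Menu shortcut is almost never legitimate, which is why the helper's Unhide step is safe to apply broadly, but an empty program folder or a shortcut missing from the current user's menu means the .lnk file itself is gone and has to be recreated or the program reinstalled, as the helper says further down.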
 
I was able to find some; the others I will just reinstall or download again. I don't mind doing that, it will be quicker and easier for me, I think, to do it like that! Besides these missing programmes, what else is there to do?
 
I was able to find some; the others I will just reinstall or download again

This brings up the following points:
1. You say the programs run- is that correct?
2. If yes, it means they are on the computer.
3. I had hoped that the search would show you where the program was located. For those you found, did you check the location of the file?
4. If you download and install the same program again, you will then have 2 of the programs. This will take up hard drive 'space' and depending on what type of program it is, it could be using system resources x2.
 