05-02-2009, 01:33 PM   #5
FreeFal311
Registered User
 
Join Date: Apr 2009
Posts: 9
OS: Windows XP


Re: Google Redirect, Probably a Rootkit Issue

Hi tetonbob-

Again, thank you for the help! ComboFix ran successfully, and my log is below.

ComboFix 09-05-02.4 - Matthew 05/02/2009 13:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.634 [GMT -5:00]
Running from: c:\documents and settings\Matthew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matthew\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msettings.ini
c:\windows\system32\drivers\ovfsthxhqntykdn.sys
c:\windows\system32\open.ico
c:\windows\system32\ovfsthxbkvubrow.dat
c:\windows\system32\ovfsthxmfkxvaao.dll
c:\windows\system32\ovfsthxnuvawfbb.dat
c:\windows\system32\ovfsthxpmybtklp.dll
c:\windows\system32\ovfsthxqorkcxer.dll
c:\windows\system32\tmp.reg
c:\windows\SYSTEM32\ybeeg.bak1

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sfcfiles.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxafhmoscc
-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-29 16:29 . 2004-08-04 07:56 33280 ----a-w c:\windows\system32\dllcache\rundll32.exe
2009-04-29 16:29 . 2004-08-04 07:56 33280 ----a-w c:\windows\system32\rundll32.exe
2009-04-29 16:23 . 2001-08-18 03:36 26624 ----a-w c:\windows\system32\dllcache\umaxu22.dll
2009-04-29 16:22 . 2001-08-18 03:36 57856 ----a-w c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-29 16:21 . 2001-08-17 17:12 32840 ----a-w c:\windows\system32\dllcache\ngrpci.sys
2009-04-29 16:20 . 2001-08-17 19:55 6144 ----a-w c:\windows\system32\dllcache\kbd101b.dll
2009-04-29 16:19 . 2001-08-18 03:36 43520 ----a-w c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-29 16:18 . 2001-08-17 18:57 248064 ----a-w c:\windows\system32\dllcache\cl546xm.sys
2009-04-29 16:17 . 2001-08-17 19:56 268160 ----a-w c:\windows\system32\dllcache\atidvai.dll
2009-04-28 16:36 . 2004-08-04 05:59 43136 ----a-w c:\windows\system32\dllcache\sbp2port.sys
2009-04-28 16:36 . 2004-08-04 05:59 43136 ----a-w c:\windows\system32\drivers\sbp2port.sys
2009-04-28 05:21 . 2009-04-28 05:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-28 04:29 . 2009-04-28 04:29 -------- d-----w c:\program files\Trend Micro
2009-04-28 03:36 . 2009-04-28 03:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-28 03:36 . 2009-04-29 13:57 -------- d-----w C:\SUPERAntiSpyware
2009-04-28 03:36 . 2009-04-28 03:36 -------- d-----w c:\documents and settings\Matthew\Application Data\SUPERAntiSpyware.com
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w c:\documents and settings\Matthew\Application Data\Malwarebytes
2009-04-28 01:27 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 01:27 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w C:\Malwarebytes' Anti-Malware
2009-04-27 02:46 . 2009-04-27 18:28 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-26 23:59 . 2009-04-26 23:59 -------- d-----w c:\windows\ERUNT
2009-04-26 23:53 . 2009-04-29 03:06 -------- d-----w C:\SDFix
2009-04-18 20:16 . 2009-04-29 12:54 -------- d--h--w C:\$AVG8.VAULT$
2009-04-18 18:09 . 2009-04-18 18:09 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-18 18:09 . 2009-04-18 18:09 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-18 18:09 . 2009-04-18 18:09 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-18 18:09 . 2009-04-28 11:35 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-18 18:08 . 2009-04-28 11:35 -------- d-----w C:\AVG8
2009-04-18 18:08 . 2009-04-27 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 18:44 . 2004-01-12 21:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 18:43 . 2004-09-09 03:49 288 ----a-w c:\windows\system32\DVCStateBkp-{00000002-00000000-00000003-00001102-00000004-10031102}.dat
2009-05-02 18:43 . 2004-09-09 03:49 288 ----a-w c:\windows\system32\DVCState-{00000002-00000000-00000003-00001102-00000004-10031102}.dat
2009-04-28 05:30 . 2004-01-12 21:06 -------- d-----w c:\program files\Java
2009-04-23 21:15 . 2008-12-23 05:18 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-03 23:18 . 2007-07-12 02:37 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-03 23:12 . 2007-07-12 02:38 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-28 03:28 . 2007-11-19 01:24 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-06 14:44 . 2002-08-29 11:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 16:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-07-26 04:31 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-08-29 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-08-29 11:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-08-29 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 1980-01-01 06:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-08-29 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 06:00 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2002-08-29 11:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-08-18 00:20 . 2007-08-17 23:32 246 ----a-w c:\program files\Common Files\lavu
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\quicktime\qttask.exe" [2008-11-04 413696]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-08 118784]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"MaxtorOneTouch"="c:\maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 45056]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2008-11-20 290088]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-09-15 126976]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"AVG8_TRAY"="c:\avg8\avgtray.exe" [2009-04-18 1932568]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-28 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-05-16 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2007-10-28 28672]
"AsioReg"="CTASIO.DLL" - c:\windows\SYSTEM32\CTASIO.DLL [2003-02-20 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\superantispyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-18 18:09 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\FileZilla\\filezilla.exe"=
"c:\\AIM\\aim.exe"=
"c:\\Battlefield 2\\BF2.exe"=
"c:\\Enemy Territory - QUAKE Wars Beta\\etqw.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Tribes\\Tribes.exe"=
"c:\\LimeWire\\LimeWire.exe"=
"c:\\Call of Duty 4\\iw3mp.exe"=
"c:\\iTunes\\iTunes.exe"=
"c:\\AVG8\\avgemc.exe"=
"c:\\AVG8\\avgupd.exe"=
"c:\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 qkpwczbr;Logical Disk Manager Monitor;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [2009-03-23 7408]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-18 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-18 108552]
S1 SASDIFSV;SASDIFSV;c:\superantispyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\avg8\avgemc.exe [2009-04-18 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\avg8\avgwdsvc.exe [2009-04-18 298264]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qkpwczbr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52fc83e4-3411-11de-ba24-000cf1a3d844}]
\Shell\AutoRun\command - F:\InstallSeagateManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\1avju18g.default\
FF - component: c:\avg8\Firefox\components\avgssff.dll
FF - component: c:\mozilla firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 13:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\superantispyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3684)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\nslsvice.exe
c:\windows\SYSTEM32\nsl.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Lotus\Notes\ntmulti.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\windows\SYSTEM32\PnkBstrB.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\avg8\avgrsx.exe
c:\avg8\avgnsx.exe
c:\avg8\avgcsrvx.exe