Old 04-27-2009, 02:12 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Disk Defragmenter and System Restore not working

After trying to remove Trojan Vundo using SuperAntiSpyware I was able to stop the pop-ups, but now Disk Defragmenter and System Restore are not working. Disk Defragmenter gives a "Disk Defragmenter could not start" error message. System Restore gives no error message but will not run.

In addition, upon initial computer boot-up: "Generic Host Process for Win32 Services has encountered a problem and needs to close."

Windows XP Support recommended having the system checked for malware by the Security Team. I followed your instructions for posting but was unable to attach the GMER Rootkit Scanner results because my computer crashed each time I clicked the Scan button.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 12:55:14.62 on Mon 04/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.186 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://search.live.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Page_URL = hxxp://www.msn.com
uWindow Title = Microsoft Internet Explorer presented by Comcast
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Live Search Club Toolbar: {719d74ab-1af9-43a1-8c62-d8750628d93e} - c:\program files\live search club toolbar\Toolbar.dll
TB: SearchPerks! Follow-On Study Assistant: {d1a1fd57-93fc-45fe-bc2a-b3a5d47d6674} - c:\program files\searchperks! follow-on study assistant\Bmbho.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [UpdReg] c:\winnt\UpdReg.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [Jet Detection] c:\program files\creative\sbaudigy\program\ADGJDet.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
mRun: [GWMDMMSG] GWMDMMSG.exe
mRun: [CapFax] c:\program files\phonetools\CapFax.EXE
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: <NO NAME> =
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: taxact.com\www
Trusted Zone: musicmatch.com\online
DPF: ConferenceRoom Java Client - hxxp://chat.privatefeeds.com:8000/java/cr.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - hxxp://moneycentral.msn.com/cabs/pmupdate2.exe
DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} - hxxp://fdl.msn.com/public/investor/v12/invinstl.exe
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} - hcp://system/XPLControl.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - SABShellExecuteHook Class

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2009-4-18 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-18 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-18 144704]
R3 Ausbflt;Ausbflt;c:\winnt\system32\drivers\ausbflt.sys [2002-11-6 6353]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-18 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winnt\system32\drivers\mfeavfk.sys [2009-4-18 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\winnt\system32\drivers\mfebopk.sys [2009-4-18 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winnt\system32\drivers\mfesmfk.sys [2009-4-18 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 mferkdk;McAfee Inc. mferkdk;c:\winnt\system32\drivers\mferkdk.sys [2009-4-18 33832]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\winnt\system32\drivers\sunkfilt6.sys --> c:\winnt\system32\drivers\sunkfilt6.sys [?]
S3 SunkFilt62;Alcor Micro Corp - 6362;c:\winnt\system32\drivers\sunkfilt62.sys [2004-7-23 46536]
S3 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys --> c:\winnt\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-04-27 08:47 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-04-27 08:47 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-04-27 08:47 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-27 08:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 08:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 07:53 <DIR> -cd-h--- c:\winnt\ie8
2009-04-27 06:42 1 a------- c:\winnt\system32\uniq.tll
2009-04-27 06:41 24,064 a------- c:\winnt\system32\loader266.exe
2009-04-26 23:27 138,752 a------- c:\winnt\system32\sndvol32.exe
2009-04-26 23:19 1,374 a------- c:\winnt\imsins.BAK
2009-04-26 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-26 19:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-26 19:22 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-04-24 11:42 19,840 a------- c:\winnt\system32\drivers\StMp3Rec.sys
2009-04-24 11:41 <DIR> --d----- c:\program files\Philips
2009-04-18 10:58 1,089,593 -------- c:\winnt\system32\dllcache\ntprint.cat
2009-04-18 09:33 <DIR> --d----- C:\13391a4a136c33ff0e640941
2009-04-18 09:25 <DIR> --d----- C:\f9ed84a7b823f780c312
2009-04-18 08:53 12,687 a------- c:\winnt\system32\Config.MPF
2009-04-18 08:53 143,360 a------- c:\winnt\system32\dunzip32.dll
2009-04-18 08:48 33,832 a------- c:\winnt\system32\drivers\mferkdk.sys
2009-04-18 08:48 40,488 a------- c:\winnt\system32\drivers\mfesmfk.sys
2009-04-18 08:48 201,320 a------- c:\winnt\system32\drivers\mfehidk.sys
2009-04-18 08:48 79,304 a------- c:\winnt\system32\drivers\mfeavfk.sys
2009-04-18 08:48 35,240 a------- c:\winnt\system32\drivers\mfebopk.sys
2009-04-18 08:48 113,952 a------- c:\winnt\system32\drivers\Mpfp.sys
2009-04-18 08:47 <DIR> --d----- c:\program files\McAfee.com
2009-04-18 08:46 <DIR> --d----- c:\program files\common files\McAfee
2009-04-18 08:45 <DIR> --d----- c:\program files\McAfee
2009-04-17 22:48 <DIR> --d----- C:\d48ec84e341e06bfb3a32ba1b5
2009-04-17 22:47 <DIR> --d----- C:\e1cce2abe00f0518f7c6
2009-04-17 22:34 <DIR> --d----- C:\8542ce3adfda1d786c2cacd04dae
2009-04-17 22:17 <DIR> --d----- C:\a254ace7e4a5b19558c18b
2009-04-17 22:16 <DIR> --d----- C:\87b7df41ef48cb7f3b9e954ce4468716
2009-04-16 08:37 284,160 -------- c:\winnt\system32\dllcache\pdh.dll
2009-04-16 08:37 401,408 -------- c:\winnt\system32\dllcache\rpcss.dll
2009-04-16 08:37 110,592 -------- c:\winnt\system32\dllcache\services.exe
2009-04-16 08:37 473,600 -------- c:\winnt\system32\dllcache\fastprox.dll
2009-04-16 08:37 227,840 -------- c:\winnt\system32\dllcache\wmiprvse.exe
2009-04-16 08:37 453,120 -------- c:\winnt\system32\dllcache\wmiprvsd.dll
2009-04-16 08:37 729,088 -------- c:\winnt\system32\dllcache\lsasrv.dll
2009-04-16 08:37 617,472 -------- c:\winnt\system32\dllcache\advapi32.dll
2009-04-16 08:37 714,752 -------- c:\winnt\system32\dllcache\ntdll.dll
2009-04-16 08:31 2,560 -------- c:\winnt\system32\xpsp4res.dll
2009-04-16 08:30 1,203,922 -------- c:\winnt\system32\dllcache\sysmain.sdb
2009-04-15 15:47 21,504 a------- c:\winnt\system32\hidserv.dll
2009-04-15 15:47 21,504 a------- c:\winnt\system32\dllcache\hidserv.dll
2009-04-15 15:11 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-04-15 15:10 <DIR> --d----- c:\program files\Rosetta Stone
2009-04-15 15:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-04-10 14:33 <DIR> --d----- c:\winnt\system32\Auralog
2009-04-09 14:16 <DIR> --d----- c:\program files\SearchPerks! Follow-On Study Assistant
2009-04-09 10:33 <DIR> --d----- c:\program files\Live Search Club Toolbar
2009-04-07 14:57 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache

==================== Find3M ====================

2009-04-27 12:43 0 a------- c:\winnt\system32\drivers\lvuvc.hs
2009-03-21 08:06 989,696 -------- c:\winnt\system32\dllcache\kernel32.dll
2009-03-08 14:09 638,816 a------- c:\winnt\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\winnt\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\winnt\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\winnt\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\winnt\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\winnt\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\winnt\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\winnt\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\winnt\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\winnt\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\winnt\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\winnt\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\winnt\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\winnt\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\winnt\system32\corpol.dll
2009-03-08 04:33 18,944 -------- c:\winnt\system32\dllcache\corpol.dll
2009-03-08 04:33 25,600 a------- c:\winnt\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\winnt\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\winnt\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\winnt\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\winnt\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\winnt\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\winnt\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\winnt\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\winnt\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\winnt\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\winnt\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\winnt\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\winnt\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\winnt\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\winnt\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\winnt\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\winnt\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\winnt\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\winnt\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\winnt\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\winnt\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\winnt\system32\dllcache\ieapfltr.dll
2009-03-06 08:22 284,160 a------- c:\winnt\system32\pdh.dll
2009-02-27 22:55 105,984 -------- c:\winnt\system32\dllcache\iecompat.dll
2009-02-09 06:10 729,088 a------- c:\winnt\system32\lsasrv.dll
2009-02-09 06:10 714,752 a------- c:\winnt\system32\ntdll.dll
2009-02-09 06:10 617,472 a------- c:\winnt\system32\advapi32.dll
2009-02-09 06:10 401,408 a------- c:\winnt\system32\rpcss.dll
2009-02-09 05:13 1,846,784 a------- c:\winnt\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\winnt\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\winnt\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\winnt\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:07 3,698,584 a------- c:\winnt\system32\dllcache\ieapfltr.dat
2009-02-06 05:11 110,592 a------- c:\winnt\system32\services.exe
2009-02-06 05:08 2,189,056 a------- c:\winnt\system32\ntoskrnl.exe
2009-02-06 05:08 2,189,056 -------- c:\winnt\system32\dllcache\ntoskrnl.exe
2009-02-06 05:06 2,145,280 -------- c:\winnt\system32\dllcache\ntkrnlmp.exe
2009-02-06 04:39 35,328 a------- c:\winnt\system32\sc.exe
2009-02-06 04:39 35,328 a------- c:\winnt\system32\dllcache\sc.exe
2009-02-06 04:32 2,023,936 -------- c:\winnt\system32\dllcache\ntkrpamp.exe
2009-02-03 13:59 56,832 a------- c:\winnt\system32\secur32.dll
2009-02-03 13:59 56,832 -------- c:\winnt\system32\dllcache\secur32.dll
2007-06-24 11:43 65,744 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2008-09-04 11:46 32,768 a--sh--- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 12:56:15.23 ===============
Attached Files
File Type: zip Attach.zip (4.8 KB, 2 views)
boiler55 is offline  

Old 04-29-2009, 06:16 AM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I need to see a gmer log in order to help you. Let's try this special version of gmer.

Download GMER Rootkit Scanner from here and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 04-29-2009, 08:56 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Repeated several times: GMER downloads and opens, I uncheck the boxes and start the scan, the scan starts, and after a few seconds the computer crashes. Is there anything else I can try?
boiler55 is offline  
Old 04-29-2009, 09:13 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

When I open gmer this is the file with the checked boxes on the right. Hope this might help.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-04-29 0922
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEDCC39AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEDCC3A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEDCC3958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEDCC396C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEDCC3A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEDCC3A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEDCC3AF4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEDCC3AD9]
Code 8306C850 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEDCC39EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEDCC3B1E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEDCC3A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEDCC3930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEDCC3944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEDCC39BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEDCC3B5A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEDCC3AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEDCC3AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEDCC3A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEDCC3B46]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEDCC3B32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEDCC3996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEDCC3982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEDCC3A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEDCC3A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEDCC3B08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEDCC3A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEDCC39D4]
Code 82F6E446 IofCallDriver
Code 82F6D446 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\drivers\ovfsthxjctowykt.sys (*** hidden *** ) [SYSTEM] ovfsthxdoymqwru <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
boiler55 is offline  
Old 04-29-2009, 10:02 AM   #5 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Hello boiler55.

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt fixes or run scanners on your own unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
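The helper's reading of the DDS and GMER logs above (restriction policies set by the infection, files dropped straight into system32, a hidden service) is done by eye. The script below is an added example, not part of this thread and not a component of DDS or GMER: it makes that first pass over log lines of the same format. The sample log is constructed from lines posted in this thread; the heuristics, severity labels and the expected-extension list are the example's own assumptions, and a "hidden" service still needs verification, since rootkit scanners produce false positives.

```python
"""Triage helper for DDS and GMER text logs of the kind posted in this thread.

Added example (not part of the thread, not a DDS/GMER component): it flags the
indicators a malware helper checks first. Heuristics, severities and the sample
log below are this example's own constructions.
"""
import re
from dataclasses import dataclass

# Restriction policies legitimate software almost never sets; infections set
# them to stop the user from killing processes or undoing registry persistence.
SUSPICIOUS_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

# Extensions normally seen for files sitting directly in system32 (assumed list).
EXPECTED_SYS32_EXT = {"dll", "exe", "sys", "cat", "sdb", "ini", "mpf"}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$|^----\s*(.+?)\s*-\s*GMER")
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(\w+)\s*=\s*(\d+)")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)")
# DDS "Created Last 30" entry: date time size attributes path (dirs show <DIR>)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+\S+\s+(.+)$")
SYS32_ROOT_RE = re.compile(r"^c:\\(?:winnt|windows)\\system32\\([^\\]+)$", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "medium": verify the file's publisher first
    kind: str
    detail: str


def check_created_file(size_text, path):
    """Flag a 'Created Last 30' file written directly into system32 (not a subdir)."""
    m = SYS32_ROOT_RE.match(path)
    if not m:
        return None
    name = m.group(1)
    size = int(size_text.replace(",", ""))
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in EXPECTED_SYS32_EXT:
        return Finding("medium", "system32-file", f"{name} ({size} bytes): unusual extension")
    if ext == "exe":
        return Finding("medium", "system32-file",
                       f"{name} ({size} bytes): executable written directly to system32")
    return None


def triage(lines):
    """Walk DDS/GMER log lines, tracking the section, and collect findings."""
    findings = []
    section = ""
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1) or m.group(2)).lower()
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) in SUSPICIOUS_POLICIES and m.group(2) != "0":
            findings.append(Finding("high", "policy", f"{m.group(1)} = {m.group(2)}"))
            continue
        m = HIDDEN_SVC_RE.match(line)  # GMER: service hidden from the service manager
        if m:
            findings.append(Finding("high", "hidden-service", m.group(1)))
            continue
        if section.startswith("created last"):
            m = CREATED_RE.match(line)
            if m:
                found = check_created_file(m.group(1), m.group(2))
                if found:
                    findings.append(found)
    return findings


def triage_text(text):
    return triage(text.splitlines())


# Constructed sample: a handful of lines taken from the DDS and GMER logs above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
=============== Created Last 30 ================
2009-04-27 08:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 06:42 1 a------- c:\winnt\system32\uniq.tll
2009-04-27 06:41 24,064 a------- c:\winnt\system32\loader266.exe
2009-04-18 10:58 1,089,593 -------- c:\winnt\system32\dllcache\ntprint.cat
2009-04-18 08:48 201,320 a------- c:\winnt\system32\drivers\mfehidk.sys
---- Services - GMER 1.0.15 ----
Service C:\WINNT\system32\drivers\ovfsthxjctowykt.sys (*** hidden *** ) [SYSTEM] ovfsthxdoymqwru <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```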
Old 04-29-2009, 12:30 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Problem: ComboFix downloaded, followed instructions, it starts, the blue screen comes on ("Please wait, ComboFix is preparing to run"), then the application shuts down. Repeated, same result. Help!
boiler55 is offline  
Old 04-29-2009, 12:48 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Try running ComboFix in Safe Mode.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode and press Enter.
  • Login on your usual account.
------------------------------------------------------

If ComboFix says it needs to reboot your computer, make sure it reboots into Safe Mode.

Let me know if you still have trouble.

------------------------------------------------------
Old 04-29-2009, 01:31 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

In Safe Mode I cannot access the Internet nor can I see the ComboFix icon on startup screen.
Old 04-29-2009, 01:37 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Is it possible to run ComboFix from a flash drive in Safe Mode?
Old 04-29-2009, 01:57 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Are you sure ComboFix.exe is still on the desktop? You should be able to see it in Safe Mode.

In Safe Mode, go Start > Run and type the following into the Run box and click OK:

"c:\documents and settings\owner\desktop\combofix.exe"

Be sure to include the quotation marks and spaces. Let me know if that didn't work.

------------------------------------------------------
Old 04-29-2009, 02:45 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Combofix text:

ComboFix 09-04-29.01 - Owner 04/29/2009 14:19.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.354 [GMT -6:00]
Running from: c:\documents and settings\owner\desktop\combofix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Owner\protect.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk
c:\winnt\Downloaded Program Files\Temp
c:\winnt\system32\__c00FE013.dat
c:\winnt\system32\ATHPRXY(2).DLL
c:\winnt\system32\ATHPRXY(3).DLL
c:\winnt\system32\autochk.dll
c:\winnt\system32\config\systemprofile\protect.dll
c:\winnt\system32\loader266.exe
c:\winnt\system32\loader49.exe
c:\winnt\system32\uniq.tll
c:\winnt\system32\winglsetup.exe
c:\winnt\Temp\2702729412.exe
c:\winnt\Temp\3247351504.exe
c:\winnt\Temp\3991414004.exe
C:\xcrashdump.dat

Infected copy of c:\winnt\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\winnt\$NtServicePackUninstall$\sfcfiles.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 19:53 . 2009-04-28 20:09 -------- d-----w C:\CHARLIE_WILSONS_WAR1
2009-04-28 19:29 . 2009-04-28 19:50 -------- d-----w C:\CHARLIE_WILSONS_WAR
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-27 14:47 . 2009-04-06 21:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-27 14:47 . 2009-04-06 21:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 13:53 . 2009-04-27 13:54 -------- dc-h--w c:\winnt\ie8
2009-04-27 05:45 . 2009-04-27 06:21 -------- d-----w c:\program files\RegCure
2009-04-27 05:27 . 2001-08-30 10:30 138752 ----a-w c:\winnt\system32\dllcache\sndvol32.exe
2009-04-27 05:07 . 2009-04-27 05:07 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-04-24 17:42 . 2008-01-14 22:58 19840 ----a-w c:\winnt\system32\drivers\StMp3Rec.sys
2009-04-24 17:41 . 2009-04-24 17:50 -------- d-----w c:\program files\Philips
2009-04-18 21:48 . 2009-04-18 21:48 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2009-04-18 15:33 . 2009-04-18 15:36 -------- d-----w C:\13391a4a136c33ff0e640941
2009-04-18 15:25 . 2009-04-18 15:27 -------- d-----w C:\f9ed84a7b823f780c312
2009-04-18 14:53 . 2006-03-03 14:07 143360 ----a-w c:\winnt\system32\dunzip32.dll
2009-04-18 14:48 . 2007-11-22 12:44 33832 ----a-w c:\winnt\system32\drivers\mferkdk.sys
2009-04-18 14:48 . 2007-12-02 18:51 40488 ----a-w c:\winnt\system32\drivers\mfesmfk.sys
2009-04-18 14:48 . 2007-11-22 12:44 35240 ----a-w c:\winnt\system32\drivers\mfebopk.sys
2009-04-18 14:48 . 2007-11-22 12:44 79304 ----a-w c:\winnt\system32\drivers\mfeavfk.sys
2009-04-18 14:48 . 2007-11-22 12:44 201320 ----a-w c:\winnt\system32\drivers\mfehidk.sys
2009-04-18 14:48 . 2007-07-13 12:20 113952 ----a-w c:\winnt\system32\drivers\Mpfp.sys
2009-04-18 14:47 . 2009-04-18 14:47 -------- d-----w c:\program files\McAfee.com
2009-04-18 14:46 . 2009-04-18 14:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 14:45 . 2009-04-18 16:49 -------- d-----w c:\program files\McAfee
2009-04-18 04:48 . 2009-04-18 04:55 -------- d-----w C:\d48ec84e341e06bfb3a32ba1b5
2009-04-18 04:47 . 2009-04-18 04:53 -------- d-----w C:\e1cce2abe00f0518f7c6
2009-04-18 04:34 . 2009-04-18 04:55 -------- d-----w C:\8542ce3adfda1d786c2cacd04dae
2009-04-18 04:17 . 2009-04-18 04:56 -------- d-----w C:\a254ace7e4a5b19558c18b
2009-04-18 04:16 . 2009-04-18 04:32 -------- d-----w C:\87b7df41ef48cb7f3b9e954ce4468716
2009-04-16 14:37 . 2009-03-06 14:22 284160 ------w c:\winnt\system32\dllcache\pdh.dll
2009-04-16 14:37 . 2009-02-09 12:10 401408 ------w c:\winnt\system32\dllcache\rpcss.dll
2009-04-16 14:37 . 2009-02-06 11:11 110592 ------w c:\winnt\system32\dllcache\services.exe
2009-04-16 14:37 . 2009-02-09 12:10 473600 ------w c:\winnt\system32\dllcache\fastprox.dll
2009-04-16 14:37 . 2009-02-06 10:10 227840 ------w c:\winnt\system32\dllcache\wmiprvse.exe
2009-04-16 14:37 . 2009-02-09 12:10 453120 ------w c:\winnt\system32\dllcache\wmiprvsd.dll
2009-04-16 14:37 . 2009-02-09 12:10 729088 ------w c:\winnt\system32\dllcache\lsasrv.dll
2009-04-16 14:37 . 2009-02-09 12:10 617472 ------w c:\winnt\system32\dllcache\advapi32.dll
2009-04-16 14:37 . 2009-02-09 12:10 714752 ------w c:\winnt\system32\dllcache\ntdll.dll
2009-04-16 14:31 . 2008-05-03 11:55 2560 ------w c:\winnt\system32\xpsp4res.dll
2009-04-15 21:47 . 2008-04-14 00:11 21504 ----a-w c:\winnt\system32\dllcache\hidserv.dll
2009-04-15 21:47 . 2008-04-14 00:11 21504 ----a-w c:\winnt\system32\hidserv.dll
2009-04-15 21:12 . 2009-04-15 21:32 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-15 21:11 . 2009-04-15 21:11 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-15 21:10 . 2009-04-27 02:32 -------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-04-15 21:10 . 2009-04-15 21:10 -------- d-----w c:\program files\Rosetta Stone
2009-04-10 20:33 . 2009-04-10 20:33 -------- d-----w c:\winnt\system32\Auralog
2009-04-09 20:16 . 2009-04-09 20:16 -------- d-----w c:\program files\SearchPerks! Follow-On Study Assistant
2009-04-09 16:34 . 2009-04-26 18:14 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Live Search Club Toolbar
2009-04-09 16:33 . 2009-04-09 16:33 -------- d-----w c:\program files\Live Search Club Toolbar
2009-04-07 20:57 . 2009-04-07 20:57 -------- d-sh--w c:\documents and settings\Owner\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 20:11 . 2003-03-26 23:19 24 ----a-w c:\winnt\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2009-04-29 20:11 . 2003-03-26 23:19 24 ----a-w c:\winnt\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2009-04-29 20:07 . 2006-08-19 02:04 0 ----a-w c:\winnt\system32\drivers\lvuvc.hs
2009-04-27 01:21 . 2006-01-08 13:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 17:50 . 2002-08-28 18:45 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 23:10 . 2008-08-03 23:11 -------- d-----w c:\program files\Linksys
2009-04-18 20:55 . 2002-09-14 21:45 66672 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-24 21:49 . 2008-09-03 19:23 664 ----a-w c:\winnt\system32\d3d9caps.dat
2009-03-15 21:35 . 2009-03-15 20:09 -------- d-----w c:\program files\LSFE7
2009-03-15 20:21 . 2008-09-25 22:23 -------- d-----w c:\program files\QuickTime
2009-03-13 17:56 . 2009-03-13 17:56 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-08 10:34 . 2004-02-07 00:05 914944 ----a-w c:\winnt\system32\wininet.dll
2009-03-08 10:34 . 2004-05-03 16:05 43008 ----a-w c:\winnt\system32\licmgr10.dll
2009-03-08 10:33 . 1980-01-01 05:00 18944 ----a-w c:\winnt\system32\corpol.dll
2009-03-08 10:33 . 2004-05-03 16:07 420352 ----a-w c:\winnt\system32\vbscript.dll
2009-03-08 10:32 . 1980-01-01 05:00 72704 ----a-w c:\winnt\system32\admparse.dll
2009-03-08 10:32 . 2004-05-03 16:04 71680 ----a-w c:\winnt\system32\iesetup.dll
2009-03-08 10:31 . 2004-05-03 16:04 34816 ----a-w c:\winnt\system32\imgutil.dll
2009-03-08 10:31 . 2004-05-03 16:05 48128 ----a-w c:\winnt\system32\mshtmler.dll
2009-03-08 10:31 . 1980-01-01 05:00 45568 ----a-w c:\winnt\system32\mshta.exe
2009-03-08 10:22 . 1980-01-01 05:00 156160 ----a-w c:\winnt\system32\msls31.dll
2009-03-06 14:22 . 2004-05-03 16:06 284160 ----a-w c:\winnt\system32\pdh.dll
2009-02-09 12:10 . 1980-01-01 05:00 729088 ----a-w c:\winnt\system32\lsasrv.dll
2009-02-09 12:10 . 2004-04-29 15:09 401408 ----a-w c:\winnt\system32\rpcss.dll
2009-02-09 12:10 . 1980-01-01 05:00 714752 ----a-w c:\winnt\system32\ntdll.dll
2009-02-09 12:10 . 1980-01-01 05:00 617472 ----a-w c:\winnt\system32\advapi32.dll
2009-02-09 11:13 . 1980-01-01 05:00 1846784 ----a-w c:\winnt\system32\win32k.sys
2009-02-08 01:02 . 2001-08-17 18:48 2066048 ----a-w c:\winnt\system32\ntkrnlpa.exe
2009-02-06 11:11 . 1980-01-01 05:00 110592 ----a-w c:\winnt\system32\services.exe
2009-02-06 11:08 . 1980-01-01 05:00 2189056 ----a-w c:\winnt\system32\ntoskrnl.exe
2009-02-06 10:39 . 1980-01-01 05:00 35328 ----a-w c:\winnt\system32\sc.exe
2009-02-03 19:59 . 2004-05-03 16:06 56832 ----a-w c:\winnt\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2005-10-12 1961984]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-18 180269]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 684032]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 505368]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 780312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2006-01-12 155648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"WINDVDPatch"="CTHELPER.EXE" - c:\winnt\system32\CTHELPER.EXE [2002-02-07 40960]
"WD Button Manager"="WDBtnMgr.exe" - c:\winnt\system32\WDBtnMgr.exe [2005-06-08 331776]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-05-07 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
R3 PCDRDRV;Pcdr Helper Driver; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 SunkFilt6;Alcor Micro Corp - 6360; [x]
R3 SunkFilt62;Alcor Micro Corp - 6362;c:\winnt\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
S3 Ausbflt;Ausbflt;c:\winnt\system32\Drivers\Ausbflt.sys [2001-12-08 6353]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC
*NewlyCreated* - SYMTDI
*Deregistered* - SYMTDI

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45ec505-a28b-11dc-abbe-0007e99c0ea8}]
\Shell\AutoRun\command - I:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-05-27 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-18 c:\winnt\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 19:32]

2009-04-18 c:\winnt\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 19:32]

2009-04-29 c:\winnt\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-27 c:\winnt\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-29 c:\winnt\Tasks\User_Feed_Synchronization-{E1F06C30-DA81-42FB-91AA-A562BACCF879}.job
- c:\winnt\system32\msfeedssync.exe [2006-10-17 10:31]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-autochk - c:\winnt\system32\autochk.dll
HKU-Default-Run-autochk - c:\winnt\system32\config\SYSTEM~1\protect.dll
HKU-Default-Run-A00F25E43.exe - c:\winnt\TEMP\_A00F25E43.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-__c00FE013 - c:\winnt\system32\__c00FE013.dat


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: taxact.com\www
Trusted Zone: musicmatch.com\online
DPF: ConferenceRoom Java Client - hxxp://chat.privatefeeds.com:8000/java/cr.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} - hcp://system/XPLControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 14:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\drivers\ovfsthxjctowykt.sys 81408 bytes executable
c:\winnt\system32\ovfsthxdabwerba.dll 18432 bytes executable
c:\winnt\system32\ovfsthxkiagrrpb.dat 43 bytes
c:\winnt\system32\ovfsthxsvxdwbpe.dll 18432 bytes executable
c:\winnt\system32\ovfsthxuldnefsp.dll 59904 bytes executable
c:\winnt\system32\ovfsthxyxgfthow.dat 177849 bytes

scan completed successfully
hidden files: 6

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(252)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\System32\ctmp3.acm

- - - - - - - > 'explorer.exe'(668)
c:\winnt\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\winnt\system32\OneX.DLL
c:\winnt\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-29 14:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 20:32

Pre-Run: 25,075,183,616 bytes free
Post-Run: 24,992,993,280 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
290 --- E O F --- 2009-04-27 06:48
Old 04-29-2009, 03:40 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

When you ran gmer and it produced a log, were you in Safe Mode?

Please run gmer again according to the instructions in post #2 above and post the log.

------------------------------------------------------
Old 04-29-2009, 03:55 PM   #13 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Never ran gmer in Safe Mode. The log I sent was the text shown when gmer opened, and each time I started a scan my computer crashed. Tried again - same computer crash.
Old 04-29-2009, 03:57 PM   #14 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Should I try running in Safe Mode?
Old 04-29-2009, 05:58 PM   #15 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Try this one instead:

Download RootRepeal.zip to your Desktop and extract the compressed file to its own folder.

Open the folder and double-click on RootRepeal.exe to run it.
  • Click on the 'Report' tab, and then click on 'Scan'.
  • A window opens asking what to include in the scan.
  • Check the following boxes then click 'OK':
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C:)
  • Click 'OK' once again.
  • The tool will begin scanning and may take a while to complete, so please be patient.
  • When the scan finishes, click on 'Save Report'.
  • Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Post the log in your next reply.
------------------------------------------------------
Old 04-29-2009, 06:48 PM   #16 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Root Report:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/29 18:21
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xEC226000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B7E000 Size: 8192 File Visible: No
Status: -

Name: ovfsthxjctowykt.sys
Image Path: C:\WINNT\system32\drivers\ovfsthxjctowykt.sys
Address: 0xECF97000 Size: 94208 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xF6EC6000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINNT\system32\ovfsthxdabwerba.dll
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\ovfsthxkiagrrpb.dat
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\ovfsthxsvxdwbpe.dll
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\ovfsthxuldnefsp.dll
Status: Invisible to the Windows API!

Path: C:\WINNT\system32\ovfsthxyxgfthow.dat
Status: Invisible to the Windows API!

Path: C:\WINNT\Temp\mcmsc_x3IPdVBtiWxf1mp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Owner\Recent
Status: Visible to the Windows API, but not on disk.

Path: C:\WINNT\system32\drivers\ovfsthxjctowykt.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\temp\~DF4F3F.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\temp\~DF579E.tmp
Status: Allocation size mismatch (API: 1048576, Raw: 16384)

Path: C:\Documents and Settings\Owner\Local Settings\temp\~DFB1D.tmp
Status: Allocation size mismatch (API: 98304, Raw: 16384)

Path: C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-27-2009( 8-59-51 ).SDB
Status: Allocation size mismatch (API: 4096, Raw: 488)

Path: C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-29-2009( 8-36-18 ).SDB
Status: Allocation size mismatch (API: 4096, Raw: 488)

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\bjacobs256@msn.com\SharingMetadata\aline.gossein@hotmail.com\DFSR\Staging\CS{9D50C1A0-37C0-4298-DAF9-2B77839791C8}\01\10-{9D50C1A0-37C0-4298-DAF9-2B77839791C8}-v1-{0907F5F3-8C9F-4C5A-84EE-2AC4D2D1E7D2}-v10-Downloaded.frx
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ovfsthxuldnefsp.dll]
Process: svchost.exe (PID: 748) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: ovfsthxdabwerba.dll]
Process: Explorer.EXE (PID: 376) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: ovfsthxsvxdwbpe.dll]
Process: IEXPLORE.EXE (PID: 3392) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ovfsthxsvxdwbpe.dll]
Process: IEXPLORE.EXE (PID: 3724) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: ovfsthxdoymqwru
Image Path: C:\WINNT\system32\drivers\ovfsthxjctowykt.sys
Old 04-29-2009, 07:35 PM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Hello again, boiler55.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Quote:
RegCure
We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

We suggest uninstalling them via Add or Remove Programs in your Control Panel.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/370977-disk-defragmenter-system-restore-not-working.html#post2109752

Collect::
C:\WINNT\system32\ovfsthxdabwerba.dll
C:\WINNT\system32\ovfsthxkiagrrpb.dat
C:\WINNT\system32\ovfsthxsvxdwbpe.dll
C:\WINNT\system32\ovfsthxuldnefsp.dll
C:\WINNT\system32\ovfsthxyxgfthow.dat
C:\WINNT\system32\drivers\ovfsthxjctowykt.sys

DDS::
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: internet

FixCSet::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Driver::
ovfsthxdoymqwru

KillAll::
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
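Turning the RootRepeal report from post #16 into the Collect:: and Driver:: sections of the CFScript above is the triage step the helper did by hand; as an added example that is not part of the thread or of either tool, the Python script below does the same over a constructed, abridged copy of that report, queuing only the API-invisible items and leaving locked files and allocation-size mismatches (normal on a live system) for review. The Registry:: and DDS:: lines in the helper's script came from the ComboFix log, not from RootRepeal, and are not generated here.

```python
"""Triage a RootRepeal report: pull out the items RootRepeal could not see
through the Windows API and draft the ComboFix CFScript sections (Collect::,
Driver::) that the helper in this thread wrote by hand.  Added example, not
the thread's own or either tool's code; the report below is constructed."""
import re
from collections import OrderedDict

# Constructed sample: an abridged copy of the RootRepeal report in post #16.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2008
Scan Time: 2009/04/29 18:21

Drivers
-------------------
Name: ovfsthxjctowykt.sys
Image Path: C:\WINNT\system32\drivers\ovfsthxjctowykt.sys
Address: 0xECF97000 Size: 94208 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINNT\system32\ovfsthxdabwerba.dll
Status: Invisible to the Windows API!

Path: C:\WINNT\Temp\mcmsc_x3IPdVBtiWxf1mp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINNT\system32\drivers\ovfsthxjctowykt.sys
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: ovfsthxdoymqwru
Image Path: C:\WINNT\system32\drivers\ovfsthxjctowykt.sys
"""

RULE = re.compile(r"-{5,}")
# RootRepeal's wording for "on disk, but the Windows API denies it": the
# cross-view discrepancy that marks a kernel-level hide.  Locked files and
# allocation-size mismatches occur on a clean live system and are not hides.
HIDDEN_STATUS = {"Invisible to the Windows API!", "Hidden from Windows API!"}

def parse_report(text):
    """Return {section title: [record, ...]}: a section is a title line over a
    dashed rule, a record a blank-line separated group of 'Key: value' lines."""
    sections, current, record = OrderedDict(), None, {}
    lines = text.splitlines()

    def flush():
        nonlocal record
        if current is not None and record:
            sections[current].append(record)
        record = {}

    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and RULE.fullmatch(nxt):
            flush()
            current = line.strip()
            sections[current] = []
        elif current is None or RULE.fullmatch(line.strip()):
            continue  # banner before the first section, or the rule itself
        elif not line.strip():
            flush()
        else:
            key, _, value = line.partition(":")  # split at the first colon only
            record[key.strip()] = value.strip()
    flush()
    return sections

def hidden_items(sections):
    """Return (API-invisible files, hidden services, other oddities).  Only the
    first group is queued for Collect::; the rest is left for the analyst."""
    files, other = [], []
    for rec in sections.get("Hidden/Locked Files", []):
        if rec.get("Status") in HIDDEN_STATUS:
            files.append(rec["Path"])
        else:
            other.append((rec["Path"], rec.get("Status", "")))
    seen = {f.lower() for f in files}
    for rec in sections.get("Drivers", []):  # hidden driver not already listed
        if rec.get("Status") in HIDDEN_STATUS and rec["Image Path"].lower() not in seen:
            files.append(rec["Image Path"])
    services = [rec["Service Name"] for rec in sections.get("Hidden Services", [])]
    return files, services, other

def build_cfscript(files, services):
    """Render the sections the helper used: Collect:: zips the files for
    analysis, Driver:: names the hidden service, KillAll:: closes the script."""
    body = ["Collect::", *files, "", "Driver::", *services, "", "KillAll::"]
    return "\n".join(body) + "\n"

if __name__ == "__main__":
    files, services, other = hidden_items(parse_report(SAMPLE_REPORT))
    print(build_cfscript(files, services))
    print("# left for review:", other)
```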
Old 04-29-2009, 08:59 PM   #18 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Found QooBox file but didn't understand the instruction to use the 'browse' button to submit. Please let me know how I can submit.

ComboFix Log:

ComboFix 09-04-29.03 - Owner 04/29/2009 20:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.191 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

file zipped: c:\winnt\system32\drivers\ovfsthxjctowykt.sys
file zipped: c:\winnt\system32\ovfsthxdabwerba.dll
file zipped: c:\winnt\system32\ovfsthxkiagrrpb.dat
file zipped: c:\winnt\system32\ovfsthxsvxdwbpe.dll
file zipped: c:\winnt\system32\ovfsthxuldnefsp.dll
file zipped: c:\winnt\system32\ovfsthxyxgfthow.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Owner\protect.dll
c:\winnt\system32\autochk.dll
c:\winnt\system32\config\systemprofile\protect.dll
c:\winnt\system32\drivers\ovfsthxjctowykt.sys
c:\winnt\system32\ovfsthxdabwerba.dll
c:\winnt\system32\ovfsthxkiagrrpb.dat
c:\winnt\system32\ovfsthxsvxdwbpe.dll
c:\winnt\system32\ovfsthxuldnefsp.dll
c:\winnt\system32\ovfsthxyxgfthow.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 00:14 . 2009-04-30 02:11 27648 ----a-w c:\winnt\system32\lmppcsetup.exe
2009-04-28 19:53 . 2009-04-28 20:09 -------- d-----w C:\CHARLIE_WILSONS_WAR1
2009-04-28 19:29 . 2009-04-28 19:50 -------- d-----w C:\CHARLIE_WILSONS_WAR
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-27 14:47 . 2009-04-06 21:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-27 14:47 . 2009-04-06 21:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 13:53 . 2009-04-27 13:54 -------- dc-h--w c:\winnt\ie8
2009-04-27 05:45 . 2009-04-27 06:21 -------- d-----w c:\program files\RegCure
2009-04-27 05:27 . 2001-08-30 10:30 138752 ----a-w c:\winnt\system32\dllcache\sndvol32.exe
2009-04-27 05:07 . 2009-04-27 05:07 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-04-24 17:42 . 2008-01-14 22:58 19840 ----a-w c:\winnt\system32\drivers\StMp3Rec.sys
2009-04-24 17:41 . 2009-04-24 17:50 -------- d-----w c:\program files\Philips
2009-04-18 23:14 . 2009-04-18 23:14 150624 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-18 21:48 . 2009-04-18 21:48 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2009-04-18 15:33 . 2009-04-18 15:36 -------- d-----w C:\13391a4a136c33ff0e640941
2009-04-18 15:25 . 2009-04-18 15:27 -------- d-----w C:\f9ed84a7b823f780c312
2009-04-18 14:53 . 2006-03-03 14:07 143360 ----a-w c:\winnt\system32\dunzip32.dll
2009-04-18 14:48 . 2007-11-22 12:44 33832 ----a-w c:\winnt\system32\drivers\mferkdk.sys
2009-04-18 14:48 . 2007-12-02 18:51 40488 ----a-w c:\winnt\system32\drivers\mfesmfk.sys
2009-04-18 14:48 . 2007-11-22 12:44 35240 ----a-w c:\winnt\system32\drivers\mfebopk.sys
2009-04-18 14:48 . 2007-11-22 12:44 79304 ----a-w c:\winnt\system32\drivers\mfeavfk.sys
2009-04-18 14:48 . 2007-11-22 12:44 201320 ----a-w c:\winnt\system32\drivers\mfehidk.sys
2009-04-18 14:48 . 2007-07-13 12:20 113952 ----a-w c:\winnt\system32\drivers\Mpfp.sys
2009-04-18 14:47 . 2009-04-18 14:47 -------- d-----w c:\program files\McAfee.com
2009-04-18 14:46 . 2009-04-18 14:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 14:45 . 2009-04-18 16:49 -------- d-----w c:\program files\McAfee
2009-04-18 04:48 . 2009-04-18 04:55 -------- d-----w C:\d48ec84e341e06bfb3a32ba1b5
2009-04-18 04:47 . 2009-04-18 04:53 -------- d-----w C:\e1cce2abe00f0518f7c6
2009-04-18 04:34 . 2009-04-18 04:55 -------- d-----w C:\8542ce3adfda1d786c2cacd04dae
2009-04-18 04:17 . 2009-04-18 04:56 -------- d-----w C:\a254ace7e4a5b19558c18b
2009-04-18 04:16 . 2009-04-18 04:32 -------- d-----w C:\87b7df41ef48cb7f3b9e954ce4468716
2009-04-16 14:37 . 2009-03-06 14:22 284160 ------w c:\winnt\system32\dllcache\pdh.dll
2009-04-16 14:37 . 2009-02-09 12:10 401408 ------w c:\winnt\system32\dllcache\rpcss.dll
2009-04-16 14:37 . 2009-02-06 11:11 110592 ------w c:\winnt\system32\dllcache\services.exe
2009-04-16 14:37 . 2009-02-09 12:10 473600 ------w c:\winnt\system32\dllcache\fastprox.dll
2009-04-16 14:37 . 2009-02-06 10:10 227840 ------w c:\winnt\system32\dllcache\wmiprvse.exe
2009-04-16 14:37 . 2009-02-09 12:10 453120 ------w c:\winnt\system32\dllcache\wmiprvsd.dll
2009-04-16 14:37 . 2009-02-09 12:10 729088 ------w c:\winnt\system32\dllcache\lsasrv.dll
2009-04-16 14:37 . 2009-02-09 12:10 617472 ------w c:\winnt\system32\dllcache\advapi32.dll
2009-04-16 14:37 . 2009-02-09 12:10 714752 ------w c:\winnt\system32\dllcache\ntdll.dll
2009-04-16 14:31 . 2008-05-03 11:55 2560 ------w c:\winnt\system32\xpsp4res.dll
2009-04-15 21:47 . 2008-04-14 00:11 21504 ----a-w c:\winnt\system32\dllcache\hidserv.dll
2009-04-15 21:47 . 2008-04-14 00:11 21504 ----a-w c:\winnt\system32\hidserv.dll
2009-04-15 21:12 . 2009-04-15 21:32 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-15 21:11 . 2009-04-15 21:11 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-15 21:10 . 2009-04-27 02:32 -------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-04-15 21:10 . 2009-04-15 21:10 -------- d-----w c:\program files\Rosetta Stone
2009-04-10 20:33 . 2009-04-10 20:33 -------- d-----w c:\winnt\system32\Auralog
2009-04-09 20:16 . 2009-04-09 20:16 -------- d-----w c:\program files\SearchPerks! Follow-On Study Assistant
2009-04-09 16:34 . 2009-04-26 18:14 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Live Search Club Toolbar
2009-04-09 16:33 . 2009-04-09 16:33 -------- d-----w c:\program files\Live Search Club Toolbar
2009-04-07 20:57 . 2009-04-07 20:57 -------- d-sh--w c:\documents and settings\Owner\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 02:33 . 2006-08-19 02:04 0 ----a-w c:\winnt\system32\drivers\lvuvc.hs
2009-04-30 02:32 . 2003-03-26 23:19 24 ----a-w c:\winnt\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2009-04-30 02:32 . 2003-03-26 23:19 24 ----a-w c:\winnt\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2009-04-27 01:21 . 2006-01-08 13:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 17:50 . 2002-08-28 18:45 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 23:10 . 2008-08-03 23:11 -------- d-----w c:\program files\Linksys
2009-04-18 20:55 . 2002-09-14 21:45 66672 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-24 21:49 . 2008-09-03 19:23 664 ----a-w c:\winnt\system32\d3d9caps.dat
2009-03-15 21:35 . 2009-03-15 20:09 -------- d-----w c:\program files\LSFE7
2009-03-15 20:21 . 2008-09-25 22:23 -------- d-----w c:\program files\QuickTime
2009-03-13 17:56 . 2009-03-13 17:56 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-08 10:34 . 2004-02-07 00:05 914944 ----a-w c:\winnt\system32\wininet.dll
2009-03-08 10:34 . 2004-05-03 16:05 43008 ----a-w c:\winnt\system32\licmgr10.dll
2009-03-08 10:33 . 1980-01-01 05:00 18944 ----a-w c:\winnt\system32\corpol.dll
2009-03-08 10:33 . 2004-05-03 16:07 420352 ----a-w c:\winnt\system32\vbscript.dll
2009-03-08 10:32 . 1980-01-01 05:00 72704 ----a-w c:\winnt\system32\admparse.dll
2009-03-08 10:32 . 2004-05-03 16:04 71680 ----a-w c:\winnt\system32\iesetup.dll
2009-03-08 10:31 . 2004-05-03 16:04 34816 ----a-w c:\winnt\system32\imgutil.dll
2009-03-08 10:31 . 2004-05-03 16:05 48128 ----a-w c:\winnt\system32\mshtmler.dll
2009-03-08 10:31 . 1980-01-01 05:00 45568 ----a-w c:\winnt\system32\mshta.exe
2009-03-08 10:22 . 1980-01-01 05:00 156160 ----a-w c:\winnt\system32\msls31.dll
2009-03-06 14:22 . 2004-05-03 16:06 284160 ----a-w c:\winnt\system32\pdh.dll
2009-02-09 12:10 . 1980-01-01 05:00 729088 ----a-w c:\winnt\system32\lsasrv.dll
2009-02-09 12:10 . 2004-04-29 15:09 401408 ----a-w c:\winnt\system32\rpcss.dll
2009-02-09 12:10 . 1980-01-01 05:00 714752 ----a-w c:\winnt\system32\ntdll.dll
2009-02-09 12:10 . 1980-01-01 05:00 617472 ----a-w c:\winnt\system32\advapi32.dll
2009-02-09 11:13 . 1980-01-01 05:00 1846784 ----a-w c:\winnt\system32\win32k.sys
2009-02-08 01:02 . 2001-08-17 18:48 2066048 ----a-w c:\winnt\system32\ntkrnlpa.exe
2009-02-06 11:11 . 1980-01-01 05:00 110592 ----a-w c:\winnt\system32\services.exe
2009-02-06 11:08 . 1980-01-01 05:00 2189056 ----a-w c:\winnt\system32\ntoskrnl.exe
2009-02-06 10:39 . 1980-01-01 05:00 35328 ----a-w c:\winnt\system32\sc.exe
2009-02-03 19:59 . 2004-05-03 16:06 56832 ----a-w c:\winnt\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_20.26.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 02:34 . 2009-04-30 02:34 16384 c:\winnt\Temp\Perflib_Perfdata_628.dat
- 2001-10-09 17:54 . 2009-04-29 20:25 49152 c:\winnt\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-10-09 17:54 . 2009-04-30 01:56 49152 c:\winnt\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-10-09 17:54 . 2009-04-30 01:56 32768 c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2001-10-09 17:54 . 2009-04-29 20:25 32768 c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2001-10-09 17:54 . 2009-04-30 01:56 32768 c:\winnt\system32\config\systemprofile\Cookies\index.dat
- 2001-10-09 17:54 . 2009-04-29 20:25 32768 c:\winnt\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2005-10-12 1961984]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-18 180269]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 684032]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 505368]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 780312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2006-01-12 155648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"autochk"="c:\winnt\system32\autochk.dll" [BU]
"WINDVDPatch"="CTHELPER.EXE" - c:\winnt\system32\CTHELPER.EXE [2002-02-07 40960]
"WD Button Manager"="WDBtnMgr.exe" - c:\winnt\system32\WDBtnMgr.exe [2005-06-08 331776]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-05-07 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\LOCALS~1\protect.dll" [BU]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-29 24064]
ChkDisk.lnk - c:\winnt\system32\rundll32.exe [1979-12-31 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 PCDRDRV;Pcdr Helper Driver; [x]
R3 SunkFilt6;Alcor Micro Corp - 6360; [x]
R3 SunkFilt62;Alcor Micro Corp - 6362;c:\winnt\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S3 Ausbflt;Ausbflt;c:\winnt\system32\Drivers\Ausbflt.sys [2001-12-08 6353]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC
*NewlyCreated* - SYMTDI
*Deregistered* - SYMTDI

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45ec505-a28b-11dc-abbe-0007e99c0ea8}]
\Shell\AutoRun\command - I:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-05-27 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-18 c:\winnt\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 19:32]

2009-04-18 c:\winnt\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 19:32]

2009-04-30 c:\winnt\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-27 c:\winnt\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-30 c:\winnt\Tasks\User_Feed_Synchronization-{E1F06C30-DA81-42FB-91AA-A562BACCF879}.job
- c:\winnt\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer presented by Comcast
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: mcafee.com
Trusted Zone: taxact.com\www
Trusted Zone: musicmatch.com\online
DPF: ConferenceRoom Java Client - hxxp://chat.privatefeeds.com:8000/java/cr.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} - hcp://system/XPLControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 20:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3608)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\OneX.DLL
c:\winnt\system32\eappprxy.dll
c:\winnt\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\winnt\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\winnt\system32\NMSSvc.Exe
c:\winnt\system32\nvsvc32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\winnt\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\program files\MusicMatch\MusicMatch Jukebox\mim.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-30 20:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 02:41
ComboFix2.txt 2009-04-29 20:32

Pre-Run: 24,389,324,800 bytes free
Post-Run: 24,381,054,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

312 --- E O F --- 2009-04-27 06:48
boiler55 is offline  
Old 04-30-2009, 06:00 AM   #19 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,545
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Hello again, boiler55.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

There should be a file named [4]-Submit_date@time.zip with yesterday's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Please go to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Using the 'Browse' button, navigate to C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Left-click the [4]-Submit_date@time.zip file and click 'Open' then 'Send File'.

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
File::
c:\winnt\system32\drivers\lvuvc.hs
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-

SkipFix::

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Last edited by chemist; 04-30-2009 at 06:08 AM.
chemist is offline  
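An added example, not part of this thread and not a ComboFix feature: the reasoning behind chemist's CFScript above (remove the two "autochk" Run values and the ChkDisk.* items in the Startup folder) written out as a small Python triage script over the "Reg Loading Points" section of boiler55's log. The sample text is copied from the log posted above; the four heuristics (a Run value that names a .dll, an autostart under HKEY_USERS\.DEFAULT, a file lying directly in a profile root, and a bare DLL or rundll32.exe shortcut in a Startup folder), the function names and the build_cfscript helper are this example's own assumptions. ComboFix's trailing annotations such as [X] and [BU] are carried through unchanged, since the thread does not define them.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix. The sample below
is copied from the log posted above; the heuristics and the CFScript builder
are this example's own assumptions, not ComboFix features.
"""
import re
from dataclasses import dataclass

# Constructed sample: excerpts of the Reg Loading Points section posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"autochk"="c:\winnt\system32\autochk.dll" [BU]
"WINDVDPatch"="CTHELPER.EXE" - c:\winnt\system32\CTHELPER.EXE [2002-02-07 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\LOCALS~1\protect.dll" [BU]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-29 24064]
ChkDisk.lnk - c:\winnt\system32\rundll32.exe [1979-12-31 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"="value" [stamp]   or   "name"="value" - resolved\path [stamp]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))?\s*(?P<stamp>\[[^\]]*\])?$')
FOLDER_RE = re.compile(r"^[a-z]:\\.*\\$", re.IGNORECASE)
# Name [stamp]   or   Name.lnk - target [stamp]
ITEM_RE = re.compile(r"^(?P<name>.+?)(?: - (?P<target>.+?))?\s*(?P<stamp>\[[^\]]*\])$")
# A file lying directly in a profile root, e.g. c:\docume~1\LOCALS~1\protect.dll
PROFILE_ROOT_RE = re.compile(r"(?:docume~1|documents and settings)\\[^\\]+\\[^\\]+$")


@dataclass
class Entry:
    kind: str      # "run" (registry Run value) or "startup" (Startup folder item)
    location: str  # registry key, or folder path ending in a backslash
    name: str      # value name or file name
    target: str    # path that gets executed, as far as the log shows it
    stamp: str     # ComboFix's trailing annotation, e.g. "[2008-04-14 15360]" or "[X]"


def parse_loading_points(text):
    """Walk the log line by line, tracking the current registry key or Startup folder."""
    entries, key, folder = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            folder = None          # a blank line ends a Startup folder listing
            continue
        m = KEY_RE.match(line)
        if m:
            key, folder = m["key"], None
            continue
        if FOLDER_RE.match(line):
            folder, key = line, None
            continue
        if folder:
            m = ITEM_RE.match(line)
            if m:
                entries.append(Entry("startup", folder, m["name"], m["target"] or "", m["stamp"]))
        elif key:
            m = RUN_RE.match(line)
            if m:
                entries.append(Entry("run", key, m["name"], m["resolved"] or m["value"], m["stamp"] or ""))
    return entries


def suspicious_reasons(entry):
    """Heuristics assumed for this example; each string is one reason to look closer."""
    reasons, target = [], entry.target.lower()
    if entry.kind == "run":
        if target.endswith(".dll"):
            reasons.append("Run value names a DLL instead of an executable")
        if entry.location.upper().startswith("HKEY_USERS\\.DEFAULT\\"):
            reasons.append("autostart under HKEY_USERS\\.DEFAULT, rarely used by legitimate software")
        if PROFILE_ROOT_RE.search(target):
            reasons.append("file sits directly in a user-profile root")
    else:
        if entry.name.lower().endswith(".dll"):
            reasons.append("bare DLL placed in a Startup folder")
        if target.endswith("rundll32.exe"):
            reasons.append("Startup shortcut launches rundll32.exe")
    return reasons


def build_cfscript(entries):
    """Emit File:: and Registry:: directives for the flagged entries.

    Registry values are removed with the REGEDIT4 '"name"=-' syntax used in the thread.
    """
    files, regs = [], {}
    for e in entries:
        if not suspicious_reasons(e):
            continue
        if e.kind == "startup":
            files.append(e.location + e.name)
        else:
            regs.setdefault(e.location, []).append(e.name)
    lines = ["File::", *files, "", "Registry::"]
    for key, names in regs.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for e in found:
        where = e.location + e.name if e.kind == "startup" else f"{e.location}\\{e.name}"
        for why in suspicious_reasons(e):
            print(f"FLAG {where} {e.stamp}: {why}")
    print(build_cfscript(found))
```

Run against the sample, the script flags exactly the two "autochk" values and the two ChkDisk.* Startup items, and the CFScript it prints matches the one chemist posted apart from the lvuvc.hs line and the SkipFix:: directive, which come from analyst judgement the log alone does not encode. That is the point of the example: a helper's fix script is derivable from the autostart listing, but such scripts are written and reviewed by the analyst, not applied automatically.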
Old 04-30-2009, 06:55 AM   #20 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 20
OS: XP SP3


Re: Disk Defragmenter and System Restore not working

Successfully submitted last file.

ComboFix File:

ComboFix 09-04-29.07 - Owner 04/30/2009 6:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.179 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk
c:\winnt\system32\drivers\lvuvc.hs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk
c:\winnt\system32\drivers\lvuvc.hs
c:\winnt\system32\lmppcsetup.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-28 19:53 . 2009-04-28 20:09 -------- d-----w C:\CHARLIE_WILSONS_WAR1
2009-04-28 19:29 . 2009-04-28 19:50 -------- d-----w C:\CHARLIE_WILSONS_WAR
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-27 14:47 . 2009-04-06 21:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-27 14:47 . 2009-04-06 21:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 14:47 . 2009-04-27 14:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 13:53 . 2009-04-27 13:54 -------- dc-h--w c:\winnt\ie8
2009-04-27 05:27 . 2001-08-30 10:30 138752 ----a-w c:\winnt\system32\dllcache\sndvol32.exe
2009-04-27 05:07 . 2009-04-27 05:07 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 01:22 . 2009-04-27 01:22 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-04-24 17:42 . 2008-01-14 22:58 19840 ----a-w c:\winnt\system32\drivers\StMp3Rec.sys
2009-04-24 17:41 . 2009-04-24 17:50 -------- d-----w c:\program files\Philips
2009-04-18 23:14 . 2009-04-18 23:14 150624 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-18 21:48 . 2009-04-18 21:48 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2009-04-18 15:33 . 2009-04-18 15:36 -------- d-----w C:\13391a4a136c33ff0e640941
2009-04-18 15:25 . 2009-04-18 15:27 -------- d-----w C:\f9ed84a7b823f780c312
2009-04-18 14:53 . 2006-03-03 14:07 143360 ----a-w c:\winnt\system32\dunzip32.dll
2009-04-18 14:48 . 2007-11-22 12:44 33832 ----a-w c:\winnt\system32\drivers\mferkdk.sys
2009-04-18 14:48 . 2007-12-02 18:51 40488 ----a-w c:\winnt\system32\drivers\mfesmfk.sys
2009-04-18 14:48 . 2007-11-22 12:44 35240 ----a-w c:\winnt\system32\drivers\mfebopk.sys
2009-04-18 14:48 . 2007-11-22 12:44 79304 ----a-w c:\winnt\system32\drivers\mfeavfk.sys
2009-04-18 14:48 . 2007-11-22 12:44 201320 ----a-w c:\winnt\system32\drivers\mfehidk.sys
2009-04-18 14:48 . 2007-07-13 12:20 113952 ----a-w c:\winnt\system32\drivers\Mpfp.sys
2009-04-18 14:47 . 2009-04-18 14:47 -------- d-----w c:\program files\McAfee.com
2009-04-18 14:46 . 2009-04-18 14:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 14:45 . 2009-04-18 16:49 -------- d-----w c:\program files\McAfee
2009-04-18 04:48 . 2009-04-18 04:55 -------- d-----w C:\d48ec84e341e06bfb3a32ba1b5
2009-04-18 04:47 . 2009-04-18 04:53 -------- d-----w C:\e1cce2abe00f0518f7c6
2009-04-18 04:34 . 2009-04-18 04:55 -------- d-----w C:\8542ce3adfda1d786c2cacd04dae
2009-04-18 04:17 . 2009-04-18 04:56 -------- d-----w C:\a254ace7e4a5b19558c18b
2009-04-18 04:16 . 2009-04-18 04:32 -------- d-----w C:\87b7df41ef48cb7f3b9e954ce4468716
2009-04-16 14:37 . 2009-03-06 14:22 284160 ------w c:\winnt\system32\dllcache\pdh.dll
2009-04-16 14:37 . 2009-02-09 12:10 401408 ------w c:\winnt\system32\dllcache\rpcss.dll
2009-04-16 14:37 . 2009-02-06 11:11 110592 ------w c:\winnt\system32\dllcache\services.exe
2009-04-16 14:37 . 2009-02-09 12:10 473600 ------w c:\winnt\system32\dllcache\fastprox.dll
2009-04-16 14:37 . 2009-02-06 10:10 227840 ------w c:\winnt\system32\dllcache\wmiprvse.exe
2009-04-16 14:37 . 2009-02-09 12:10 453120 ------w c:\winnt\system32\dllcache\wmiprvsd.dll
2009-04-16 14:37 . 2009-02-09 12:10 729088 ------w c:\winnt\system32\dllcache\lsasrv.dll
2009-04-16 14:37 . 2009-02-09 12:10 617472 ------w c:\winnt\system32\dllcache\advapi32.dll
2009-04-16 14:37 . 2009-02-09 12:10 714752 ------w c:\winnt\system32\dllcache\ntdll.dll
2009-04-16 14:31 . 2008-05-03 11:55 2560 ------w c:\winnt\system32\xpsp4res.dll
2009-04-15 21:47 . 2008-04-14 00:11 21504 ----a-w c:\winnt\system32\dllcache\hidserv.dll
2009-04-15 21:47 . 2008-04-14 00:11 21504 ----a-w c:\winnt\system32\hidserv.dll
2009-04-15 21:12 . 2009-04-15 21:32 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-15 21:11 . 2009-04-15 21:11 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-15 21:10 . 2009-04-27 02:32 -------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-04-15 21:10 . 2009-04-15 21:10 -------- d-----w c:\program files\Rosetta Stone
2009-04-10 20:33 . 2009-04-10 20:33 -------- d-----w c:\winnt\system32\Auralog
2009-04-09 20:16 . 2009-04-09 20:16 -------- d-----w c:\program files\SearchPerks! Follow-On Study Assistant
2009-04-09 16:34 . 2009-04-26 18:14 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Live Search Club Toolbar
2009-04-09 16:33 . 2009-04-09 16:33 -------- d-----w c:\program files\Live Search Club Toolbar
2009-04-07 20:57 . 2009-04-07 20:57 -------- d-sh--w c:\documents and settings\Owner\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 03:27 . 2003-03-26 23:19 24 ----a-w c:\winnt\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2009-04-30 03:27 . 2003-03-26 23:19 24 ----a-w c:\winnt\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2009-04-27 01:21 . 2006-01-08 13:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 17:50 . 2002-08-28 18:45 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 23:10 . 2008-08-03 23:11 -------- d-----w c:\program files\Linksys
2009-04-18 20:55 . 2002-09-14 21:45 66672 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-24 21:49 . 2008-09-03 19:23 664 ----a-w c:\winnt\system32\d3d9caps.dat
2009-03-15 21:35 . 2009-03-15 20:09 -------- d-----w c:\program files\LSFE7
2009-03-15 20:21 . 2008-09-25 22:23 -------- d-----w c:\program files\QuickTime
2009-03-13 17:56 . 2009-03-13 17:56 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-08 10:34 . 2004-02-07 00:05 914944 ----a-w c:\winnt\system32\wininet.dll
2009-03-08 10:34 . 2004-05-03 16:05 43008 ----a-w c:\winnt\system32\licmgr10.dll
2009-03-08 10:33 . 1980-01-01 05:00 18944 ----a-w c:\winnt\system32\corpol.dll
2009-03-08 10:33 . 2004-05-03 16:07 420352 ----a-w c:\winnt\system32\vbscript.dll
2009-03-08 10:32 . 1980-01-01 05:00 72704 ----a-w c:\winnt\system32\admparse.dll
2009-03-08 10:32 . 2004-05-03 16:04 71680 ----a-w c:\winnt\system32\iesetup.dll
2009-03-08 10:31 . 2004-05-03 16:04 34816 ----a-w c:\winnt\system32\imgutil.dll
2009-03-08 10:31 . 2004-05-03 16:05 48128 ----a-w c:\winnt\system32\mshtmler.dll
2009-03-08 10:31 . 1980-01-01 05:00 45568 ----a-w c:\winnt\system32\mshta.exe
2009-03-08 10:22 . 1980-01-01 05:00 156160 ----a-w c:\winnt\system32\msls31.dll
2009-03-06 14:22 . 2004-05-03 16:06 284160 ----a-w c:\winnt\system32\pdh.dll
2009-02-09 12:10 . 1980-01-01 05:00 729088 ----a-w c:\winnt\system32\lsasrv.dll
2009-02-09 12:10 . 2004-04-29 15:09 401408 ----a-w c:\winnt\system32\rpcss.dll
2009-02-09 12:10 . 1980-01-01 05:00 714752 ----a-w c:\winnt\system32\ntdll.dll
2009-02-09 12:10 . 1980-01-01 05:00 617472 ----a-w c:\winnt\system32\advapi32.dll
2009-02-09 11:13 . 1980-01-01 05:00 1846784 ----a-w c:\winnt\system32\win32k.sys
2009-02-08 01:02 . 2001-08-17 18:48 2066048 ----a-w c:\winnt\system32\ntkrnlpa.exe
2009-02-06 11:11 . 1980-01-01 05:00 110592 ----a-w c:\winnt\system32\services.exe
2009-02-06 11:08 . 1980-01-01 05:00 2189056 ----a-w c:\winnt\system32\ntoskrnl.exe
2009-02-06 10:39 . 1980-01-01 05:00 35328 ----a-w c:\winnt\system32\sc.exe
2009-02-03 19:59 . 2004-05-03 16:06 56832 ----a-w c:\winnt\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_20.26.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 12:15 . 2009-04-30 12:15 16384 c:\winnt\Temp\Perflib_Perfdata_628.dat
+ 2009-04-30 12:20 . 2009-04-30 12:21 32768 c:\winnt\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-10-09 17:54 . 2009-04-30 12:21 32768 c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2001-10-09 17:54 . 2009-04-29 20:25 32768 c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2001-10-09 17:54 . 2009-04-30 12:21 32768 c:\winnt\system32\config\systemprofile\Cookies\index.dat
- 2001-10-09 17:54 . 2009-04-29 20:25 32768 c:\winnt\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2005-10-12 1961984]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-18 180269]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 139264]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 684032]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 505368]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 780312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2006-01-12 155648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"WINDVDPatch"="CTHELPER.EXE" - c:\winnt\system32\CTHELPER.EXE [2002-02-07 40960]
"WD Button Manager"="WDBtnMgr.exe" - c:\winnt\system32\WDBtnMgr.exe [2005-06-08 331776]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-05-07 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2005-5-17 462848]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 PCDRDRV;Pcdr Helper Driver; [x]
R3 SunkFilt6;Alcor Micro Corp - 6360; [x]
R3 SunkFilt62;Alcor Micro Corp - 6362;c:\winnt\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S3 Ausbflt;Ausbflt;c:\winnt\system32\Drivers\Ausbflt.sys [2001-12-08 6353]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC
*NewlyCreated* - SYMTDI
*Deregistered* - SYMTDI

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45ec505-a28b-11dc-abbe-0007e99c0ea8}]
\Shell\AutoRun\command - I:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-05-27 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-18 c:\winnt\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 19:32]

2009-04-18 c:\winnt\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 19:32]

2009-04-30 c:\winnt\Tasks\User_Feed_Synchronization-{E1F06C30-DA81-42FB-91AA-A562BACCF879}.job
- c:\winnt\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer presented by Comcast
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: mcafee.com
Trusted Zone: taxact.com\www
Trusted Zone: musicmatch.com\online
DPF: ConferenceRoom Java Client - hxxp://chat.privatefeeds.com:8000/java/cr.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} - hcp://system/XPLControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 06:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-30 6:51
ComboFix-quarantined-files.txt 2009-04-30 12:50
ComboFix2.txt 2009-04-30 02:41
ComboFix3.txt 2009-04-29 20:32

Pre-Run: 24,343,941,120 bytes free
Post-Run: 24,339,791,872 bytes free

250 --- E O F --- 2009-04-27 06:48