Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
bamajim
10.4K Posts
0
February 16th, 2010 06:00
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
rdeanl
16 Posts
0
February 16th, 2010 07:00
MBAM log as requested:
Malwarebytes' Anti-Malware 1.44
Database version: 3746
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/16/2010 8:53:23 AM
mbam-log-2010-02-16 (08-53-23).txt
Scan type: Quick Scan
Objects scanned: 127415
Time elapsed: 5 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
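The log above is the kind of report the first post asks for, and a helper reads the same fields from it every time: the MBAM and database versions, the scan type, the objects scanned, and the seven "Infected" counts followed by their detail sections. The following Python is an added illustration written for this thread, not MBAM's own code; it parses that 1.x log layout, totals the counts, and cross-checks each count against the detail section beneath it. The first sample is the log posted above; the second is a constructed log with one detection and a placeholder registry key, included only to show the cross-check on a non-zero count.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x scan log.

Hypothetical helper added for this thread; it is not MBAM's own code.
It reads the pasted log text, pulls out the header fields and the
per-category 'Infected' counts, and cross-checks each count against the
detail section that follows it, so a reviewer can tell at a glance whether
anything was found and whether the log is internally consistent.
"""
import re

HEADER_KEYS = ("Database version", "Scan type", "Objects scanned", "Time elapsed")
COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):\s*(?P<n>\d+)$")   # "Files Infected: 0"
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")              # "Files Infected:"
NO_ITEMS = "(No malicious items detected)"


def summarise_mbam_log(text):
    """Return header fields, per-category counts, detail items, total and a consistency flag."""
    info = {"version": None, "header": {}, "counts": {}, "details": {},
            "total": 0, "consistent": True}
    current = None  # detail section currently being read
    for raw in text.splitlines():
        ln = raw.strip()
        if ln.startswith("Malwarebytes' Anti-Malware "):
            info["version"] = ln.rsplit(" ", 1)[1]
            continue
        for key in HEADER_KEYS:
            if ln.startswith(key + ":"):
                info["header"][key] = ln.split(":", 1)[1].strip()
        m = COUNT_RE.match(ln)
        if m:  # summary count line
            info["counts"][m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(ln)
        if m:  # start of a detail section
            current = m["cat"]
            info["details"][current] = []
            continue
        if current and ln and ln != NO_ITEMS:
            info["details"][current].append(ln)
    info["total"] = sum(info["counts"].values())
    # Each category's count must equal the number of detail lines under it.
    for cat, n in info["counts"].items():
        if len(info["details"].get(cat, [])) != n:
            info["consistent"] = False
    return info


# Sample 1: the log posted in this thread.
THREAD_LOG = """\
Malwarebytes' Anti-Malware 1.44
Database version: 3746
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/16/2010 8:53:23 AM
mbam-log-2010-02-16 (08-53-23).txt
Scan type: Quick Scan
Objects scanned: 127415
Time elapsed: 5 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

# Sample 2: constructed log with one detection (placeholder key name and detection name).
CONSTRUCTED_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3746
Scan type: Quick Scan
Objects scanned: 100000
Time elapsed: 4 minute(s), 2 second(s)
Registry Keys Infected: 1
Files Infected: 0
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Example Constructed Key (Trojan.Constructed) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    for sample in (THREAD_LOG, CONSTRUCTED_LOG):
        s = summarise_mbam_log(sample)
        print(s["version"], s["header"], "total:", s["total"], "consistent:", s["consistent"])
```

For the thread's log this returns a total of 0 with every detail section empty, which is what the helper reads from the pasted report; a non-zero count whose section lists a different number of items would set `consistent` to False and is worth a second look before trusting the summary.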
Bugbatter
3 Apprentice
20.5K Posts
0
February 16th, 2010 08:00
Reference:
http://en.community.dell.com/forums/p/19320073/19649720.aspx#19649720
rdeanl
16 Posts
0
February 16th, 2010 08:00
Your reference above is to a "closed topic" due to inactivity (I was locked out of the community due to a password problem).
Are you instructing me to reply to that original topic?
Please advise
rdeanl
16 Posts
0
February 16th, 2010 09:00
Dear bamajim,
While locked out of the community I attempted to remove a few programs as directed by Bugbatter without success. When I attempted to remove "ActivClient for CAC - PKI On", "ActivIdentify Device Installer", and the older versions of Java in Start>Control Panel>Add Remove Programs I received a message saying "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."
I am NOT running Windows in safe mode!
Bugbatter
3 Apprentice
20.5K Posts
0
February 16th, 2010 09:00
You are welcome to continue with bamajim. That reference was for his information so he does not repeat the same steps.
bamajim
10.4K Posts
0
February 16th, 2010 14:00
The error could be related to the program ActivIdentity\ActivClient.
Which is probably why Bugbatter suggested you uninstall it.
If the uninstaller is corrupt we can work with that. But the program ActivClient for CAC - PKI On is used for communications with the DOD (Department of Defense) and its contractors. And the default homepage you have set doesn't appear to be DOD related. At this point I must ask: is this an employer's PC, a government PC, or a PC that you purchased from someplace that sells used PCs?
rdeanl
16 Posts
0
February 16th, 2010 15:00
None of the above is the case.
This is my PC which my wife uses to access US Navy info on occasion as a reservist.
I installed ActivClient for CAC - PKI On from a CD provided by the US Navy.
bamajim
10.4K Posts
0
February 18th, 2010 06:00
1. Go HERE and download File Lister.
Copy and paste the contents of that log in your reply.
rdeanl
16 Posts
0
February 25th, 2010 11:00
++++++++++++++++++++++++++++++++++
+ File Lister Version 1.1.2 +
+ +
+ By bamajim / SpywareHammer.com +
++++++++++++++++++++++++++++++++++
Report ran on --->>> 2/18/2010 9:14:06 AM
====== Running Processes ======
====== BHO's ======
BHO: (NO NAME) - -
====== HKLM\~\Run Keys ======
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
====== HKCU\~\Run Keys ======
====== DNS Info (List may be empty) ======
====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======
2/4/2010 12:51:05 PM 8099163 C:\cmdcons
2/4/2010 12:51:06 PM 860672 C:\cmdcons\SYSTEM32
12/29/2009 11:52:36 AM 827861 C:\EPSON
12/29/2009 12:25:09 PM 827861 C:\EPSON\epson10328
2/4/2010 12:44:04 PM 2846629 C:\Qoobox
2/6/2010 11:08:43 AM 11329 C:\Qoobox\BackEnv
2/4/2010 12:44:04 PM 1593322 C:\Qoobox\Quarantine
2/4/2010 12:52:45 PM 1580743 C:\Qoobox\Quarantine\C
2/4/2010 1:03:09 PM 20875 C:\Qoobox\Quarantine\C\Documents and Settings
2/4/2010 1:03:09 PM 9692 C:\Qoobox\Quarantine\C\Documents and Settings\Ronald Larm
2/4/2010 1:03:09 PM 9692 C:\Qoobox\Quarantine\C\Documents and Settings\Ronald Larm\Local Settings
2/4/2010 1:03:09 PM 9692 C:\Qoobox\Quarantine\C\Documents and Settings\Ronald Larm\Local Settings\Application Data
2/4/2010 1:03:09 PM 9692 C:\Qoobox\Quarantine\C\Documents and Settings\Ronald Larm\Local Settings\Application Data\{8BE48CF3-0877-4061-9F82-C4863323CB01}
2/4/2010 1:03:11 PM 8806 C:\Qoobox\Quarantine\C\Documents and Settings\Ronald Larm\Local Settings\Application Data\{8BE48CF3-0877-4061-9F82-C4863323CB01}\chrome
2/4/2010 1:03:11 PM 8806 C:\Qoobox\Quarantine\C\Documents and Settings\Ronald Larm\Local Settings\Application Data\{8BE48CF3-0877-4061-9F82-C4863323CB01}\chrome\content
2/4/2010 1:03:16 PM 11183 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm
2/4/2010 1:03:16 PM 9692 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Local Settings
2/4/2010 1:03:16 PM 9692 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Local Settings\Application Data
2/4/2010 1:03:16 PM 9692 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Local Settings\Application Data\{970C64C1-852F-4EB6-AB31-41ECDA94F0A0}
2/4/2010 1:03:18 PM 8806 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Local Settings\Application Data\{970C64C1-852F-4EB6-AB31-41ECDA94F0A0}\chrome
2/4/2010 1:03:18 PM 8806 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Local Settings\Application Data\{970C64C1-852F-4EB6-AB31-41ECDA94F0A0}\chrome\content
2/4/2010 1:03:22 PM 1491 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Start Menu
2/4/2010 1:03:22 PM 1491 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Start Menu\Programs
2/4/2010 1:03:23 PM 1491 C:\Qoobox\Quarantine\C\Documents and Settings\Sally Larm\Start Menu\Programs\Startup
2/4/2010 1:03:24 PM 1559868 C:\Qoobox\Quarantine\C\WINDOWS
2/4/2010 1:03:26 PM 1559130 C:\Qoobox\Quarantine\C\WINDOWS\system32
2/4/2010 12:44:04 PM 12273 C:\Qoobox\Quarantine\Registry_backups
2/6/2010 5:02:01 PM 45702 C:\RECYCLER
2/6/2010 5:02:01 PM 45702 C:\RECYCLER\S-1-5-21-188696319-2372527466-2573077138-1007
2/6/2010 11:28:43 AM 0 C:\RECYCLER\S-1-5-21-188696319-2372527466-2573077138-1007\Dc4
2/6/2010 11:28:31 AM 0 C:\RECYCLER\S-1-5-21-188696319-2372527466-2573077138-1007\Dc5
2/4/2010 12:51:12 PM 211 32 C:\Boot.bak
1/24/2010 4:27:33 PM 419 32 C:\CD3rdPartyWrapper.log
2/4/2010 12:51:07 PM 260272 32 C:\cmldr
2/6/2010 11:24:43 AM 17736 32 C:\ComboFix.txt
2/18/2010 9:14:06 AM 0 32 C:\Files.txt
2/4/2010 12:46:35 PM 72495805 C:\WINDOWS\ERDNT
2/4/2010 1:07:52 PM 23880944 C:\WINDOWS\ERDNT\cache
2/4/2010 12:46:35 PM 48614861 C:\WINDOWS\ERDNT\Hiv-backup
2/6/2010 11:08:38 AM 10493952 C:\WINDOWS\ERDNT\Hiv-backup\Users
2/6/2010 11:08:38 AM 237568 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001
2/6/2010 11:08:38 AM 8192 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002
2/6/2010 11:08:38 AM 233472 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003
2/6/2010 11:08:39 AM 8192 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004
2/6/2010 11:08:39 AM 4014080 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005
2/6/2010 11:08:39 AM 180224 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006
2/6/2010 11:08:39 AM 5812224 C:\WINDOWS\ERDNT\Hiv-backup\Users\00000007
12/29/2009 12:26:41 PM 30819 C:\WINDOWS\TWAIN
12/29/2009 12:26:41 PM 30819 C:\WINDOWS\TWAIN\CALIBRAT
2/7/2010 12:17:39 PM 0 32 C:\WINDOWS\0.log
1/7/2010 4:22:11 PM 120 32 C:\WINDOWS\Dlevofezip.dat
12/29/2009 12:50:31 PM 20 32 C:\WINDOWS\Epscan2.INI
2/4/2010 12:47:02 PM 80412 32 C:\WINDOWS\grep.exe
2/4/2010 12:47:02 PM 77312 32 C:\WINDOWS\MBR.exe
2/4/2010 12:47:02 PM 31232 32 C:\WINDOWS\NIRCMD.exe
2/4/2010 12:47:02 PM 261632 32 C:\WINDOWS\PEV.exe
2/4/2010 12:47:02 PM 98816 32 C:\WINDOWS\sed.exe
2/4/2010 12:47:02 PM 161792 32 C:\WINDOWS\SWREG.exe
2/4/2010 12:47:02 PM 136704 32 C:\WINDOWS\SWSC.exe
2/4/2010 12:47:02 PM 212480 32 C:\WINDOWS\SWXCACLS.exe
12/29/2009 11:52:43 AM 299520 32 C:\WINDOWS\uninst.exe
1/7/2010 4:22:11 PM 0 32 C:\WINDOWS\Wfazabefog.bin
2/4/2010 1:52:02 PM 205079 32 C:\WINDOWS\WindowsUpdate.log
2/4/2010 12:47:02 PM 68096 32 C:\WINDOWS\zip.exe
2/16/2010 8:55:35 AM 134315 C:\WINDOWS\system32\lowsec
12/29/2009 12:26:43 PM 54272 32 C:\WINDOWS\system32\epfb3cpl.dll
12/29/2009 12:26:42 PM 45056 32 C:\WINDOWS\system32\essiscsi.dll
12/29/2009 12:26:42 PM 36864 32 C:\WINDOWS\system32\icmrt20a.dll
1/14/2010 12:01:43 PM 1 32 C:\WINDOWS\system32\lfg.txt
1/14/2010 11:28:52 AM 7030 32 C:\WINDOWS\system32\qlwvvi
1/24/2010 4:45:45 PM 880640 32 C:\WINDOWS\system32\UniBox10.ocx
1/24/2010 4:45:45 PM 1101824 32 C:\WINDOWS\system32\UniBox210.ocx
1/24/2010 4:45:45 PM 212992 32 C:\WINDOWS\system32\UniBoxVB12.ocx
====== "\Administrator\Startup" Last 60 Days======
====== "\All Users\Startup" Last 60 Days======
====== "\Program Files" Last 60 Days======
2/16/2010 8:46:29 AM 4180240 C:\Program Files\Malwarebytes' Anti-Malware
1/24/2010 4:45:42 PM 19013423 C:\Program Files\Registry Mechanic
======"Drivers" Modified Last 60 Days======
2/16/2010 8:46:29 AM 19160 32 C:\WINDOWS\system32\drivers\mbam.sys
2/16/2010 8:46:30 AM 38224 32 C:\WINDOWS\system32\drivers\mbamswissarmy.sys
====== Files Deleted under "%Temp%" ======
25 Files deleted
======"All Users\Application Data" Last 60 Days======
====== HKLM\~\ShellServiceObjectDelayLoad======
====== HKLM\~\SharedTaskScheduler======
======HKLM\~\msconfig\startupreg======
HKLM\Software\microsoft\shared tools\msconfig\startupreg\
====== Services ( Services that are Whitelisted are not shown) ======
====== Uninstall List ======
======== Other Info ========
Boot Info
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
====== Files with Hidden Attributes======
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\NTDETECT.COM
==End of Report==
rdeanl
16 Posts
0
February 26th, 2010 06:00
ComboFix 10-02-05.04 - Ronald Larm 02/06/2010 11:10:23.3.2 - x86
Running from: c:\documents and settings\Ronald Larm\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
2010-02-04 21:09 . 2010-02-04 21:19 -------- d-----w- c:\documents and settings\Ronald Larm\.SunDownloadManager
2010-01-25 00:15 . 2010-01-25 00:15 -------- d-----w- c:\documents and settings\Ronald Larm\Application Data\Registry Mechanic
2010-01-24 23:45 . 2010-01-24 23:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-14 23:07 . 2010-01-14 23:07 52224 ----a-w- c:\documents and settings\Sally Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 04:07 . 2010-01-14 04:07 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-14 03:25 . 2010-01-14 03:25 52224 ----a-w- c:\documents and settings\Ronald Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-07 23:22 . 2010-01-14 03:21 0 ----a-w- c:\windows\Wfazabefog.bin
2010-01-07 23:22 . 2010-01-14 03:21 120 ----a-w- c:\windows\Dlevofezip.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 18:06 . 2007-01-16 19:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 19:33 . 2008-07-15 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-04 21:18 . 2006-10-09 15:29 -------- d-----w- c:\program files\Java
2010-02-03 18:43 . 2009-12-06 05:52 117760 ----a-w- c:\documents and settings\Ronald Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-03 18:42 . 2009-12-06 05:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-20 18:05 . 2009-12-08 15:43 117760 ----a-w- c:\documents and settings\Sally Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-14 18:28 . 2008-01-02 23:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-14 04:07 . 2009-12-06 05:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 03:21 . 2006-10-14 02:46 70832 ----a-w- c:\documents and settings\Ronald Larm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 23:07 . 2009-12-06 05:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-12-06 05:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-09 18:06 . 2008-12-03 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-06 05:39 . 2009-12-06 05:39 152576 ----a-w- c:\documents and settings\Ronald Larm\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-06 05:39 . 2009-12-06 05:38 79488 ----a-w- c:\documents and settings\Ronald Larm\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-05 19:29 . 2009-11-11 00:18 79488 ----a-w- c:\documents and settings\Sally Larm\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-02-19 17:53 . 2007-02-19 17:53 8 --sh--r- c:\windows\system32\7A9059B1B4.sys
2007-02-19 17:53 . 2007-02-19 17:53 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 22EDA6427EA7057F111158E89719D9DB . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-02-04_20.07.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-04 21:23 . 2010-02-04 21:23 16384 c:\windows\Temp\Perflib_Perfdata_774.dat
+ 2004-08-10 17:51 . 2010-02-04 21:29 80730 c:\windows\system32\perfc009.dat
- 2004-08-10 17:51 . 2010-02-04 19:45 80730 c:\windows\system32\perfc009.dat
+ 2006-10-13 18:54 . 2010-02-04 21:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-13 18:54 . 2010-02-04 19:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-08 16:40 . 2010-02-04 19:40 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-08 16:40 . 2010-02-04 21:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-10-13 18:54 . 2010-02-04 21:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-10-13 18:54 . 2010-02-04 19:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-10 17:51 . 2010-02-04 19:45 463768 c:\windows\system32\perfh009.dat
+ 2004-08-10 17:51 . 2010-02-04 21:29 463768 c:\windows\system32\perfh009.dat
- 2006-10-13 18:54 . 2010-02-04 19:40 376832 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-13 18:54 . 2010-02-04 21:23 376832 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-25 3176408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2006-09-29 275456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
c:\documents and settings\Ronald Larm\Start Menu\Programs\Startup\
Windows Explorer.lnk - c:\windows\explorer.exe [2004-8-10 1033728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2006-9-28 77312]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-9 24576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2006-09-29 00:28 189952 ----a-w- c:\windows\system32\ackpbsc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2006-09-29 00:28 262144 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-07-17 02:29 389120 ----a-w- c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 23:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 23:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 22:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-15 06:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-10-09 15:41 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-05-27 01:41 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-31 04:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys
R3 actccid;ActivCard USB Reader V2;c:\windows\system32\DRIVERS\actccid.sys [2007-05-03 63608]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akspcsc.sys [2007-05-03 10161]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys
R4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient\acachsrv.exe [2006-09-29 74240]
S2 acautoup;ActivClient Auto-Update Service;c:\program files\ActivIdentity\ActivClient\acautoup.exe [2006-09-29 26624]
S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2006-09-29 129536]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2009-11-25 583640]
S3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\DRIVERS\akbus.sys [2007-05-03 13619]
S3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akpcsc.sys [2007-05-03 9493]
S3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\DRIVERS\aksbus.sys [2007-05-03 13647]
.
Contents of the 'Scheduled Tasks' folder
2010-02-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 15:19]
2010-02-06 c:\windows\Tasks\User_Feed_Synchronization-{63C8FA9B-8FAA-44B4-B989-7B681C38701F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ontopmarketing.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA975} - hxxp://www.3dvista.com/downloads/viewer3dv2.cab
FF - ProfilePath - c:\documents and settings\Ronald Larm\Application Data\Mozilla\Firefox\Profiles\nrjfz4r1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ontopmarketing.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - c:\documents and settings\Ronald Larm\Desktop\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 11:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F4550C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7695f28
\Driver\ACPI -> ACPI.sys @ 0xf7528cb8
\Driver\atapi -> atapi.sys @ 0xf74e0852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf73d6bb0
PacketIndicateHandler -> NDIS.sys @ 0xf73c5a0d
SendHandler -> NDIS.sys @ 0xf73d9b40
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(4212)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-06 11:24:39
ComboFix-quarantined-files.txt 2010-02-06 18:24
ComboFix2.txt 2010-02-04 21:54
ComboFix3.txt 2010-02-04 20:11
Pre-Run: 14,048,743,424 bytes free
Post-Run: 14,033,244,160 bytes free
- - End Of File - - EFFD39F1C55D0B8AFBC491B53CAE2A31
bamajim
10.4K Posts
0
February 26th, 2010 06:00
I see that you have run Combofix.
Could you post the results of the C:\ComboFix.txt log?
bamajim
10.4K Posts
0
February 26th, 2010 08:00
You still have an infected system driver.
Rerun Combofix in Normal Windows mode and post the new Combofix log.
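bamajim's call here rests on the Sigcheck section of the ComboFix log posted above: the live c:\windows\system32\drivers\atapi.sys carries the `[-]` marker, shows no version information (`[------]`), and has an MD5 that differs from the same-size ServicePackFiles copy of the file, while the two older backup copies agree with each other. The Python below is an added illustration written for this thread, not part of ComboFix or any tool named here; it parses Sigcheck lines and applies exactly those three checks to every live copy that has backup copies to compare against. The four atapi.sys lines are taken from the log above; the two `example.sys` lines are constructed as a clean control with a placeholder hash.

```python
"""Triage a ComboFix 'Sigcheck' section for replaced system files.

Hypothetical helper added for this thread; not part of ComboFix. It parses
Sigcheck lines and reports live files under system32 whose hash or version
data does not agree with the backup copies Windows keeps (ServicePackFiles,
$NtServicePackUninstall$, ReinstallBackups).
"""
import re
from collections import defaultdict

# Sigcheck line layout as it appears in the log above:
#   [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Directories holding reference copies (matched against lower-cased paths).
BACKUP_DIRS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\", "\\reinstallbackups\\")


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines of other sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        e["is_backup"] = any(d in e["path"] for d in BACKUP_DIRS)
        entries.append(e)
    return entries


def find_suspect_files(text):
    """Flag live copies that the log marks [-], lack a version resource,
    or whose MD5 matches none of the backup copies of the same file name."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e["name"]].append(e)

    findings = []
    for name, group in by_name.items():
        backups = [e for e in group if e["is_backup"]]
        for live in (e for e in group if not e["is_backup"]):
            reasons = []
            if live["flag"] == "-":
                reasons.append("flagged [-] in the log")
            if set(live["version"]) <= {"-"}:  # "------" or empty: no version resource
                reasons.append("no version information")
            if backups and live["md5"] not in {b["md5"] for b in backups}:
                same_size = [b for b in backups if b["size"] == live["size"]]
                note = f" (same size as {same_size[0]['path']})" if same_size else ""
                reasons.append("MD5 matches no backup copy" + note)
            if reasons:
                findings.append({"path": live["path"], "md5": live["md5"], "reasons": reasons,
                                 "backups": [(b["path"], b["md5"]) for b in backups]})
    return findings


# First four lines: the Sigcheck section from the log above.
# Last two lines: constructed clean control with a placeholder (all-zero) hash.
SAMPLE = r"""
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 22EDA6427EA7057F111158E89719D9DB . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[7] 2008-04-13 . 00000000000000000000000000000000 . 4096 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\example.sys
[7] 2008-04-13 . 00000000000000000000000000000000 . 4096 . . [5.1.2600.5512] . . c:\windows\system32\drivers\example.sys
"""

if __name__ == "__main__":
    for f in find_suspect_files(SAMPLE):
        print(f["path"], f["md5"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample, only the live atapi.sys is reported, with all three reasons; the constructed example.sys matches its ServicePackFiles copy and is not listed. A live driver that fails all three checks at once is the pattern behind "you still have an infected system driver": the file on disk is not the one Service Pack 3 installed, and the backup copies give the reviewer the hash the replacement should be restored from.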
rdeanl
16 Posts
0
February 26th, 2010 15:00
ComboFix 10-02-26.01 - Ronald Larm 02/26/2010 16:39:02.4.2 - x86
Running from: C:\Documents and Settings\Ronald Larm\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\gotomon.log
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\sdra64.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.
2010-02-25 18:30:34 . 2010-02-25 18:30:34 -------- d-----w- C:\Documents and Settings\Ronald Larm\Application Data\DivX
2010-02-21 10:30:24 . 2010-02-21 10:30:24 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-02-16 15:54:41 . 2010-02-16 15:54:48 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
2010-02-16 15:46:30 . 2010-01-07 23:07:14 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-02-16 15:46:29 . 2010-02-16 15:46:33 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-16 15:46:29 . 2010-01-07 23:07:04 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-02-16 03:21:33 . 2010-02-16 03:21:33 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
2010-02-06 23:59:04 . 2010-02-06 23:59:04 -------- d-sh--w- C:\Documents and Settings\NetworkService\IETldCache
2010-02-04 21:09:25 . 2010-02-04 21:19:16 -------- d-----w- C:\Documents and Settings\Ronald Larm\.SunDownloadManager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
rdeanl
16 Posts
0
February 26th, 2010 16:00
Ooops! Another log was generated!
ComboFix 10-02-26.01 - Ronald Larm 02/26/2010 16:39:02.4.2 - x86
Running from: c:\documents and settings\Ronald Larm\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\gotomon.log
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.
2010-02-25 18:30 . 2010-02-25 18:30 -------- d-----w- c:\documents and settings\Ronald Larm\Application Data\DivX
2010-02-21 10:30 . 2010-02-21 10:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-02-16 15:54 . 2010-02-16 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-02-16 15:46 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 15:46 . 2010-02-16 15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 15:46 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-16 03:21 . 2010-02-16 03:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-02-06 23:59 . 2010-02-06 23:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-04 21:09 . 2010-02-04 21:19 -------- d-----w- c:\documents and settings\Ronald Larm\.SunDownloadManager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 23:51 . 2007-01-16 19:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-26 23:16 . 2008-07-15 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-21 10:30 . 2008-01-02 23:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 21:18 . 2006-10-09 15:29 -------- d-----w- c:\program files\Java
2010-02-03 18:43 . 2009-12-06 05:52 117760 ----a-w- c:\documents and settings\Ronald Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-03 18:42 . 2009-12-06 05:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-25 00:15 . 2010-01-25 00:15 -------- d-----w- c:\documents and settings\Ronald Larm\Application Data\Registry Mechanic
2010-01-24 23:45 . 2010-01-24 23:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-20 18:05 . 2009-12-08 15:43 117760 ----a-w- c:\documents and settings\Sally Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-14 23:07 . 2010-01-14 23:07 52224 ----a-w- c:\documents and settings\Sally Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 03:25 . 2010-01-14 03:25 52224 ----a-w- c:\documents and settings\Ronald Larm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 03:21 . 2006-10-14 02:46 70832 ----a-w- c:\documents and settings\Ronald Larm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-14 03:21 . 2010-01-07 23:22 0 ----a-w- c:\windows\Wfazabefog.bin
2010-01-14 03:21 . 2010-01-07 23:22 120 ----a-w- c:\windows\Dlevofezip.dat
2009-12-21 19:14 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-06 05:39 . 2009-12-06 05:39 152576 ----a-w- c:\documents and settings\Ronald Larm\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-06 05:39 . 2009-12-06 05:38 79488 ----a-w- c:\documents and settings\Ronald Larm\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-05 19:29 . 2009-11-11 00:18 79488 ----a-w- c:\documents and settings\Sally Larm\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2007-02-19 17:53 . 2007-02-19 17:53 8 --sh--r- c:\windows\system32\7A9059B1B4.sys
2007-02-19 17:53 . 2007-02-19 17:53 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-25 3176408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2006-09-29 275456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
c:\documents and settings\Ronald Larm\Start Menu\Programs\Startup\
Windows Explorer.lnk - c:\windows\explorer.exe [2004-8-10 1033728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2006-9-28 77312]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-9 24576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2006-09-29 00:28 189952 ----a-w- c:\windows\system32\ackpbsc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2006-09-29 00:28 262144 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-07-17 02:29 389120 ----a-w- c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 23:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 23:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 22:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-11-15 06:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-10-09 15:41 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-05-27 01:41 24264488 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-31 04:52 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys
R3 actccid;ActivCard USB Reader V2;c:\windows\system32\DRIVERS\actccid.sys [2007-05-03 63608]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akspcsc.sys [2007-05-03 10161]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys
R4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient\acachsrv.exe [2006-09-29 74240]
S2 acautoup;ActivClient Auto-Update Service;c:\program files\ActivIdentity\ActivClient\acautoup.exe [2006-09-29 26624]
S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2006-09-29 129536]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2009-11-25 583640]
S3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\DRIVERS\akbus.sys [2007-05-03 13619]
S3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akpcsc.sys [2007-05-03 9493]
S3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\DRIVERS\aksbus.sys [2007-05-03 13647]
.
Contents of the 'Scheduled Tasks' folder
2010-02-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 15:19]
2010-02-26 c:\windows\Tasks\User_Feed_Synchronization-{63C8FA9B-8FAA-44B4-B989-7B681C38701F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ontopmarketing.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA975} - hxxp://www.3dvista.com/downloads/viewer3dv2.cab
FF - ProfilePath - c:\documents and settings\Ronald Larm\Application Data\Mozilla\Firefox\Profiles\nrjfz4r1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ontopmarketing.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 16:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F6950C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7695f28
\Driver\ACPI -> ACPI.sys @ 0xf7528cb8
\Driver\atapi -> atapi.sys @ 0xf74e0852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf73d6bb0
PacketIndicateHandler -> NDIS.sys @ 0xf73e3a21
SendHandler -> NDIS.sys @ 0xf73c187b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(6616)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\stsystra.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2010-02-26 16:59:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 23:58
ComboFix2.txt 2010-02-06 18:24
ComboFix3.txt 2010-02-04 21:54
ComboFix4.txt 2010-02-04 20:11
Pre-Run: 12,381,294,592 bytes free
Post-Run: 12,458,938,368 bytes free
- - End Of File - - 1E56FF4FB1E12A90D50275D6F48B4B7B