The BullGuard products and services are part of NortonLifeLock Inc., a global leader in consumer Cyber Safety with a portofolio of brands including Norton, Avira and more. Learn more at NortonLifeLock.com

System Security 2009

Posted 6/16/2009 9:11 PM
#74414
User avatar

OlvidadaAlma Valued member

Date Joined Nov 2016
Total Posts: 15
I somehow got this malware program on my computer that keeps telling me my computer's infected with all sorts of junk, but I'm pretty sure System Security 2009 itself is the problem. It changed my wallpaper to a black screen with "WARNING: YOUR COMPUTER IS INFECTED!" written over it. I have to run in safe mode to even open any programs. It won't even let me open the Task Manager. When I try, it say "tskmngr.exe is infected and cannot be opened." Any help on getting rid of this thing would be much appreciated. Thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 5:05:07 PM, on 6/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\Desktop\Technical Stuff\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O1 - Hosts: ??????????????? antiwareprotect.com
O1 - Hosts: ??????????????? www.antiwareprotect.com
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld09.exe
O4 - HKLM\..\Run: [39A7] C:\WINDOWS\TEMP\39A7.tmp
O4 - HKLM\..\Run: [16677034] C:\Documents and Settings\All Users\Application Data\16677034\16677034.exe
O4 - HKLM\..\Run: [96687026] C:\Documents and Settings\All Users\Application Data\96687026\96687026.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\MelodyCan\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\MelodyCan\YouTubeRipper.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - https://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - https://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - https://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210865201781
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - https://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - https://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmmbsfbs.dll
O20 - Winlogon Notify: cbxvtqo - cbxvtqo.dll (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jybacbre - jybacbre.dll (file missing)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Posted 6/17/2009 4:15 AM
#74418
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello :smile:




It sounds like you´ve got a virut infection, if you have, is it - Game over.



However, I´ll suggest we check your computer, and see if it is Virut.




[2]# Copyright (c) 1998 Microsoft Corp. [/2]

[2]#[/2][2] This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98 [/2]


[2]# This file contains the mappings of IP addresses to host names. Each [/2]


[2]# entry should be kept on an individual line. The IP address should [/2]


[2]# be placed in the first column followed by the corresponding host name.[/2]


[2]# The IP address and the host name should be separated by at least one [/2]


[2]# space. [/2]


[2]# Additionally, comments (such as these) may be inserted on individual [/2]


[2]# lines or following the machine name denoted by a '#' symbol. [/2]


[2]# For example:[/2]


[2]# 102.54.94.97 rhino.acme.com # source server[/2]


[2]# 38.25.63.10 x.acme.com # x client host [/2]


[2]127.0.0.1 localhost [/2]





Reboot.

Please download combofix here ->



https://subs.geekstogo.com/ComboFix.exe

Before Saving it to Desktop, please rename it to 123.com to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows.


Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after
scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt.



Please post combofix log.

NB. It is possible you´ll have to run comfix from safe mode




[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Posted 6/17/2009 7:56 PM
#74428
User avatar

OlvidadaAlma Valued member

Date Joined Nov 2016
Total Posts: 15
OK, everything seems to be back to normal. Thanks so much for the help. Anything else I should consider doing?


ComboFix 09-06-16.05 - HP_Administrator 06/17/2009 15:33.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.755 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\123.com.exe
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Personal Firewall *enabled* {825036E0-9F94-4752-8789-8B92454AF49B}
.
ADS - netcfgx.dll: deleted 49152 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\16677034
c:\documents and settings\All Users\Application Data\96687026
c:\windows\system32\AdCache
c:\windows\system32\cache329
c:\windows\system32\lowsec
c:\windows\system32\sdra64.exe
C:\-1731319534
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\services.exe
c:\documents and settings\All Users\Application Data\16677034\16677034.exe
c:\documents and settings\All Users\Application Data\16677034\16677034.glu
c:\documents and settings\All Users\Application Data\16677034\pc16677034cnf
c:\documents and settings\All Users\Application Data\16677034\pc16677034ins
c:\documents and settings\All Users\Application Data\96687026\96687026.exe
c:\documents and settings\HP_Administrator\Application Data\wiaserva.log
c:\documents and settings\HP_Administrator\Application Data\wiaservg.log
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\zqosys32.exe
c:\documents and settings\HP_Administrator\ydf.exe
C:\tamut.exe
c:\windows\9129837.exe
c:\windows\freddy46.exe
c:\windows\IE4 Error Log.txt
c:\windows\ieocx.dll
c:\windows\kb913800.exe
c:\windows\ld09.exe
c:\windows\services.exe
c:\windows\system32\55324328.dll
c:\windows\system32\drivers\beep.sys
c:\windows\system32\gjkmp.ini
c:\windows\system32\gsf83iujid.dll
c:\windows\system32\kr_done1
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\TEMP\1948356024.exe
c:\windows\TEMP\1949449774.exe
c:\windows\TEMP\2200496302.exe
c:\windows\TEMP\3481019566.exe
c:\windows\TEMP\919973038.exe
c:\windows\zaponce52597.dat
c:\windows\zaponce52689.dat
D:\Desktop.ini

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Service_driver


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-17 19:39 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-17 19:39 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-17 12:24 . 2009-06-17 12:24 245 ----a-w- c:\windows\tmp55342093.bat
2009-06-17 12:24 . 2009-06-17 12:24 118784 ----a-w- c:\windows\system32\sgc1klj0etcc.dll
2009-06-17 12:24 . 2009-06-17 12:24 80191 ----a-w- c:\windows\system32\qgc5klj0etcc.exe
2009-06-17 12:24 . 2009-06-17 12:24 15000 ----a-w- c:\windows\system32\sdjee3inf.dll
2009-06-17 12:24 . 2009-06-17 12:24 1 ---h--w- c:\windows\bf23567.dat
2009-06-17 12:24 . 2009-06-17 12:24 30208 ----a-w- c:\windows\system32\updb.exe
2009-06-17 12:24 . 2009-06-17 12:24 -------- d-----w- c:\program files\driver
2009-06-17 12:23 . 2009-06-17 12:23 91136 ----a-w- C:\ynuntear.exe
2009-06-17 12:23 . 2009-06-17 12:23 205321 ----a-w- C:\sakl.exe
2009-06-16 12:26 . 2009-06-16 12:26 16896 ----a-w- c:\windows\system32\mmmbsfbs.dll
2009-06-13 21:39 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-03 21:18 . 2009-06-03 21:18 724992 ----a-w- c:\windows\is-PMMVI.exe
2009-05-29 07:45 . 2009-05-29 07:45 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 19:44 . 2004-11-06 06:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-17 19:43 . 2009-01-29 12:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-16 18:41 . 2005-03-28 00:05 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Azureus
2009-06-13 21:41 . 2009-05-14 19:14 -------- d-----w- c:\program files\AIM6
2009-06-13 21:41 . 2005-03-26 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-13 21:40 . 2009-06-13 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-12 06:43 . 2005-08-12 00:59 -------- d-----w- c:\program files\mIRC
2009-06-03 21:18 . 2007-02-07 18:18 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-29 07:45 . 2004-11-05 12:14 -------- d-----w- c:\program files\Real
2009-05-29 07:45 . 2004-11-05 12:14 -------- d-----w- c:\program files\Common Files\Real
2009-05-22 04:57 . 2008-08-12 19:48 1915520 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-19 05:35 . 2009-06-13 21:40 11568 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\tbinst.dll
2009-05-15 05:56 . 2009-04-27 09:03 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-05-14 19:17 . 2009-05-14 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-05-14 19:16 . 2009-05-14 19:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\acccore
2009-05-14 19:16 . 2005-03-26 21:42 -------- d-----w- c:\program files\Viewpoint
2009-05-14 19:15 . 2009-05-14 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-14 19:15 . 2009-05-14 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-14 19:15 . 2009-05-14 19:15 -------- d-----w- c:\program files\Common Files\AOL
2009-05-14 19:14 . 2005-03-26 21:42 -------- d-----w- c:\program files\AIM
2009-05-11 22:19 . 2009-02-01 14:58 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DVD Flick
2009-05-11 05:01 . 2009-03-09 20:54 -------- d-----w- c:\program files\World of Warcraft
2009-05-03 01:02 . 2008-02-16 20:31 -------- d-----w- c:\program files\eMule
2009-04-28 10:03 . 2009-04-28 10:03 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-28 10:03 . 2009-04-28 10:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-28 10:03 . 2009-04-28 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-28 08:00 . 2009-04-28 08:00 -------- d-----w- c:\program files\Enigma Software Group
2009-04-27 09:03 . 2009-04-27 09:03 34062 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-06 19:32 . 2009-04-28 10:03 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-28 10:03 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-07-02 14:19 . 2006-07-02 14:19 569396 --sha-w- c:\windows\system32\pmkjg.dll.vir
.

------- Sigcheck -------

[-] 2004-08-09 21:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 17408 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\svchost.exe

[-] 2005-01-27 17:08 657920 A8EAC5330876548E9966A7D13025D196 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[-] 2005-05-02 20:57 658944 E1E18136F9DD3DF1AD9C82193A5898A6 c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2005-03-10 07:43 657920 C8663B488996E89A84C3D17C1D12B79E c:\windows\$hf_mig$\KB890923\SP2QFE\wininet.dll
[-] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-07-03 02:09 659456 6E533D155B259EB2363D3E04B5BE309F c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-02-20 09:52 665600 B258C922D22DEEC880B60720531D7627 c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
[-] 2007-04-18 12:46 665600 4261BA03AFD659DE04F0A17DFBDD454D c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[-] 2007-08-22 12:55 665600 A1BC17EB3758D73C3938B2318820F5B4 c:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
[-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2007-12-07 00:44 666112 085A7C37F9C6EDE1BA870B7DBEC06399 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[-] 2007-12-07 01:07 659456 57D1B5150CF6331FAC6B3E04C1FCB966 c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2007-08-22 13:12 658944 1901AD51DA8BE9F8B38D5D526E5D1788 c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-10-11 06:13 659456 2005AD86A22AEE68E21EE59F9CCB77F2 c:\windows\$NtUninstallKB944533$\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ie7\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2GDR\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2QFE\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\SoftwareDistribution\Download\21b9c2f7b1db683e3d83bfb825d32092\SP2GDR\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\SoftwareDistribution\Download\21b9c2f7b1db683e3d83bfb825d32092\SP2QFE\wininet.dll
[-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\wininet.dll
[-] 2008-02-16 08:59 659456 0C690E77C0E924C45B4D7045B182FFF1 c:\windows\SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\sp2gdr\wininet.dll
[-] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\sp2qfe\wininet.dll
[-] 2008-03-01 13:06 826368 AD21461AEF8244EDEC2EF18E55E1DCF3 c:\windows\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2GDR\wininet.dll
[-] 2008-03-01 13:03 827392 6316C2F0C61271C8ABDFF7429174879E c:\windows\SoftwareDistribution\Download\574548bb1821009dfc939b99bf38919d\SP2QFE\wininet.dll
[-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3gdr\wininet.dll
[-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3qfe\wininet.dll
[-] 2008-03-01 13:06 826368 AD21461AEF8244EDEC2EF18E55E1DCF3 c:\windows\SoftwareDistribution\Download\ceba12074e2ee6f2478e27a2b926a276\SP2GDR\wininet.dll
[-] 2008-03-01 13:03 827392 6316C2F0C61271C8ABDFF7429174879E c:\windows\SoftwareDistribution\Download\ceba12074e2ee6f2478e27a2b926a276\SP2QFE\wininet.dll
[-] 2008-04-23 04:16 826368 F6589BE784647CFDBC22EA51CCB1A57A c:\windows\SoftwareDistribution\Download\f4bbe93413da6448b38093eb5244141e\SP2GDR\wininet.dll
[-] 2008-04-23 03:35 827392 41546B396A526918DA7995A02EA04E51 c:\windows\SoftwareDistribution\Download\f4bbe93413da6448b38093eb5244141e\SP2QFE\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\f6d390a5c8cb03ef1624d5e3583de48b\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\f6d390a5c8cb03ef1624d5e3583de48b\SP2QFE\wininet.dll
[-] 1996-10-15 14:40 291600 642CFEF8525339FB83F2A1909898EAAB c:\windows\system\WININET.DLL
[-] 2008-03-01 13:06 826368 AD21461AEF8244EDEC2EF18E55E1DCF3 c:\windows\system32\wininet.dll

[-] 2004-08-09 21:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\winlogon.exe

[-] 2008-04-14 00:12 1036288 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2004-08-09 21:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[-] 2008-04-14 00:12 111104 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\services.exe

[-] 2004-08-09 21:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 14848 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\lsass.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 58880 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-06-10 1217784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-06-19 1253376]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 59040]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-07-02 100056]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-29 180269]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-06 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-04-06 2805248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-25 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-11-5 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-02-16 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"VLKbjEBvX"= {98CE2913-3264-83B9-7191-D79695FD175B} - c:\windows\system32\aejg.dll [2008-04-14 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon]
2006-06-20 18:29 258048 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mmmbsfbs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 driverdrv;driverdrv;c:\program files\driver\driver.sys [6/17/2009 8:24 AM 9472]
R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido\security suite\guard.sys [11/22/2004 10:15 AM 3072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/16/2006 5:51 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/9/2006 3:45 PM 23552]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [3/29/2005 11:23 PM 2368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/14/2009 3:16 PM 24652]
R3 CamdAudio;CamdAudio;c:\windows\system32\drivers\CamdAudio.sys [12/11/2008 6:50 AM 23096]
R3 CamdVideo;CamdVideo;c:\windows\system32\drivers\CamdVideo.sys [12/11/2008 6:50 AM 3768]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [1/20/2009 5:45 PM 16896]
S0 xuievodt;xuievodt;c:\windows\system32\drivers\unxssdgt.sys --> c:\windows\system32\drivers\unxssdgt.sys [?]
S3 AimersoftAlVideoConverter;AimersoftAlVideoConverter;c:\windows\system32\drivers\AimersoftAlVideoConverter.sys [1/20/2009 6:26 PM 16640]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/29/2009 8:53 AM 337800]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [12/11/2008 6:50 AM 200704]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E2CA86ED-82F6-26CA-87B4-0469322DC6A4}]
c:\windows\system32\javawa.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 16:54]

2009-06-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-11-06 17:24]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKCU-Run-Tunebite - c:\program files\RapidSolution\Tunebite\Tunebite.exe
HKLM-Run-PS2 - c:\windows\system32\ps2.exe
HKLM-Run-16677034 - c:\documents and settings\All Users\Application Data\16677034\16677034.exe
HKLM-Run-96687026 - c:\documents and settings\All Users\Application Data\96687026\96687026.exe
Notify-cbxvtqo - cbxvtqo.dll
Notify-jybacbre - jybacbre.dll
SafeBoot-AVG Anti-Spyware Driver


.
------- Supplementary Scan -------
.
uStart Page = www.msn.com/
uInternet Settings,ProxyOverride = *.local
IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-06-17 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

- - - - - - - > 'lsass.exe'(756)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

- - - - - - - > 'explorer.exe'(4928)
c:\program files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\ewido\security suite\ewidoctrl.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-06-17 15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 19:51
ComboFix2.txt 2007-11-26 13:49

Pre-Run: 96,198,352,896 bytes free
Post-Run: 95,792,287,744 bytes free

358 --- E O F --- 2009-03-16 12:24
Posted 6/18/2009 2:38 AM
#74432
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
There are still some infections to deal with -



Please upload and have these files scanned:

c:\windows\system\WININET.DLL
c:\windows\system32\wininet.dll

c:\windows\explorer.exe

Here:



[color=#0000ff>https://virusscan.jotti.org/[/url] Or here: https://www.virustotal.com/en/indexf.html



Post back the results.



Please note - you have wininet.dll in two folders, therefore have them both scanned.[/2][/color]

[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Posted 6/18/2009 5:19 PM
#74455
User avatar

OlvidadaAlma Valued member

Date Joined Nov 2016
Total Posts: 15
https://www.virustotal.com/analisis/3b76310bfd81747e1416c7d0e365f9d2c3bb3410a0d6a99ed724fcf05e04727a-1177222532


https://www.virustotal.com/analisis/f6c67c7aa44c98f2c7088bfb2859602f598bc8f72977141091a1f9ec26c841d8-1243688815



It wouldn't let me upload C:\Windows\explorer.exe to either site. Here's another HijackThis log, just in case. Also, sometimes when I start up my computer outside of safe mode, it says there's a problem with svchost.exe and will force a shut-down or restart.



Logfile of HijackThis v1.99.1
Scan saved at 2:36:57 PM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\Desktop\Technical Stuff\Alt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\MelodyCan\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\MelodyCan\YouTubeRipper.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - https://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - https://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - https://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210865201781
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - https://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - https://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmmbsfbs.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: VLKbjEBvX - {98CE2913-3264-83B9-7191-D79695FD175B} - C:\WINDOWS\system32\aejg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Posted 6/19/2009 5:41 AM
#74470
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Open notepad and copy/paste the text in the quotebox below into it:

Name the file as CFScript
and Save it on the desktop


Quote:


Killall::

Snapshot::

File::
c:\windows\tmp55342093.bat
c:\windows\system32\sgc1klj0etcc.dll
c:\windows\system32\qgc5klj0etcc.exe
c:\windows\bf23567.dat
C:\ynuntear.exe
C:\sakl.exe


c:\windows\system32\mmmbsfbs.dll

c:\windows\is-PMMVI.exe

c:\windows\system32\pmkjg.dll.vir

c:\windows\system32\drivers\unxssdgt.sys

c:\windows\system32\javawa.exe

c:\program files\driver\driver.sys
Filelook::


c:\windows\system32\updb.exe

c:\windows\system32\sdjee3inf.dll

C:\WINDOWS\system32\aejg.dll

Driver::

driverdrv

xuievodt
Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E2CA86ED-82F6-26CA-87B4-0469322DC6A4}]






User image



Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe.



Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please post it to your next reply



Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[color=black face="Courier New" sab="311">[2]Click here: Before-posting-a-log[/2][/url]

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />[/color]
Do not PM me with logfiles. They will be deleted.


Posted 6/23/2009 8:25 AM
#74635
User avatar

Steve_B Member

Date Joined Nov 2016
Total Posts: 4
[s]ieocx.dll file links to a Browser Helper Object (BHO) that was likely installed by System Security 2009. You must remove this file too.[/s]
  • Unread posts or replies
  • No unread posts or replies
  • Unread Posts (Read Only Forum)
  • No Unread Posts (Read Only Forum)

Forum Information

Currently it is Friday, August 12, 2022, 4:11 AM (GMT +2)
There are a total of 61,974 posts in 13,697 threads.
In the last 3 days there were 0 new threads and 0 reply posts.

Who's online

This forum has 38,573 registered members. Please welcome our newest member, iAwake.
60 Guest(s), 0 Registered Member(s) are currently online.