Trojan removal
---- Directory of c:\windows\system32\bits ----
2009-07-09 18:21 . 2004-07-01 22:08 361984 ------w- c:\windows\system32\bits\qmgr.dll
Sigcheck
[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-14_10.40.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 14:51 . 2009-07-14 14:51 16384 c:\windows\Temp\Perflib_Perfdata_668.dat
+ 2009-07-14 14:51 . 2009-07-14 14:51 16384 c:\windows\Temp\Perflib_Perfdata_614.dat
- 2009-06-30 11:02 . 2009-07-14 10:39 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-30 11:02 . 2009-07-14 14:51 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-30 11:02 . 2009-07-14 10:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-30 11:02 . 2009-07-14 14:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-30 11:02 . 2009-07-14 10:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-30 11:02 . 2009-07-14 14:51 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-14 11:49 . 2009-07-14 11:49 148888 c:\windows\system32\javaws.exe
+ 2009-07-14 11:49 . 2009-07-14 11:49 144792 c:\windows\system32\javaw.exe
+ 2009-07-14 11:49 . 2009-07-14 11:49 144792 c:\windows\system32\java.exe
+ 2009-07-14 11:49 . 2009-07-14 11:49 536576 c:\windows\Installer\403189.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2003-03-31 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-04 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-03-17 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-25 339968]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-04 122368]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Spooler SubSystem App"="c:\windows\System32\spooIsv.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-03-31 13312]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [14/04/2004 00:52 5632]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/07/2009 04:53 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 DOSMEMIO;MEMIO;\??\d:\memio.sys --> d:\MEMIO.SYS [?]
.
.
Supplementary Scan
.
uStart Page = https://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\johnny\Application Data\Mozilla\Firefox\Profiles\b2vgctu6.default\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 10:19
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\SSSensor.dll
- - - - - - - > 'lsass.exe'(664)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(2596)
c:\windows\System32\msi.dll
c:\windows\System32\SSSensor.dll
c:\program files\Google\Quick Search Box\bin\1.2.1137.3514\qsb.dll
.
Completion time: 2009-07-14 10:20
ComboFix-quarantined-files.txt 2009-07-14 17:20
ComboFix2.txt 2009-07-14 17:12
ComboFix3.txt 2009-07-14 10:43
Pre-Run: 25,760,415,744 bytes free
Post-Run: 25,750,732,800 bytes free
1148 --- E O F --- 2009-07-14 09:43

Phew! I think that's all of it.

Then download DR WEB'S CURE IT
It will auto-run a quick scan. Once that's run, get it to run a COMPLETE SCAN.

Running the full scan now. May take a while.

Dr Web said the system is clean. SAS is still picking up trojan.spoolSV. SAS log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/15/2009 at 00:17 AM
Application Version : 4.26.1006
Core Rules Database Version : 3994
Trace Rules Database Version: 1934
Scan type : Quick Scan
Total Scan Time : 00:03:23
Memory items scanned : 431
Memory threats detected : 0
Registry items scanned : 263
Registry threats detected : 1
File items scanned : 2616
File threats detected : 0
Trojan.SpooISV
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Spooler SubSystem App [ C:\WINDOWS\System32\spooIsv.exe ]
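The SAS hit above is a lookalike filename: spooIsv.exe (capital I) sits in the HKLM Run key in place of the real Windows print spooler spoolsv.exe (lowercase L), and in the ComboFix "Reg Loading Points" listing that entry shows [BU] where every other entry shows a date and file size. The script below is an added example, not part of this thread and not ComboFix or SAS code: it parses Run-key lines in ComboFix's format from a constructed sample written in the style of the log above, and flags an entry when its filename only matches a Windows system binary after folding the I/l/1 and O/0 lookalikes, or when it lacks the date/size stamp. The list of system binaries is a short illustrative assumption, not a complete inventory.

```python
import re

# Constructed sample in the style of the ComboFix "Reg Loading Points" section
# posted in this thread. Only the spooIsv.exe entry is suspicious.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]
"Spooler SubSystem App"="c:\windows\System32\spooIsv.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-03-31 13312]
'''

# Assumption: a short list of Windows binaries whose names malware likes to
# imitate. A real deployment would use a fuller inventory of the OS image.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe", "services.exe", "ctfmon.exe"}

# Characters that look alike in common UI fonts. Folding both sides to one
# canonical form makes "spooIsv.exe" and "spoolsv.exe" compare equal.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# "Name"="value" [stamp]  or  "Name"="file" - resolved path [stamp]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r'(?:\s*-\s*(?P<resolved>.*?))?'
    r'\s*(?:\[(?P<stamp>[^\]]*)\])?\s*$'
)
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# Legitimate entries in the log carry "[YYYY-MM-DD size]".
STAMP_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')


def canonical(name):
    """Fold lookalike characters first, then case, so I/l and O/0 variants collide."""
    return name.translate(HOMOGLYPHS).lower()


SYSTEM_CANONICAL = {canonical(n) for n in SYSTEM_BINARIES}


def analyse(log_text):
    """Return the suspicious Run entries found in ComboFix-style registry output."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        path = entry.group("resolved") or entry.group("value")
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        # Exact (case-insensitive) system names are fine; a name that only
        # matches after homoglyph folding is an imitation.
        if basename.lower() not in SYSTEM_BINARIES:
            folded = canonical(basename)
            if folded in SYSTEM_CANONICAL:
                reasons.append(f"name imitates system binary {folded}")
        stamp = entry.group("stamp")
        if stamp is None or not STAMP_RE.match(stamp):
            reasons.append(f"no date/size stamp (got {stamp!r})")
        if reasons:
            findings.append({"key": current_key, "name": entry.group("name"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(f"{hit['key']}\n  {hit['name']!r} -> {hit['path']}\n  "
              + "; ".join(hit["reasons"]))
```

Run against the sample it reports only the "Spooler SubSystem App" entry, with both reasons. The folding step is deliberately applied before lowercasing: lowercasing first would turn the capital I into i and the lookalike would slip through.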
Run CCLEANER again to remove temp files, then:
Open notepad and copy/paste the text in RED below
File::
C:\WINDOWS\System32\spooIsv.exe
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.

ComboFix 09-07-13.01 - johnny 15/07/2009 21:08.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.703.404 [GMT -7:00]
Running from: c:\documents and settings\johnny\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\windows\CFScript.txt
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FILE ::
"c:\windows\System32\spooIsv.exe"
.
((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.
2009-07-15 06:22 . 2009-07-16 01:34 117760 ----a-w- c:\documents and settings\johnny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 19:27 . 2009-07-14 19:27 d-----w- c:\documents and settings\johnny\DoctorWeb
2009-07-14 11:49 . 2009-07-14 11:49 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 11:48 . 2009-07-14 11:48 152576 ----a-w- c:\documents and settings\johnny\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-14 11:43 . 2009-07-14 11:43 d-----w- c:\windows\Sun
2009-07-14 10:29 . 2009-07-14 10:29 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-14 08:05 . 2004-10-28 18:06 201216 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-14 08:04 . 2005-10-20 22:33 991232 ----a-w- c:\windows\system32\esent.dll
2009-07-14 08:03 . 2005-09-01 01:49 16384 ----a-w- c:\windows\system32\linkinfo.dll
2009-07-14 08:02 . 2006-03-01 19:44 83456 ----a-w- c:\windows\system32\mtxoci.dll
2009-07-14 08:02 . 2006-03-01 19:44 64512 ----a-w- c:\windows\system32\mtxclu.dll
2009-07-13 15:05 . 2009-07-13 15:05 d-----w- c:\windows\system32\bits
2009-07-13 15:04 . 2009-07-14 09:39 d--h--w- c:\windows\$hf_mig$
2009-07-09 18:51 . 2009-07-09 20:58 d-----w- C:\WDM
2009-07-09 18:51 . 2009-07-09 18:51 d-----w- C:\VAS
2009-07-09 18:41 . 2009-07-09 18:41 d-----w- c:\documents and settings\johnny\Application Data\Malwarebytes
2009-07-09 18:41 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 18:40 . 2009-07-14 10:29 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 18:40 . 2009-07-13 20:36 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 18:40 . 2009-07-09 18:40 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-09 18:21 . 2004-07-01 22:08 7680 -c----w- c:\windows\system32\dllcache\bitsprx2.dll
2009-07-09 18:21 . 2004-07-01 22:08 7680 ------w- c:\windows\system32\bitsprx2.dll
2009-07-09 18:21 . 2004-07-01 22:08 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll
2009-07-09 18:21 . 2004-07-01 22:08 7168 ------w- c:\windows\system32\bitsprx3.dll
2009-07-09 18:21 . 2004-07-01 22:08 361984 -c----w- c:\windows\system32\dllcache\qmgr.dll
2009-07-09 18:21 . 2004-07-01 22:08 331776 -c----w- c:\windows\system32\dllcache\winhttp.dll
2009-07-09 18:21 . 2004-07-01 22:08 331776 ----a-w- c:\windows\system32\winhttp.dll
2009-07-09 18:21 . 2004-07-01 22:08 17408 -c----w- c:\windows\system32\dllcache\qmgrprxy.dll
2009-07-09 18:21 . 2004-07-01 22:08 17408 ----a-w- c:\windows\system32\qmgrprxy.dll
2009-07-09 18:18 . 2008-10-16 21:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-07-09 18:18 . 2008-10-16 21:12 323608 ----a-w- c:\windows\system32\wucltui.dll
2009-07-09 18:18 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-07-09 18:18 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-07-09 18:18 . 2004-08-03 21:03 186136 ----a-w- c:\windows\system32\wuaueng1.dll
2009-07-09 18:18 . 2004-08-03 21:01 167704 ----a-w- c:\windows\system32\wuauclt1.exe
2009-07-09 16:38 . 2009-07-09 16:38 dc-h--w- c:\windows\$MSI30UninstallMSI30-KB884016$
2009-07-09 16:28 . 2009-07-09 16:33 d-----w- c:\documents and settings\johnny\Application Data\Spotify
2009-07-09 16:28 . 2009-07-09 16:29 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Spotify
2009-07-09 16:28 . 2009-07-09 16:28 d-----w- c:\program files\Spotify
2009-07-08 10:36 . 2009-07-09 16:44 d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-07-08 10:36 . 2009-07-08 10:36 d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-07 18:02 . 2009-07-07 18:02 0 ----a-w- c:\windows\nsreg.dat
2009-07-07 18:02 . 2009-07-07 18:02 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Mozilla
2009-07-04 12:06 . 2009-07-04 12:06 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Help
2009-07-04 11:53 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-04 11:53 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-04 11:53 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-04 11:53 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-04 11:53 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-04 11:53 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-04 11:53 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-04 11:52 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-04 11:52 . 2003-03-18 19:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-04 11:52 . 2003-03-18 18:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-04 11:52 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-04 11:52 . 2009-07-04 11:52 d-----w- c:\program files\Alwil Software
2009-07-04 11:50 . 2009-07-04 16:43 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Google
2009-07-04 11:45 . 2009-07-04 11:52 d-----w- c:\program files\Google
2009-07-04 11:42 . 2009-07-04 11:42 d-----w- c:\program files\CCleaner
2009-07-04 11:06 . 2009-07-04 11:06 d-----w- c:\program files\ATI Technologies
2009-07-04 10:38 . 2009-07-04 10:38 d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-07-04 10:38 . 2009-07-04 10:38 d-----w- c:\program files\CyberLink
2009-07-04 10:37 . 2009-07-14 11:49 d-----w- c:\program files\Java
2009-07-04 10:37 . 2009-07-04 10:37 d-----w- c:\program files\Common Files\Java
2009-07-04 10:37 . 2009-07-04 10:37 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
2009-07-04 09:34 . 2009-07-04 11:43 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 09:34 . 2009-07-04 09:35 d-----w- c:\program files\Spybot - Search & Destroy
2009-07-04 09:28 . 2009-07-04 09:28 d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-04 09:27 . 2009-07-15 06:21 d-----w- c:\program files\SUPERAntiSpyware
2009-07-04 09:27 . 2009-07-15 06:21 d-----w- c:\documents and settings\johnny\Application Data\SUPERAntiSpyware.com
2009-07-03 21:22 . 2003-09-26 00:41 44032 ----a-w- c:\windows\system32\drivers\bcm4sbxp.sys
2009-07-03 20:24 . 2004-07-22 12:50 1268234 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2009-07-03 20:24 . 2004-07-22 11:38 88361 ----a-w- c:\windows\AGRSMMSG.exe
2009-07-03 20:24 . 2004-04-05 08:49 64512 ----a-w- c:\windows\agrsmdel.exe
2009-07-03 14:39 . 2009-07-03 14:39 13104 ----a-w- c:\documents and settings\johnny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 14:37 . 2009-07-04 09:17 d-----w- c:\windows\system32\wbem\AutoRecover
2009-07-03 14:32 . 2009-07-09 20:58 d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 14:31 . 2009-07-04 09:11 d-----w- c:\windows\peernet
2009-07-03 14:31 . 2009-07-03 14:31 d-----w- c:\windows\provisioning
2009-07-03 14:29 . 2009-07-09 22:24 d-----w- c:\program files\Common Files\InstallShield
2009-07-03 14:22 . 2002-05-14 19:08 20540 ------w- c:\windows\system32\dllcache\admin.dll
2009-07-03 14:21 . 2005-08-22 18:36 154624 -c----w- c:\windows\system32\dllcache\netman.dll
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg6n.sys
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg5n.sys
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg4n.sys
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-07-03 14:14 . 2004-10-16 01:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-07-03 14:14 . 2004-10-16 01:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-07-03 14:14 . 2004-10-16 01:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2009-07-03 14:13 . 2009-07-03 14:13 d-----w- c:\program files\Sygate
2009-07-03 14:12 . 2009-07-15 06:21 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-03 13:44 . 2009-07-03 13:44 d-s---w- c:\documents and settings\johnny\UserData
2009-06-30 11:37 . 2009-06-30 11:37 d-s---w- c:\windows\system32\Microsoft
2009-06-30 11:27 . 2009-06-30 11:27 d-----w- c:\documents and settings\johnny\Application Data\MSN6
2009-06-30 11:27 . 2009-06-30 11:27 d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-06-30 11:24 . 2003-03-31 12:00 3584 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-30 11:01 . 2003-03-31 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2009-06-30 11:00 . 2003-03-31 12:00 44032 -c--a-w- c:\windows\system32\dllcache\imekrmig.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 09:11 . 2009-06-30 10:59 70691 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-30 11:00 . 2009-06-30 11:00 d-----w- c:\program files\microsoft frontpage
2009-06-30 10:56 . 2009-06-30 10:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-24 14:37 . 2009-07-09 10:56 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
Sigcheck
[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-14_10.40.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-16 01:34 . 2009-07-16 01:34 16384 c:\windows\Temp\Perflib_Perfdata_62c.dat
+ 2009-07-16 01:34 . 2009-07-16 01:34 16384 c:\windows\Temp\Perflib_Perfdata_5f4.dat
+ 2009-06-30 03:18 . 2009-07-15 06:46 90296 c:\windows\system32\FNTCACHE.DAT
+ 2009-06-30 11:02 . 2009-07-16 01:33 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-30 11:02 . 2009-07-14 10:39 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-30 11:02 . 2009-07-16 01:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-30 11:02 . 2009-07-14 10:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-30 11:02 . 2009-07-16 01:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-30 11:02 . 2009-07-14 10:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-07-04 09:27 . 2009-07-04 09:27 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-07-15 06:21 . 2009-07-15 06:21 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-07-15 06:21 . 2009-07-15 06:21 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-07-04 09:27 . 2009-07-04 09:27 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-07-14 11:49 . 2009-07-14 11:49 148888 c:\windows\system32\javaws.exe
+ 2009-07-14 11:49 . 2009-07-14 11:49 144792 c:\windows\system32\javaw.exe
+ 2009-07-14 11:49 . 2009-07-14 11:49 144792 c:\windows\system32\java.exe
+ 2009-07-14 11:49 . 2009-07-14 11:49 536576 c:\windows\Installer\403189.msi
+ 2009-07-15 06:21 . 2009-07-15 06:21 1516544 c:\windows\Installer\1613570.msi
+ 2009-07-14 09:03 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2003-03-31 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-04 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-03-17 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-25 339968]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-04 122368]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Spooler SubSystem App"="c:\windows\System32\spooIsv.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-03-31 13312]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [14/04/2004 00:52 5632]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/07/2009 04:53 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 DOSMEMIO;MEMIO;\??\d:\memio.sys --> d:\MEMIO.SYS [?]
.
.
Supplementary Scan
.
uStart Page = https://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\johnny\Application Data\Mozilla\Firefox\Profiles\b2vgctu6.default\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 21:11
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\SSSensor.dll
- - - - - - - > 'lsass.exe'(668)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(3788)
c:\windows\System32\msi.dll
c:\program files\Google\Quick Search Box\bin\1.2.1137.3514\qsb.dll
c:\windows\System32\SSSensor.dll
.
Completion time: 2009-07-16 21:12
ComboFix-quarantined-files.txt 2009-07-16 04:12
ComboFix2.txt 2009-07-14 17:20
ComboFix3.txt 2009-07-14 17:12
ComboFix4.txt 2009-07-14 10:43
Pre-Run: 29,054,251,008 bytes free
Post-Run: 29,024,595,968 bytes free
263 --- E O F --- 2009-07-16 01:57