invisible pop ups and my realtek wave volume keeps turning down

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MRFRIENDLYGUY, Jul 3, 2010.

  1. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ok so i keep getting invisible pop ups from i.e. and i use google chrome and my realtek wave keeps turning down. i will turn it back up but shortly after down it goes again and when it does that i can't hear any sound from my computer someone please helpppp meeee :cry
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I see you have posted the same message in the hardware forum. What do you mean by invisible pop-ups?

    If you think you have a malware issue, then please follow these instructions:

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    hey man thanks for replying i got the same problem as a guy you helped named ktran this is his link http://forums.majorgeeks.com/showthread.php?t=218164 i tried following the instructions you gave to him but i guess the instructions were meant for only his computer and not mine
    can you help me timw ???
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can only help you if you follow the instructions that I already gave to you and then attach the requested logs.
     
  5. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ok i will
     
  6. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    hey, this is what i got after i ran superantispyware what do i do now ???

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/03/2010 at 04:52 PM

    Application Version : 4.40.1002

    Core Rules Database Version : 5153
    Trace Rules Database Version: 2965

    Scan type : Complete Scan
    Total Scan Time : 01:07:55

    Memory items scanned : 472
    Memory threats detected : 0
    Registry items scanned : 6460
    Registry threats detected : 0
    File items scanned : 26214
    File threats detected : 2

    Trojan.Agent/Gen-NumTemp
    C:\WINDOWS\SYSTEM32\384.TMP

    Trojan.Agent/Gen-FraudLoad
    C:\WINDOWS\SYSTEM32\IEAKUI32(2).DLL
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow 100% of the instructions in this
    READ & RUN ME FIRST. Malware Removal Guide as TimW already stated. And you need to attach logs as stated in the instructions. Do not post them inline like you did with SUPERAntiSpyware.
     
  8. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    i did everything up to "Please attach the Scan Log results to your next reply whether it finds anything or not. This way we know that the correct updated version of the program has been run." i can't move on and finish the rest of READ & RUN ME FIRST until you tell me what to do next and i don't understand what you mean when you say "you need to attach logs as stated in the instructions. Do not post them inline like you did with SUPERAntiSpyware." i have no idea what you are talking bout sorry please help im goin crazy over here :cry
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you read the instructions in the READ & RUN ME, it tells you to complete every single step and then attach the logs at the end. It also tells you how to attach logs. You need to keep on going. SUPERAntiSpyware is only the first of 5 logs. TimW took a little bit of a shortcut and just said to run the READ & RUN ME which is typically all most people need to see to get going. Full instructions would have said the below. ;)
     
  10. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    thanks man i appreciate it imma continue now =] hope all goes well
     
  11. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    YOOOOOOOOOOOOO thank yall so muchhhhhhhhhhhhhhhhhhhhhhhhhhhhh man i think my computer is back =D thankkkkkks 4 da hellllp sssoooooo muchhhhhhhhhh TimW and chaslang =]
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome. But understand that without seeing the requested logs, we have no way of confirming that you are malware free.
     
  13. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ok i will post it and by the way the problem came back =[
     
  14. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    this is da logs
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please just save the logs from SAS, MBAM, and Combo as plain text files, which is the default way the programs save them. You should not be converting them to RTF files, which then require them to be zipped to attach them.

    Also please put Combo directly on your desktop as was requested. It shouldn't be run from here:
    Running from: c:\documents and settings\SLEEPY HOLLOW\My Documents\Downloads\ComboFix.exe

    Next, you need to read this:
    Warning about Porn, Keygens, Cracks, and other Illegal Software

    You need to run both SAS and MBAM on each user account. It is a bad idea to allow each user to have Admin. privileges.

    I also suggest that you remove all your toolbars.

    Attach the logs from each user account that shows any infections. Label them accordingly.
     
    Last edited by a moderator: Jul 5, 2010
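    As an added illustration of TimW's point that each user account has to be checked separately (example code written for this page, not a tool from MajorGeeks, Malwarebytes or SUPERAntiSpyware): the script below parses the "Files Infected" and "Folders Infected" lines in the format Malwarebytes' Anti-Malware 1.46 writes (the same format as the MBAM log posted later in this thread), groups each detection by the Windows XP profile that owns the path (or marks it system-wide), and lists any entry whose action was not a completed quarantine. The sample lines are constructed from the thread's log; the bookmark and executable names are placeholders, and the "Delete on reboot." line is an assumed example of a pending action.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the MBAM 1.46 log in this thread.
# Link/executable names are placeholders. Line format:
#   <path> (<threat family>) -> <action taken>
SAMPLE_MBAM_LINES = r"""
C:\WINDOWS\system32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\mHia.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\313.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\placeholder-link-1.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\SLEEPY HOLLOW\Favorites\placeholder-link-2.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\SLEEPY HOLLOW\Local Settings\Temp\placeholder.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# Greedy path group backtracks to the last " (" before " -> ", so parentheses
# inside file names do not break the match.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# XP-era profile root: C:\Documents and Settings\<profile>\...
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
CLEANED = "Quarantined and deleted successfully."


def parse_mbam_detections(text):
    """Return one dict per detection line; lines that do not match the format are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        pm = PROFILE_RE.match(path)
        found.append({
            "path": path,
            "threat": m.group("threat"),
            "action": m.group("action"),
            # Anything outside a profile directory (system32, etc.) affects every account.
            "profile": pm.group(1) if pm else "(system-wide)",
        })
    return found


def summarize_by_profile(detections):
    """Map each user profile (or '(system-wide)') to a Counter of threat families."""
    summary = defaultdict(Counter)
    for d in detections:
        summary[d["profile"]][d["threat"]] += 1
    return dict(summary)


def not_yet_cleaned(detections):
    """Paths whose recorded action is anything other than a completed quarantine."""
    return [d["path"] for d in detections if d["action"] != CLEANED]


if __name__ == "__main__":
    dets = parse_mbam_detections(SAMPLE_MBAM_LINES)
    for profile, families in sorted(summarize_by_profile(dets).items()):
        print(profile, dict(families))
    print("still pending:", not_yet_cleaned(dets))
```

    Run against a real MBAM log, the per-profile summary shows at a glance which accounts still need their own SAS/MBAM pass, and the pending list shows which removals depend on a reboot that may not have happened yet.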
  16. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    it won't let me post plain text i think it's too long
     
  17. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ok ima now run combo fix then ill post
     
    Last edited: Jul 5, 2010
  18. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/03/2010 at 04:52 PM

    Application Version : 4.40.1002

    Core Rules Database Version : 5153
    Trace Rules Database Version: 2965

    Scan type : Complete Scan
    Total Scan Time : 01:07:55

    Memory items scanned : 472
    Memory threats detected : 0
    Registry items scanned : 6460
    Registry threats detected : 0
    File items scanned : 26214
    File threats detected : 2

    Trojan.Agent/Gen-NumTemp
    C:\WINDOWS\SYSTEM32\384.TMP

    Trojan.Agent/Gen-FraudLoad
    C:\WINDOWS\SYSTEM32\IEAKUI32(2).DLL
     
  19. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4273

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    7/3/2010 10:01:16 PM
    mbam-log-2010-07-03 (22-01-16).txt

    Scan type: Quick scan
    Objects scanned: 181457
    Time elapsed: 39 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 22

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Owner\Local Settings\Temp\mHia.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q614CKCX\eH8fb6bac3V0100f060006Re847ada8102Tc4ea9fa1204l0409K18fff4f3318J100006010[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\313.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\313.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\314.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\314.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\315.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\315.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\316.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\316.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\317.music.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\317.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\318.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\318.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\319.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\319.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\320.music4.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\320.music4.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Favorites\Free Porn, Sex, Tube Videos, XXX Pics, Porno Movies - XNXX.COM.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\SLEEPY HOLLOW\Favorites\Free Porn Videos & ***** Movies- Sex Videos, Porno, Porn Tube, XXX and ***** Porn..url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\SLEEPY HOLLOW\Favorites\Free Porn Videos, Porn Tube, Free Porn, Free Porno Movies, Porno, Sex.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.
     
  20. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ComboFix 10-07-04.04 - SLEEPY HOLLOW 07/05/2010 17:29:15.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1215.859 [GMT -7:00]
    Running from: c:\documents and settings\SLEEPY HOLLOW\My Documents\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\%appdata%
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\patch.bat
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\settings.xml
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\ShoppingBHO.dll
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\Uninst.exe
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\version.txt

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
    .

    2010-07-04 07:10 . 2010-07-04 07:10 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Local Settings\Application Data\Yahoo
    2010-07-03 22:25 . 2010-07-04 16:38 -------- d-----w- C:\MGtools
    2010-07-03 22:22 . 2010-07-03 22:22 0 ----a-w- c:\documents and settings\SLEEPY HOLLOW\settings.dat
    2010-07-03 22:05 . 2010-07-03 22:05 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\Malwarebytes
    2010-07-03 22:05 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-03 22:05 . 2010-07-03 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-03 22:05 . 2010-07-03 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-03 22:05 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-03 22:03 . 2010-07-03 22:03 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com
    2010-07-03 22:03 . 2010-07-03 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-07-03 22:03 . 2010-07-03 22:03 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-03 20:51 . 2010-07-03 20:51 -------- d-----w- c:\program files\CCleaner
    2010-07-03 16:51 . 2010-07-06 00:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\PriceGong
    2010-07-03 16:51 . 2010-07-03 16:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
    2010-07-03 04:21 . 2010-07-03 05:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\PriceGong
    2010-07-03 04:21 . 2010-07-03 04:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-07-03 04:10 . 2010-07-03 04:10 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-07-03 02:54 . 2010-07-03 02:54 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\BitZipper
    2010-07-03 02:54 . 2010-07-03 02:54 -------- d-----w- c:\program files\BitZipper
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\W3i
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\W3i
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\Freeze.com
    2010-07-03 02:53 . 2010-07-04 07:37 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\PriceGong
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\FCSB000062035
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\PriceGong
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\Shop to Win 2
    2010-07-03 02:53 . 2010-07-04 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\Yahoo!
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\Yahoo!
    2010-07-02 22:11 . 2010-07-02 22:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Softonic-Eng7
    2010-07-02 22:11 . 2010-07-02 22:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
    2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\Common Files\xing shared
    2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\Real
    2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\Common Files\Real
    2010-07-02 20:03 . 2006-08-01 22:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
    2010-07-02 20:03 . 2008-09-24 17:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
    2010-07-02 20:02 . 2010-07-02 20:02 -------- d-----w- c:\program files\Realtek AC97
    2010-07-02 20:02 . 2006-12-08 22:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
    2010-07-02 20:02 . 2007-04-16 22:28 577536 ----a-w- c:\windows\soundman.exe
    2010-07-02 20:02 . 2006-10-18 09:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
    2010-07-02 20:02 . 2006-07-31 18:19 315392 ----a-w- c:\windows\alcupd.exe
    2010-07-02 20:02 . 2006-07-31 18:27 217088 ----a-w- c:\windows\Alcrmv.exe
    2010-07-02 19:08 . 2010-07-03 16:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Softonic-Eng7
    2010-07-02 19:08 . 2010-07-02 19:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
    2010-07-02 18:25 . 2010-07-02 18:25 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Local Settings\Application Data\Conduit
    2010-07-02 18:25 . 2010-07-02 18:25 -------- d-----w- c:\program files\Conduit
    2010-07-02 18:25 . 2010-07-04 07:10 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Local Settings\Application Data\Softonic-Eng7
    2010-07-02 18:25 . 2010-07-02 22:11 -------- d-----w- c:\program files\Softonic-Eng7
    2010-07-02 18:01 . 2010-07-02 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2010-07-02 06:46 . 2010-07-02 06:46 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-07-02 06:44 . 2010-07-02 06:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
    2010-07-02 05:53 . 2010-07-02 06:44 -------- d-----w- c:\documents and settings\LocalService\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-06 00:45 . 2010-04-17 23:33 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\LimeWire
    2010-07-03 22:32 . 2010-07-03 22:03 63488 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-03 22:32 . 2010-07-03 22:03 117760 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-03 22:03 . 2010-07-03 22:03 52224 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-03 17:41 . 2010-01-29 15:18 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\vlc
    2010-07-03 02:53 . 2010-07-03 02:53 14534 ----a-r- c:\documents and settings\SLEEPY HOLLOW\Application Data\Microsoft\Installer\{E7B100D8-98A5-42AA-830F-16D6BD5351F1}\SystemFolder_msiexec.exe
    2010-07-03 02:53 . 2010-07-03 02:53 638976 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\FCSB000062035\Toolbar\ShoppingBHO.dll
    2010-07-03 02:53 . 2010-07-03 02:53 47275 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\FCSB000062035\Toolbar\Uninst.exe
    2010-07-02 22:09 . 2010-07-02 22:09 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-07-02 22:09 . 2010-07-02 22:09 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-07-02 22:09 . 2010-07-02 22:09 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-07-02 22:09 . 2010-07-02 22:09 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-07-02 22:08 . 2010-07-02 22:08 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-07-02 22:08 . 2009-08-16 02:05 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-07-02 22:08 . 2009-08-16 02:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-07-02 20:02 . 2009-08-16 01:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-02 06:13 . 2009-09-19 05:34 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-06-26 02:14 . 2010-01-28 17:59 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\Digidesign
    2010-06-23 23:44 . 2010-06-23 23:44 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb15E.tmp.exe
    2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-16 16:09 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-04-16 16:09 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-02 2515552]
    "{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll" [2010-01-19 361592]

    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

    [HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]
    [HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]
    [HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
    2010-03-28 19:53 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA}]
    2010-07-03 02:53 638976 ----a-w- c:\program files\Shop to Win 2\ShoppingBHO.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    2010-07-02 22:12 2515552 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
    2010-01-19 22:08 361592 ----a-w- c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-02 2515552]

    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-02 2515552]

    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-16 39408]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
    "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2010-05-05 1000960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-26 149280]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-10 30192]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "VTTimer"="VTTimer.exe" [2004-10-22 53248]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
    "lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
    "lxdpamon"="c:\program files\Lexmark Z2300 Series\lxdpamon.exe" [2008-03-27 16040]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

    c:\documents and settings\SLEEPY HOLLOW\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave2"=Digi32.dll
    "MIDI3"=diomidi.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\WINDOWS\\system32\\lxdpcoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
    "c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
    "c:\\Program Files\\Lexmark Z2300 Series\\Diagnostics\\LXDPdiag.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=

    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [1/30/2010 5:40 AM 16384]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [12/16/2009 6:38 PM 375296]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [1/30/2010 6:35 AM 16400]
    R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2009 10:08 PM 133104]
    S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [1/31/2010 8:23 AM 98984]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [1/30/2010 6:35 AM 97808]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/9/2009 10:05 PM 30192]
    S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [1/30/2010 6:36 AM 21648]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [1/30/2010 6:36 AM 21904]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-07-06 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-16 15:59]

    2010-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:08]

    2010-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:08]

    2010-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-1682526488-1801674531-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-1682526488-1801674531-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-05 17:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\SLEEPY HOLLOW\Application Data\LimeWire\mozilla-profile\Cache\D3A366EBd01 86366 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    - - - - - - - > 'explorer.exe'(3492)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    c:\windows\system32\lxdpcoms.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\VTTimer.exe
    c:\windows\SOUNDMAN.EXE
    c:\program files\Lexmark Z2300 Series\lxdpMsdMon.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\AIM6\aolsoftware.exe
    c:\program files\Internet Explorer\iexplore.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-05 17:47:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-06 00:47
    ComboFix2.txt 2010-07-04 06:15

    Pre-Run: 9,671,569,408 bytes free
    Post-Run: 9,727,852,544 bytes free

    - - End Of File - - E6A2E2F44F189389D527F036798C102F
     
  21. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ComboFix 10-07-04.04 - Owner 07/05/2010 18:45:57.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1215.974 [GMT -7:00]
    Running from: c:\documents and settings\SLEEPY HOLLOW\My Documents\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\%appdata%
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\patch.bat . . . . failed to delete
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\settings.xml . . . . failed to delete
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\ShoppingBHO.dll . . . . failed to delete
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\Uninst.exe . . . . failed to delete
    c:\windows\system32\%appdata%\FCSB000062035\Toolbar\version.txt . . . . failed to delete
    .
    ---- Previous Run -------
    .
    c:\windows\system32\%appdata%

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
    .

    2010-07-06 01:54 . 2010-07-06 01:54 -------- d-----w- c:\windows\system32\%APPDATA%
    2010-07-06 01:01 . 2010-07-06 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Yahoo
    2010-07-06 00:59 . 2010-07-06 00:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Conduit
    2010-07-06 00:59 . 2010-07-06 00:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
    2010-07-06 00:59 . 2010-07-06 00:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Softonic-Eng7
    2010-07-06 00:59 . 2010-07-03 02:53 638976 ----a-w- c:\documents and settings\Owner\Application Data\FCSB000062035\Toolbar\ShoppingBHO.dll
    2010-07-06 00:59 . 2010-07-03 02:53 47275 ----a-w- c:\documents and settings\Owner\Application Data\FCSB000062035\Toolbar\Uninst.exe
    2010-07-06 00:59 . 2010-07-06 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\PriceGong
    2010-07-06 00:59 . 2010-07-06 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\FCSB000062035
    2010-07-06 00:59 . 2009-11-25 07:38 713 ----a-w- c:\documents and settings\Owner\Application Data\FCSB000062035\Toolbar\patch.bat
    2010-07-06 00:59 . 2010-07-06 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
    2010-07-04 07:10 . 2010-07-04 07:10 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Local Settings\Application Data\Yahoo
    2010-07-03 22:25 . 2010-07-04 16:38 -------- d-----w- C:\MGtools
    2010-07-03 22:22 . 2010-07-03 22:22 0 ----a-w- c:\documents and settings\SLEEPY HOLLOW\settings.dat
    2010-07-03 22:05 . 2010-07-03 22:05 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\Malwarebytes
    2010-07-03 22:05 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-03 22:05 . 2010-07-03 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-03 22:05 . 2010-07-03 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-03 22:05 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-03 22:03 . 2010-07-03 22:32 63488 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-03 22:03 . 2010-07-03 22:03 52224 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-03 22:03 . 2010-07-03 22:32 117760 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-03 22:03 . 2010-07-03 22:03 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\SUPERAntiSpyware.com
    2010-07-03 22:03 . 2010-07-03 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-07-03 22:03 . 2010-07-03 22:03 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-03 20:51 . 2010-07-03 20:51 -------- d-----w- c:\program files\CCleaner
    2010-07-03 16:51 . 2010-07-06 01:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\PriceGong
    2010-07-03 16:51 . 2010-07-03 16:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
    2010-07-03 04:21 . 2010-07-03 05:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\PriceGong
    2010-07-03 04:21 . 2010-07-03 04:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-07-03 04:10 . 2010-07-03 04:10 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-07-03 02:54 . 2010-07-03 02:54 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\BitZipper
    2010-07-03 02:54 . 2010-07-03 02:54 -------- d-----w- c:\program files\BitZipper
    2010-07-02 22:11 . 2010-07-02 22:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Softonic-Eng7
    2010-07-02 22:11 . 2010-07-02 22:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
    2010-07-02 22:09 . 2010-07-02 22:09 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-07-02 20:03 . 2006-08-01 22:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
    2010-07-02 20:03 . 2008-09-24 17:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
    2010-07-02 20:02 . 2010-07-02 20:02 -------- d-----w- c:\program files\Realtek AC97
    2010-07-02 20:02 . 2006-12-08 22:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
    2010-07-02 20:02 . 2007-04-16 22:28 577536 ----a-w- c:\windows\soundman.exe
    2010-07-02 20:02 . 2006-10-18 09:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
    2010-07-02 20:02 . 2006-07-31 18:19 315392 ----a-w- c:\windows\alcupd.exe
    2010-07-02 20:02 . 2006-07-31 18:27 217088 ----a-w- c:\windows\Alcrmv.exe
    2010-07-02 19:08 . 2010-07-03 16:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Softonic-Eng7
    2010-07-02 19:08 . 2010-07-02 19:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
    2010-07-02 18:25 . 2010-07-02 18:25 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Local Settings\Application Data\Conduit
    2010-07-02 18:25 . 2010-07-02 18:25 -------- d-----w- c:\program files\Conduit
    2010-07-02 18:25 . 2010-07-04 07:10 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Local Settings\Application Data\Softonic-Eng7
    2010-07-02 18:25 . 2010-07-02 22:11 -------- d-----w- c:\program files\Softonic-Eng7
    2010-07-02 18:01 . 2010-07-02 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2010-07-02 06:46 . 2010-07-02 06:46 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-07-02 06:44 . 2010-07-02 06:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
    2010-07-02 05:53 . 2010-07-02 06:44 -------- d-----w- c:\documents and settings\LocalService\UserData
    2010-06-23 23:44 . 2010-06-23 23:44 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb15E.tmp.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-06 02:01 . 2010-04-17 23:33 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\LimeWire
    2010-07-04 15:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-07-04 07:37 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\PriceGong
    2010-07-03 17:41 . 2010-01-29 15:18 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\vlc
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\W3i
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\W3i
    2010-07-03 02:53 . 2010-07-03 02:53 14534 ----a-r- c:\documents and settings\SLEEPY HOLLOW\Application Data\Microsoft\Installer\{E7B100D8-98A5-42AA-830F-16D6BD5351F1}\SystemFolder_msiexec.exe
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\Freeze.com
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\FCSB000062035
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\PriceGong
    2010-07-03 02:53 . 2010-07-03 02:53 638976 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\FCSB000062035\Toolbar\ShoppingBHO.dll
    2010-07-03 02:53 . 2010-07-03 02:53 47275 ----a-w- c:\documents and settings\SLEEPY HOLLOW\Application Data\FCSB000062035\Toolbar\Uninst.exe
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\Shop to Win 2
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\program files\Yahoo!
    2010-07-03 02:53 . 2010-07-03 02:53 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\Yahoo!
    2010-07-02 22:09 . 2010-07-02 22:09 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-07-02 22:09 . 2010-07-02 22:09 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-07-02 22:09 . 2010-07-02 22:09 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-07-02 22:09 . 2010-07-02 22:09 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-07-02 22:08 . 2010-07-02 22:08 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\Common Files\Real
    2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\Real
    2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\Common Files\xing shared
    2010-07-02 22:08 . 2009-08-16 02:05 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-07-02 22:08 . 2009-08-16 02:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-07-02 20:02 . 2009-08-16 01:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-02 06:13 . 2009-09-19 05:34 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-06-26 02:14 . 2010-01-28 17:59 -------- d-----w- c:\documents and settings\SLEEPY HOLLOW\Application Data\Digidesign
    2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-16 16:09 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-04-16 16:09 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-02 2515552]
    "{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll" [2010-01-19 361592]

    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

    [HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]
    [HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]
    [HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
    2010-03-28 19:53 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA}]
    2010-07-03 02:53 638976 ----a-w- c:\program files\Shop to Win 2\ShoppingBHO.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    2010-07-02 22:12 2515552 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
    2010-01-19 22:08 361592 ----a-w- c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-02 2515552]

    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-02 2515552]

    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-16 39408]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
    "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2010-05-05 1000960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-26 149280]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-10 30192]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "VTTimer"="VTTimer.exe" [2004-10-22 53248]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
    "lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
    "lxdpamon"="c:\program files\Lexmark Z2300 Series\lxdpamon.exe" [2008-03-27 16040]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

    c:\documents and settings\SLEEPY HOLLOW\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave2"=Digi32.dll
    "MIDI3"=diomidi.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\WINDOWS\\system32\\lxdpcoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
    "c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
    "c:\\Program Files\\Lexmark Z2300 Series\\Diagnostics\\LXDPdiag.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=

    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [1/30/2010 5:40 AM 16384]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [12/16/2009 6:38 PM 375296]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [1/30/2010 6:35 AM 16400]
    R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2009 10:08 PM 133104]
    S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [1/31/2010 8:23 AM 98984]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [1/30/2010 6:35 AM 97808]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/9/2009 10:05 PM 30192]
    S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [1/30/2010 6:36 AM 21648]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [1/30/2010 6:36 AM 21904]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-07-06 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-16 15:59]

    2010-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:08]

    2010-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:08]

    2010-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-1682526488-1801674531-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-1682526488-1801674531-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-1682526488-1801674531-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

    2010-07-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-1682526488-1801674531-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-05 18:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    - - - - - - - > 'explorer.exe'(2084)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\lxdpcoms.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\VTTimer.exe
    c:\windows\SOUNDMAN.EXE
    c:\program files\Lexmark Z2300 Series\lxdpMsdMon.exe
    c:\program files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-05 19:03:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-06 02:03
    ComboFix2.txt 2010-07-06 00:47
    ComboFix3.txt 2010-07-04 06:15

    Pre-Run: 11,015,471,104 bytes free
    Post-Run: 10,996,797,440 bytes free

    - - End Of File - - 4999181D76A33ABDC23AF9C74909F63A
     
  22. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ComboFix 10-07-04.04 - hollow 07/05/2010 19:12:16.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1215.894 [GMT -7:00]
    Running from: h:\documents and settings\hollow\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
    .

    2010-07-05 16:29 . 2010-07-05 16:29 -------- d-----w- h:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-07-04 08:48 . 2010-07-05 16:24 -------- d-----w- h:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-07-03 06:17 . 2010-07-06 01:40 62304 ----a-w- h:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-07-02 18:30 . 2010-07-02 18:30 -------- d-----w- H:\Google Desktop Data

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-03 06:17 . 2010-01-31 14:15 -------- d-----w- h:\program files\Google
    2010-07-03 06:00 . 2010-01-31 14:52 12328 ----a-w- h:\documents and settings\hollow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- h:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- h:\windows\system32\atmfd.dll
    2010-04-16 16:09 . 2008-04-14 12:00 667136 ----a-w- h:\windows\system32\wininet.dll
    2010-04-16 16:09 . 2008-04-14 12:00 81920 ----a-w- h:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Jing"="h:\program files\TechSmith\Jing\Jing.exe" [2010-01-19 3118344]
    "swg"="h:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-07 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2004-10-22 53248]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=

    S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [7/2/2010 11:17 PM 135664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-06 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-07-03 06:17]

    2010-07-05 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-07-03 06:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - h:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-05 19:15
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-07-05 19:16:11
    ComboFix-quarantined-files.txt 2010-07-06 02:16
    ComboFix2.txt 2010-07-06 00:47
    ComboFix3.txt 2010-07-04 06:15

    Pre-Run: 925,646,848 bytes free
    Post-Run: 1,226,547,200 bytes free

    - - End Of File - - 8A5F6E9C2374C3D6977EB212F0934804
     
  23. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

here are all the logs, what do i do now ?
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please read this:
    How to attach items to your post.


    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
• You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
• After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe

    NOTE: The Command Prompt window text can be copied to the clip board by right clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.

    Now - please do the following:
    Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
     
  25. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: b6305d935ffe3d2c88fbdca980abf6be
    \\.\H: -> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    55 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  26. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    now what do i do ???
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try to verify the MBR infection:

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • click on the top bar of the Window
    • select Edit - select all
    • again select Edit then copy.
    • Open a notepad and press Control+V
    • now please copy that report to this thread
     
  28. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    MBRCheck, version 1.0.2
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\H: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    55 GB \\.\PhysicalDrive0 Unknown MBR code


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
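An added example, not code from MBRCheck, Bootkit Remover or this thread, of what those tools are doing when they print "Unknown MBR code": parse a 512-byte MBR dump (such as the file MBRCheck option [1] writes), fingerprint the 446-byte boot-code region and compare it against an allow-list of known-good hashes. The sample sectors and the known-good hash set are constructed for the demo, not real Windows XP boot code.

```python
"""Classify a raw 512-byte MBR the way MBRCheck / Bootkit Remover report it.

Added example for this thread, not code from either tool or from MajorGeeks.
Sample sectors and the known-good hash set below are constructed for the
demo; a real allow-list must hold hashes of genuine boot code from a
trusted installation of the same Windows version.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 are executable boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries
SIGNATURE_OFFSET = 510        # must hold 0x55 0xAA


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    valid_signature: bool
    boot_code_md5: str
    status: str                # "Standard boot code" or "Unknown MBR code"
    partitions: List[PartitionEntry]


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the non-empty slots of the partition table (CHS fields skipped)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id != 0:
            entries.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return entries


def boot_code_md5(mbr: bytes) -> str:
    """Fingerprint only the code region; the partition table is machine-specific."""
    return hashlib.md5(mbr[:BOOT_CODE_SIZE]).hexdigest()


def analyse_mbr(mbr: bytes, known_good: Set[str]) -> MbrReport:
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    digest = boot_code_md5(mbr)
    status = "Standard boot code" if digest in known_good else "Unknown MBR code"
    return MbrReport(mbr[SIGNATURE_OFFSET:] == b"\x55\xaa", digest, status,
                     parse_partition_table(mbr))


def load_mbr_dump(path: str) -> bytes:
    """Read a sector dump such as the file written by MBRCheck option [1]."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def _build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given code, one active NTFS partition (~55 GB), signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 115_343_297)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed stand-in for the stock boot code (not real Windows XP bytes).
STANDARD_MBR = _build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32)
KNOWN_GOOD = {boot_code_md5(STANDARD_MBR)}

# Same partition table, but the first bytes of code jump elsewhere: a bootkit
# typically leaves the table intact, so only the code fingerprint changes.
TAMPERED_MBR = b"\xeb\x3c\x90" + STANDARD_MBR[3:]


def mbrcheck_style_line(size_gb: int, device: str, report: MbrReport) -> str:
    return f"{size_gb} GB  {device}  {report.status}"


if __name__ == "__main__":
    for label, sector in (("clean", STANDARD_MBR), ("tampered", TAMPERED_MBR)):
        rep = analyse_mbr(sector, KNOWN_GOOD)
        print(label, mbrcheck_style_line(55, r"\\.\PhysicalDrive0", rep),
              "md5=" + rep.boot_code_md5, "sig_ok=" + str(rep.valid_signature))
        for p in rep.partitions:
            print(f"  type=0x{p.type_id:02x} bootable={p.bootable} "
                  f"lba={p.lba_start} sectors={p.sector_count}")
```

Note that the tampered sector still has a valid 0x55AA signature and an unchanged partition table, which is why a partition-table sanity check alone does not catch it and the tools fingerprint the code region instead.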
     
  29. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    what to do now ?
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.


    Now - please do the following:

    • Click Start, Run then copy and paste the below into the Run box and click OK.

    "%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive0

    • Now reboot your PC and after reboot continue with the below instructions.
    • Disable System Restore on all drives.
• Look for the below folder and if it still exists, delete it.
      • C:\System Volume Information\Microsoft

    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • C:\MGlogs.zip


    Make sure you tell me how things are working now!
     
  31. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    it says windows cant find it when i copy and paste it in to run
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is Remover.exe still on your desktop?
     
  33. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hummmm.....then let's see if we can use MBRCheck.exe to fix it.
    • Double-click MBRCheck.exe to run it. {Previously downloaded}
    • When the scan results are presented and you see -
      Found non-standard or infected MBR.
      Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Now enter 'Y' and hit ENTER
    • NOTE: These options will be shown
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Select [2] ...and then hit ENTER.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  35. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    ******************************************************************************
    * GetLogs.Bat - (c) 10/02/2006 By Chaslang *
    * This version supports Win2K, XP, Vista and Win 7 *
    * This small batch file is just used to automatically run all of the scans *
    * that are part of the MGtools collection. *
    * It is automatically run by MGtools.exe during installation and can be run *
    * at anytime there after to create a full set of logs. *
    * 06/01/2010 Version 2.32 - Language support for Desktop folder *
    ******************************************************************************

    32 bit Windows OS found

    Running scan with GetUnkeys.bat - 08/11/2006 by Chaslang and ShadowPuterDude

    32 bit Windows OS found
    updating: GetUnKey.txt (188 bytes security) (deflated 90%)


    Running scan with GetRunKeys.Bat Version 2.54 - (c) 01/28/2006 By Chaslang


    NOTE: Ignore any error messages about not finding registry keys!
    Just wait for the program to finish running!!

    adding: runkeys.txt (188 bytes security) (deflated 81%)


    Running scan with ShowNew.Bat - (c) 07/01/2006 By Chaslang

    ************************** WARNING **************************
    If you see a popup saying that:

    SteelWerX WhoAmI application has stopped working

    do not click the Cancel button that first appears. Wait for
    the Close program button to appear and click it to continue
    ************************** WARNING **************************

    Scanning please Wait.
    ============= Finding copies of actxprxy.dll ============= Please be patient
    ============= Finding copies of atapi.sys ================ Please be patient
    ============= Finding copies of beep.sys ================= Please be patient
    ============= Finding copies of csrss.exe ================ Please be patient
    ============= Finding copies of ctfmon.exe =============== Please be patient
    ============= Finding copies of eventlog.dll ============= Please be patient
    ============= Finding copies of explorer.exe ============= Please be patient
    ============= Finding copies of kernel32.dll ============= Please be patient
    ============= Finding copies of lsass.exe ================ Please be patient
    ============= Finding copies of netlogon.dll ============= Please be patient
    ============= Finding copies of powrprof.dll ============= Please be patient
    ============= Finding copies of proquota.exe ============= Please be patient
    ============= Finding copies of regedit.exe ============== Please be patient
    ============= Finding copies of scecli.dll ============= Please be patient
    ============= Finding copies of services.exe ============= Please be patient
    ============= Finding copies of spoolsv.exe ============== Please be patient
    ============= Finding copies of svchost.exe ============== Please be patient
    ============= Finding copies of tcpip.sys ================ Please be patient
    ============= Finding copies of tcpip6.sys =============== Please be patient
    ============= Finding copies of termsrv.dll ============== Please be patient
    ============= Finding copies of userinit.exe ============= Please be patient
    ============= Finding copies of user32.dll =============== Please be patient
    ============= Finding copies of wininit.dll ============== Please be patient
    ============= Finding copies of winlogon.exe ============= Please be patient
    ============= Finding copies of ip6fw.sys ================ Please be patient
    ============= Finding copies of ndis.sys ================= Please be patient
    ============= Finding copies of ntfs.sys ================= Please be patient
    ============= Finding copies of ws2_32.dll ============== Please be patient

    Checking for .COM files to Delete. They will only print if deleted!
    Listing COM, DLL, EXE, and SYS file in C:\WINDOWS
    Locating COM files in C:\WINDOWS\system32 - recursive
    Locating DLL files in C:\WINDOWS
    Locating DLL files in C:\WINDOWS\system32 - recursive
    Locating EXE files in C:\WINDOWS
    Locating EXE files in C:\WINDOWS\system32 - recursive
    Locating SYS files in C:\WINDOWS
    Locating SYS files in C:\WINDOWS\system32 - recursive
    adding: newfiles.txt (188 bytes security) (deflated 83%)
    adding: ffdata.txt (188 bytes security) (deflated 68%)
    adding: winfiles.txt (188 bytes security) (deflated 88%)


    Zipping C:\MGtools\UserInfo.txt
    adding: UserInfo.txt (188 bytes security) (deflated 74%)

    Please be patient while the below tests are running!!
    Checking Local Loopback Ping
    Checking Google IP Ping
    Checking Google URL Ping
    Getting IPConfig Info
    Compressing nwktst.txt log file
    adding: nwktst.txt (188 bytes security) (deflated 80%)
    Finished with NwkTst.bat



    Running analyse.exe
    Finished running analyse.exe


    The C:\MGTools\temp\GRKflag.log exists. Deleting it!

    Getting System Information
    Found and Zipping sysinfo.txt
    adding: sysinfo.txt (188 bytes security) (deflated 82%)
    Finished Zipping sysinfo.txt

    Getting System Restore Information
    Found and Zipping sysrest.txt
    adding: sysrest.txt (188 bytes security) (stored 0%)
    Finished Zipping sysrest.txt

    Found and Zipping hijackthis.log
    adding: hijackthis.log (188 bytes security) (deflated 68%)
    Finished Zipping hijackthis.log

    Running processdll.exe to find loaded DLLs
    Found and Zipping procdll.txt
    adding: procdll.txt (188 bytes security) (deflated 92%)
    Finished Zipping procdll.txt

    Found and Zipping C:\combofix.txt
    adding: combofix.txt (188 bytes security) (deflated 77%)
    Finished Zipping combofix.txt



    Zipping filelog.txt
    adding: filelog.txt (188 bytes security) (deflated 81%)
    Finished Zipping filelog.txt



    *** Scanning complete - Your log file is C:\MGlogs.zip ***


    Hitting any key will close this command prompt window
    Press any key to continue . . .
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry, but you need to try and read and follow the instructions properly. First you need to stop posting logs inline with messages. All logs need to be attachments and this has been explained multiple times.

    In addition, what you just posted in your last message is not what was requested at all. You need to attach the info from MBRCheck and then you need to attach the C:\MGlogs.zip file. Even the text that you posted told you in the last lines where the log was. And you have previously already attached one of these so you clearly already know how to do it.
     
  37. MRFRIENDLYGUY

    MRFRIENDLYGUY Private E-2

    I think this is what you are asking for.
     

    Attached Files:

  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need to see a log from MBRCheck. Please do the below.


    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
    Last edited by a moderator: Jul 19, 2010
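The MBRCheck steps in posts 34 and 38 come down to one question: does the first sector of the disk still hold the expected boot code and signature? The script below is an added example (not MajorGeeks' or MBRCheck's code) of what a defender can do with an MBR dumped to a file via option [1]: verify the 0x55AA signature, list the partition table, and compare the boot-code region against a hash taken from a known-clean machine. The sample image, its placeholder boot stub and the baseline hash are constructed here for illustration; on a real system the baseline would come from a trusted dump.

```python
import hashlib
import struct

# Added example (not MBRCheck's or MajorGeeks' code): inspect a 512-byte MBR dump.
SECTOR = 512
BOOT_CODE_LEN = 446       # bytes 0..445: executable boot code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # bytes 510..511

def parse_partitions(mbr):
    """Return the non-empty entries of the primary partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts

def check_mbr(mbr, baseline_sha256):
    """Return a list of findings; an empty list means the MBR looks as expected."""
    if len(mbr) != SECTOR:
        return [f"unexpected image length {len(mbr)}"]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if digest != baseline_sha256:   # boot code changed: a different loader, or tampering
        findings.append(f"boot code differs from baseline (sha256 {digest[:16]}...)")
    if sum(p["bootable"] for p in parse_partitions(mbr)) != 1:
        findings.append("expected exactly one active partition")
    return findings

def build_sample_mbr(tamper=False):
    """Constructed sample image, not a real disk: one active NTFS partition at LBA 2048."""
    boot = bytearray(b"\xeb\xfe" + b"\x00" * (BOOT_CODE_LEN - 2))  # placeholder jmp $ stub
    if tamper:
        boot[0x100:0x104] = b"\xde\xad\xbe\xef"  # simulate overwritten boot code
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return bytes(boot) + entry0 + b"\x00" * 48 + SIGNATURE

# Hash of the constructed clean sample's boot code; on a real system capture this from a trusted dump.
CLEAN_BASELINE = hashlib.sha256(build_sample_mbr()[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    for label, image in (("clean", build_sample_mbr()), ("tampered", build_sample_mbr(tamper=True))):
        print(label, check_mbr(image, CLEAN_BASELINE) or "OK")
        print("  partitions:", parse_partitions(image))
```

To run it against a real dump, read the first 512 bytes of the file MBRCheck wrote and pass them to check_mbr together with a baseline hash captured before the infection.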
