Thanks for this free service! But if anyone can help me get rid of this Trojan there will definitely be some PayPal love!
Here's the ComboFix log. Malwarebytes and SUPERAntiSpyware don't seem to find anything at all when they scan, but AVG is showing it frequently: seemingly an svchost.exe trojan that hijacks pages, won't let me view technical solution pages, and randomly refers following Google searches too (if you go back and search again it will let them through).
Is there any anti-virus/trojan software out there good enough to actually prevent these things? Or will they always be one step ahead of those who help find solutions?
ComboFix 09-11-25.03 - Compaq_Owner 11/25/2009 20:27.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.401 [GMT -5]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\pyrizupuq.bat
c:\documents and settings\All Users\Documents\awunyl.inf
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Compaq_Owner\Application Data\uderucej.vbs
c:\documents and settings\Compaq_Owner\Cookies\ewubyfah.scr
c:\documents and settings\Compaq_Owner\Cookies\ezyfur._sy
c:\documents and settings\Compaq_Owner\Cookies\otukoqusa.sys
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\uvyqi.inf
c:\documents and settings\Compaq_Owner\ntuser.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\recycler\S-1-5-21-3599618336-589856690-2436077665-1012
c:\recycler\S-1-5-21-9959337303-5378144185-711673109-9942
c:\windows\asaj.vbs
c:\windows\azilelypi.scr
c:\windows\system32\__c004CF81.dat
c:\windows\system32\6to4v32.dll
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\dagamami.dll
c:\windows\system32\daqdrv.sys
c:\windows\system32\eq7723.dll
c:\windows\system32\ikycy.vbs
c:\windows\system32\ps2.bat
c:\windows\system32\sshnas.dll
c:\windows\system32\wafatoto.dll
c:\windows\system32\zudawahi.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\Temp\4070480208.exe
c:\windows\TEMP\rundll32.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
-------\Service_SSHNAS
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.
2009-11-26 01:22 . 2009-11-26 01:22 46080 ----a-w- C:\nijap.exe
2009-11-26 01:22 . 2009-11-26 01:22 53248 ----a-w- C:\dxtsyxru.exe
2009-11-26 01:22 . 2009-11-26 01:22 12288 ----a-w- C:\jpvedf.exe
2009-11-24 04:19 . 2009-11-24 04:19 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-23 23:59 . 2009-11-23 23:59 -------- d-----w- c:\documents and settings\Erin\Application Data\SUPERAntiSpyware.com
2009-11-23 23:22 . 2009-11-23 23:22 -------- d-----w- c:\documents and settings\Erin\Application Data\Malwarebytes
2009-11-22 23:10 . 2009-11-22 23:10 -------- d-----w- c:\documents and settings\Quinn\Local Settings\Application Data\Apple Computer
2009-11-22 23:09 . 2009-11-22 23:09 79440 ----a-w- c:\documents and settings\Quinn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 01:23 . 2009-08-09 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 12:29 . 2008-12-24 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 01:33 . 2009-08-09 18:03 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 01:33 . 2009-08-09 18:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 14:37 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-24 04:18 . 2009-11-22 23:08 -------- d-----w- c:\documents and settings\Quinn\Application Data\Gtek
2009-11-03 01:42 . 2009-10-03 12:29 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 20:10 . 2008-08-11 18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-19 20:52 . 2009-02-05 23:32 79440 ----a-w- c:\documents and settings\Lilia Hope\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 12:06 . 2006-02-27 02:03 79440 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 11:59 . 2006-03-13 00:56 79440 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 02:59 . 2009-10-15 02:59 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-13 21:10 . 2009-10-13 21:10 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-06 11:13 . 2006-12-19 02:00 -------- d-----w- c:\program files\PeerGuardian2
2009-10-03 12:41 . 2005-12-02 23:13 -------- d-----w- c:\program files\Common Files\Real
2009-10-03 12:40 . 2009-10-03 12:40 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-03 12:40 . 2003-03-19 11:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-03 12:40 . 2003-02-21 19:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2008-08-16 00:16 . 2008-08-16 00:15 1513959 ----a-w- c:\program files\wordpress-2.6.1.zip
2008-12-20 04:03 . 2006-02-23 12:50 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 04:03 . 2006-02-23 12:50 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 04:03 . 2007-06-30 11:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 04:03 . 2007-06-30 11:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 04:03 . 2006-02-23 12:50 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-2 27136]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-25 01:32 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-11 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\SupportSoft\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/11/2009 8:23 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/11/2009 8:23 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/11/2009 8:22 AM 297752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S2 gupdate1c96614b910bed2;Google Update Service (gupdate1c96614b910bed2);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 5:12 PM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S2 moqmw;moqmw;\??\c:\windows\system32\drivers\ydgaqfukz.sys --> c:\windows\system32\drivers\ydgaqfukz.sys [?]
S3 daqdrv;daqdrv;\??\c:\windows\system32\daqdrv.sys --> c:\windows\system32\daqdrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-11-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 00:59]
2009-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]
2009-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]
2009-11-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2009-11-23 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-13 13:22]
2009-11-25 c:\windows\Tasks\User_Feed_Synchronization-{72D10B34-5CED-42D0-A5EF-DA7C7F6FDD2F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\a46wawl0.default\
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
BHO-{B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - c:\windows\system32\eq7723.dll
BHO-{bacd3b09-56e9-4040-a9ff-ca850b3ad145} - zudawahi.dll
HKLM-Run-kewulabihe - dagamami.dll
HKU-Default-Run-calc - c:\windows\system32\config\SYSTEM~1\ntuser.dll
SharedTaskScheduler-{B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - c:\windows\system32\eq7723.dll
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini
AddRemove-dBpowerAMP AAC Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP AAC Codec.dat
AddRemove-dBpowerAMP DirectShow Decoder Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP DirectShow Decoder Codec.dat
AddRemove-dBpowerAMP FLAC Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
AddRemove-dBpowerAMP Monkeys Audio Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
AddRemove-dBpowerAMP Mp3 (MPEG Suite 2000 CLI) - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP Mp3 (MPEG Suite 2000 CLI).dat
AddRemove-dBpowerAMP Music Converter - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
AddRemove-dBpowerAMP Ogg Vorbis Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
AddRemove-dBpowerAMP Shorten Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP Shorten Codec.dat
AddRemove-dBpowerAMP Wavpack Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP Wavpack Codec.dat
AddRemove-dBpowerAMP WMA V9.1 Codec - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
AddRemove-dMC Power Pack - c:\windows\system32\SpoonUninstall.exec:\windows\system32\SpoonUninstall-dMC Power Pack.dat
AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
AddRemove-Flash Video Save Adapter for FireFox - c:\documents and settings\Compaq_Owner\Desktop\Powerpoint templates\New Folder\Flash Video Save Adapter for Firefox\uninst.exe
AddRemove-PS2 - c:\windows\system32\ps2.exe uninstall
AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 21:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8614F369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7674f28
\Driver\ACPI -> ACPI.sys @ 0xf74e7cb8
\Driver\atapi -> atapi.sys @ 0xf73ca852
\Driver\iaStor -> iaStor.sys @ 0xf73eeade
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf727cbd4
PacketIndicateHandler -> NDIS.sys @ 0xf7288a21
SendHandler -> NDIS.sys @ 0xf727cd44
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(632)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSvcCDA.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-25 21:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 02:23
Pre-Run: 24,173,797,376 bytes free
Post-Run: 30,378,586,112 bytes free
- - End Of File - - 4059A42AE11D20B0A8B71EAF46A7D72B
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-13 13:22]
2009-11-25 c:\windows\Tasks\User_Feed_Synchronization-{72D10B34-5CED-42D0-A5EF-DA7C7F6FDD2F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\a46wawl0.default\
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
BHO-{B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - c:\windows\system32\eq7723.dll
BHO-{bacd3b09-56e9-4040-a9ff-ca850b3ad145} - zudawahi.dll
HKLM-Run-kewulabihe - dagamami.dll
HKU-Default-Run-calc - c:\windows\system32\config\SYSTEM~1\ntuser.dll
SharedTaskScheduler-{B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - c:\windows\system32\eq7723.dll
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini
AddRemove-dBpowerAMP AAC Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP DirectShow Decoder Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP FLAC Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP Monkeys Audio Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP Mp3 (MPEG Suite 2000 CLI) - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP Music Converter - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP Ogg Vorbis Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP Shorten Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP Wavpack Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpowerAMP WMA V9.1 Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dMC Power Pack - c:\windows\system32\SpoonUninstall.exe
AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
AddRemove-Flash Video Save Adapter for FireFox - c:\documents and settings\Compaq_Owner\Desktop\Powerpoint templates\New Folder\Flash Video Save Adapter for Firefox\uninst.exe
AddRemove-PS2 - c:\windows\system32\ps2.exe uninstall
AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 21:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8614F369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7674f28
\Driver\ACPI -> ACPI.sys @ 0xf74e7cb8
\Driver\atapi -> atapi.sys @ 0xf73ca852
\Driver\iaStor -> iaStor.sys @ 0xf73eeade
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf727cbd4
PacketIndicateHandler -> NDIS.sys @ 0xf7288a21
SendHandler -> NDIS.sys @ 0xf727cd44
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(632)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSvcCDA.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-25 21:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 02:23
Pre-Run: 24,173,797,376 bytes free
Post-Run: 30,378,586,112 bytes free
- - End Of File - - 4059A42AE11D20B0A8B71EAF46A7D72B