ComboFix 09-02-24.02 - Dave 2009-02-24 22:48:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1455 [GMT 0:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\init32.exe
c:\windows\system32\JRAccMoq.ini
c:\windows\system32\JRAccMoq.ini2
c:\windows\system32\oratpkjb.ini
c:\windows\system32\pqlkpsmr.ini
c:\windows\system32\rktjpart.ini
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\phnbqqru.job
c:\windows\Tasks\pojygpgt.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))

2009-02-24 22:17 . 2009-02-24 22:17 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 22:17 . 2009-02-24 22:17 d-------- c:\documents and settings\Dave\Application Data\Malwarebytes
2009-02-24 22:17 . 2009-02-24 22:17 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-24 22:17 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 22:17 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-24 16:50 . 2009-02-24 16:50 d-------- c:\documents and settings\Webex.DELLD620\Application Data\SUPERAntiSpyware.com
2009-02-06 09:25 . 2009-02-06 09:25 d-------- c:\documents and settings\Dave\Application Data\U3
2009-02-05 17:32 . 2009-02-05 17:32 d-------- c:\program files\iTunes
2009-02-05 17:32 . 2009-02-05 17:32 d-------- c:\program files\iPod
2009-02-05 17:32 . 2009-02-05 17:32 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-05 17:32 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-02-05 17:32 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-05 17:04 . 2009-02-05 17:04 d-------- c:\program files\Bonjour
2009-02-05 17:04 . 2009-02-24 21:20 d-------- c:\documents and settings\Dave\Application Data\Apple Computer
2009-02-05 17:03 . 2009-02-05 17:03 d-------- c:\program files\Apple Software Update
2009-02-05 17:03 . 2009-02-05 17:03 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-02-05 17:02 . 2009-02-05 17:02 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-02-05 17:02 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-02-05 17:01 . 2009-02-05 17:01 69,076,264 --a------ C:\iTunesSetup.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-02-24 20:11 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-02-24 16:50 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-05 17:32 --------- d-----w c:\program files\Common Files\Apple
2009-02-05 17:03 --------- d-----w c:\program files\QuickTime
2009-02-05 15:48 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-05 15:48 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-17 16:59 --------- d-----w c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com
2009-01-17 16:59 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-01-17 16:40 --------- d-----w c:\program files\CCleaner
2009-01-09 20:35 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-01-09 19:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-09 09:18 737,280 ----a-w c:\windows\iun6002.exe
2009-01-08 20:29 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-01-08 20:23 --------- d-----w c:\program files\SmartPCTools
2008-12-30 16:11 --------- d-----w c:\documents and settings\Dave\Application Data\AVGTOOLBAR
2007-08-23 12:36 60,968 ----a-w c:\documents and settings\win user\GoToAssistDownloadHelper.exe
2008-09-19 13:11 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-09-19 13:11 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-19 13:12 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0X1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 15:48 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 10:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IRIScan 2 button manager]
--a------ 2008-02-26 10:17 2319024 c:\program files\iriscn2i\bmanm12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-05-10 09:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 10:00 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Readiris Pro 11\\readiris.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP Deskjet 1280\\WebReg\\WebReg.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-20 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-20 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-30 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-10 298264]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

- - - - ORPHANS REMOVED - - - -

BHO-{3828d8e6-35cf-4934-88c3-8fbf600b3cf9} - (no file)
Notify-jkkHXrqN - jkkHXrqN.dll
MSConfigStartUp-545aa7bd - c:\windows\system32\trapjtkr.dll
MSConfigStartUp-Dell QuickSet - c:\program files\Dell\QuickSet\quickset.exe

------- Supplementary Scan -------

uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\3ybwg2a8.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 22:52:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\netprovcredman.dll

------------------------ Other Running Processes ------------------------

c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

**************************************************************************

Completion time: 2009-02-24 22:55:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 22:55:29

Pre-Run: 56,493,228,032 bytes free
Post-Run: 56,971,677,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

216 --- E O F --- 2008-12-18 17:38:19
combo fix log

Looks good.
How is the computer running now?
Your Java is out of date.
Older versions have vulnerabilities that malicious sites can use to infect your system.
First install the new Sun Java Runtime Environment
Be sure to close all browser windows before beginning the install.
Remove the old version(s)
Download JavaRa
- Unzip the file and open the JavaRa.exe
- Click Remove Older Versions
- JavaRa will search for and remove any outdated version of Java and remove any that are found.
- Click Additional Tasks
- Place a check next to Remove Useless JRE Files and click Go
- Exit JavaRa
- Delete the JavaRa files from the Desktop
Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

Seems to be running a lot faster, everything seems to be working as well now, which is a massive improvement from before. Thank you so much for all of your help, really appreciate it all.
will

Sounds good.
Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
- Click START then RUN
- Now TYPE Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
The above procedure will:
- Delete:
  - ComboFix and its associated files and folders.
  - VundoFix backups, if present
  - The C:\Deckard folder, if present
  - The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
----------
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to FINISH and scroll down to see if any updates are needed.
- Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also STOP certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
- Using SpywareBlaster to protect your computer from Spyware and Malware
- If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.