Free Malware Removal Forum

[Shaba]

Please try to run it in safe mode then.

[yanksrcool05]

Shaba, I never used safe mode before. I pressed F5, chose safe mode, chose my XP machine, and I got a list of files. I was absolutely panicking, thinking I somehow messed up the computer. Then, I hold down the power down button again and I get a new screen that asks me whether I want to boot in safe mode. I said yes. In order to avoid this dilemma again, can you tell me the right way to boot in safe mode. Also, when I got back into to regular mode, it told me I had a corrupt msnmsgr tmp IE5 file with a whole lot of letters and numbers. I decided to run a MalwareBytes Scan. I found a trojan.

Malwarebytes' Anti-Malware 1.36
Database version: 1979
Windows 5.1.2600 Service Pack 3

4/24/2009 5:30:35 PM
mbam-log-2009-04-24 (17-30-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182637
Time elapsed: 1 hour(s), 14 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hopefully, this is what's causing the random tmp files. I have not forgotten the Dr. Web Cure-It scan though. I just need thorough, idiot-proof instructions to boot in safe mode .

Thank you for sticking with my difficult computer and I. This is a wonderful site and I trust your expertise to solve my computer related problems .

[Shaba]

Having list of files in the bottom of screen is totally normal as windows shows which drivers are loaded.

So it was correct what you did first, please do that again

[yanksrcool05]

Shaba, I'm very busy at the moment, so I'll have this done in a few days. One more question about Safe Mode. When it shows me the list of drivers, what do I do? I try holding down the "power off" button, but it booted up normally.

[Shaba]

Well when it shows list of drivers, just let it finish.

It should boot after that to safe mode. When in safe mode, it says safe mode in desktop background in corners.

[yanksrcool05]

Shaba, I suffered a setback .

When I entered safe mode, I couldn't run the scanner because the file was corrupted. Now, when I go into MSN, my icon changed from a soccer ball to a picture of Earth. Those tmp files returned, and now Verizon Internet Security Suite won't work because of a "ZKChunkReader" virus. I am very afraid right now. There's a virus on my computer corrupting files

[Shaba]

"Now, when I go into MSN, my icon changed from a soccer ball to a picture of Earth."

That can be changed back from settings, not related to infection.

"There's a virus on my computer corrupting files "

Yes it is possible and not really good if so.

Running this should tell more:

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

[yanksrcool05]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:48 AM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409 ... sp?Ext=pdf
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2062053250
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 6834 bytes

ComboFix 09-04-29.03 - Mom 04/29/2009 23:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.224 [GMT -4:00]
Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Updated)
FW: Verizon Internet Security Suite Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\program files\ystem3~1
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\temp\tn3
c:\windows\SYSTEM32\abeeg.bak2
c:\windows\SYSTEM32\abeeg.ini
c:\windows\SYSTEM32\abeeg.tmp
c:\windows\system32\comrepl.exe
c:\windows\system32\cthbentr.ini
c:\windows\system32\fnts~1
c:\windows\system32\ggupflqp.ini
c:\windows\system32\hcrlkaex.ini
c:\windows\system32\kmefwacw.ini
c:\windows\system32\mbols~1
c:\windows\system32\sembly~1
c:\windows\system32\T3
c:\windows\system32\T4
c:\windows\system32\T6
c:\windows\system32\T7
c:\windows\system32\T9
c:\windows\system32\wnsxs~1
c:\windows\system32\yupyytik.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZESOFT


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-23 18:50 . 2009-04-23 18:50 -------- d-----w c:\documents and settings\Mom\DoctorWeb
2009-04-20 18:44 . 2009-04-20 18:45 -------- d-----w C:\rsit
2009-04-16 15:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 15:52 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 15:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 15:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 15:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 15:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 15:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 15:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 15:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 15:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 15:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 04:57 . 2009-04-14 04:57 -------- d-sh--w c:\documents and settings\Mom\IECompatCache
2009-04-14 02:16 . 2009-04-14 02:16 -------- d-----w c:\program files\Trend Micro
2009-04-14 01:30 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 01:30 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 01:30 . 2009-04-14 01:32 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 03:54 . 2008-10-27 17:30 592672 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-30 03:54 . 2008-10-27 17:30 49244 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-30 03:54 . 2008-10-27 17:30 440984 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-30 03:54 . 2008-10-27 17:30 35141152 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-17 00:40 . 2009-03-08 16:13 4548 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-04-14 00:19 . 2009-02-26 04:04 -------- d-----w c:\program files\Astonsoft
2009-04-14 00:18 . 2008-12-24 16:25 -------- d-----w c:\program files\Maxis
2009-04-14 00:18 . 2004-05-17 18:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 19:23 . 2006-12-05 03:40 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-04-11 01:47 . 2008-09-01 03:33 -------- d-----w c:\program files\Bradbury Application Company
2009-04-11 01:46 . 2008-08-05 03:52 -------- d-----w c:\program files\MVPedit
2009-04-04 01:35 . 2009-01-30 22:13 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-14 17:50 . 2005-02-22 00:29 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 00:56 . 2004-06-03 00:39 99552 -c--a-w c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-11 00:53 . 2009-03-11 00:53 -------- d-----w c:\program files\Microsoft
2009-03-11 00:53 . 2009-03-11 00:52 -------- d-----w c:\program files\Windows Live
2009-03-11 00:53 . 2009-03-11 00:53 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-11 00:47 . 2009-03-11 00:47 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-09 02:06 . 2009-03-09 02:06 -------- d-----w c:\program files\easetech
2009-03-08 16:29 . 2008-04-27 18:48 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-08 16:16 . 2009-03-08 16:16 -------- d-----w c:\program files\MSBuild
2009-03-08 16:16 . 2009-03-08 16:16 -------- d-----w c:\program files\Reference Assemblies
2009-03-08 08:34 . 2004-08-24 00:32 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2002-08-29 10:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2002-08-29 10:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2002-08-29 10:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2002-08-29 10:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2002-08-29 10:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2002-08-29 10:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2002-08-29 10:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2002-08-29 10:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2002-08-29 10:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 20:31 . 2009-03-05 20:26 -------- d-----w c:\program files\ClearAll
2009-02-09 12:10 . 2004-03-30 01:48 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-03-06 02:16 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-07-15 21:01 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 1980-01-01 05:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2002-08-29 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 1980-01-01 05:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2002-08-29 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-31 01:00 . 2009-01-31 00:54 59552072 ----a-w C:\Setup-VISS_Consumer_7.0.exe
2009-01-30 23:00 . 2002-09-03 13:59 67 --sha-w c:\windows\Fonts\DESKTOP.INI
2007-06-04 13:46 . 2007-06-04 13:46 1060386 --sh--w c:\windows\SYSTEM32\hcrlkaex.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-04 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-02 01:33 10536 ----a-w c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll
"wave3"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"NetSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"GoToAssist"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2004\\mvp2004.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe [2008-10-24 96496]
R3 SNDMI13;Mega Pixel Camera (8105 SXGA);c:\windows\system32\DRIVERS\sndmi13.sys [2005-05-31 219520]
R4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
R4 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-04 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b604a53b-cfea-11db-a4ab-000cf1ce1004}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3911f4f-f788-11db-a4c2-000cf1ce1004}]
\Shell\AutoRun\command - f:\system\viewer\Viewer.exe
\Shell\View your videos\command - f:\system\viewer\Viewer.exe
.
Contents of the 'Scheduled Tasks' folder

2004-05-22 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{58154FDF-6406-4527-90E7-F58DDF89A878} - (no file)
Toolbar-{d51d388b-f5dc-471a-a1ce-5e2d671091c0} - (no file)
WebBrowser-{D51D388B-F5DC-471A-A1CE-5E2D671091C0} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-ClearAllHistory - c:\program files\ClearAll\cah.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409 ... sp?Ext=pdf
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 23:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1156)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-04-30 0:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 04:02

Pre-Run: 48,879,112,192 bytes free
Post-Run: 49,018,990,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

241 --- E O F --- 2009-04-29 07:03

I was so afraid running a powerful tool like ComboFix. I kept getting those corrupt file messages. Simply ignored them and let ComboFix run. Please assure me that I'm safe and didn't do anything stupid By the way, I did turn off the real time VISS before the scan and after the reboot when it told me to disable it. Then I clicked OK. Hopefully, nothing bad happened. Strangely before I ran the scan, VISS started working again.

[Shaba]

What error message did ComboFix give?

Anything about virut?

[yanksrcool05]

When installing the Recovery Console, the ComboFix cmd had a couple of corrupt and unreadable messages. It still installed successfully. Then I got a popup from the task bar telling me of more corrupt tmp files (I think it said "Attrib.exe at the top) that I should use the chkdsk utility. I ignored it. Then whilst ComboFix deleting bad files, I got an XP error message of another corrupt file. I simply let ComboFix finish without touching anything. I also received a prompt that Windows Explorer must shut down. I wated until after it was finished. I really feel that we are fianlly makin progress, ridding my PC of all these files. Since there are so many corrupt tmp files, maybe I should run ATF Cleaner? I already have it. I'll wait until your response and orders. Thank you so much.

Oddly, the logo changed back to a soccer ball at the MSN Login Screen.

[Shaba]

Running atf cleaner and chkdsk next would be good idea.

Let me know how it works after that.

[yanksrcool05]

Shaba, should I place a check next to every option for ATF? Also, I have no idea what chkdsk is, where to find it, or how to use it.

[yanksrcool05]

Shaba, I deleted all tmp files with ATF. Now I have to learn about Chkdsk utility.

[Shaba]

Here is good thread about it

[yanksrcool05]

I haven't run the chkdsk utility yet. Still, no more random tmp files. Everthing's worth it. As of now, no more corrupt files.