Author Topic: HJT Log Check Please (strange issues)  (Read 108 times)


Offline shinneh

  • KRC Newbie
  • Posts: 55
HJT Log Check Please (strange issues)
« on: July 15, 2010, 08:29:18 PM »
Of course, I have run Malwarebytes and SUPERAntiSpyware, along with ATF Cleaner before and after each program, and the problem is still there. Problem: randomly, "commercials" will play on my speakers but with no pop-up windows to close; also, randomly, the Wave slider in Volume Control will be moved to the 0 position (no sound). Checking Task Manager displays numerous Internet Explorer processes... but no one uses Internet Explorer on this laptop as far as I know (not my laptop, a family member's).
The HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:06 PM, on 7/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5725 bytes


Man, I really need to learn about this program and how to use it.

Offline Kevin

  • Administrator
  • Posts: 10,682
  • Gender: Male
    • Kevin's Resource Center
Re: HJT Log Check Please (strange issues)
« Reply #1 on: July 18, 2010, 12:14:08 PM »
Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.


Need help live? Visit the chatroom.

Was KRC helpful to you? If so, please recommend this forum to your family and friends...

If this forum has helped you, please make a donation to support it.

Offline shinneh

  • KRC Newbie
  • Posts: 55
Re: HJT Log Check Please (strange issues)
« Reply #2 on: July 23, 2010, 11:51:07 PM »
Ok, finally got the chance to run ComboFix; work and router problems =x. Here's the ComboFix log:

ComboFix 10-07-23.02 - Owner 07/23/2010  23:22:00.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.690 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\IEXPLOR.EXE
c:\windows\xpsp1hfm.log

.
MBR is infected with the Whistler Bootkit !!

(((((((((((((((((((((((((   Files Created from 2010-06-24 to 2010-07-24  )))))))))))))))))))))))))))))))
.

2010-07-17 05:40 . 2010-07-17 05:40   --------   d-----w-   c:\program files\Common Files\Java
2010-07-17 05:40 . 2010-07-17 05:40   503808   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-37097e98-n\msvcp71.dll
2010-07-17 05:40 . 2010-07-17 05:40   499712   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-37097e98-n\jmc.dll
2010-07-17 05:40 . 2010-07-17 05:40   348160   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-37097e98-n\msvcr71.dll
2010-07-17 05:40 . 2010-07-17 05:40   61440   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-727a4bee-n\decora-sse.dll
2010-07-17 05:40 . 2010-07-17 05:40   12800   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-727a4bee-n\decora-d3d.dll
2010-07-17 05:40 . 2010-04-12 21:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-07-16 03:18 . 2010-07-16 03:26   --------   d-----w-   c:\windows\SxsCaPendDel
2010-07-16 00:13 . 2010-07-16 00:13   --------   d-sh--w-   c:\documents and settings\NetworkService\PrivacIE
2010-07-15 06:36 . 2010-07-15 06:36   --------   d-sh--w-   c:\windows\system32\config\systemprofile\PrivacIE
2010-07-14 00:34 . 2010-07-14 00:34   63488   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-14 00:34 . 2010-07-14 00:34   52224   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-14 00:34 . 2010-07-14 00:34   117760   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-14 00:34 . 2010-07-14 00:34   --------   d-----w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-07-14 00:34 . 2010-07-14 00:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-14 00:09 . 2010-07-14 00:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-07-14 00:07 . 2010-07-14 00:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-14 00:07 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-14 00:07 . 2010-07-14 00:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-14 00:07 . 2010-07-14 00:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-14 00:07 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-13 23:46 . 2010-06-14 14:31   744448   ------w-   c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 00:20 . 2010-07-13 00:20   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-07-12 06:31 . 2010-07-12 06:31   768   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-07-12 02:25 . 2010-07-15 06:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-11 10:08 . 2010-07-11 10:08   --------   d-sh--w-   c:\documents and settings\LocalService\PrivacIE
2010-06-25 07:44 . 2010-06-25 07:44   33972   ---ha-w-   c:\windows\system32\mlfcache.dat
2010-06-25 06:53 . 2010-06-25 06:53   --------   d-----w-   c:\documents and settings\Owner\Application Data\Apple Computer
2010-06-25 06:53 . 2010-06-25 06:53   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2010-06-25 06:53 . 2010-06-25 06:53   --------   d-----w-   c:\program files\Safari
2010-06-25 06:51 . 2010-06-25 06:51   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-06-25 06:51 . 2010-06-25 06:51   --------   d-----w-   c:\program files\Apple Software Update
2010-06-25 06:51 . 2010-06-25 06:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
2010-06-25 06:24 . 2010-06-25 06:25   --------   d-----w-   c:\documents and settings\Owner\Application Data\acccore
2010-06-25 06:24 . 2010-06-25 06:25   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\AIM
2010-06-25 06:24 . 2010-06-25 06:24   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\AOL
2010-06-25 06:24 . 2010-06-25 06:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\AIM
2010-06-25 06:24 . 2010-06-25 06:24   --------   d-----w-   c:\program files\AIM
2010-06-25 06:24 . 2010-06-25 06:24   --------   d-----w-   c:\program files\Common Files\Software Update Utility
2010-06-25 06:24 . 2010-06-25 06:24   --------   d-----w-   c:\program files\Common Files\AOL
2010-06-25 04:40 . 2010-06-25 04:40   --------   d-----w-   c:\program files\NOS
2010-06-25 04:40 . 2010-03-29 12:53   32576   ----a-w-   c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oyvx6hzc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-06-25 04:40 . 2010-03-29 12:53   29984   ----a-w-   c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oyvx6hzc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-06-25 01:24 . 2010-07-01 09:44   --------   d-----w-   c:\program files\Opera 10.60 Beta
2010-06-24 09:15 . 2010-06-25 01:25   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Opera
2010-06-24 09:15 . 2010-06-24 09:15   --------   d-----w-   c:\program files\Opera

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 05:39 . 2009-11-30 03:59   --------   d-----w-   c:\program files\Java
2010-07-15 06:39 . 2009-12-06 04:56   --------   d-----w-   c:\program files\Steam
2010-06-28 17:52 . 2009-12-08 07:58   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
2010-06-25 06:53 . 2009-11-30 04:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-25 04:44 . 2010-03-18 22:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2010-06-23 23:59 . 2010-06-18 04:34   --------   d-----w-   c:\program files\RebirthRO
2010-06-22 23:16 . 2010-05-25 22:21   --------   d-----w-   c:\documents and settings\Owner\Application Data\Skype
2010-06-22 23:13 . 2010-05-25 22:23   --------   d-----w-   c:\documents and settings\Owner\Application Data\skypePM
2010-06-22 23:10 . 2010-05-25 10:57   --------   d-----w-   c:\program files\Digsby
2010-06-14 14:31 . 2009-11-30 03:42   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 16:13 . 2010-06-11 16:13   503808   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-35d521e7-n\msvcp71.dll
2010-06-11 16:13 . 2010-06-11 16:13   499712   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-35d521e7-n\jmc.dll
2010-06-11 16:13 . 2010-06-11 16:13   348160   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-35d521e7-n\msvcr71.dll
2010-06-09 02:28 . 2010-06-09 02:28   --------   d-----w-   c:\program files\Common Files\Windows Live
2010-06-09 02:27 . 2009-12-31 13:41   35760   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 23:43 . 2009-11-30 03:39   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-06-04 16:29 . 2010-06-04 16:29   71992   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-03 02:41 . 2010-06-03 02:41   3600384   ----a-w-   c:\windows\system32\GPhotos.scr
2010-06-02 04:19 . 2010-06-02 04:19   4096   ----a-w-   c:\windows\d3dx.dat
2010-05-30 03:31 . 2010-05-17 09:01   --------   d-----w-   c:\program files\Counter-Strike 1.6
2010-05-25 22:23 . 2010-05-25 22:23   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
2010-05-25 22:21 . 2010-05-25 22:21   --------   d-----r-   c:\program files\Skype
2010-05-25 22:21 . 2010-05-25 22:21   --------   d-----w-   c:\program files\Common Files\Skype
2010-05-25 22:21 . 2010-05-25 22:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
2010-05-06 10:36 . 2009-10-19 08:27   919040   ----a-w-   c:\windows\system32\wininet.dll
2010-05-02 16:04 . 2009-10-19 08:27   1860352   ----a-w-   c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-13 135664]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ATIPTA"="c:\windows\SYSTEM32\ATIPTAXX.EXE" [2005-11-23 344064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2010-3-18 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ffxi\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Opera 10.60 Beta\\opera.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ffxi\\SquareEnix\\FINAL FANTASY XI\\polboot.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ffxi\\SquareEnix\\PlayOnlineViewer\\polcfg\\polcfg.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ffxi\\SquareEnix\\FINAL FANTASY XI\\ToolsUS\\FINAL FANTASY XI Config.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2010 7:14 AM 136176]
S3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [12/4/2005 5:55 PM 34944]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 5:44 AM 477696]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 00:12]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 00:12]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-813497703-854245398-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-13 06:19]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-813497703-854245398-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-13 06:19]

2010-07-24 c:\windows\Tasks\User_Feed_Synchronization-{D3B9814B-7A97-4489-AFDE-134E780E7053}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oyvx6hzc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oyvx6hzc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Opera 10.60 Beta\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera 10.60 Beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Opera 10.60 Beta\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere __temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-XPv3.8.205 - c:\windows\Radeon Omega Drivers v3.8.205



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 23:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,02,3a,62,43,8d,b4,42,a3,03,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,02,3a,62,43,8d,b4,42,a3,03,04,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-23  23:30:47
ComboFix-quarantined-files.txt  2010-07-24 03:30

Pre-Run: 5,853,749,248 bytes free
Post-Run: 5,937,549,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EE2459E20EDFF81C76A1BD5788D0CF46
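The ComboFix log above carries the indicators that decide this case: the "MBR is infected" verdict, a system file reported missing, a Sigcheck failure on tcpip.sys, a globally opened port 3389, and a deleted IEXPLOR.EXE sitting next to the real IEXPLORE.EXE (which also explains the extra "Internet Explorer" processes in the first HJT log). The script below is an added example for this thread, not code from either tool or from the posters; it pulls those indicators out of HijackThis/ComboFix-style text and flags executables whose name is a letter or two away from a well-known Windows binary. The sample lines are excerpted from the logs above; the list of known binaries and the edit-distance threshold are assumptions of the example.

```python
"""Triage helper for HijackThis / ComboFix style text logs.

Added example written for this thread; it is not part of either tool and not
code from the posts.  It scans log lines for the indicators that mattered
above: ComboFix verdict lines ("MBR is infected ...", "... is missing !!"),
Sigcheck failures ("[-] ... tcpip.sys"), globally opened firewall ports, and
executables whose name is one or two edits away from a well-known Windows
binary (IEXPLOR.EXE next to the real IEXPLORE.EXE).  The sample lines are
excerpted from the logs in the thread; the known-binary list and the
edit-distance threshold are this example's own assumptions.
"""
import re

# Assumed list of binary names worth protecting against look-alikes
KNOWN_BINARIES = {
    "iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "smss.exe", "winlogon.exe", "services.exe", "spoolsv.exe", "ctfmon.exe",
}
LOOKALIKE_MAX_DISTANCE = 2   # catches a dropped letter or a swapped pair

EXE_TOKEN = re.compile(r'[^\\\s"=]+\.exe', re.IGNORECASE)
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')
SIGCHECK_FAIL = re.compile(r"^\[-\]\s")


def edit_distance(a, b):
    """Levenshtein distance, used to spot file names that imitate a known binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(name):
    """Return the known binaries that `name` imitates (empty for exact matches)."""
    lower = name.lower()
    if lower in KNOWN_BINARIES:
        return []
    return [k for k in KNOWN_BINARIES if edit_distance(lower, k) <= LOOKALIKE_MAX_DISTANCE]


def triage(lines):
    """Scan log lines and return findings as {category, detail, line} dicts."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "MBR is infected" in line:
            findings.append({"category": "mbr_infected", "detail": line, "line": line})
        if line.endswith("is missing !!"):
            findings.append({"category": "file_missing", "detail": line.split(" ...")[0], "line": line})
        if SIGCHECK_FAIL.match(line):
            # ComboFix prints the path as the last field of a Sigcheck line
            findings.append({"category": "sigcheck_fail", "detail": line.split()[-1], "line": line})
        m = OPEN_PORT.match(line)
        if m:
            findings.append({"category": "open_port", "detail": f"{m.group(1)}/{m.group(2)}", "line": line})
        for name in EXE_TOKEN.findall(line):
            for known in lookalikes(name):
                findings.append({"category": "lookalike", "detail": f"{name} resembles {known}", "line": line})
    return findings


# Lines excerpted from the ComboFix and HijackThis logs in this thread
SAMPLE_LOG = r"""
c:\program files\Internet Explorer\IEXPLOR.EXE
MBR is infected with the Whistler Bootkit !!
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
c:\windows\System32\wscntfy.exe ... is missing !!
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['category']:<14} {f['detail']}")
```

Run it against a saved log with `triage(open("ComboFix.txt").read().splitlines())`. The look-alike check is deliberately loose (distance 2) so that a transposed pair is caught as well as a dropped letter; on a full log it will produce some noise, which is why each finding keeps the original line for a human to look at.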

Offline Kevin

  • Administrator
  • Posts: 10,682
  • Gender: Male
    • Kevin's Resource Center
Re: HJT Log Check Please (strange issues)
« Reply #3 on: July 25, 2010, 04:07:26 PM »
Download the bootkit remover at:

http://www.esagelab.com/files/bootkit_remover.rar

Extract the contents of that file and run the tool. See if the problem still remains after doing that.


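ComboFix flagged the MBR, and the reply above points at a dedicated remover. The script below is an added example for this thread, not the linked tool and not code from the posts; it shows the basic check any MBR inspection starts with. A classic MBR is one 512-byte sector: 446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature. A bootkit lives in that boot code (usually with more of itself in hidden sectors), so the example hashes the boot code, compares it with a baseline recorded from a known-clean machine, and sanity-checks the partition table. Every byte of MBR used here is constructed for the example; the "clean" boot code is a stand-in, not real Windows boot code, and the baseline hash is computed from it rather than taken from any real system.

```python
"""Minimal MBR integrity check of the kind a bootkit remover starts with.

Added example for this thread; it is not the esagelab tool and not code from
the posts.  It parses the classic 512-byte MBR (446 bytes of boot code, four
16-byte partition entries, 0x55AA signature), hashes the boot code against a
baseline from a known-clean machine, and sanity-checks the partition table.
All MBR bytes below are constructed for the example; the "clean" boot code is
a stand-in, not real Windows boot code, and the baseline is derived from it.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446
PART_ENTRY = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from boot code and (flag, type, lba_start, sectors) tuples."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    entries = list(partitions) + [(0, 0, 0, 0)] * (4 - len(partitions))
    table = b"".join(
        # CHS fields are legacy and zeroed here; modern loaders use the LBA fields
        struct.pack(PART_ENTRY, flag, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for flag, ptype, lba, count in entries
    )
    return code + table + b"\x55\xAA"


def parse_mbr(sector):
    """Return the boot code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = BOOTCODE_LEN + 16 * i
        flag, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:
            parts.append({"flag": flag, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if info["bootcode_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootkit or loader change)")
    bootable = [p for p in info["partitions"] if p["flag"] == 0x80]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["flag"] not in (0x00, 0x80):
            findings.append(f"invalid boot flag 0x{p['flag']:02x} in entry at LBA {p['lba_start']}")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append(f"partitions overlap at LBA {nxt['lba_start']}")
    return findings


def read_mbr(device_path):
    """Read sector 0 of a raw device or disk image (needs admin rights on a live disk).

    Caveat: a running bootkit can hook disk I/O and hand back a clean-looking
    sector, so read the disk from offline boot media when a bootkit is suspected.
    """
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sample data (assumptions, not real boot code or a real baseline)
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
CLEAN_PARTITIONS = [(0x80, 0x07, 63, 2_000_000), (0x00, 0x07, 2_000_063, 500_000)]
CLEAN_BASELINE = hashlib.sha256(build_mbr(CLEAN_BOOTCODE, CLEAN_PARTITIONS)[:BOOTCODE_LEN]).hexdigest()
# A tampered variant: the entry jump redirected, the rest of the code left alone
TAMPERED_BOOTCODE = b"\xeb\x3e\x90\x90" + CLEAN_BOOTCODE[4:]

if __name__ == "__main__":
    for label, code in (("clean", CLEAN_BOOTCODE), ("tampered", TAMPERED_BOOTCODE)):
        result = check_mbr(build_mbr(code, CLEAN_PARTITIONS), CLEAN_BASELINE)
        print(f"{label}: {result or 'no findings'}")
    # On a real machine: check_mbr(read_mbr(r"\\.\PhysicalDrive0"), recorded_baseline)
```

The hash comparison is the part that matters for a bootkit: the partition table of an infected disk usually still looks perfectly normal, so a table-only check would pass. Record the baseline from a disk you trust (or from the same machine before the problem started) and, because a live bootkit can filter what the OS reads from sector 0, take the reading from offline boot media rather than from inside the suspect Windows install.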