CiD Popups and other things...

#1
20th Mar 2008, 17:19
Administrator Group

Evilfantasy,

Am working on a customer's PC and got a bit stumped.

Need it ready for the morning so after a bit of help please.

Got some really annoying popups along with a slow machine.

Ran various scanners and removed most of it but these CiD popups keep coming and the machine is still a bit sluggish.

Let me know where to start mate.

#2
20th Mar 2008, 17:45
Moderator Group

Go to add/remove programs and look for CID.

It may also be sort of disguised, like in the middle of the program name or at the end.
EXAMPLE: Messenger Plus! Live & Sponsor (CiD)

Also run this, it is a fairly quick scanner (20 minutes or so) but is very effective at finding rogues.

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please copy and paste the log into your next reply.
Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.
  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt

#3
20th Mar 2008, 17:50
Moderator Group

Also if they have Messenger Plus! Live installed, it may not have CID in the name but the program is considered malware because it contains adware popups. See HERE

Let me know.

#4
20th Mar 2008, 18:11
Administrator Group

All done, thanks for the help mate.

Malwarebytes' Anti-Malware 1.09
Database version: 515
Scan type: Full Scan (C:\|F:\|G:\|H:\|I:\|)
Objects scanned: 147717
Time elapsed: 22 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ollie\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

#5
20th Mar 2008, 18:12
Administrator Group

Quote:
Originally Posted by evilfantasy
Also if they have Messenger Plus! Live installed, it may not have CID in the name but the program is considered malware because it contains adware popups. See HERE

Let me know.
They did, I removed it hours ago but it didn't seem to make much difference.

Thanks.

#6
20th Mar 2008, 18:13
Moderator Group

Any improvement?

#7
20th Mar 2008, 18:14
Administrator Group

I'll give it a few mins and a reboot.

BRB.

#8
20th Mar 2008, 18:15
Moderator Group

Quote:
Originally Posted by Dave Hybrid
They did, i removed it hours ago but it didn't seem to make much difference.

Thanks.
OK, let's get a CF log to see what it gets and so we can get a good look at the registry entries.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary.) Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

#9
20th Mar 2008, 18:22
Administrator Group

Quote:
Originally Posted by evilfantasy
Any improvement?
Nope, they're still there and the PC is slow still.

Am following the new instructions.

Thanks.

#10
20th Mar 2008, 18:29
Administrator Group

ComboFix 08-03-20.5 - Jacqui 2008-03-21 1:28:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT 0:00]
Running from: C:\Documents and Settings\Jacqui\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.
2008-03-21 01:28 . 2008-03-21 01:28 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-21 01:28 . 2003-08-27 10:29 65,536 --a------ C:\WINDOWS\wanmpsvc.exe
2008-03-21 01:26 . 2008-03-21 01:28 411 --ah----- C:\IPH.PH
2008-03-21 00:51 . 2008-03-21 00:51 <DIR> d-------- C:\Documents and Settings\Jacqui\Application Data\Malwarebytes
2008-03-21 00:50 . 2008-03-21 00:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 00:50 . 2008-03-21 00:50 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-21 00:50 . 2008-03-21 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 00:09 . 2008-03-21 00:14 <DIR> d-------- C:\Program Files\AOL Companion
2008-03-21 00:09 . 2004-02-25 14:58 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2008-03-21 00:06 . 2004-02-25 14:58 153,088 --a------ C:\WINDOWS\system32\jgdwmie.dll
2008-03-21 00:04 . 2008-03-21 00:08 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-03-21 00:04 . 2008-03-21 01:27 <DIR> d-------- C:\Program Files\AOL 9.0
2008-03-20 19:15 . 2008-03-21 00:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 19:15 . 2008-03-20 19:15 <DIR> d-------- C:\Documents and Settings\Jacqui\Application Data\SUPERAntiSpyware.com
2008-03-20 19:15 . 2008-03-20 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-20 18:58 . 2008-03-20 18:58 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-03-20 18:56 . 2008-03-20 18:56 <DIR> d-------- C:\Documents and Settings\Administrator.STUDY-COMPUTER\Application Data\Apple Computer
2008-03-20 18:54 . 2008-03-20 18:54 <DIR> d-------- C:\Documents and Settings\Administrator.STUDY-COMPUTER\Application Data\MSNInstaller
2008-03-20 18:46 . 2008-03-20 18:46 2 --a------ C:\WINDOWS\msoffice.ini
2008-03-20 18:43 . 2008-03-20 18:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 14:44 . 2006-12-06 01:30 <DIR> d-------- C:\Documents and Settings\Administrator.STUDY-COMPUTER\Application Data\Symantec
2008-03-20 14:44 . 2006-12-06 01:28 <DIR> d-------- C:\Documents and Settings\Administrator.STUDY-COMPUTER\Application Data\IBM
2008-03-12 20:25 . 2008-03-12 20:25 <DIR> d-------- C:\Documents and Settings\Chaz\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 01:28 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-21 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-21 01:14 --------- d-----w C:\Program Files\MSN Messenger
2008-03-21 00:07 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-03-20 18:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 18:52 --------- d-----w C:\Program Files\KWorld Multimedia
2008-03-20 18:51 --------- d-----w C:\Program Files\ThinkVantage
2008-03-20 18:51 --------- d-----w C:\Program Files\QuickTime
2008-03-20 18:51 --------- d-----w C:\Program Files\Apple Software Update
2008-03-20 17:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-20 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 15:40 --------- d-----w C:\Program Files\Lenovo
2008-03-20 14:49 --------- d-----w C:\Program Files\Yahoo!
2008-03-16 14:27 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2008-03-11 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-27 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Audio 4 part browse
2008-02-19 20:15 --------- d-----w C:\Documents and Settings\Jack\Application Data\Apple Computer
2008-02-16 11:48 --------- d-----w C:\Program Files\MSXML 6.0
2008-02-15 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-14 21:35 --------- d-----w C:\Documents and Settings\Ollie\Application Data\AdobeUM
2008-02-14 21:08 --------- d-----w C:\Documents and Settings\Ollie\Application Data\Apple Computer
2008-02-12 16:26 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-22 10:21 --------- d-----w C:\Documents and Settings\Jacqui\Application Data\AdobeUM
2007-02-27 12:23 32 ------r C:\Documents and Settings\All Users\hash.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 11:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-08-03 23:32 163840 C:\WINDOWS\system32\VTTrayp.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 22:34 49152 C:\WINDOWS\system32\ico.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 23:08 577536 C:\WINDOWS\soundman.exe]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 00:50 221184]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 00:50 81920]
"SKDaemon.exe"="C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2006-02-06 22:39 262144]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 15:30 71008]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 14:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 14:14 217088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"Part browse safe hold"="C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Pile Wipe.exe" [2008-03-21 01:23 9462784]
"HostManager"="C:\Program Files\Common Files\AOL\1206062825\ee\AOLSoftware.exe" [2006-09-26 00:52 50736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AOLRebootNeeded"="regsvr32.exe" [2004-08-04 13:00 11776 C:\WINDOWS\system32\regsvr32.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 13:00 53760 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
C:\Documents and Settings\Jack\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)
"HideStartupScripts"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"= 0 (0x0)
"NoDispAppearancePage"= 0 (0x0)
"NoDispScrSavPage"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"NoVisualStyleChoice"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"HideLogoffScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoViewContextMenu"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"StartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauthe]
--------- 2006-03-01 00:00 1992240 C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DTVR Agent]
C:\Program Files\KWorld Multimedia\DVB-T PLUS\DTVR\Scheduled.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--------- 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2007-03-22 13:00 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Jack\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\1206062825\\ee\\aolsoftware.exe"=
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-12-22 01:14]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2005-12-22 00:45]
S0 ANCSQ;ANCSQ;C:\WINDOWS\system32\drivers\ANCSQ.sys []
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 MODBDA2;KWorld MOD3000 TV receiver;C:\WINDOWS\system32\Drivers\modbda2.sys [2005-05-03 07:27]
S3 MODLOAD2;DVB-T USB2.0 adapter firmware loader;C:\WINDOWS\system32\DRIVERS\modload2.sys [2005-05-02 07:52]
S3 MODRC;KWorld Infrared Receiver;C:\WINDOWS\system32\DRIVERS\modrc.sys [2005-06-08 10:13]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 21:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 21:25]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 15:02]
*Newly Created Service* - SASDIFSV
*Newly Created Service* - WANMINIPORTSERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 01:00:01 C:\WINDOWS\Tasks\A534C81C918B7B30.job"
- c:\docume~1\lucy\applic~1\bibmod~1\Defy debug axis.exe
"2008-03-04 23:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 01:30:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-21 1:31:19
.
2008-03-11 23:02:48 --- E O F ---
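Post #8 asks for a ComboFix log so the registry loading points can be looked over. The parser below is an added example, not code from the thread or from ComboFix: it pulls the Run/RunOnce values and scheduled-task targets out of the "Reg Loading Points" and "Scheduled Tasks" sections of a log in this layout and lists the entries whose executable sits outside Program Files or the Windows directory, which are the ones a helper reading such a log checks first. TRUSTED_PREFIXES is an illustrative assumption, and the sample log is a constructed excerpt built from lines in the format shown above.

```python
import re
from dataclasses import dataclass

# Assumption for illustration: files under these directories are treated as
# "expected" locations; anything else (user profiles, Application Data,
# 8.3 short-name paths) goes on the review list. A hit is a lead, not a verdict.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

# "name"="value" [date time size (resolved path)]  -- ComboFix Run-key lines
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]')
# First drive-letter path ending in a common executable extension
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\[\]]*?\.(?:exe|dll|scr|com|bat)', re.IGNORECASE)


@dataclass
class AutoStart:
    source: str  # registry key, or the .job file, that launches it
    name: str
    path: str


def parse_loading_points(text: str) -> list[AutoStart]:
    """Collect Run/RunOnce values and scheduled-task targets from a ComboFix log."""
    entries = []
    key = None   # current [registry key] header
    job = None   # .job file whose target is expected on the following "- " line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = RUN_VALUE.match(line)
        if m and key:
            value, info = m.group("value"), m.group("info")
            # A bare file name such as SOUNDMAN.EXE is resolved by ComboFix and
            # the full path is appended inside the brackets.
            found = WIN_PATH.search(value) or WIN_PATH.search(info)
            if found:
                entries.append(AutoStart(key, m.group("name"), found.group(0)))
            continue
        if line.startswith('"') and line.endswith('.job"'):
            job = line.strip('"').split(" ", 2)[2]   # drop the date and time
            continue
        if line.startswith("- ") and job:
            entries.append(AutoStart(job, job.rsplit("\\", 1)[-1], line[2:].strip()))
            job = None
    return entries


def needs_review(entry: AutoStart) -> bool:
    """True when the launched file lives outside the expected program directories."""
    return not entry.path.lower().startswith(TRUSTED_PREFIXES)


def triage(text: str) -> list[AutoStart]:
    return [e for e in parse_loading_points(text) if needs_review(e)]


# Constructed sample in the layout ComboFix uses for these two sections.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 23:08 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"Part browse safe hold"="C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Pile Wipe.exe" [2008-03-21 01:23 9462784]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 01:00:01 C:\WINDOWS\Tasks\A534C81C918B7B30.job"
- c:\docume~1\lucy\applic~1\bibmod~1\Defy debug axis.exe
"2008-03-04 23:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"REVIEW  {e.name!r:28} -> {e.path}   (from {e.source})")
```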