Google Redirect similar to TDSS


This topic is locked
29 replies to this topic

#1 DEC10

  • Members
  • 17 posts
Posted 20 November 2012 - 05:13 PM

Hi, thanks in advance for your help. Definite infection resembling TDSS symptoms. Intermittent (~33%) Google redirect for at least 6 months. Sometimes scour.com, sometimes others. Also a persistent unwanted Yahoo! search tool in my Firefox browser. No antivirus, anti-malware, rootkit tool, or other advice to date has been effective. I've also been having keyboard driver problems, and it took me a long time to realize it might be related, such as a key-logging feature? I likely have already run ComboFix at some point where the preparation guide explicitly describes not to.

Happy Thanksgiving!

My DDS.txt log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32
Run by Frugal Fetta dcra cu at 16:52:43 on 2012-11-20
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVS4YOU\AVSVideoConverter\AVSVideoConverter.exe
C:\Program Files\Common Files\AVSMedia\ActiveX\AVSVideoConverterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.yahoo.com?type=937811&fr=spigot-yhp-ie
uInternet Connection Wizard,ShellNext = ftp://[email protected]:2121/
uURLSearchHooks: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TCP: NameServer = 192.168.3.1
TCP: Interfaces\{C62096FC-00F7-4F96-AEF5-FF3232E58B2C} : DHCPNameServer = 192.168.3.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\frugal fetta dcra cu\application data\mozilla\firefox\profiles\aj4dhknu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: c:\documents and settings\frugal fetta dcra cu\application data\mozilla\firefox\profiles\aj4dhknu.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npAclmPlugin.dll
FF - plugin: c:\documents and settings\frugal fetta dcra cu\application data\mozilla\firefox\profiles\aj4dhknu.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-11-03 19:11; [email protected]; c:\program files\ytd toolbar\FF
.
============= SERVICES / DRIVERS ===============
.
R? appliand;Applian Network Service
R? AvgArCln;Avg Anti-Rootkit Clean Driver
R? BTCFilterService;USB Networking Driver Filter Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpudrv;cpudrv
R? mbamchameleon;mbamchameleon
R? motccgp;Motorola USB Composite Device Driver
R? motccgpfl;MotCcgpFlService
R? Motousbnet;Motorola USB Networking Driver Service
R? motusbdevice;Motorola USB Dev Driver
R? SABKUTIL;SABKUTIL
R? SBRE;SBRE
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
R? ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS)
R? ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)
R? ZDNDIS5;ZDNDIS5 Protocol Driver
S? !SASCORE;SAS Core Service
S? appliandMP;appliandMP
S? Application Updater;Application Updater
S? aswFsBlk;aswFsBlk
S? aswKbd;aswKbd
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? AVG Anti-Rootkit;AVG Anti-Rootkit
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== Created Last 30 ================
.
2012-11-18 16:00:25 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2012-11-13 01:08:22 58904 ----a-w- c:\windows\system32\sysfolderazipcnt.dll
2012-11-13 01:08:22 58904 ----a-w- c:\windows\system32\azipcontmn.dll
2012-11-13 01:07:59 -------- d-----w- c:\program files\AlphaZIP
2012-11-13 01:01:04 -------- d-----w- c:\documents and settings\frugal fetta dcra cu\local settings\application data\FileTypeAssistant
2012-11-13 01:00:49 -------- d-----w- c:\program files\File Type Assistant
2012-11-13 00:29:22 -------- d-----w- c:\documents and settings\all users\application data\ConeXware
2012-11-04 13:06:37 -------- d-----w- c:\documents and settings\frugal fetta dcra cu\application data\YTD
2012-11-03 22:34:00 -------- d-----w- c:\documents and settings\frugal fetta dcra cu\application data\Search Settings
2012-11-03 22:31:42 -------- d-----w- c:\program files\Application Updater
2012-11-03 22:31:23 -------- d-----w- c:\program files\YTD Toolbar
2012-11-03 22:31:23 -------- d-----w- c:\program files\common files\Spigot
2012-10-27 01:19:02 14676448 ----a-w- c:\program files\mozilla firefox\xul.dll
2012-10-27 01:19:01 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-27 01:19:01 270816 ----a-w- c:\program files\mozilla firefox\updater.exe
2012-10-27 01:19:01 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-27 01:19:01 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-10-27 01:19:00 889848 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
.
==================== Find3M ====================
.
2012-10-30 23:51:58 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51:07 41224 ----a-w- c:\windows\avastSS.scr
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-09 00:23:36 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 00:23:36 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
.
============= FINISH: 16:59:38.65 ===============

#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,474 posts
  • Location:Canada

Posted 20 November 2012 - 09:17 PM

Please run the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double-click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions, please select Yes.
  • Click Scan.
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) file. Attach that zipped file in your next reply as well.

NEXT

Please post any ComboFix log(s) you may have.
Microsoft MVP - 2010, 2011, 2012, 2013

#3 DEC10

  • Topic Starter
  • Members
  • 17 posts

Posted 22 November 2012 - 12:12 PM

Hi, thanks. I assume aswMBR QuickScan. I don't have the ComboFix log anymore.



aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-22 10:56:53
-----------------------------
10:56:53.343 OS Version: Windows 5.1.2600 Service Pack 3
10:56:53.343 Number of processors: 1 586 0x207
10:56:53.359 ComputerName: RASPERRYPI UserName:
10:56:58.531 Initialize success
10:56:59.718 AVAST engine defs: 12112200
10:57:05.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:57:05.328 Disk 0 Vendor: Maxtor_2F020J0 VAM51JJ0 Size: 19092MB BusType: 3
10:57:05.390 Disk 0 MBR read successfully
10:57:05.406 Disk 0 MBR scan
10:57:05.406 Disk 0 Windows XP default MBR code
10:57:05.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19084 MB offset 63
10:57:05.515 Disk 0 scanning sectors +39085200
10:57:05.875 Disk 0 scanning C:\WINDOWS\system32\drivers
10:58:45.140 Service scanning
10:59:45.625 Modules scanning
11:01:22.718 Disk 0 trace - called modules:
11:01:22.750 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
11:01:22.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86363ab8]
11:01:23.265 3 CLASSPNP.SYS[f7616fd7] -> nt!IofCallDriver -> \Device\00000062[0x8630c828]
11:01:23.265 5 ACPI.sys[f758d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x863e0d98]
11:01:25.531 AVAST engine scan C:\WINDOWS
11:02:00.312 AVAST engine scan C:\WINDOWS\system32
11:14:04.609 AVAST engine scan C:\WINDOWS\system32\drivers
11:14:52.406 AVAST engine scan C:\Documents and Settings\Frugal Fetta dcra cu
11:19:21.796 AVAST engine scan C:\Documents and Settings\All Users
11:22:45.250 Scan finished successfully
11:58:53.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Frugal Fetta dcra cu\Desktop\MBR.dat"
11:58:53.578 The log file has been saved successfully to "C:\Documents and Settings\Frugal Fetta dcra cu\Desktop\aswMBR.txt"

Attached Files

  • Attached File: MBR.zip (499 bytes)

Edited by DEC10, 22 November 2012 - 12:14 PM.


#4 DEC10

  • Topic Starter
  • Members
  • 17 posts

Posted 22 November 2012 - 01:02 PM

Correction: I did find these ComboFix logs (ComboFix.txt & ComboFix-quarantined-files.txt), created 11-17-12; this infection remained unaffected:


ComboFix.txt
============

ComboFix 12-11-16.02 - Frugal Fetta dcra cu 11/17/2012 19:01:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.589 [GMT -5:00]
Running from: c:\documents and settings\Frugal Fetta dcra cu\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-18 to 2012-11-18 )))))))))))))))))))))))))))))))
.
.
2012-11-13 01:08 . 2012-11-13 01:08 58904 ----a-w- c:\windows\system32\sysfolderazipcnt.dll
2012-11-13 01:08 . 2012-11-13 01:08 58904 ----a-w- c:\windows\system32\azipcontmn.dll
2012-11-13 01:07 . 2012-11-17 14:04 -------- d-----w- c:\program files\AlphaZIP
2012-11-13 01:01 . 2012-11-13 01:11 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Local Settings\Application Data\FileTypeAssistant
2012-11-13 01:00 . 2012-11-13 01:01 -------- d-----w- c:\program files\File Type Assistant
2012-11-13 00:29 . 2012-11-13 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2012-11-04 13:06 . 2012-11-04 13:06 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Application Data\YTD
2012-11-03 22:34 . 2012-11-03 22:40 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Application Data\Search Settings
2012-11-03 22:31 . 2012-11-03 22:32 -------- d-----w- c:\program files\Application Updater
2012-11-03 22:31 . 2012-11-03 22:32 -------- d-----w- c:\program files\YTD Toolbar
2012-11-03 22:31 . 2012-11-03 22:31 -------- d-----w- c:\program files\Common Files\Spigot
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 23:51 . 2012-07-14 18:35 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 23:51 . 2012-07-14 18:35 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 23:51 . 2012-07-14 18:35 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 23:51 . 2012-07-14 18:35 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51 . 2012-07-14 18:35 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-30 23:51 . 2012-07-14 18:35 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-30 23:51 . 2012-07-14 18:35 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 23:51 . 2012-07-14 18:35 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-30 23:51 . 2012-07-14 18:34 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 23:50 . 2012-07-14 18:34 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-22 08:37 . 2001-08-18 14:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-09 00:23 . 2012-05-17 15:40 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 00:23 . 2012-05-17 15:40 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-02 18:04 . 2001-08-18 14:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2012-07-13 03:22 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14 . 2001-08-18 14:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2001-08-18 14:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2001-08-18 14:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2010-03-18 06:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2001-08-18 14:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29 . 2001-08-18 14:00 2192896 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2001-08-17 13:48 2069632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-27 01:19 . 2012-10-27 01:18 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 4777856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-10-16 1111432]
.
c:\documents and settings\Pauper\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\File Type Assistant\\tsassist.exe"=
.
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [8/7/2012 2:29 PM 18544]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/14/2012 1:35 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/14/2012 1:35 PM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/14/2012 1:35 PM 21256]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [4/20/2012 2:50 PM 28256]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Frugal Fetta dcra cu\Desktop\SASKUTIL.SYS --> c:\documents and settings\Frugal Fetta dcra cu\Desktop\SASKUTIL.SYS [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [10/9/2012 3:44 PM 799112]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/17/2012 9:04 AM 399432]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/12/2012 10:22 PM 676936]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [4/20/2012 2:50 PM 28256]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [7/12/2012 10:21 PM 32072]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/12/2012 10:22 PM 22856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\drivers\ZD1201U.sys [4/13/2012 5:45 PM 55040]
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);c:\windows\system32\drivers\ZD1201U.sys [4/13/2012 5:45 PM 55040]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;c:\windows\system32\ZDNDIS5.sys [4/13/2012 7:21 PM 15872]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSCHEDULER
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-17 00:23]
.
2012-11-17 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-14 23:50]
.
2012-11-17 c:\windows\Tasks\ProgramUpdateCheck.job
- c:\program files\File Type Assistant\tsassist.exe [2012-11-13 16:44]
.
2012-11-17 c:\windows\Tasks\User_Feed_Synchronization-{6C86F955-03C2-4F6E-9F27-529A3369A9C9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.yahoo.com?type=937811&fr=spigot-yhp-ie
uInternet Connection Wizard,ShellNext = ftp://[email protected]:2121/
TCP: DhcpNameServer = 192.168.3.1
FF - ProfilePath - c:\documents and settings\Frugal Fetta dcra cu\Application Data\Mozilla\Firefox\Profiles\aj4dhknu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - ExtSQL: 2012-11-03 19:11; [email protected]; c:\program files\YTD Toolbar\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-17 19:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-11-17 19:15:08
ComboFix-quarantined-files.txt 2012-11-18 00:14
ComboFix2.txt 2012-07-15 20:49
.
Pre-Run: 1,167,773,696 bytes free
Post-Run: 1,199,751,168 bytes free
.
- - End Of File - - E0E6B10D9A2892872EF4281FEF66C250

----------------------------------------------------------------------------------------------------------

ComboFix-quarantined-files.txt
==============================

2012-07-15 20:48:03 . 2012-07-15 20:48:03 249 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}.reg.dat
2012-07-15 20:48:02 . 2012-07-15 20:48:02 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2012-07-15 20:31:07 . 2012-11-18 00:08:58 9,869 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-07-15 20:14:42 . 2012-11-17 23:56:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-07-10 00:16:01 . 2012-07-10 00:15:43 11,070 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\eb851b4353458e16.fb.vir
2012-06-13 22:01:17 . 2012-07-10 00:15:43 668 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\6d03dad1035885d3.fb.vir
2012-06-13 22:01:17 . 2012-07-10 00:15:42 663 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\c1fa887b03019701.fb.vir
2012-06-13 22:01:17 . 2012-07-10 00:15:43 661 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\32c84fe32bb74d60.fb.vir
2012-06-13 22:01:17 . 2012-07-10 00:15:42 1,071 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\f998975c9cc711ee.fb.vir
2012-06-13 22:01:17 . 2012-07-10 00:15:43 1,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\31a0997e9a5b5eb3.fb.vir
2012-06-13 22:01:17 . 2012-06-13 22:00:20 11,070 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\5b6b5d613df7e1d2.fb.vir
2012-05-23 16:24:15 . 2012-05-23 16:24:16 60,304 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Frugal Fetta dcra cu\g2mdlhlpx.exe.vir
2012-05-18 19:44:30 . 2012-06-01 23:47:27 2,134 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\search.xml.vir
2012-04-20 18:44:28 . 2012-04-20 18:46:27 28,455 ----a-w- C:\Qoobox\Quarantine\C\Documents.vir
2012-04-13 17:05:49 . 2012-07-10 00:15:43 639 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\590ba23ce359fd0c.fb.vir
2012-04-13 17:05:49 . 2012-07-10 00:15:43 630 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\272512937d9e61a4.fb.vir
2012-04-13 17:05:48 . 2012-07-10 00:15:42 398 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\6c59ac5e7e7a3ad0.fb.vir
2012-04-13 17:05:48 . 2012-07-10 00:15:43 669 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\a8556537add6dfc5.fb.vir
2012-04-13 17:05:48 . 2012-07-10 00:15:42 627 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\651c5d3cdbfb8bd1.fb.vir
2012-04-13 17:05:48 . 2012-07-10 00:15:43 1,045 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\d201ef9910cd39de.fb.vir
2012-04-13 17:05:47 . 2012-07-10 00:15:42 586 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\c4d28dca2e7648be.fb.vir
2012-04-13 17:05:47 . 2012-04-13 17:05:18 1,062 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\e0de16f883bea794.fb.vir
2012-04-13 17:05:47 . 2012-07-10 00:15:43 366 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\ad10a52aff5e038d.fb.vir
2012-04-13 17:05:47 . 2012-07-10 00:15:42 622 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\287204568329e189.fb.vir
2012-04-13 17:05:47 . 2012-07-10 00:15:42 365 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\610289e025a3ee9a.fb.vir
2012-04-13 17:05:46 . 2012-07-10 00:15:42 627 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\d79b9dfe81484ec4.fb.vir
2012-04-13 17:05:46 . 2012-07-10 00:15:42 567 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\d2e94710a5708128.fb.vir
2012-04-13 17:05:46 . 2012-07-10 00:15:42 1,022 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\3917078cb68ec657.fb.vir
2012-04-13 17:05:46 . 2012-07-10 00:15:43 633 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\2c53092c95605355.fb.vir
2012-04-13 17:05:46 . 2012-07-10 00:15:42 1,291 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\28bc8f716fd76a47.fb.vir
2012-04-13 17:05:45 . 2012-04-13 17:05:18 7,902 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cache\8562bf6656aef78b.fb.vir
2010-03-18 21:23:59 . 2008-04-14 10:42:18 294,912 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\dlimport.exe.vir
2010-03-18 06:30:16 . 2012-03-09 01:48:08 44 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\msssc.dll.vir
2010-03-18 04:58:54 . 2004-08-04 05:56:46 245,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET2A6.tmp.vir
2010-03-18 04:58:53 . 2004-08-04 05:56:46 1,236,480 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET2A1.tmp.vir
2010-03-18 04:58:53 . 2004-08-04 05:56:46 66,560 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET29F.tmp.vir
2010-03-18 04:58:53 . 2004-08-04 05:56:46 90,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET29E.tmp.vir
2010-03-18 04:58:53 . 2004-08-04 05:56:46 36,352 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET29B.tmp.vir
2010-03-18 04:58:53 . 2004-08-04 05:56:46 17,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET29A.tmp.vir
2010-03-18 04:58:52 . 2004-08-04 05:56:58 56,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET297.tmp.vir
2010-03-18 04:58:52 . 2004-08-04 05:56:46 332,288 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET294.tmp.vir
2010-03-18 04:58:52 . 2004-08-04 05:56:46 622,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET293.tmp.vir
2010-03-18 04:58:51 . 2004-08-04 05:56:46 407,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET290.tmp.vir
2010-03-18 04:58:51 . 2004-08-04 05:56:46 198,144 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET28F.tmp.vir
2010-03-18 04:58:50 . 2004-08-04 05:56:46 12,288 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET28D.tmp.vir
2010-03-18 04:58:50 . 2004-08-04 05:56:46 1,708,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET28A.tmp.vir
2010-03-18 04:58:49 . 2004-08-04 05:56:46 80,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET288.tmp.vir
2010-03-18 04:58:49 . 2004-08-04 05:56:46 245,760 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET287.tmp.vir
2010-03-18 04:58:49 . 2004-08-04 05:56:46 248,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET286.tmp.vir
2010-03-18 04:58:49 . 2004-08-04 05:56:56 69,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET283.tmp.vir
2010-03-18 04:58:49 . 2004-08-04 05:56:46 67,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET281.tmp.vir
2010-03-18 04:58:48 . 2004-08-04 05:56:46 43,520 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET27B.tmp.vir
2010-03-18 04:58:48 . 2004-08-04 05:56:46 118,784 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET27A.tmp.vir
2010-03-18 04:58:47 . 2004-08-04 05:56:46 143,872 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET275.tmp.vir
2010-03-18 04:58:47 . 2004-08-04 05:56:46 266,752 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET273.tmp.vir
2010-03-18 04:58:47 . 2004-08-04 05:56:46 249,856 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET270.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:46 16,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET26F.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:56 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET26E.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:46 24,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET26D.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:46 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET26C.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:56 69,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET26B.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:58 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET269.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:46 106,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET268.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:46 65,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET267.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:46 65,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET266.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:24 94,208 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET265.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:24 12,288 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET262.tmp.vir
2010-03-18 04:58:46 . 2004-08-04 05:56:46 147,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET261.tmp.vir
2010-03-18 04:58:44 . 2004-08-04 05:56:46 1,281,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET25A.tmp.vir
2010-03-18 04:58:43 . 2004-08-04 05:56:46 15,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET24A.tmp.vir
2010-03-18 04:58:42 . 2004-08-04 05:56:46 17,408 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET246.tmp.vir
2010-03-18 04:58:42 . 2004-08-04 05:56:46 27,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET244.tmp.vir
2010-03-18 04:58:42 . 2004-08-04 05:56:46 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET241.tmp.vir
2010-03-18 04:58:42 . 2004-08-04 05:56:46 96,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET240.tmp.vir
2010-03-18 04:58:42 . 2004-08-04 05:56:46 34,304 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET23E.tmp.vir
2010-03-18 04:58:40 . 2004-08-04 05:56:46 8,192 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET232.tmp.vir
2010-03-18 04:58:40 . 2004-08-04 05:56:46 69,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET231.tmp.vir
2010-03-18 04:58:39 . 2004-08-04 05:56:46 174,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET230.tmp.vir
2010-03-18 04:58:39 . 2004-08-04 05:56:46 206,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET22E.tmp.vir
2010-03-18 04:58:39 . 2004-08-04 05:56:46 112,128 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET22C.tmp.vir
2010-03-18 04:58:38 . 2004-08-04 05:56:46 49,664 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET21F.tmp.vir
2010-03-18 04:58:37 . 2004-08-04 05:56:46 58,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET219.tmp.vir
2010-03-18 04:58:37 . 2004-08-04 05:56:46 581,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET216.tmp.vir
2010-03-18 04:58:37 . 2004-08-04 05:56:46 395,776 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET215.tmp.vir
2010-03-18 04:58:36 . 2004-08-04 03:31:44 152,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET214.tmp.vir
2010-03-18 04:58:36 . 2004-08-04 05:56:46 44,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET20F.tmp.vir
2010-03-18 04:58:35 . 2004-08-04 05:56:46 180,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET206.tmp.vir
2010-03-18 04:58:35 . 2004-08-04 05:56:46 313,856 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET205.tmp.vir
2010-03-18 04:58:35 . 2004-08-04 05:56:46 190,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET204.tmp.vir
2010-03-18 04:58:34 . 2004-08-04 05:56:46 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1FE.tmp.vir
2010-03-18 04:58:34 . 2004-08-04 05:56:46 55,808 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1FD.tmp.vir
2010-03-18 04:58:33 . 2004-08-04 05:56:46 38,912 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1F9.tmp.vir
2010-03-18 04:58:33 . 2004-08-04 05:56:46 5,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1F4.tmp.vir
2010-03-18 04:58:33 . 2004-08-04 05:56:46 140,288 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1F3.tmp.vir
2010-03-18 04:58:32 . 2004-08-04 05:56:46 1,483,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1F0.tmp.vir
2010-03-18 04:58:30 . 2004-08-04 05:56:46 8,384,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1EF.tmp.vir
2010-03-18 04:58:29 . 2004-08-04 05:56:46 65,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1EC.tmp.vir
2010-03-18 04:58:29 . 2004-08-04 05:56:46 473,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1EA.tmp.vir
2010-03-18 04:58:28 . 2004-08-04 05:56:46 134,656 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1E5.tmp.vir
2010-03-18 04:58:26 . 2004-08-04 05:56:46 74,752 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1D5.tmp.vir
2010-03-18 04:58:26 . 2004-08-04 05:56:58 57,856 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1D4.tmp.vir
2010-03-18 04:58:26 . 2004-08-04 05:56:46 442,368 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1D3.tmp.vir
2010-03-18 04:58:26 . 2004-08-04 03:21:48 90,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1D2.tmp.vir
2010-03-18 04:58:26 . 2004-08-04 05:56:46 180,800 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1D1.tmp.vir
2010-03-18 04:58:26 . 2004-08-04 05:56:46 170,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1CE.tmp.vir
2010-03-18 04:58:25 . 2004-08-04 05:56:46 34,816 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1CB.tmp.vir
2010-03-18 04:58:25 . 2004-08-04 05:56:46 71,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1CA.tmp.vir
2010-03-18 04:58:24 . 2004-08-04 05:56:46 121,856 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1BF.tmp.vir
2010-03-18 04:58:23 . 2004-08-04 05:56:58 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1BC.tmp.vir
2010-03-18 04:58:23 . 2004-08-04 05:56:48 713,216 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1BB.tmp.vir
2010-03-18 04:58:22 . 2004-08-04 05:56:48 181,760 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1B4.tmp.vir
2010-03-18 04:58:22 . 2004-08-04 05:56:48 246,272 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1B3.tmp.vir
2010-03-18 04:58:21 . 2004-08-04 05:56:48 45,568 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1B0.tmp.vir
2010-03-18 04:58:21 . 2004-08-04 05:56:48 295,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1AB.tmp.vir
2010-03-18 04:58:20 . 2004-08-04 05:56:48 385,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1AA.tmp.vir
2010-03-18 04:58:20 . 2004-08-04 05:56:48 90,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET1A6.tmp.vir
2010-03-18 04:58:19 . 2004-08-04 05:56:48 118,272 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET19F.tmp.vir
2010-03-18 04:58:19 . 2004-08-04 05:56:58 206,848 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET19E.tmp.vir
2010-03-18 04:58:19 . 2004-08-04 05:56:48 74,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET19D.tmp.vir
2010-03-18 04:58:19 . 2004-08-04 05:56:48 13,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET19C.tmp.vir
2010-03-18 04:58:19 . 2004-08-04 05:56:48 132,608 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET19B.tmp.vir
2010-03-18 04:58:19 . 2004-08-04 05:56:48 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET196.tmp.vir
2010-03-18 04:58:18 . 2004-08-04 05:56:48 601,088 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET195.tmp.vir
2010-03-18 04:58:18 . 2004-08-04 05:56:48 16,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET194.tmp.vir
2010-03-18 04:58:18 . 2004-08-04 05:56:48 577,024 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET192.tmp.vir
2010-03-18 04:58:18 . 2004-08-04 05:56:48 723,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET191.tmp.vir
2010-03-18 04:58:18 . 2004-08-04 05:56:48 218,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET18E.tmp.vir
2010-03-18 04:58:17 . 2004-08-04 05:56:48 18,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET188.tmp.vir
2010-03-18 04:58:17 . 2004-08-04 05:56:48 430,592 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET187.tmp.vir
2010-03-18 04:58:16 . 2004-08-04 05:56:48 174,592 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET185.tmp.vir
2010-03-18 04:58:16 . 2004-08-04 05:56:48 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET183.tmp.vir
2010-03-18 04:58:16 . 2004-08-04 05:56:48 276,480 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET181.tmp.vir
2010-03-18 04:58:16 . 2004-08-04 05:56:48 67,584 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET180.tmp.vir
2010-03-18 04:58:14 . 2004-08-04 05:56:48 656,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET175.tmp.vir
2010-03-18 04:58:14 . 2004-08-04 05:56:48 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET174.tmp.vir
2010-03-18 04:58:13 . 2004-08-04 05:56:58 502,272 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET173.tmp.vir
2010-03-18 04:58:13 . 2004-08-04 05:56:48 176,128 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET172.tmp.vir
2010-03-18 04:58:13 . 2004-08-04 05:56:48 16,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET170.tmp.vir
2010-03-18 04:58:13 . 2004-08-04 05:56:48 99,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET16F.tmp.vir
2010-03-18 04:58:13 . 2004-08-04 05:56:48 290,816 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET16E.tmp.vir
2010-03-18 04:58:13 . 2004-08-04 05:56:48 53,760 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET16D.tmp.vir
2010-03-18 04:58:12 . 2004-08-04 05:56:48 176,640 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET16C.tmp.vir
2010-03-18 04:58:12 . 2004-08-04 05:56:48 172,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET16A.tmp.vir
2010-03-18 04:58:12 . 2004-08-04 05:56:48 92,672 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET169.tmp.vir
2010-03-18 04:58:11 . 2004-08-04 05:56:36 5,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET163.tmp.vir
2010-03-18 04:58:08 . 2004-08-04 05:56:48 264,192 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET154.tmp.vir
2010-03-18 04:58:07 . 2004-08-04 05:56:48 82,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET151.tmp.vir
2010-03-18 04:58:07 . 2004-08-04 05:56:48 19,968 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET150.tmp.vir
2010-03-18 04:58:07 . 2004-08-04 05:56:48 19,968 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET149.tmp.vir
2010-03-18 04:58:06 . 2004-08-04 05:56:48 22,528 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET147.tmp.vir
2010-03-18 04:58:06 . 2004-08-04 05:56:48 18,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET145.tmp.vir
2010-03-18 04:58:06 . 2004-08-04 05:56:48 359,936 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET142.tmp.vir
2010-03-16 04:29:08 . 2001-08-18 14:00:00 520,192 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\wmpvis.dll.vir
2006-08-25 02:30:26 . 2006-08-25 02:30:26 2,450,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET13D.tmp.vir
2006-08-25 02:30:22 . 2006-08-25 02:30:22 222,208 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET131.tmp.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 153,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003298_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 47,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003304_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 120,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003444_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 131,584 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003445_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 95,232 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003446_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 1,799,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003447_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 87,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003454_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 21,116 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003455_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 45,568 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003456_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 922,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003457_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 101,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003459_.tmp.dll.vir
2001-08-18 14:00:00 . 2001-08-18 14:00:00 133,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003460_.tmp.dll.vir

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,474 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 November 2012 - 07:12 PM

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.


NEXT

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Go here to run an online scanner from ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013
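Malwarebytes Anti-Rootkit, prescribed above, does more than a signature sweep: its system-log reads the raw MBR of each disk, checks the 55AA boot signature, walks the four partition entries (type, active flag, start LBA, sector count) and then scans the sectors no partition claims, which is where MBR bootkits of the TDSS/TDL4 family keep their hidden storage. The following is an added example written for this thread, not CatByte's instructions and not Malwarebytes' own code, showing what that partition-table check amounts to. The 512-byte sector is constructed inside the script; the disk size and partition geometry are assumed values typical of a single-partition 20 GB Windows XP disk.

```python
# Added example for this thread, not Malwarebytes code: parse a raw MBR sector and
# sanity-check its partition table. The sample sector is constructed below.
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8    # 4-byte NT disk signature
PART_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE    # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_id: int
    start_lba: int
    num_sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.num_sectors - 1


def build_mbr(disk_sig: int, entries: List[PartitionEntry]) -> bytes:
    """Assemble a 512-byte sector (used here only to construct the sample)."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for e in entries:
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * e.index, e.status,
                         b"\0\0\0", e.type_id, b"\0\0\0", e.start_lba, e.num_sectors)
    sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> Tuple[int, List[PartitionEntry]]:
    """Return (disk signature, four entries); reject anything without 55AA."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("boot signature 55AA missing: not a valid MBR")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    entries = []
    for i in range(4):
        status, _, type_id, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        entries.append(PartitionEntry(i, status, type_id, start, count))
    return disk_sig, entries


def unpartitioned_ranges(entries: List[PartitionEntry], disk_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges no partition claims: the slack an MBR bootkit can hide in."""
    used = sorted((e.start_lba, e.end_lba) for e in entries if e.type_id and e.num_sectors)
    gaps, cursor = [], 1  # sector 0 is the MBR itself
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def check_partition_table(entries: List[PartitionEntry], disk_sectors: int) -> List[str]:
    """Structural oddities a rootkit scanner would flag; an empty list means clean."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in entries:
        if e.status not in (0x00, 0x80):
            findings.append(f"entry {e.index}: non-standard status byte 0x{e.status:02x}")
        if e.type_id == 0 and (e.start_lba or e.num_sectors):
            findings.append(f"entry {e.index}: type Empty but non-zero LBA/size")
        if e.type_id and e.end_lba >= disk_sectors:
            findings.append(f"entry {e.index}: extends past end of disk")
    used = sorted((e for e in entries if e.type_id and e.num_sectors), key=lambda e: e.start_lba)
    for a, b in zip(used, used[1:]):
        if b.start_lba <= a.end_lba:
            findings.append(f"entries {a.index} and {b.index} overlap")
    return findings


# Constructed sample: assumed 20 GB disk with one active NTFS partition at LBA 63.
DISK_SECTORS = 20020396032 // SECTOR_SIZE  # 39102336 sectors
SAMPLE_ENTRIES = [PartitionEntry(0, 0x80, 0x07, 63, 39085137)] + \
                 [PartitionEntry(i, 0x00, 0x00, 0, 0) for i in (1, 2, 3)]
SAMPLE_MBR = build_mbr(0x079F079E, SAMPLE_ENTRIES)

if __name__ == "__main__":
    sig, parts = parse_mbr(SAMPLE_MBR)
    print(f"Disk signature: {sig:X}")
    for p in parts:
        state = "ACTIVE" if p.active else "NOT ACTIVE"
        print(f"Partition {p.index}: type 0x{p.type_id:x}, {state}, LBA {p.start_lba}, Numsec {p.num_sectors}")
    print("Unpartitioned:", unpartitioned_ranges(parts, DISK_SECTORS))
    print("Findings:", check_partition_table(parts, DISK_SECTORS) or "none")
```

Run as-is it prints the parse of the constructed sample. To check a real disk, read sector 0 from the physical device (on Windows, open `\\.\PhysicalDrive0` with administrator rights) and hand those 512 bytes to parse_mbr. A clean single-OS disk gives exactly one active entry, no overlap findings and only the usual gaps (the 62 sectors after the MBR and a short tail before the end of the disk); a failed boot signature, a second active entry or a partition that runs past the disk deserves a closer look, and the tail gap is the range worth dumping if a bootkit is suspected.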

#6 DEC10

DEC10
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male

Posted 23 November 2012 - 01:07 AM

MBAR pass 1:
============

mbar-log-2012-11-23 (01-03-22).txt
----------------------------------
Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.23.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Frugal Fetta dcra cu :: RASPERRYPI [administrator]

11/23/2012 1:03:22 AM
mbar-log-2012-11-23 (01-03-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 25805
Time elapsed: 1 hour(s), 1 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L (Backdoor.0Access) -> Delete on reboot. [4f32f8c1114c4ee86e1317e9c8386898]
C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\U (Backdoor.0Access) -> Delete on reboot. [136ec8f1fc612f073c4620e0c7391fe1]
C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\U (Backdoor.0Access) -> Delete on reboot. [b3ce3c7d93ca4beb463f1ee219e78080]
C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L (Backdoor.0Access) -> Delete on reboot. [9fe2cceda1bc2e08642209f7d22e10f0]

Files Detected: 5
C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\@ (Backdoor.0Access) -> Delete on reboot. [c0c115a456070135c79357a9e818af51]
C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\00000004.@ (Backdoor.0Access) -> Delete on reboot. [d3aefabfca930e282236e61a2fd1a65a]
C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\@ (Backdoor.0Access) -> Delete on reboot. [6a17baff0954b1859876ab5509f714ec]
C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\1afb2d56 (Backdoor.0Access) -> Delete on reboot. [4f32f8c1114c4ee86e1317e9c8386898]
C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\201d3dde (Backdoor.0Access) -> Delete on reboot. [4f32f8c1114c4ee86e1317e9c8386898]

(end)



system-log.txt
--------------

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_32

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 1.894000 GHz
Memory total: 1064812544, free: 565706752

------------ Kernel report ------------
11/23/2012 00:00:03
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
avgarkt.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\appliand.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\VClone.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\DRIVERS\AvgArCln.sys
\SystemRoot\System32\Drivers\aswKbd.SYS
\SystemRoot\System32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\aswTdi.SYS
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\Drivers\AswRdr.SYS
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\ElbyCDIO.sys
\SystemRoot\System32\Drivers\aswSP.SYS
\SystemRoot\System32\Drivers\aswSnx.SYS
\SystemRoot\System32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\Aavmker4.SYS
\SystemRoot\System32\DRIVERS\usbprint.sys
\SystemRoot\System32\DRIVERS\hidusb.sys
\SystemRoot\System32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\mouhid.sys
\SystemRoot\System32\DRIVERS\usbccgp.sys
\SystemRoot\System32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\Drivers\aswFsBlk.SYS
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\aswMon2.SYS
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR2
Upper Device Object: 0xffffffff86127148
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006a\
Lower Device Object: 0xffffffff862d6b10
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86327ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff863c8d98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.11.23.01
Downloaded database version: v2012.11.19.01
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86327ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8634c900, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86327ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff863e1e00, DeviceName: \Device\00000063\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff863c8d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe2767d80, 0xffffffff86327ab8, 0xffffffff85341ab8
Lower DeviceData: 0xffffffffe271f188, 0xffffffff863c8d98, 0xffffffff861aac40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 79F079E

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 39085137
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 20020396032 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-39082336-39102336)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff86127148, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86158470, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86127148, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff862d6b10, DeviceName: \Device\0000006a\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xffffffffe24b7f90, 0xffffffff86127148, 0xffffffff8525eab8
Lower DeviceData: 0xffffffffe25b88c8, 0xffffffff862d6b10, 0xffffffff85897970
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1873E31D

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\@ --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\00000004.@ --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\@ --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\1afb2d56 --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\201d3dde --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\U --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\U --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L --> [Backdoor.0Access]
Done!
Scan finished
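The nine detections above share one GUID folder name and one internal layout (a file named '@' plus 'L' and 'U' subfolders, with 8-hex-digit payload files and a '.@' file under L) under both C:\WINDOWS\Installer and the user's Local Settings\Application Data; that layout is the ZeroAccess (Backdoor.0Access) footprint MBAR keys on. The following is an added example for this thread, not Malwarebytes code and not DEC10's, of a small heuristic scanner for that footprint. It builds a throwaway directory tree mirroring the logged paths (zero-filled stub files, not malware) plus one benign GUID-named folder, whose GUID is a made-up value, to show that the Windows Installer cache is not flagged wholesale.

```python
# Added example for this thread, not Malwarebytes code: heuristic scan for
# ZeroAccess-style nests. The directory tree it scans is constructed in a temp dir.
import re
import tempfile
from pathlib import Path
from typing import Dict, List

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX8 = re.compile(r"^[0-9a-f]{8}$", re.I)


def inspect_guid_dir(d: Path) -> List[str]:
    """Collect the reasons a GUID-named folder looks like a ZeroAccess nest."""
    reasons = []
    if (d / "@").is_file():
        reasons.append("'@' marker file present")
    subdirs = sorted(m for m in ("L", "U") if (d / m).is_dir())
    if subdirs:
        reasons.append("subfolders " + ", ".join(subdirs))
    if (d / "L").is_dir():
        try:
            names = [p.name for p in (d / "L").iterdir()]
        except PermissionError:
            # The nest may lock L/U with restrictive ACLs; being refused is itself a signal.
            reasons.append("L not readable (access denied)")
        else:
            payloads = [n for n in names if HEX8.match(n)]
            if payloads:
                reasons.append(f"{len(payloads)} 8-hex-digit payload file(s) under L")
            if any(n.endswith(".@") for n in names):
                reasons.append("'.@' file under L")
    return reasons


def find_zeroaccess_artifacts(roots) -> Dict[str, List[str]]:
    """Map suspicious GUID folder -> reasons. A folder is flagged only if it has the
    '@' file or both L and U, so ordinary MSI cache folders (icons only) pass."""
    hits: Dict[str, List[str]] = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for d in root.iterdir():
            if not (d.is_dir() and GUID_DIR.match(d.name)):
                continue
            has_at = (d / "@").is_file()
            has_lu = (d / "L").is_dir() and (d / "U").is_dir()
            if has_at or has_lu:
                hits[str(d)] = inspect_guid_dir(d)
    return hits


# Constructed fixture mirroring the paths in the MBAR log; stub files, not malware.
INFECTED_GUID = "{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}"
BENIGN_GUID = "{11111111-2222-3333-4444-555555555555}"  # made-up benign MSI cache folder


def build_sample_tree(base: Path) -> List[Path]:
    installer = base / "WINDOWS" / "Installer"
    appdata = base / "Documents and Settings" / "user" / "Local Settings" / "Application Data"
    for parent in (installer, appdata):
        nest = parent / INFECTED_GUID
        (nest / "L").mkdir(parents=True)
        (nest / "U").mkdir()
        (nest / "@").write_bytes(b"\0" * 64)
    for name in ("00000004.@", "1afb2d56", "201d3dde"):
        (installer / INFECTED_GUID / "L" / name).write_bytes(b"\0" * 16)
    benign = installer / BENIGN_GUID
    benign.mkdir()
    (benign / "setup.ico").write_bytes(b"\0" * 16)
    return [installer, appdata]


def run_demo() -> Dict[str, List[str]]:
    """Build the fixture, scan it, and return the hits (fixture is deleted afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_tree(Path(tmp))
        return find_zeroaccess_artifacts(roots)


if __name__ == "__main__":
    for folder, reasons in run_demo().items():
        print(folder)
        for r in reasons:
            print("   -", r)
```

On a live XP machine the roots would be C:\WINDOWS\Installer and each profile's Local Settings\Application Data, run from an administrator account. It is a triage aid, not a cleaner: a hit tells you where to look, and the reboot-time deletion MBAR performed above is what actually removes the nest, since the running service component keeps the files busy while Windows is up.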

#7 DEC10

DEC10
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male

Posted 23 November 2012 - 06:05 AM

MBAR pass 2: No Malware Detected :]

mbar-log-2012-11-23 (02-06-38).txt
==================================

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.23.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Frugal Fetta dcra cu :: RASPERRYPI [administrator]

11/23/2012 2:06:38 AM
mbar-log-2012-11-23 (02-06-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 25762
Time elapsed: 47 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


system-log.txt
==============

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_32

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 1.894000 GHz
Memory total: 1064812544, free: 565706752

------------ Kernel report ------------
11/23/2012 00:00:03
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
avgarkt.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\appliand.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\VClone.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\DRIVERS\AvgArCln.sys
\SystemRoot\System32\Drivers\aswKbd.SYS
\SystemRoot\System32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\aswTdi.SYS
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\Drivers\AswRdr.SYS
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\ElbyCDIO.sys
\SystemRoot\System32\Drivers\aswSP.SYS
\SystemRoot\System32\Drivers\aswSnx.SYS
\SystemRoot\System32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\Aavmker4.SYS
\SystemRoot\System32\DRIVERS\usbprint.sys
\SystemRoot\System32\DRIVERS\hidusb.sys
\SystemRoot\System32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\mouhid.sys
\SystemRoot\System32\DRIVERS\usbccgp.sys
\SystemRoot\System32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\Drivers\aswFsBlk.SYS
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\aswMon2.SYS
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR2
Upper Device Object: 0xffffffff86127148
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006a\
Lower Device Object: 0xffffffff862d6b10
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86327ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff863c8d98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.11.23.01
Downloaded database version: v2012.11.19.01
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86327ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8634c900, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86327ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff863e1e00, DeviceName: \Device\00000063\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff863c8d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe2767d80, 0xffffffff86327ab8, 0xffffffff85341ab8
Lower DeviceData: 0xffffffffe271f188, 0xffffffff863c8d98, 0xffffffff861aac40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 79F079E

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 39085137
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 20020396032 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-39082336-39102336)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff86127148, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86158470, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86127148, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff862d6b10, DeviceName: \Device\0000006a\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xffffffffe24b7f90, 0xffffffff86127148, 0xffffffff8525eab8
Lower DeviceData: 0xffffffffe25b88c8, 0xffffffff862d6b10, 0xffffffff85897970
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1873E31D

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\@ --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\00000004.@ --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\@ --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\1afb2d56 --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L\201d3dde --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\U --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\U --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Frugal Fetta dcra cu\Local Settings\Application Data\{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}\L --> [Backdoor.0Access]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_32

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 1.894000 GHz
Memory total: 1064812544, free: 814047232

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_32

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 1.894000 GHz
Memory total: 1064812544, free: 718176256

------------ Kernel report ------------
11/23/2012 01:18:44
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
avgarkt.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\appliand.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\VClone.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\DRIVERS\AvgArCln.sys
\SystemRoot\System32\Drivers\aswKbd.SYS
\SystemRoot\System32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\aswTdi.SYS
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\Drivers\AswRdr.SYS
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\ElbyCDIO.sys
\SystemRoot\System32\Drivers\aswSP.SYS
\SystemRoot\System32\Drivers\aswSnx.SYS
\SystemRoot\System32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\Aavmker4.SYS
\SystemRoot\System32\DRIVERS\usbprint.sys
\SystemRoot\System32\DRIVERS\hidusb.sys
\SystemRoot\System32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\mouhid.sys
\SystemRoot\System32\DRIVERS\usbccgp.sys
\SystemRoot\System32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\aswFsBlk.SYS
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\aswMon2.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR2
Upper Device Object: 0xffffffff8625b030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006b\
Lower Device Object: 0xffffffff861e0640
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86387ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff863e0030
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86387ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86283900, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff86387ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86398158, DeviceName: \Device\00000064\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff863e0030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe1489b58, 0xffffffff86387ab8, 0xffffffff85993ab8
Lower DeviceData: 0xffffffffe14fbe98, 0xffffffff863e0030, 0xffffffff85cf66b0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 79F079E

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 39085137
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 20020396032 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-39082336-39102336)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8625b030, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86306800, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8625b030, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff861e0640, DeviceName: \Device\0000006b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xffffffffe2d1fa98, 0xffffffff8625b030, 0xffffffff858b42c8
Lower DeviceData: 0xffffffffe354fc10, 0xffffffff861e0640, 0xffffffff858f0520
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1873E31D

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 1953520002

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================
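
The "Scanning MBR on drive 0" section of the MBAR log above (55AA signature, disk signature, four partition entries, then a sweep of sectors no partition covers) is what an anti-rootkit tool does before it trusts the partition table, because bootkits such as TDL4, a TDSS variant, live in the MBR and in the unpartitioned sectors around it. The Python below is an added example, not part of the original post and not Malwarebytes' own logic: it parses a raw 512-byte MBR, runs the consistency checks a scanner applies, reports the sector ranges no entry covers, and hashes the boot code so it can be compared against a known-good copy from the same Windows version. The sample sector is constructed here to reproduce the values in the log (disk signature 79F079E, one active type 0x07 partition at LBA 63 with 39085137 sectors on a 20020396032-byte disk); its boot-code bytes are a placeholder, not a real boot sector.

```python
"""Parse a raw 512-byte MBR and run the sanity checks an anti-rootkit scanner
performs before trusting the partition table. Added example; the sample sector
is constructed to mirror the MBAR log and its boot code is a placeholder."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOTCODE_LEN = 440        # bytes 0..439 are executable boot code
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "Primary", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux",
              0xEE: "GPT protective"}
SAMPLE_DISK_BYTES = 20020396032   # "Disk Size" reported in the log for drive 0


@dataclass
class Partition:
    index: int
    boot_flag: int
    type_id: int
    start_lba: int
    num_sectors: int

    @property
    def active(self) -> bool:
        return self.boot_flag == 0x80

    @property
    def end_lba(self) -> int:  # exclusive
        return self.start_lba + self.num_sectors

    def describe(self) -> str:
        name = PART_TYPES.get(self.type_id, "Unknown")
        state = "ACTIVE" if self.active else "NOT ACTIVE"
        return (f"Partition {self.index} type is {name} (0x{self.type_id:x}); "
                f"{state}; starts at LBA: {self.start_lba} Numsec = {self.num_sectors}")


def parse_mbr(sector: bytes):
    """Return (disk_signature, [Partition x4], sha256 of the boot code)."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("MBR signature is not 55AA")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot_flag, type_id = sector[off], sector[off + 4]      # CHS fields skipped
        start_lba, num_sectors = struct.unpack_from("<II", sector, off + 8)
        parts.append(Partition(i, boot_flag, type_id, start_lba, num_sectors))
    return disk_sig, parts, hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_partition_table(parts, disk_sectors):
    """Findings that make a table untrustworthy; an empty list means consistent."""
    findings = []
    for p in parts:
        if p.boot_flag not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid boot flag 0x{p.boot_flag:02x}")
    if sum(1 for p in parts if p.active) > 1:
        findings.append("more than one active partition")
    used = sorted((p for p in parts if p.type_id != 0x00), key=lambda p: p.start_lba)
    for p in used:
        if p.num_sectors == 0 or p.end_lba > disk_sectors:
            findings.append(f"entry {p.index}: extent {p.start_lba}+{p.num_sectors} "
                            f"does not fit a {disk_sectors}-sector disk")
    for a, b in zip(used, used[1:]):
        if a.end_lba > b.start_lba:
            findings.append(f"entries {a.index} and {b.index} overlap")
    return findings


def unpartitioned_ranges(parts, disk_sectors):
    """Inclusive (first, last) LBA ranges that no partition entry covers, LBA 0
    excluded. Bootkits keep their payload in exactly these gaps, so they are
    the sectors to dump and inspect when the table itself looks clean."""
    ranges, cursor = [], 1
    for p in sorted((p for p in parts if p.type_id != 0x00), key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            ranges.append((cursor, p.start_lba - 1))
        cursor = max(cursor, p.end_lba)
    if cursor < disk_sectors:
        ranges.append((cursor, disk_sectors - 1))
    return ranges


def build_sample_mbr() -> bytes:
    """Constructed sector reproducing the log: disk signature 079F079E, one active
    type-0x07 partition at LBA 63 with 39085137 sectors, three empty entries."""
    sector = bytearray(SECTOR_SIZE)
    # placeholder boot code (xor ax,ax / mov ss,ax / mov sp,7C00h then NOPs), not a real MBR
    sector[:BOOTCODE_LEN] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTCODE_LEN - 7)
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x079F079E)
    struct.pack_into("<BBBBBBBBII", sector, PART_TABLE_OFF,
                     0x80, 1, 1, 0,            # boot flag, CHS start
                     0x07, 0xFE, 0xFF, 0xFF,   # type, CHS end (capped)
                     63, 39085137)             # LBA start, sector count
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    sig, parts, boot_hash = parse_mbr(build_sample_mbr())
    sectors = SAMPLE_DISK_BYTES // SECTOR_SIZE
    print(f"MBR Signature: 55AA\nDisk Signature: {sig:X}")
    for p in parts:
        print(p.describe())
    print("Findings:", check_partition_table(parts, sectors) or "none")
    print("Unpartitioned sector ranges:", unpartitioned_ranges(parts, sectors))
    print("Boot code SHA-256:", boot_hash)
```

On a real machine the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` in an elevated prompt on Windows, or from `/dev/sda` on Linux, and the disk size from the same device. A partition table that checks out says nothing about the boot code itself, which is why the hash is returned: compare it with the MBR written by the same Windows version's installer, and treat the gap before LBA 63 and the tail after the last partition as the first sectors to dump.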

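The detections in the first MBAR run above are the user-mode file drop of ZeroAccess (also called Sirefef; Malwarebytes names it Backdoor.0Access): a GUID-named directory under C:\WINDOWS\Installer and another under the user's Local Settings\Application Data, each holding a file called @ plus L and U subdirectories. The directory name alone is not enough to go on, since Windows Installer legitimately caches product icons in GUID-named folders in the same place, so the markers inside have to be checked. The script below is an added example, not MBAR's logic and not from the original post: it walks those roots, flags GUID directories that carry the markers, and reports a GUID directory it cannot read in that position instead of silently skipping it, since an unreadable folder there is itself worth a look from offline media. It builds a throwaway directory tree reproducing the infected paths from the log next to a benign GUID folder with a made-up GUID; default_roots() is this example's assumption about where to look on a live Windows system.

```python
"""Look for the user-mode footprint of ZeroAccess (Sirefef, reported above as
Backdoor.0Access): a GUID-named directory under the Windows Installer cache or
the user's local application data holding a file '@' and subdirectories 'L' and
'U'. Added example; the roots and the sample tree are this example's assumptions."""
import os
import re
import tempfile
from dataclasses import dataclass, field

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
MARKERS = {"@": "file", "L": "dir", "U": "dir"}           # names seen in the MBAR log
INFECTED_GUID = "{374ff3f8-57d8-bcd0-fc1c-ee9b8b99ca97}"   # from the log above


@dataclass
class Hit:
    path: str
    markers: list = field(default_factory=list)
    access_denied: bool = False

    @property
    def verdict(self) -> str:
        if self.access_denied:
            return "unreadable GUID directory; inspect from offline media"
        if "@" in self.markers and ("L" in self.markers or "U" in self.markers):
            return "ZeroAccess layout"
        return "partial marker set; verify"


def inspect_guid_dir(path: str) -> Hit:
    """Record which marker names are present, with the right type, in one directory."""
    hit = Hit(path)
    try:
        entries = os.listdir(path)
    except PermissionError:
        hit.access_denied = True
        return hit
    for name in entries:
        expected = MARKERS.get(name)
        full = os.path.join(path, name)
        if expected == "file" and os.path.isfile(full):
            hit.markers.append(name)
        elif expected == "dir" and os.path.isdir(full):
            hit.markers.append(name)
    hit.markers.sort()
    return hit


def scan(roots) -> list:
    """GUID-named directories directly under the roots that carry markers or cannot
    be read. GUID folders with ordinary contents (Installer's icon cache) are ignored."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in sorted(os.listdir(root)):
            if not GUID_DIR.match(name):
                continue
            hit = inspect_guid_dir(os.path.join(root, name))
            if hit.markers or hit.access_denied:
                hits.append(hit)
    return hits


def default_roots() -> list:
    """Assumed locations on a live Windows system (XP and Vista+ profile layouts)."""
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    profile = os.environ.get("USERPROFILE", "")
    return [os.path.join(windir, "Installer"),
            os.path.join(profile, "Local Settings", "Application Data"),
            os.path.join(profile, "AppData", "Local")]


def build_sample_tree():
    """Constructed directory tree, not a real disk: the two infected GUID folders from
    the log plus a benign Installer GUID folder (made-up GUID) holding an icon file."""
    base = tempfile.mkdtemp(prefix="zeroaccess_demo_")
    installer = os.path.join(base, "WINDOWS", "Installer")
    local_appdata = os.path.join(base, "Documents and Settings", "user",
                                 "Local Settings", "Application Data")
    for root in (installer, local_appdata):
        d = os.path.join(root, INFECTED_GUID)
        os.makedirs(os.path.join(d, "L"))
        os.makedirs(os.path.join(d, "U"))
        with open(os.path.join(d, "@"), "wb") as fh:
            fh.write(b"\x00" * 64)   # placeholder content only
    benign = os.path.join(installer, "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    with open(os.path.join(benign, "ARPPRODUCTICON.exe"), "wb") as fh:
        fh.write(b"MZ")
    return base, [installer, local_appdata]


if __name__ == "__main__":
    _, roots = build_sample_tree()
    for hit in scan(roots):
        print(f"{hit.path}: markers={hit.markers} -> {hit.verdict}")
```

Run it against `default_roots()` on the suspect machine from an elevated prompt; on this thread's machine both hits would be the {374ff3f8-...} folders MBAR removed. A hit is a starting point for removal with a dedicated tool, not something to delete by hand, since the same infection also plants the service and driver components the rest of the thread is chasing.
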
#8 DEC10 (Topic Starter)

Posted 23 November 2012 - 06:28 AM

JRT.txt:
========

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.4.8 (11.22.2012)
OS: Microsoft Windows XP x86
Ran by Frugal Fetta dcra cu on Fri 11/23/2012 at 6:08:37.07
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] Application Updater
Successfully deleted: [Service] Application Updater



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\SearchSettings
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{f3fee66e-e034-436a-86e4-9690573bee8a}



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\search settings"
Successfully deleted: [Registry Key] "hkey_local_machine\software\freeze.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\search settings"



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\blekko toolbars"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\ytd video downloader"
Successfully deleted: [Folder] "C:\Documents and Settings\Frugal Fetta dcra cu\Application Data\search settings"
Failed to delete: [Folder] "C:\Program Files\Common Files\spigot"
Successfully deleted: [Folder] "C:\Program Files\application updater"
Successfully deleted: [Folder] "C:\Program Files\ytd toolbar"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\ytd video downloader"



~~~ FireFox

Failed to delete: [Folder] C:\Documents and Settings\Frugal Fetta dcra cu\Application Data\Mozilla\Firefox\Profiles\aj4dhknu.default\extensions\[email protected]
Successfully deleted: [File] C:\Documents and Settings\Frugal Fetta dcra cu\Application Data\Mozilla\Firefox\Profiles\aj4dhknu.default\extensions\[email protected] [Tracur]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 11/23/2012 at 6:25:36.57
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#9 CatByte (Malware Response Team)

Posted 23 November 2012 - 08:25 AM

Please rerun ComboFix - allow it to update if it asks to do so - post the new log.

Then

Re-run Junkware Removal Tool - make certain Firefox is closed while the tool is running - post the new log.


Please advise how the computer is running now and if there are any outstanding issues.
Microsoft MVP - 2010, 2011, 2012, 2013

#10 DEC10 (Topic Starter)

Posted 23 November 2012 - 05:32 PM

Hi, still 11 hours (78%) into the ESET scan with 21 infected files & a number of threats detected and counting. If/when that finishes I'll post that log and then catch up.



#11 DEC10 (Topic Starter)

Posted 24 November 2012 - 02:18 PM

ESET must be quite the deep scanner; it's literally crawling through my 8G DVD rips, which should be clean anyway. It's almost done and I am tempted to stop it and move on. But it has detected another 2 infections. At 32 hours, 80%, with 23 infections. The ESET-detected threats I can see listed are:

a variant of Win32/HackTool.Patcher.T application
multiple threats
a variant of Win32/Keygen.DY application
Win32/Toolbar.Zugo application
Win32/Toolbar.Zugo application
Win32/Somoto application

#12 CatByte (Malware Response Team)

Posted 24 November 2012 - 03:37 PM

It's very thorough.

Might as well let it complete now.

#13 DEC10 (Topic Starter)

Posted 24 November 2012 - 07:47 PM

ESETSCAN.txt

C:\bin\tftpd32.400.zip a variant of Win32/TFTPD32.A application
C:\bin\tftpd32.400\tftpd32.exe a variant of Win32/TFTPD32.A application
C:\Documents and Settings\Agent.01\Application Data\Mozilla\Firefox\Profiles\cgbukkbw.default\extensions\[email protected] JS/Redirector.NCA trojan
C:\Documents and Settings\Frugal Fetta dcra cu\My Documents\Downloads\WinZip165Multi-language.exe a variant of Win32/OpenInstall application
C:\Documents and Settings\Media Server\Application Data\Mozilla\Firefox\Profiles\caoahomo.default\extensions\[email protected] JS/Redirector.NCA trojan
C:\Documents and Settings\Media Server\Desktop\bin\tftpd32.400.zip a variant of Win32/TFTPD32.A application
C:\Documents and Settings\Media Server\Desktop\bin\tftpd32.400\tftpd32.exe a variant of Win32/TFTPD32.A application
C:\Documents and Settings\Media Server\My Documents\Downloads\Firefox Downloads\FreeAudioCDBurner.exe Win32/OpenCandy application
C:\Documents and Settings\Media Server\My Documents\Downloads\Firefox Downloads\winamp5623_full_emusic-7plus_en-us.exe Win32/OpenCandy application
C:\Documents and Settings\Pauper\Application Data\Mozilla\Firefox\Profiles\21zulsln.default\extensions\[email protected] JS/Redirector.NCA trojan
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{D9938EF9-B7EF-4536-B856-2D73A53315BA}\RP789\A0086935.dll a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{D9938EF9-B7EF-4536-B856-2D73A53315BA}\RP789\A0086940.dll a variant of Win32/Toolbar.Widgi application
C:\WINDOWS\Installer\2bf25039.msi probably a variant of Win32/Toolbar.Widgi application
C:\WINDOWS\Installer\MSI3C6.tmp probably a variant of Win32/Toolbar.Widgi application
F:\Temp\APPS\flash_player Android tablet vs.exe Win32/Somoto application
F:\Temp\APPS\swf_flv_player.exe Win32/Toolbar.Zugo application
F:\Temp\Downloads\swf_flv_player.exe Win32/Toolbar.Zugo application
F:\Temp\RECYCLER\S-1-5-21-1123561945-1364589140-725345543-1004\Dn2.iso multiple threats
F:\Temp\Temps\RMC 4.3.2\(Not Needed)RMC 4.3 Patcher.rar a variant of Win32/HackTool.Patcher.T application
F:\WD 10G 310200\Desktop\ptvLd.iso INF/Autorun.gen worm
Operating memory a variant of Win32/Toolbar.Widgi application

#14 CatByte (Malware Response Team)

Posted 24 November 2012 - 07:50 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\bin\tftpd32.400.zip 
C:\bin\tftpd32.400\tftpd32.exe 
C:\Documents and Settings\Agent.01\Application Data\Mozilla\Firefox\Profiles\cgbukkbw.default\extensions\[email protected] 
C:\Documents and Settings\Frugal Fetta dcra cu\My Documents\Downloads\WinZip165Multi-language.exe 
C:\Documents and Settings\Media Server\Application Data\Mozilla\Firefox\Profiles\caoahomo.default\extensions\[email protected] 
C:\Documents and Settings\Media Server\Desktop\bin\tftpd32.400.zip 
C:\Documents and Settings\Media Server\Desktop\bin\tftpd32.400\tftpd32.exe 
C:\Documents and Settings\Media Server\My Documents\Downloads\Firefox Downloads\FreeAudioCDBurner.exe 
C:\Documents and Settings\Media Server\My Documents\Downloads\Firefox Downloads\winamp5623_full_emusic-7plus_en-us.exe 
C:\Documents and Settings\Pauper\Application Data\Mozilla\Firefox\Profiles\21zulsln.default\extensions\[email protected] 
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe 
C:\System Volume Information\_restore{D9938EF9-B7EF-4536-B856-2D73A53315BA}\RP789\A0086935.dll  
C:\System Volume Information\_restore{D9938EF9-B7EF-4536-B856-2D73A53315BA}\RP789\A0086940.dll 
C:\WINDOWS\Installer\2bf25039.msi 
C:\WINDOWS\Installer\MSI3C6.tmp 
F:\Temp\APPS\flash_player Android tablet vs.exe 
F:\Temp\APPS\swf_flv_player.exe 
F:\Temp\Downloads\swf_flv_player.exe 
F:\Temp\RECYCLER\S-1-5-21-1123561945-1364589140-725345543-1004\Dn2.iso 
F:\Temp\Temps\RMC 4.3.2\(Not Needed)RMC 4.3 Patcher.rar 
F:\WD 10G 310200\Desktop\ptvLd.iso 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Please advise how the computer is running now and if there are any outstanding issues.

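The CFScript above was assembled by hand from ESETSCAN.txt: every detected path goes under File::, and the one line that is not a path (Operating memory, the Widgi toolbar found running) is left out. As an added example, not part of the original post and not ComboFix's own code, the Python below does that mechanically: it splits each ESET line into path and detection name (the path can contain spaces, so the split keys on the shape of the detection name at the end of the line rather than on whitespace), drops non-file hits from the File:: section, and groups the findings by kind, because a trojan, a bundled toolbar and a user's own keygen or patcher call for different follow-up. The sample lines are a subset copied from the log above; the regex, the category names and the NON_FILE set are this example's own assumptions about ESET's log format.

```python
"""Build a ComboFix CFScript 'File::' section from an ESET scan log. Added example;
the detection-name regex, the categories and NON_FILE are this example's own
assumptions about the log format; the sample lines are copied from ESETSCAN.txt."""
import re
from collections import defaultdict

# "<path> <detection>": the path may contain spaces, so the split keys on the
# shape of the detection name at the end of the line, not on whitespace.
DETECTION = re.compile(
    r"^(?P<path>.+?) (?P<det>(?:probably )?(?:a variant of )?"
    r"(?:[A-Za-z0-9]+/[\w.\-]+ (?:application|trojan|worm)|multiple threats))$")
NON_FILE = {"Operating memory"}   # ESET reports in-memory hits under this pseudo-path

SAMPLE_LOG = r"""
C:\bin\tftpd32.400\tftpd32.exe a variant of Win32/TFTPD32.A application
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
C:\WINDOWS\Installer\2bf25039.msi probably a variant of Win32/Toolbar.Widgi application
F:\Temp\APPS\flash_player Android tablet vs.exe Win32/Somoto application
F:\Temp\RECYCLER\S-1-5-21-1123561945-1364589140-725345543-1004\Dn2.iso multiple threats
F:\Temp\Temps\RMC 4.3.2\(Not Needed)RMC 4.3 Patcher.rar a variant of Win32/HackTool.Patcher.T application
F:\WD 10G 310200\Desktop\ptvLd.iso INF/Autorun.gen worm
Operating memory a variant of Win32/Toolbar.Widgi application
"""


def parse_eset_log(text: str) -> list:
    """(path, detection) for every line that looks like an ESET detection."""
    entries = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("det")))
    return entries


def classify(detection: str) -> str:
    """Rough triage bucket: what ESET calls a trojan, worm or 'multiple threats' is
    malware; hack tools and keygens are the user's own (unsafe) downloads; everything
    else it flags as 'application' is adware/PUA such as the bundled toolbars here."""
    d = detection.lower()
    if "multiple threats" in d or d.endswith(" trojan") or d.endswith(" worm"):
        return "malware"
    if "hacktool" in d or "keygen" in d:
        return "unsafe-app"
    return "pua"


def summarize(text: str):
    """({category: [paths]}, [detections found in memory rather than on disk])."""
    by_category, in_memory = defaultdict(list), []
    for path, det in parse_eset_log(text):
        if path in NON_FILE:
            in_memory.append(det)
        else:
            by_category[classify(det)].append(path)
    return dict(by_category), in_memory


def build_cfscript(text: str, clear_java_cache: bool = True) -> str:
    """The text to save as CFScript.txt: one unquoted path per line under File::,
    in-memory hits omitted, optionally followed by a ClearJavaCache:: directive."""
    files = [path for path, _ in parse_eset_log(text) if path not in NON_FILE]
    lines = ["File::", *files, ""]
    if clear_java_cache:
        lines += ["ClearJavaCache::", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    categories, in_memory = summarize(SAMPLE_LOG)
    for cat, paths in categories.items():
        print(f"{cat}: {len(paths)} file(s)")
    for det in in_memory:
        print(f"running in memory, not a file: {det}")
    print(build_cfscript(SAMPLE_LOG))
```

Feed it the full ESETSCAN.txt instead of SAMPLE_LOG and save the output as CFScript.txt exactly as the post describes. Restore-point copies under System Volume Information come out in the same File:: list, which is what the hand-written script above does too, but it means the restore points themselves should be flushed once the machine is clean, or the next rollback brings the toolbar back.
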
#15 DEC10 (Topic Starter)

Posted 24 November 2012 - 09:43 PM

Hijacker appears to be neutralized, Yahoo search tool as well. The keyboard thing may very well be another issue after all. I tried refreshing the driver and switching keyboards. After two keyboards, I'll have to try a different USB port. The driver disengages often and sometimes all I have to do is breathe on the keyboard to trigger it.

ComboFix 12-11-24.02 - Frugal Fetta dcra cu 11/24/2012 20:30:54.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.585 [GMT -5:00]
Running from: c:\documents and settings\Frugal Fetta dcra cu\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Frugal Fetta dcra cu\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\bin\tftpd32.400.zip"
"c:\bin\tftpd32.400\tftpd32.exe"
"c:\documents and settings\Agent.01\Application Data\Mozilla\Firefox\Profiles\cgbukkbw.default\extensions\[email protected]"
"c:\documents and settings\Frugal Fetta dcra cu\My Documents\Downloads\WinZip165Multi-language.exe"
"c:\documents and settings\Media Server\Application Data\Mozilla\Firefox\Profiles\caoahomo.default\extensions\[email protected]"
"c:\documents and settings\Media Server\Desktop\bin\tftpd32.400.zip"
"c:\documents and settings\Media Server\Desktop\bin\tftpd32.400\tftpd32.exe"
"c:\documents and settings\Media Server\My Documents\Downloads\Firefox Downloads\FreeAudioCDBurner.exe"
"c:\documents and settings\Media Server\My Documents\Downloads\Firefox Downloads\winamp5623_full_emusic-7plus_en-us.exe"
"c:\documents and settings\Pauper\Application Data\Mozilla\Firefox\Profiles\21zulsln.default\extensions\[email protected]"
"c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe"
"c:\system volume information\_restore{D9938EF9-B7EF-4536-B856-2D73A53315BA}\RP789\A0086935.dll"
"c:\system volume information\_restore{D9938EF9-B7EF-4536-B856-2D73A53315BA}\RP789\A0086940.dll"
"c:\windows\Installer\2bf25039.msi"
"c:\windows\Installer\MSI3C6.tmp"
"f:\temp\APPS\flash_player Android tablet vs.exe"
"f:\temp\APPS\swf_flv_player.exe"
"f:\temp\Downloads\swf_flv_player.exe"
"f:\temp\RECYCLER\S-1-5-21-1123561945-1364589140-725345543-1004\Dn2.iso"
"f:\temp\Temps\RMC 4.3.2\(Not Needed)RMC 4.3 Patcher.rar"
"f:\wd 10g 310200\Desktop\ptvLd.iso"
.
.
((((((((((((((((((((((((( Files Created from 2012-10-25 to 2012-11-25 )))))))))))))))))))))))))))))))
.
.
2012-11-23 11:30 . 2012-11-23 11:30 -------- d-----w- c:\program files\ESET
2012-11-23 11:08 . 2012-11-23 11:08 -------- d-----w- c:\windows\ERUNT
2012-11-23 11:07 . 2012-11-23 11:07 -------- d-----w- C:\JRT
2012-11-23 06:18 . 2012-11-23 06:18 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-11-22 23:39 . 2011-05-10 18:37 655872 ----a-w- c:\windows\system32\msvcr90.dll
2012-11-22 23:39 . 2011-05-10 18:37 568832 ----a-w- c:\windows\system32\msvcp90.dll
2012-11-22 23:39 . 2011-05-10 18:37 224768 ----a-w- c:\windows\system32\msvcm90.dll
2012-11-22 23:39 . 2006-05-04 13:33 53248 ----a-w- c:\windows\system32\CommonDL.dll
2012-11-22 23:39 . 2005-10-04 06:39 44544 ----a-w- c:\windows\system32\msxml4a.dll
2012-11-22 23:39 . 2012-11-22 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX
2012-11-22 20:30 . 2012-11-22 20:30 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Local Settings\Application Data\Intuit
2012-11-22 20:04 . 2012-11-22 20:04 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Application Data\Intuit
2012-11-22 19:48 . 2012-11-22 19:48 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Local Settings\Application Data\IsolatedStorage
2012-11-22 19:48 . 2012-11-22 19:51 -------- d-----w- c:\program files\Common Files\Intuit
2012-11-22 19:36 . 2012-11-22 19:36 -------- d-----w- c:\program files\TurboTax
2012-11-22 19:35 . 2012-11-22 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2012-11-18 16:00 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2012-11-13 01:08 . 2012-11-13 01:08 58904 ----a-w- c:\windows\system32\sysfolderazipcnt.dll
2012-11-13 01:08 . 2012-11-13 01:08 58904 ----a-w- c:\windows\system32\azipcontmn.dll
2012-11-13 01:07 . 2012-11-17 14:04 -------- d-----w- c:\program files\AlphaZIP
2012-11-13 01:01 . 2012-11-13 01:11 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Local Settings\Application Data\FileTypeAssistant
2012-11-13 01:00 . 2012-11-13 01:01 -------- d-----w- c:\program files\File Type Assistant
2012-11-13 00:29 . 2012-11-13 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2012-11-04 13:06 . 2012-11-04 13:06 -------- d-----w- c:\documents and settings\Frugal Fetta dcra cu\Application Data\YTD
2012-11-03 22:31 . 2012-11-23 11:09 -------- d-----w- c:\program files\Common Files\Spigot
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 23:51 . 2012-07-14 18:35 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 23:51 . 2012-07-14 18:35 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 23:51 . 2012-07-14 18:35 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 23:51 . 2012-07-14 18:35 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51 . 2012-07-14 18:35 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-30 23:51 . 2012-07-14 18:35 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-30 23:51 . 2012-07-14 18:35 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 23:51 . 2012-07-14 18:35 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-30 23:51 . 2012-07-14 18:34 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 23:50 . 2012-07-14 18:34 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-22 08:37 . 2001-08-18 14:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-09 00:23 . 2012-05-17 15:40 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 00:23 . 2012-05-17 15:40 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-02 18:04 . 2001-08-18 14:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2012-07-13 03:22 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14 . 2001-08-18 14:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2001-08-18 14:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2001-08-18 14:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2010-03-18 06:15 385024 ----a-w- c:\windows\system32\html.iec
2012-10-27 01:19 . 2012-10-27 01:18 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-18 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2012-03-28 404568]
.
c:\documents and settings\Pauper\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\File Type Assistant\\tsassist.exe"=
.
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [8/7/2012 2:29 PM 18544]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/14/2012 1:35 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/14/2012 1:35 PM 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/14/2012 1:35 PM 21256]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [4/20/2012 2:50 PM 28256]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [11/23/2012 1:18 AM 35144]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Frugal Fetta dcra cu\Desktop\SASKUTIL.SYS --> c:\documents and settings\Frugal Fetta dcra cu\Desktop\SASKUTIL.SYS [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [4/20/2012 2:50 PM 28256]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\drivers\ZD1201U.sys [4/13/2012 5:45 PM 55040]
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);c:\windows\system32\drivers\ZD1201U.sys [4/13/2012 5:45 PM 55040]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;c:\windows\system32\ZDNDIS5.sys [4/13/2012 7:21 PM 15872]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMCHAMELEON
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-17 00:23]
.
2012-11-24 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-14 23:50]
.
2012-11-24 c:\windows\Tasks\ProgramUpdateCheck.job
- c:\program files\File Type Assistant\tsassist.exe [2012-11-13 16:44]
.
2012-11-25 c:\windows\Tasks\User_Feed_Synchronization-{6C86F955-03C2-4F6E-9F27-529A3369A9C9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.yahoo.com?type=937811&fr=spigot-yhp-ie
uInternet Connection Wizard,ShellNext = ftp://[email protected]:2121/
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.3.1
FF - ProfilePath - c:\documents and settings\Frugal Fetta dcra cu\Application Data\Mozilla\Firefox\Profiles\aj4dhknu.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-24 20:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_2F020J0 rev.VAM51JJ0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85869864
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1992)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-11-24 20:51:06
ComboFix-quarantined-files.txt 2012-11-25 01:51
ComboFix2.txt 2012-11-25 01:20
ComboFix3.txt 2012-11-18 00:15
ComboFix4.txt 2012-07-15 20:49
.
Pre-Run: 1,869,979,648 bytes free
Post-Run: 1,890,226,176 bytes free
.
- - End Of File - - E13094EE28FC88313F25A9D54CED3AF2



