Whistler@mbr infection and other odd behavior

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

5 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

Whistler@mbr infection and other odd behavior

#1 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 03 October 2011 - 08:03 PM

Hello,

I've used this forum for Malware removal help in the past and was beyond impressed with the service. I'm posting on behalf of a friend who has some issues with his PC.

I will be completely honest and tell you that, before I was asked to assist, he executed an unsupervised ComboFix scan. I have confirmed he downloaded a legit version from bleepingcomputer.com

To summarize the issues:

- Whistler@mbr was detected in the GMER scan.

- Often after reboot his PC Tools Firewall detects a program named "vrjvdhae" attempting to connect to the internet via Internet Explorer (which is manually blocked at the prompt). This program is located here: C:\Documents and Settings\<user>\Start Menu\Programs\Startup

- PC Tools Firewall recently detected the Opera Web Browser attempting to contact numberous unknown IP addresses (even though Opera was not in use at the time).

- During the unsupervised ComboFix scan, ComboFix detected an removed the following files:
c:\documents and settings\<user>\Local Settings\Application Data\swankkra.log
c:\program files\Setup.exe
c:\windows\system32\d3d9caps.dat
c:\windows\system32\qtplugin.exe

******** DDS SCAN **********

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Run by <user> at 19:09:51 on 2011-10-03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1453 [GMT -4:00]
.
FW: PC Tools Firewall Plus *Enabled*
.
============== Running Processes ===============
.
"C:\WINDOWS\system32\svchost.exe"
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
"C:\WINDOWS\system32\svchost.exe"
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\norjpeqn\vrjvdhae.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SysShield IE Popup Blocker: {9a23b8a4-c6c9-4a68-8fa6-5f905dc8ff80} - PopKiller Class
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
StartupFolder: c:\documents and settings\<user>\start menu\programs\startup\vrjvdhae.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\firefo~1.lnk - c:\program files\firefoxpreloader\FirefoxPreloader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537}
DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{66C1E131-1F0D-4F0E-A00C-9926A3D0D15F} : DhcpNameServer = 64.71.255.198
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\<user>\application data\mozilla\firefox\profiles\y5got11x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\documents and settings\<user>\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\<user>\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCARDS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2010-11-4 125304]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-6-18 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-8-18 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-10-23 2806000]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-6-18 73840]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-6-18 146800]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-6-18 95640]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\<user>\locals~1\temp\dgkddevq.sys --> c:\docume~1\<user>\locals~1\temp\dgkddevq.sys [?]
S2 gupdate1c9e21bf3528ca;Google Update Service (gupdate1c9e21bf3528ca);c:\program files\google\update\GoogleUpdate.exe [2009-5-31 133104]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-10-23 72808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-31 133104]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2008-4-15 49399]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\eed.tmp --> c:\windows\system32\EED.tmp [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2007-11-19 20632]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2007-11-19 25240]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2007-11-19 76440]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2007-11-19 21656]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 12872]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2007-11-19 205381]
S4 V;V;c:\docume~1\<user>\locals~1\temp\v.exe --> c:\docume~1\<user>\locals~1\temp\V.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-5 24652]
.
=============== Created Last 30 ================
.
2011-10-03 03:43:32 -------- d-----w- c:\program files\norjpeqn
2011-09-11 21:44:54 -------- d-s---w- c:\windows\Cookies
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x88D2F616]<<
_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x89D7CAB8]
\Driver\Disk[0x89DF8A08] -> IRP_MJ_READ -> 0x88D2F616
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 19:10:18.79 ===============

attach.txt and ark.txt are attached

Attached File(s)

attach.txt (20.48K)
Number of downloads: 2
ark.txt (4.92K)
Number of downloads: 0

This post has been edited by spazz22: 03 October 2011 - 08:07 PM

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 08 October 2011 - 03:49 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 08 October 2011 - 07:49 PM

Hi Gringo,

As per your request I just finished running combofix. There were no problems encountered while scanning. My computer is generally running well but my firewall (PC Tools Firewall) is still detecting and blocking Opera from contacting unknown IP addresses when Opera is not currently even launhed/in use.

Here is the ComboFix log:

ComboFix 11-10-08.05 - Rams 08/10/2011 20:16:02.24.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1394 [GMT -4:00]
Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rams\Local Settings\Application Data\wvmnbgfa.log
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-03 03:43 . 2011-10-09 00:33 -------- d-----w- c:\program files\norjpeqn
2011-09-11 21:44 . 2011-09-11 21:44 -------- d-s---w- c:\windows\Cookies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-30_04.33.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-09 00:22 . 2011-10-09 00:22 16384 c:\windows\Temp\Perflib_Perfdata_71c.dat
+ 2011-08-25 03:56 . 2011-08-25 03:56 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-08-25 03:56 . 2011-10-09 00:23 81920 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-09-08 19:09 . 2011-09-08 19:09 22016 c:\windows\Installer\2d656efd.msi
+ 2011-09-11 21:44 . 2011-09-11 18:19 16384 c:\windows\Cookies\index.dat
+ 2006-06-09 03:40 . 2011-10-09 00:23 1081344 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-21 23:29 . 2011-10-09 00:23 16171008 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-11-27 233936]
.
c:\documents and settings\<user>\Start Menu\Programs\Startup\
vrjvdhae.exe [2011-10-2 75674]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-5-31 98304]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-25 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\norjpeqn\vrjvdhae.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-08 00:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^AbsoluteShield Internet Eraser.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\AbsoluteShield Internet Eraser.lnk
backup=c:\windows\pss\AbsoluteShield Internet Eraser.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 20:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-03 00:52 133104 ----atw- c:\documents and settings\<user>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-10-03 04:16 4611456 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-03-08 19:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12676:TCP"= 12676:TCP:BitComet 12676 TCP
"12676:UDP"= 12676:UDP:BitComet 12676 UDP
"18319:TCP"= 18319:TCP:BitComet 18319 TCP
"18319:UDP"= 18319:UDP:BitComet 18319 UDP
"50000:TCP"= 50000:TCP:BitComet 50000 TCP
"50000:UDP"= 50000:UDP:BitComet 50000 UDP
"1720:TCP"= 1720:TCP:BitComet 1720 TCP
"1720:UDP"= 1720:UDP:BitComet 1720 UDP
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [04/11/2010 11:39 PM 125304]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [18/06/2009 6:27 PM 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [26/05/2009 10:05 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [18/08/2010 7:22 PM 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [23/10/2010 2:02 PM 2806000]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 1:07 PM 35088]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [18/06/2009 6:27 PM 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [18/06/2009 6:26 PM 95640]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\<user>\LOCALS~1\Temp\dgkddevq.sys --> c:\docume~1\<user>\LOCALS~1\Temp\dgkddevq.sys [?]
S2 gupdate1c9e21bf3528ca;Google Update Service (gupdate1c9e21bf3528ca);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [23/10/2010 2:02 PM 72808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [15/04/2008 9:52 PM 49399]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\EED.tmp --> c:\windows\system32\EED.tmp [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [19/11/2007 3:20 PM 20632]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [19/11/2007 3:19 PM 25240]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [19/11/2007 3:20 PM 76440]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [19/11/2007 3:20 PM 21656]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [08/04/2008 7:07 PM 47360]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 8:20 AM 12648]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 AM 12872]
S4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [19/11/2007 3:21 PM 205381]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/03/2008 12:50 PM 716272]
S4 V;V;c:\docume~1\<user>\LOCALS~1\Temp\V.exe --> c:\docume~1\<user>\LOCALS~1\Temp\V.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [05/01/2009 7:46 PM 24652]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.71.255.198
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\<user>\Application Data\Mozilla\Firefox\Profiles\y5got11x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 20:33
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
c:\program files\Internet Explorer\iexplore.exe [2872] 0x89BB3C00
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\fSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\EED.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F30CB7B1-3F4A-1F86-2B99-A89F3DF04268}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000c
"TimeStamp"=hex:10,9a,4f,4a,79,a7,c6,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000012
"TimeStamp"=hex:d0,2a,10,23,cd,8a,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@rogers.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000005
"TimeStamp"=hex:f2,d3,eb,8f,4b,ef,c7,01
"Application"="msimn"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000018
"TimeStamp"=hex:c2,9f,9c,f8,d4,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:f6,77,bb,1e,8d,2c,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000001
"TimeStamp"=hex:46,3b,da,18,c1,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000009
"TimeStamp"=hex:8a,8a,c2,a6,0e,b1,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000002
"TimeStamp"=hex:b6,4f,5f,72,88,d6,c7,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000a
"TimeStamp"=hex:40,6f,99,4a,95,58,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<removed>@yahoo.ca]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:ec,97,d6,ce,b2,31,c8,01
"Application"="WindowsLiveMail"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(144)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(3056)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-10-08 20:41:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-09 00:41
ComboFix2.txt 2011-10-03 16:57
ComboFix3.txt 2011-10-03 13:13
ComboFix4.txt 2011-09-11 21:43
ComboFix5.txt 2011-10-07 05:18
.
Pre-Run: 28,104,794,112 bytes free
Post-Run: 28,079,628,288 bytes free
.
- - End Of File - - F8F74C07F9323BA2CB4A8894241863BB

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 08 October 2011 - 09:44 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#5 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 08 October 2011 - 10:00 PM

TDSSKiller Log:

22:53:11.0671 3912 TDSS rootkit removing tool 2.6.6.0 Oct 7 2011 12:45:24
22:53:13.0671 3912 ============================================================
22:53:13.0671 3912 Current date / time: 2011/10/08 22:53:13.0671
22:53:13.0671 3912 SystemInfo:
22:53:13.0671 3912
22:53:13.0671 3912 OS Version: 5.1.2600 ServicePack: 2.0
22:53:13.0671 3912 Product type: Workstation
22:53:13.0671 3912 ComputerName: LT-1234
22:53:13.0671 3912 UserName: <user>
22:53:13.0671 3912 Windows directory: C:\WINDOWS
22:53:13.0671 3912 System windows directory: C:\WINDOWS
22:53:13.0671 3912 Processor architecture: Intel x86
22:53:13.0671 3912 Number of processors: 1
22:53:13.0671 3912 Page size: 0x1000
22:53:13.0671 3912 Boot type: Normal boot
22:53:13.0671 3912 ============================================================
22:53:15.0187 3912 Initialize success
22:53:37.0640 2416 ============================================================
22:53:37.0640 2416 Scan started
22:53:37.0640 2416 Mode: Manual;
22:53:37.0640 2416 ============================================================
22:53:39.0203 2416 a2acc (2d1e1a70041319338035c3df51bfd200) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
22:53:39.0203 2416 a2acc - ok
22:53:39.0343 2416 Abiosdsk - ok
22:53:39.0468 2416 abp480n5 - ok
22:53:39.0625 2416 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:53:39.0625 2416 ACPI - ok
22:53:39.0718 2416 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:53:39.0718 2416 ACPIEC - ok
22:53:39.0734 2416 adpu160m - ok
22:53:39.0796 2416 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
22:53:39.0796 2416 aec - ok
22:53:39.0875 2416 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:53:39.0875 2416 AegisP - ok
22:53:39.0921 2416 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
22:53:39.0921 2416 AFD - ok
22:53:39.0937 2416 Aha154x - ok
22:53:39.0968 2416 aic78u2 - ok
22:53:39.0984 2416 aic78xx - ok
22:53:40.0000 2416 AliIde - ok
22:53:40.0015 2416 amsint - ok
22:53:40.0062 2416 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:53:40.0062 2416 Arp1394 - ok
22:53:40.0078 2416 asc - ok
22:53:40.0093 2416 asc3350p - ok
22:53:40.0109 2416 asc3550 - ok
22:53:40.0140 2416 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:53:40.0156 2416 AsyncMac - ok
22:53:40.0296 2416 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:53:40.0296 2416 atapi - ok
22:53:40.0343 2416 Atdisk - ok
22:53:40.0437 2416 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:53:40.0437 2416 Atmarpc - ok
22:53:40.0562 2416 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:53:40.0562 2416 audstub - ok
22:53:40.0656 2416 bcm4sbxp (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
22:53:40.0656 2416 bcm4sbxp - ok
22:53:40.0687 2416 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:53:40.0687 2416 Beep - ok
22:53:40.0750 2416 Bridge (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
22:53:40.0750 2416 Bridge - ok
22:53:40.0765 2416 BridgeMP (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
22:53:40.0765 2416 BridgeMP - ok
22:53:40.0843 2416 CamDrL (cba8bce5bf67a3c619d5ce540bed9cf7) C:\WINDOWS\system32\DRIVERS\Camdrl.sys
22:53:40.0843 2416 CamDrL - ok
22:53:40.0843 2416 catchme - ok
22:53:40.0921 2416 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:53:40.0921 2416 cbidf2k - ok
22:53:41.0109 2416 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:53:41.0109 2416 CCDECODE - ok
22:53:41.0125 2416 cd20xrnt - ok
22:53:41.0156 2416 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:53:41.0156 2416 Cdaudio - ok
22:53:41.0218 2416 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
22:53:41.0218 2416 Cdfs - ok
22:53:41.0281 2416 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:53:41.0281 2416 Cdrom - ok
22:53:41.0296 2416 Changer - ok
22:53:41.0328 2416 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:53:41.0328 2416 CmBatt - ok
22:53:41.0343 2416 CmdIde - ok
22:53:41.0437 2416 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:53:41.0437 2416 Compbatt - ok
22:53:41.0453 2416 Cpqarray - ok
22:53:41.0515 2416 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
22:53:41.0515 2416 CVirtA - ok
22:53:41.0593 2416 CVPNDRVA (1c2999966f0f36aa44eaecbee70cf770) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
22:53:41.0609 2416 CVPNDRVA - ok
22:53:41.0625 2416 dac2w2k - ok
22:53:41.0640 2416 dac960nt - ok
22:53:41.0671 2416 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
22:53:41.0671 2416 Disk - ok
22:53:41.0718 2416 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
22:53:41.0734 2416 dmboot - ok
22:53:41.0796 2416 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
22:53:41.0796 2416 dmio - ok
22:53:42.0125 2416 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:53:42.0125 2416 dmload - ok
22:53:42.0265 2416 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
22:53:42.0265 2416 DMusic - ok
22:53:42.0328 2416 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
22:53:42.0328 2416 DNE - ok
22:53:42.0375 2416 dpti2o - ok
22:53:42.0421 2416 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
22:53:42.0421 2416 drmkaud - ok
22:53:42.0562 2416 DwProt (28cd50265b55f5f8b4432450d021446e) C:\WINDOWS\system32\drivers\dwprot.sys
22:53:42.0562 2416 DwProt - ok
22:53:42.0671 2416 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
22:53:42.0671 2416 Fastfat - ok
22:53:42.0796 2416 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
22:53:42.0796 2416 Fdc - ok
22:53:42.0828 2416 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
22:53:42.0828 2416 Fips - ok
22:53:42.0843 2416 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:53:42.0843 2416 Flpydisk - ok
22:53:42.0937 2416 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
22:53:42.0937 2416 FltMgr - ok
22:53:43.0000 2416 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:53:43.0000 2416 Fs_Rec - ok
22:53:43.0046 2416 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:53:43.0046 2416 Ftdisk - ok
22:53:43.0125 2416 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
22:53:43.0125 2416 GEARAspiWDM - ok
22:53:43.0203 2416 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
22:53:43.0203 2416 giveio - ok
22:53:43.0281 2416 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:53:43.0281 2416 Gpc - ok
22:53:43.0390 2416 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:53:43.0390 2416 HDAudBus - ok
22:53:43.0578 2416 hpn - ok
22:53:43.0687 2416 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
22:53:43.0687 2416 HSFHWAZL - ok
22:53:43.0796 2416 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
22:53:43.0812 2416 HSF_DPV - ok
22:53:43.0937 2416 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
22:53:43.0937 2416 HTTP - ok
22:53:43.0984 2416 i2omgmt - ok
22:53:44.0031 2416 i2omp - ok
22:53:44.0140 2416 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:53:44.0140 2416 i8042prt - ok
22:53:44.0312 2416 ialm (643162fbc619e35d3f1a90a095a5bb42) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
22:53:44.0375 2416 ialm - ok
22:53:44.0406 2416 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:53:44.0406 2416 Imapi - ok
22:53:44.0453 2416 ini910u - ok
22:53:44.0484 2416 IntelIde - ok
22:53:44.0578 2416 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:53:44.0593 2416 intelppm - ok
22:53:44.0625 2416 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
22:53:44.0625 2416 ip6fw - ok
22:53:44.0687 2416 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:53:44.0687 2416 IpFilterDriver - ok
22:53:44.0703 2416 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:53:44.0703 2416 IpInIp - ok
22:53:44.0765 2416 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:53:44.0765 2416 IpNat - ok
22:53:44.0828 2416 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:53:44.0828 2416 IPSec - ok
22:53:44.0843 2416 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:53:44.0843 2416 IRENUM - ok
22:53:44.0937 2416 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:53:44.0937 2416 isapnp - ok
22:53:45.0218 2416 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:53:45.0218 2416 Kbdclass - ok
22:53:45.0296 2416 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
22:53:45.0296 2416 kmixer - ok
22:53:45.0375 2416 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
22:53:45.0375 2416 KSecDD - ok
22:53:45.0390 2416 lbrtfdc - ok
22:53:45.0484 2416 LVUSBSta (c5efbd05a5195402121711a6ebbb271f) C:\WINDOWS\system32\drivers\lvusbsta.sys
22:53:45.0484 2416 LVUSBSta - ok
22:53:45.0578 2416 mamotou (406ea3b1bd43a2c14eeee06c49df0d5d) C:\WINDOWS\system32\DRIVERS\mamotou.sys
22:53:45.0578 2416 mamotou - ok
22:53:45.0656 2416 MaVctrl (1b467fb39d6ee0e7f1970eee5fc07121) C:\WINDOWS\system32\DRIVERS\MaVc2K.sys
22:53:45.0656 2416 MaVctrl - ok
22:53:45.0687 2416 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:53:45.0687 2416 mdmxsdk - ok
22:53:45.0703 2416 MEMSWEEP2 - ok
22:53:45.0859 2416 Micorsoft Windows Service - ok
22:53:46.0015 2416 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:53:46.0015 2416 mnmdd - ok
22:53:46.0328 2416 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
22:53:46.0328 2416 Modem - ok
22:53:46.0390 2416 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:53:46.0390 2416 Mouclass - ok
22:53:46.0437 2416 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
22:53:46.0437 2416 MountMgr - ok
22:53:46.0484 2416 mraid35x - ok
22:53:46.0578 2416 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:53:46.0578 2416 MRxDAV - ok
22:53:46.0750 2416 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:53:46.0765 2416 MRxSmb - ok
22:53:46.0828 2416 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
22:53:46.0828 2416 Msfs - ok
22:53:46.0968 2416 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:53:46.0968 2416 MSKSSRV - ok
22:53:47.0093 2416 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:53:47.0093 2416 MSPCLOCK - ok
22:53:47.0156 2416 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
22:53:47.0156 2416 MSPQM - ok
22:53:47.0218 2416 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:53:47.0218 2416 mssmbios - ok
22:53:47.0312 2416 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
22:53:47.0312 2416 MSTEE - ok
22:53:47.0390 2416 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
22:53:47.0390 2416 Mup - ok
22:53:47.0515 2416 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:53:47.0515 2416 NABTSFEC - ok
22:53:47.0578 2416 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
22:53:47.0578 2416 NDIS - ok
22:53:47.0625 2416 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:53:47.0625 2416 NdisIP - ok
22:53:47.0796 2416 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:53:47.0796 2416 NdisTapi - ok
22:53:47.0906 2416 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:53:47.0906 2416 Ndisuio - ok
22:53:48.0015 2416 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:53:48.0015 2416 NdisWan - ok
22:53:48.0125 2416 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
22:53:48.0125 2416 NDProxy - ok
22:53:48.0156 2416 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:53:48.0156 2416 NetBIOS - ok
22:53:48.0187 2416 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:53:48.0203 2416 NetBT - ok
22:53:48.0281 2416 NgFilter (744af3fbbae50175042da8ee3842c86b) C:\WINDOWS\system32\DRIVERS\ngfilter.sys
22:53:48.0281 2416 NgFilter - ok
22:53:48.0328 2416 NgLog (1b04005008676f6e885a2c065426e3e9) C:\WINDOWS\system32\DRIVERS\nglog.sys
22:53:48.0328 2416 NgLog - ok
22:53:48.0390 2416 NgVpn (cee69dfabc03246d11e7171aef19b389) C:\WINDOWS\system32\DRIVERS\ngvpn.sys
22:53:48.0390 2416 NgVpn - ok
22:53:48.0484 2416 NgWfp (d9d25f997c66986a0bd627e51b877024) C:\WINDOWS\system32\DRIVERS\ngwfp.sys
22:53:48.0484 2416 NgWfp - ok
22:53:48.0515 2416 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:53:48.0515 2416 NIC1394 - ok
22:53:48.0578 2416 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
22:53:48.0578 2416 nm - ok
22:53:48.0703 2416 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
22:53:48.0703 2416 NPF - ok
22:53:48.0750 2416 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
22:53:48.0750 2416 Npfs - ok
22:53:48.0859 2416 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
22:53:48.0875 2416 Ntfs - ok
22:53:48.0906 2416 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:53:48.0906 2416 Null - ok
22:53:48.0968 2416 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:53:48.0968 2416 NwlnkFlt - ok
22:53:48.0984 2416 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:53:48.0984 2416 NwlnkFwd - ok
22:53:49.0046 2416 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:53:49.0046 2416 ohci1394 - ok
22:53:49.0109 2416 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
22:53:49.0109 2416 Parport - ok
22:53:49.0140 2416 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
22:53:49.0156 2416 PartMgr - ok
22:53:49.0234 2416 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:53:49.0250 2416 ParVdm - ok
22:53:49.0312 2416 PCASp50 - ok
22:53:49.0359 2416 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
22:53:49.0375 2416 PCI - ok
22:53:49.0406 2416 PCIDump - ok
22:53:49.0484 2416 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:53:49.0484 2416 PCIIde - ok
22:53:49.0531 2416 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:53:49.0546 2416 Pcmcia - ok
22:53:49.0625 2416 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
22:53:49.0625 2416 pcouffin - ok
22:53:49.0703 2416 PCTAppEvent (3379e7a840de135fb7a829e03bc9cc25) C:\WINDOWS\system32\drivers\PCTAppEvent.sys
22:53:49.0703 2416 PCTAppEvent - ok
22:53:49.0734 2416 pctgntdi (bf770a5817fa8fba1402b2286a7f394c) C:\WINDOWS\system32\drivers\pctgntdi.sys
22:53:49.0734 2416 pctgntdi - ok
22:53:49.0859 2416 pctplfw (0eec24affc5ab0a2bbe4a6a886230aa5) C:\WINDOWS\system32\drivers\pctplfw.sys
22:53:49.0859 2416 pctplfw - ok
22:53:49.0953 2416 PDCOMP - ok
22:53:50.0000 2416 PDFRAME - ok
22:53:50.0062 2416 PDRELI - ok
22:53:50.0093 2416 PDRFRAME - ok
22:53:50.0140 2416 perc2 - ok
22:53:50.0187 2416 perc2hib - ok
22:53:50.0390 2416 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:53:50.0390 2416 PptpMiniport - ok
22:53:50.0453 2416 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
22:53:50.0453 2416 Processor - ok
22:53:50.0500 2416 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
22:53:50.0500 2416 PSched - ok
22:53:50.0671 2416 PSI (365622e1f0b6d5f9871d76e89bf0501a) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
22:53:50.0671 2416 PSI - ok
22:53:50.0796 2416 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:53:50.0796 2416 Ptilink - ok
22:53:50.0875 2416 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:53:50.0875 2416 PxHelp20 - ok
22:53:50.0890 2416 ql1080 - ok
22:53:50.0906 2416 Ql10wnt - ok
22:53:50.0937 2416 ql12160 - ok
22:53:50.0953 2416 ql1240 - ok
22:53:50.0968 2416 ql1280 - ok
22:53:51.0015 2416 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:53:51.0015 2416 RasAcd - ok
22:53:51.0046 2416 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:53:51.0062 2416 Rasl2tp - ok
22:53:51.0109 2416 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:53:51.0109 2416 RasPppoe - ok
22:53:51.0125 2416 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:53:51.0125 2416 Raspti - ok
22:53:51.0203 2416 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:53:51.0203 2416 Rdbss - ok
22:53:51.0218 2416 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:53:51.0218 2416 RDPCDD - ok
22:53:51.0312 2416 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:53:51.0312 2416 rdpdr - ok
22:53:51.0406 2416 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
22:53:51.0406 2416 RDPWD - ok
22:53:51.0484 2416 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:53:51.0484 2416 redbook - ok
22:53:51.0640 2416 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
22:53:51.0640 2416 rimmptsk - ok
22:53:51.0703 2416 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
22:53:51.0703 2416 rimsptsk - ok
22:53:51.0750 2416 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
22:53:51.0750 2416 rismxdp - ok
22:53:51.0890 2416 s24trans (e2c6abcbefb1d44f6aaeb1cd5d6062d4) C:\WINDOWS\system32\DRIVERS\s24trans.sys
22:53:51.0890 2416 s24trans - ok
22:53:52.0015 2416 SABProcEnum - ok
22:53:52.0093 2416 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
22:53:52.0093 2416 SASDIFSV - ok
22:53:52.0156 2416 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
22:53:52.0156 2416 SASENUM - ok
22:53:52.0187 2416 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
22:53:52.0187 2416 SASKUTIL - ok
22:53:52.0406 2416 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
22:53:52.0406 2416 sdbus - ok
22:53:52.0500 2416 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:53:52.0515 2416 Secdrv - ok
22:53:52.0640 2416 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
22:53:52.0640 2416 Serial - ok
22:53:52.0703 2416 sffdisk (1d9f1bec651815741f088a8fb88e17ee) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
22:53:52.0703 2416 sffdisk - ok
22:53:52.0765 2416 sffp_sd (586499fd312ffd7f78553f408e71682e) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
22:53:52.0765 2416 sffp_sd - ok
22:53:52.0875 2416 SFilter (975f4e44fd48c36beed30c96a115b2b8) C:\WINDOWS\system32\DRIVERS\pctfw.sys
22:53:52.0875 2416 SFilter - ok
22:53:52.0984 2416 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:53:52.0984 2416 Sfloppy - ok
22:53:53.0093 2416 Simbad - ok
22:53:53.0203 2416 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:53:53.0203 2416 SLIP - ok
22:53:53.0328 2416 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
22:53:53.0328 2416 SONYPVU1 - ok
22:53:53.0375 2416 Sparrow - ok
22:53:53.0500 2416 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
22:53:53.0500 2416 splitter - ok
22:53:53.0625 2416 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\WINDOWS\system32\Drivers\sptd.sys
22:53:53.0671 2416 sptd - ok
22:53:53.0843 2416 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
22:53:53.0859 2416 sr - ok
22:53:53.0953 2416 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
22:53:53.0984 2416 Srv - ok
22:53:54.0125 2416 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
22:53:54.0140 2416 STHDA - ok
22:53:54.0203 2416 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:53:54.0203 2416 streamip - ok
22:53:54.0250 2416 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:53:54.0250 2416 swenum - ok
22:53:54.0328 2416 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
22:53:54.0328 2416 swmidi - ok
22:53:54.0359 2416 symc810 - ok
22:53:54.0375 2416 symc8xx - ok
22:53:54.0390 2416 sym_hi - ok
22:53:54.0421 2416 sym_u3 - ok
22:53:54.0468 2416 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
22:53:54.0484 2416 SynTP - ok
22:53:54.0515 2416 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
22:53:54.0515 2416 sysaudio - ok
22:53:54.0671 2416 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:53:54.0671 2416 Tcpip - ok
22:53:54.0734 2416 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:53:54.0734 2416 TDPIPE - ok
22:53:54.0843 2416 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
22:53:54.0843 2416 TDTCP - ok
22:53:54.0906 2416 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:53:54.0906 2416 TermDD - ok
22:53:55.0000 2416 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
22:53:55.0000 2416 tmcomm - ok
22:53:55.0031 2416 TosIde - ok
22:53:55.0062 2416 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
22:53:55.0062 2416 Udfs - ok
22:53:55.0093 2416 UIUSys - ok
22:53:55.0109 2416 ultra - ok
22:53:55.0203 2416 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
22:53:55.0203 2416 Update - ok
22:53:55.0312 2416 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
22:53:55.0312 2416 usbaudio - ok
22:53:55.0406 2416 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:53:55.0406 2416 usbccgp - ok
22:53:55.0484 2416 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:53:55.0484 2416 usbehci - ok
22:53:55.0609 2416 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:53:55.0609 2416 usbhub - ok
22:53:55.0671 2416 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:53:55.0671 2416 USBSTOR - ok
22:53:55.0750 2416 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:53:55.0750 2416 usbuhci - ok
22:53:55.0828 2416 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
22:53:55.0843 2416 VgaSave - ok
22:53:55.0906 2416 ViaIde - ok
22:53:56.0046 2416 VirtualFD - ok
22:53:56.0187 2416 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
22:53:56.0187 2416 VolSnap - ok
22:53:56.0312 2416 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
22:53:56.0312 2416 vsdatant - ok
22:53:56.0578 2416 w29n51 (d6006de6a6ed423d8016a03bc50cbe6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys
22:53:56.0703 2416 w29n51 - ok
22:53:56.0843 2416 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:53:56.0843 2416 Wanarp - ok
22:53:56.0859 2416 WDICA - ok
22:53:56.0921 2416 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
22:53:56.0921 2416 wdmaud - ok
22:53:57.0000 2416 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:53:57.0046 2416 winachsf - ok
22:53:57.0234 2416 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:53:57.0234 2416 WSTCODEC - ok
22:53:57.0359 2416 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:53:57.0359 2416 WudfPf - ok
22:53:57.0484 2416 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:53:57.0484 2416 WudfRd - ok
22:53:57.0593 2416 MBR (0x1B8) (9c603bc3977968c891de319283e1e7af) \Device\Harddisk0\DR0
22:53:57.0625 2416 \Device\Harddisk0\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - infected
22:53:57.0625 2416 \Device\Harddisk0\DR0 - detected Trojan-Clicker.Win32.Wistler.c (0)
22:53:57.0640 2416 Boot (0x1200) (dd27fa4df01059f0628fb09be6e2ec1f) \Device\Harddisk0\DR0\Partition0
22:53:57.0640 2416 \Device\Harddisk0\DR0\Partition0 - ok
22:53:57.0640 2416 ============================================================
22:53:57.0640 2416 Scan finished
22:53:57.0640 2416 ============================================================
22:53:57.0656 2360 Detected object count: 1
22:53:57.0656 2360 Actual detected object count: 1
22:54:14.0031 2360 \Device\Harddisk0\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - will be cured on reboot
22:54:14.0031 2360 \Device\Harddisk0\DR0 - ok
22:54:14.0031 2360 \Device\Harddisk0\DR0 ( Trojan-Clicker.Win32.Wistler.c ) - User select action: Cure
22:54:23.0328 0872 Deinitialize success

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 08 October 2011 - 11:23 PM

Greetings

How are things running now?

I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#7 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 08 October 2011 - 11:51 PM

No problems running this scan either.

After rebooting, my firewall detected C:\Windows\Temp\5.tmp attempting to connect to the internet using Internet Explorer. I selected to block the request

ComboFix log using CFScript.txt:

ComboFix 11-10-08.05 - <user> 09/10/2011 0:27.25.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1558 [GMT -4:00]
Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-09 04:37 . 2011-10-09 04:37 75674 --s---w- C:\vrjvdhae.exe
2011-10-03 03:43 . 2011-10-09 04:37 -------- d-----w- c:\program files\norjpeqn
2011-09-11 21:44 . 2011-09-11 21:44 -------- d-s---w- c:\windows\Cookies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-09 04:39 . 2011-10-09 04:39 0 ---ha-w- c:\documents and settings\<user>\Local Settings\Application Data\BITC.tmp
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-30_04.33.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-09 04:37 . 2011-10-09 04:37 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
+ 2011-08-25 03:56 . 2011-08-25 03:56 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-08-25 03:56 . 2011-10-09 00:23 81920 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-09-08 19:09 . 2011-09-08 19:09 22016 c:\windows\Installer\2d656efd.msi
+ 2011-09-11 21:44 . 2011-09-11 18:19 16384 c:\windows\Cookies\index.dat
+ 2006-06-09 03:40 . 2011-10-09 01:20 1097728 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-11-27 233936]
.
c:\documents and settings\<user>\Start Menu\Programs\Startup\
vrjvdhae.exe [2011-10-2 75674]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-5-31 98304]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-25 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\norjpeqn\vrjvdhae.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-08 00:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^AbsoluteShield Internet Eraser.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\AbsoluteShield Internet Eraser.lnk
backup=c:\windows\pss\AbsoluteShield Internet Eraser.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 20:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-03 00:52 133104 ----atw- c:\documents and settings\<user>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-10-03 04:16 4611456 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-03-08 19:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12676:TCP"= 12676:TCP:BitComet 12676 TCP
"12676:UDP"= 12676:UDP:BitComet 12676 UDP
"18319:TCP"= 18319:TCP:BitComet 18319 TCP
"18319:UDP"= 18319:UDP:BitComet 18319 UDP
"50000:TCP"= 50000:TCP:BitComet 50000 TCP
"50000:UDP"= 50000:UDP:BitComet 50000 UDP
"1720:TCP"= 1720:TCP:BitComet 1720 TCP
"1720:UDP"= 1720:UDP:BitComet 1720 UDP
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [04/11/2010 11:39 PM 125304]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [18/06/2009 6:27 PM 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [26/05/2009 10:05 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [18/08/2010 7:22 PM 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [23/10/2010 2:02 PM 2806000]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 1:07 PM 35088]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [18/06/2009 6:27 PM 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [18/06/2009 6:26 PM 95640]
S2 gupdate1c9e21bf3528ca;Google Update Service (gupdate1c9e21bf3528ca);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [23/10/2010 2:02 PM 72808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [15/04/2008 9:52 PM 49399]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\EED.tmp --> c:\windows\system32\EED.tmp [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [19/11/2007 3:20 PM 20632]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [19/11/2007 3:19 PM 25240]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [19/11/2007 3:20 PM 76440]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [19/11/2007 3:20 PM 21656]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [08/04/2008 7:07 PM 47360]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 8:20 AM 12648]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 AM 12872]
S4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [19/11/2007 3:21 PM 205381]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/03/2008 12:50 PM 716272]
S4 V;V;c:\docume~1\<user>\LOCALS~1\Temp\V.exe --> c:\docume~1\<user>\LOCALS~1\Temp\V.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [05/01/2009 7:46 PM 24652]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.71.255.198
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\<user>\Application Data\Mozilla\Firefox\Profiles\y5got11x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-09 00:37
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\EED.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F30CB7B1-3F4A-1F86-2B99-A89F3DF04268}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000c
"TimeStamp"=hex:10,9a,4f,4a,79,a7,c6,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000012
"TimeStamp"=hex:d0,2a,10,23,cd,8a,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@rogers.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000005
"TimeStamp"=hex:f2,d3,eb,8f,4b,ef,c7,01
"Application"="msimn"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000018
"TimeStamp"=hex:c2,9f,9c,f8,d4,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:f6,77,bb,1e,8d,2c,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000001
"TimeStamp"=hex:46,3b,da,18,c1,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000009
"TimeStamp"=hex:8a,8a,c2,a6,0e,b1,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000002
"TimeStamp"=hex:b6,4f,5f,72,88,d6,c7,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000a
"TimeStamp"=hex:40,6f,99,4a,95,58,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@yahoo.ca]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:ec,97,d6,ce,b2,31,c8,01
"Application"="WindowsLiveMail"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(2044)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(3804)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-10-09 00:45:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-09 04:45
ComboFix2.txt 2011-10-09 00:41
ComboFix3.txt 2011-10-03 16:57
ComboFix4.txt 2011-10-03 13:13
ComboFix5.txt 2011-10-09 04:26
.
Pre-Run: 28,156,059,648 bytes free
Post-Run: 28,192,129,024 bytes free
.
- - End Of File - - 5B803A31914DB0F65E0D034F91B43480

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 09 October 2011 - 12:31 AM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
C:\vrjvdhae.exe
c:\documents and settings\<user>\Start Menu\Programs\Startup\vrjvdhae.exe

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

<-- Don't worry every little bit helps.

#9 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 09 October 2011 - 08:34 AM

Hi Gringo,

This scan also finished without error; however, after rebooting my firewall once again detected C:\Windows\Temp\5.tmp attempting to connect to the internet using Internet Explorer (Internet Explorer is not launched/ in use at the time).

Also, what is "vrjvdhae.exe"? I ask because about a week ago or so this program was detected by my firewall attempting to connect via Internet Explorer and I mistakenly clicked "Allow" instead of "Block" on the PC Tools Firewall prompt.

ComboFix Log with custom CFScript.txt:

ComboFix 11-10-09.01 - <user> 09/10/2011 9:05.27.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1570 [GMT -4:00]
Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
FILE ::
"c:\documents and settings\<user>\Start Menu\Programs\Startup\vrjvdhae.exe"
"C:\vrjvdhae.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\<user>\Start Menu\Programs\Startup\vrjvdhae.exe
C:\vrjvdhae.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-09 13:18 . 2011-10-09 13:19 75674 ----a-w- C:\vrjvdhae.exe
2011-10-03 03:43 . 2011-10-09 13:18 -------- d-----w- c:\program files\norjpeqn
2011-09-11 21:44 . 2011-09-11 21:44 -------- d-s---w- c:\windows\Cookies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-30_04.33.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-09 13:11 . 2011-10-09 13:11 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
+ 2011-08-25 03:56 . 2011-08-25 03:56 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-09-08 19:09 . 2011-09-08 19:09 22016 c:\windows\Installer\2d656efd.msi
+ 2011-09-11 21:44 . 2011-09-11 18:19 16384 c:\windows\Cookies\index.dat
+ 2006-06-09 03:40 . 2011-10-09 01:20 1097728 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-11-27 233936]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-5-31 98304]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-25 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\norjpeqn\vrjvdhae.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-08 00:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^AbsoluteShield Internet Eraser.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\AbsoluteShield Internet Eraser.lnk
backup=c:\windows\pss\AbsoluteShield Internet Eraser.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 20:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-03 00:52 133104 ----atw- c:\documents and settings\<user>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-10-03 04:16 4611456 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-03-08 19:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12676:TCP"= 12676:TCP:BitComet 12676 TCP
"12676:UDP"= 12676:UDP:BitComet 12676 UDP
"18319:TCP"= 18319:TCP:BitComet 18319 TCP
"18319:UDP"= 18319:UDP:BitComet 18319 UDP
"50000:TCP"= 50000:TCP:BitComet 50000 TCP
"50000:UDP"= 50000:UDP:BitComet 50000 UDP
"1720:TCP"= 1720:TCP:BitComet 1720 TCP
"1720:UDP"= 1720:UDP:BitComet 1720 UDP
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [04/11/2010 11:39 PM 125304]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [18/06/2009 6:27 PM 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [26/05/2009 10:05 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [18/08/2010 7:22 PM 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [23/10/2010 2:02 PM 2806000]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 1:07 PM 35088]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [18/06/2009 6:27 PM 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [18/06/2009 6:26 PM 95640]
S2 gupdate1c9e21bf3528ca;Google Update Service (gupdate1c9e21bf3528ca);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [23/10/2010 2:02 PM 72808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [15/04/2008 9:52 PM 49399]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\EED.tmp --> c:\windows\system32\EED.tmp [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [19/11/2007 3:20 PM 20632]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [19/11/2007 3:19 PM 25240]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [19/11/2007 3:20 PM 76440]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [19/11/2007 3:20 PM 21656]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [08/04/2008 7:07 PM 47360]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 8:20 AM 12648]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 AM 12872]
S4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [19/11/2007 3:21 PM 205381]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/03/2008 12:50 PM 716272]
S4 V;V;c:\docume~1\<user>\LOCALS~1\Temp\V.exe --> c:\docume~1\<user>\LOCALS~1\Temp\V.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [05/01/2009 7:46 PM 24652]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.71.255.198
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\<user>\Application Data\Mozilla\Firefox\Profiles\y5got11x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-09 09:18
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\EED.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F30CB7B1-3F4A-1F86-2B99-A89F3DF04268}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000c
"TimeStamp"=hex:10,9a,4f,4a,79,a7,c6,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000012
"TimeStamp"=hex:d0,2a,10,23,cd,8a,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@rogers.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000005
"TimeStamp"=hex:f2,d3,eb,8f,4b,ef,c7,01
"Application"="msimn"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000018
"TimeStamp"=hex:c2,9f,9c,f8,d4,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:f6,77,bb,1e,8d,2c,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000001
"TimeStamp"=hex:46,3b,da,18,c1,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000009
"TimeStamp"=hex:8a,8a,c2,a6,0e,b1,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000002
"TimeStamp"=hex:b6,4f,5f,72,88,d6,c7,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000a
"TimeStamp"=hex:40,6f,99,4a,95,58,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@yahoo.ca]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:ec,97,d6,ce,b2,31,c8,01
"Application"="WindowsLiveMail"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(136)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(1528)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-10-09 09:25:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-09 13:25
ComboFix2.txt 2011-10-09 12:59
ComboFix3.txt 2011-10-09 04:45
ComboFix4.txt 2011-10-09 00:41
ComboFix5.txt 2011-10-09 13:04
.
Pre-Run: 28,190,339,072 bytes free
Post-Run: 28,169,400,320 bytes free
.
- - End Of File - - 82788E86B0DD8B71656445F7803CBEDE

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 09 October 2011 - 12:55 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter

File sharing infects 500,000 computers

USAToday

infoworld

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

start

settings

control panel

add/remove programs

Adobe Reader 9.4.1

remove

Update Adobe Reader

http://www.adobe.com/products/acrobat/readstep2.html

Adobe Reader

here

Note:

AskBar

Your Java is out of date.

It can be updated by the Java control panel

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
An update should begin;
follow the prompts

Clear your Java Cache

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#11 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 09 October 2011 - 02:44 PM

Gringo, Thanks for pointing out the P2P apps. To be honest I haven't used them in years and basically forgot that I had them installed. I will uninstall them after we are finished here.

Two issues with your last set of instructions:

1.) vrjvdhae.exe seems to be still a problem. After rebooting after running TFC, vrjvdhae.exe was detected by my firewall trying to connect using Internet Explorer. Also my firewall detected C:\Windows\Temp\2.tmp also attempting to connect using Internet Explorer. Both applications were blocked by me manually. The MBAM log also shows vrjvdhae.exe being detected as Spware.SpyEye

2.) I cannot uninstall Adobe Reader. When I attempt to, I get the following error/warning dialog:

"Error 1402.Coul not open key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionComponents\IMAIL.

Verify that you have sufficient access to that key, or contact your support personnel."

------------------------------------
MBAM Log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7910

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

09/10/2011 3:24:27 PM
mbam-log-2011-10-09 (15-24-27).txt

Scan type: Quick scan
Objects scanned: 162470
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\<user>\start menu\Programs\Startup\vrjvdhae.exe (Spyware.SpyEye) -> Quarantined and deleted successfully.

---------------------------------------

hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:30:21 PM, on 09/10/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\trend micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\norjpeqn\vrjvdhae.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex (User 'Default user')
O4 - Startup: vrjvdhae.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} -
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9e21bf3528ca) (gupdate1c9e21bf3528ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8798 bytes

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 09 October 2011 - 08:43 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
vrjvdhae.exe

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

<-- Don't worry every little bit helps.

#13 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 09 October 2011 - 10:06 PM

Hi Gringo,

SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 23:02 on 09/10/2011 by <user>
Administrator - Elevation successful

========== filefind ==========

Searching for "vrjvdhae.exe"
C:\vrjvdhae.exe ----s-- 75674 bytes [13:18 09/10/2011] [19:26 09/10/2011] (Unable to calculate MD5)
C:\Documents and Settings\<user>\Start Menu\Programs\Startup\vrjvdhae.exe ------- 75674 bytes [19:26 09/10/2011] [13:18 09/10/2011] (Unable to calculate MD5)
C:\Program Files\norjpeqn\vrjvdhae.exe ------- 75674 bytes [04:37 09/10/2011] [13:18 09/10/2011] (Unable to calculate MD5)

-= EOF =-

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 10 October 2011 - 08:13 AM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\vrjvdhae.exe 
C:\Documents and Settings\<user>\Start Menu\Programs\Startup\vrjvdhae.exe
C:\Program Files\norjpeqn\vrjvdhae.exe

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

<-- Don't worry every little bit helps.

#15 spazz22

Member

Group: Members
Posts: 86
Joined: 27-May 09

Posted 10 October 2011 - 09:56 AM

Gringo,

After rebooting following the ComboFix scan, vrjvdhae.exe no longer was detected by my firewall trying to connect via Internet Explorer; however I have confirmed that c:\program files\norjpeqn\vrjvdhae.exe still exists on my file system. Also, following the reboot C:\Window\Temp\3.tmp did attempt to connect using Internet Explorer which I blocked manually. Also, and application "Pev" (which I think is associated with combofix???) was detected by my firewall after rebooting which I allowed. I hope I was right in doing so.

Here is the ComboFix log:

ComboFix 11-10-10.01 - <user> 10/10/2011 10:30:28.28.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1580 [GMT -4:00]
Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
FILE ::
"c:\documents and settings\<user>\Start Menu\Programs\Startup\vrjvdhae.exe"
"c:\program files\norjpeqn\vrjvdhae.exe"
"C:\vrjvdhae.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\<user>\Local Settings\Application Data\wvmnbgfa.log
c:\documents and settings\<user>\Start Menu\Programs\Startup\vrjvdhae.exe
c:\program files\norjpeqn\vrjvdhae.exe
C:\vrjvdhae.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-09-10 to 2011-10-10 )))))))))))))))))))))))))))))))
.
.
2011-10-10 14:39 . 2011-10-10 14:40 75674 ----a-w- C:\vrjvdhae.exe
2011-10-09 19:29 . 2011-10-09 19:29 388096 ----a-r- c:\documents and settings\<user>\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-09 19:05 . 2011-10-09 19:05 -------- d-----w- c:\program files\Common Files\Java
2011-10-03 03:43 . 2011-10-10 14:39 -------- d-----w- c:\program files\norjpeqn
2011-09-11 21:44 . 2011-09-11 21:44 -------- d-s---w- c:\windows\Cookies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 21:00 . 2009-05-28 02:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-30_04.33.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-10 14:39 . 2011-10-10 14:39 16384 c:\windows\Temp\Perflib_Perfdata_6fc.dat
+ 2011-08-25 03:56 . 2011-08-25 03:56 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-09-08 19:09 . 2011-09-08 19:09 22016 c:\windows\Installer\2d656efd.msi
+ 2011-09-11 21:44 . 2011-09-11 18:19 16384 c:\windows\Cookies\index.dat
+ 2011-10-09 19:05 . 2011-05-04 08:52 157472 c:\windows\system32\javaws.exe
- 2010-11-27 00:32 . 2010-11-27 00:31 145184 c:\windows\system32\javaw.exe
+ 2011-10-09 19:05 . 2011-05-04 08:52 145184 c:\windows\system32\javaw.exe
- 2010-11-27 00:32 . 2010-11-27 00:31 145184 c:\windows\system32\java.exe
+ 2011-10-09 19:05 . 2011-05-04 08:52 145184 c:\windows\system32\java.exe
+ 2010-07-04 16:12 . 2011-05-04 08:52 472808 c:\windows\system32\deployJava1.dll
- 2010-07-04 16:12 . 2010-11-27 00:31 472808 c:\windows\system32\deployJava1.dll
+ 2011-10-09 19:05 . 2011-10-09 19:05 203776 c:\windows\Installer\141db40.msi
+ 2006-06-09 03:40 . 2011-10-09 01:20 1097728 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-10-09 19:29 . 2011-10-09 19:29 1094656 c:\windows\Installer\33d3d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-11-27 233936]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-5-31 98304]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-25 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\norjpeqn\vrjvdhae.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-08 00:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^AbsoluteShield Internet Eraser.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\AbsoluteShield Internet Eraser.lnk
backup=c:\windows\pss\AbsoluteShield Internet Eraser.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^<user>^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\<user>\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 20:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-03 00:52 133104 ----atw- c:\documents and settings\<user>\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-10-03 04:16 4611456 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-03-08 19:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12676:TCP"= 12676:TCP:BitComet 12676 TCP
"12676:UDP"= 12676:UDP:BitComet 12676 UDP
"18319:TCP"= 18319:TCP:BitComet 18319 TCP
"18319:UDP"= 18319:UDP:BitComet 18319 UDP
"50000:TCP"= 50000:TCP:BitComet 50000 TCP
"50000:UDP"= 50000:UDP:BitComet 50000 UDP
"1720:TCP"= 1720:TCP:BitComet 1720 TCP
"1720:UDP"= 1720:UDP:BitComet 1720 UDP
.
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [04/11/2010 11:39 PM 125304]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [18/06/2009 6:27 PM 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [26/05/2009 10:05 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [18/08/2010 7:22 PM 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [23/10/2010 2:02 PM 2806000]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 1:07 PM 35088]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [18/06/2009 6:27 PM 73840]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [18/06/2009 6:26 PM 95640]
S2 gupdate1c9e21bf3528ca;Google Update Service (gupdate1c9e21bf3528ca);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [23/10/2010 2:02 PM 72808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [31/05/2009 2:10 PM 133104]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [15/04/2008 9:52 PM 49399]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\EED.tmp --> c:\windows\system32\EED.tmp [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [19/11/2007 3:20 PM 20632]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [19/11/2007 3:19 PM 25240]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [19/11/2007 3:20 PM 76440]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [19/11/2007 3:20 PM 21656]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [08/04/2008 7:07 PM 47360]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 8:20 AM 12648]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 AM 12872]
S4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [19/11/2007 3:21 PM 205381]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/03/2008 12:50 PM 716272]
S4 V;V;c:\docume~1\<user>\LOCALS~1\Temp\V.exe --> c:\docume~1\<user>\LOCALS~1\Temp\V.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [05/01/2009 7:46 PM 24652]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
2011-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-31 18:10]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.71.255.198
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\<user>\Application Data\Mozilla\Firefox\Profiles\y5got11x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-10 10:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\EED.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F30CB7B1-3F4A-1F86-2B99-A89F3DF04268}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000c
"TimeStamp"=hex:10,9a,4f,4a,79,a7,c6,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000012
"TimeStamp"=hex:d0,2a,10,23,cd,8a,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@rogers.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000005
"TimeStamp"=hex:f2,d3,eb,8f,4b,ef,c7,01
"Application"="msimn"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000018
"TimeStamp"=hex:c2,9f,9c,f8,d4,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:f6,77,bb,1e,8d,2c,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000001
"TimeStamp"=hex:46,3b,da,18,c1,83,cc,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@live.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000009
"TimeStamp"=hex:8a,8a,c2,a6,0e,b1,ca,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000002
"TimeStamp"=hex:b6,4f,5f,72,88,d6,c7,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@hotmail.com]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:0000000a
"TimeStamp"=hex:40,6f,99,4a,95,58,c8,01
"Application"="http://www.hotmail.com/"
.
[HKEY_USERS\S-1-5-21-682003330-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\UnreadMail\<user>@yahoo.ca]
@Denied: (Full) (LocalSystem)
"MessageCount"=dword:00000000
"TimeStamp"=hex:ec,97,d6,ce,b2,31,c8,01
"Application"="WindowsLiveMail"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(2044)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(2140)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-10-10 10:47:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-10 14:47
ComboFix2.txt 2011-10-09 13:25
ComboFix3.txt 2011-10-09 12:59
ComboFix4.txt 2011-10-09 04:45
ComboFix5.txt 2011-10-10 14:29
.
Pre-Run: 28,236,296,192 bytes free
Post-Run: 28,209,188,864 bytes free
.
- - End Of File - - C1C55B4B86109BD41D4C7FB5F2907FB0

This post has been edited by spazz22: 10 October 2011 - 10:02 AM