Corporate pc infected with backdoor trojan


15 replies to this topic

#1 warob

Posted 03 December 2010 - 12:49 PM

My corporate pc was infected with a backdoor trojan from an email on Facebook. I tried cleaning it with Malwarebytes, and it seems to have done some good, but I wanted to make sure it was gone. Soon after this infection, my pc was going through a continuous booting loop, and I sent the pc into our IT dept for repair. I believe all they did was use the Windows XP Pro to run chkdsk and claimed it was repaired. I told them about the trojan, and they claimed that they saw no evidence that it is still infected, but I don't have much confidence in our IT dept. Anyway, here are my scans, and thank you for any help you can give. I do have two issues: I don't know how to shut down the Forefront antivirus because that option is greyed out, and it won't allow me to run the defogger program; it says that I am not authorized.

DDS:

DDS (Ver_10-11-27.01) - NTFSx86
Run by ROBERTWA at 12:24:21.28 on Wed 12/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2873 [GMT -6:00]

AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\CyberGatekeeper Agent\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\PROGRA~1\CYBERG~1\nicman.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\P-Synch\Clients\service\psginasvc.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\system32\CCM\CcmExec.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\AESTFltr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINNT\system32\igfxsrvc.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Apricorn\EZ Gig II\EZGigMonitor.exe
C:\Program Files\Apricorn\EZ Gig II\TimounterMonitor.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedhlp.exe
C:\Program Files\CyberGatekeeper Agent\cgav.exe
C:\Program Files\CyberGatekeeper Agent\cgahelp.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\WINNT\system32\mqtgsvc.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\robertwa\Desktop\pc tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://aponline.apci.com
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Plugin Class: {56cd20f0-7c09-11d5-a768-0050042307ce} - c:\program files\sap\sap tutor\PlayerIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WhlCach3.exe] c:\program files\microsoft forefront uag\endpoint components\3.1.0\WhlCach3.exe
mRun: [IMJPMIG8.1] "c:\winnt\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\winnt\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\winnt\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\winnt\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Persistence] c:\winnt\system32\igfxpers.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [8e6Authentication] wscript.exe "c:\program files\airproducts\8e6auth\auth.wsf"
mRun: [CfgDownload] c:\program files\ixos\bin\CfgDownload.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [EZGigMonitor.exe] c:\program files\apricorn\ez gig ii\EZGigMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\apricorn\ez gig ii\TimounterMonitor.exe
mRun: [Apricorn Scheduler Service] "c:\program files\common files\apricorn\schedule2\schedhlp.exe"
mRun: [CgaViewer] c:\program files\cybergatekeeper agent\cgav.exe -check
mRun: [CgaHelper] c:\program files\cybergatekeeper agent\cgahelp.exe -check
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://vpn-am.airproducts.com/InternalSite/WhlCompMgr.cab
DPF: {A67EE2D0-D7C7-4ADE-96E5-7AE17AFBEDE2} - hxxp://meup1/softwarerequest/srsinstall.cab
DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {684C4958-94DF-4942-8076-32279C40A2B7} = 209.183.50.151 209.183.50.151
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\qlikview\qvprotocol\Qvp.dll
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\winnt\inf\wmactedp.inf,PerUserStub,,4

============= SERVICES / DRIVERS ===============

R0 vmscsi;vmscsi;c:\winnt\system32\drivers\vmscsi.sys [2009-1-14 10880]
R1 awlegacy;awlegacy;c:\winnt\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 CafeDrv;CafeDrv NDIS Protocol Driver;c:\winnt\system32\drivers\CafeDrv.sys [2009-10-28 29568]
R2 CGAgent;CyberGatekeeper Agent;c:\program files\cybergatekeeper agent\cgasvc.exe [2010-2-16 81982]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-7-31 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-7-31 21352]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2009-10-22 69512]
R2 GtDetectSc;GtDetectSc;c:\program files\option\globetrotter connect\GtDetectSc.exe [2008-4-30 200704]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 psginasvc;Password Manager Logon Management Service;c:\program files\p-synch\clients\service\psginasvc.exe [2009-7-8 585728]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [2009-12-1 108160]
R3 cvusbdrv;Broadcom USH CV;c:\winnt\system32\drivers\cvusbdrv.sys [2009-12-1 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [2008-11-12 244368]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\winnt\system32\drivers\Gt51Ip.sys [2008-7-7 106112]
R3 GT72UBUS;GT 72 U BUS;c:\winnt\system32\drivers\gt72ubus.sys [2008-8-20 59008]
R3 Iexim;Infoexpress Generic Network Filter Service;c:\winnt\system32\drivers\iexim.sys [2009-12-8 31232]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\winnt\system32\drivers\IntcHdmi.sys [2009-12-1 110080]
R3 MpFilter;Microsoft Malware Protection Driver;c:\winnt\system32\drivers\MpFilter.sys [2010-8-26 69616]
R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [2010-11-5 21384]
S1 qpulsrwv;qpulsrwv;\??\c:\winnt\system32\drivers\qpulsrwv.sys --> c:\winnt\system32\drivers\qpulsrwv.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-10-9 121416]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2005-5-20 106496]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\winnt\downlo~1\DMService.exe [2010-11-5 468368]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\winnt\system32\drivers\swnc8u56.sys [2009-4-7 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\winnt\system32\drivers\swumx56.sys [2009-4-7 148096]
S3 whliocsv;Microsoft Forefront UAG SSL Network Tunneling Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\whliocsv.exe [2010-11-5 156048]
S3 WinRM;Windows Remote Management (WS-Management);c:\winnt\system32\svchost.exe -k WINRM [2009-1-13 14336]
S4 AW_HOST;AW_HOST;c:\winnt\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S4 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2010-11-5 149904]

=============== File Associations ===============

JSEFile=c:\winnt\system32\Notepad.exe "%1" %*
vbsfile\shell\edit\command=c:\winnt\system32\Notepad.exe %1

=============== Created Last 30 ================

2010-12-01 18:14:12 -------- d-s---w- C:\ComboFixnew
2010-11-30 18:50:37 -------- d-----w- c:\program files\iPod
2010-11-30 18:50:32 -------- d-----w- c:\program files\iTunes
2010-11-24 16:16:57 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{cd3d48ff-c0fe-4387-a4c1-f922cdc3d8e4}\mpengine.dll
2010-11-10 20:15:22 -------- d-----w- c:\program files\ESET
2010-11-10 16:48:12 -------- d-sha-r- C:\cmdcons
2010-11-10 15:09:32 -------- d-----w- c:\docume~1\robertwa\applic~1\whitesmoketoolbar
2010-11-06 17:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-11-06 01:18:22 89088 ----a-w- c:\winnt\MBR.exe
2010-11-06 01:18:22 256512 ----a-w- c:\winnt\PEV.exe
2010-11-06 01:18:21 98816 ----a-w- c:\winnt\sed.exe
2010-11-06 01:18:21 161792 ----a-w- c:\winnt\SWREG.exe
2010-11-05 19:37:35 -------- d-----w- c:\winnt\system32\%APPDATA%
2010-11-05 17:26:20 21384 ---ha-w- c:\winnt\system32\drivers\whlva.sys
2010-11-05 12:58:13 -------- d-----w- c:\docume~1\robertwa\applic~1\SUPERAntiSpyware.com
2010-11-05 12:58:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-05 11:53:02 -------- d-----w- c:\winnt\LMIF.tmp
2010-11-05 10:10:52 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft forefront\client security\client\antimalware\definition updates\updates\mpengine.dll
2010-11-05 00:26:44 -------- d-----w- c:\docume~1\robertwa\applic~1\Malwarebytes
2010-11-05 00:26:36 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-05 00:26:35 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-11-05 00:26:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-05 00:26:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-04 22:40:55 -------- d-----w- c:\docume~1\robertwa\applic~1\Liuvtu
2010-11-04 20:27:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-04 18:49:03 -------- d-----w- c:\docume~1\robertwa\locals~1\applic~1\IsolatedStorage
2010-11-03 22:13:38 -------- d-----w- c:\docume~1\robertwa\locals~1\applic~1\PCHealth
2010-11-02 19:10:40 -------- d-----w- c:\winnt\ms

==================== Find3M ====================

2010-10-19 16:41:44 222080 ------w- c:\winnt\system32\MpSigStub.exe
2010-09-29 17:43:45 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_1.reg
2010-09-29 17:43:45 117002 ----a-w- c:\winnt\system32\WhlLSPBackup_1.reg
2010-09-28 21:44:52 4184352 ----a-w- c:\winnt\system32\usbaaplrc.dll
2010-09-18 17:23:26 974848 ----a-w- c:\winnt\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\winnt\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\winnt\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\winnt\system32\mfc40u.dll
2010-09-09 13:36:37 841216 ----a-w- c:\winnt\system32\wininet.dll
2010-09-09 13:36:36 1830912 ----a-w- c:\winnt\system32\inetcpl.cpl
2010-09-09 13:36:35 78336 ----a-w- c:\winnt\system32\ieencode.dll
2010-09-09 13:36:35 17408 ----a-w- c:\winnt\system32\corpol.dll
2010-09-08 16:17:46 94208 ----a-w- c:\winnt\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\winnt\system32\QuickTime.qts
2010-09-08 15:48:44 389120 ----a-w- c:\winnt\system32\html.iec
2008-10-08 17:18:38 626688 ----a-w- c:\program files\common files\sapconsaccess.dll
2008-10-08 17:18:38 40960 -c--a-w- c:\program files\common files\DigitalSignature.ocx
2008-10-08 17:18:38 3125248 ----a-w- c:\program files\common files\sapxlhelper.dll
2008-10-08 17:18:38 192512 ----a-w- c:\program files\common files\sapconsr3.dll

============= FINISH: 12:25:32.70 ===============
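Added here as an editor's example (not code from the thread, from DDS or from sUBs): a small Python triage helper for the SERVICES / DRIVERS section of a DDS log such as the one above. The line format and the four sample entries are taken from the log as posted; the list of expected install roots and the random-name heuristic are assumptions, and every reason it prints is a prompt to check the file on disk, not a verdict.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log (added
example, not part of the DDS tool or of this thread).

DDS prints one service or driver per line as
    <state> <name>;<display name>;<image path> [<date> <size>]
and writes "[?]" instead of date/size when it could not stat the file.
The script parses those lines and lists the entries a responder would
check first; every reason is a heuristic prompt, not a verdict.
"""
import re

LINE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
VOWELS = set("aeiou")
# Roots under which drivers and services normally live on this XP box
# (assumed from the paths in the log; adjust for %SystemRoot% elsewhere).
EXPECTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\")


def parse_line(line):
    """Return a dict for one DDS service line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # DDS writes "<ImagePath as configured> --> <resolved file>" when it had
    # to expand the path; the resolved file on the right is what is on disk.
    path = d["path"].split("-->")[-1].strip().strip('"')
    return {
        "state": d["state"],
        "name": d["name"].strip(),
        "display": d["display"].strip(),
        "path": path,
        "stat_ok": d["meta"].strip() != "?",
    }


def looks_random(name):
    """Heuristic for machine-generated names: very few vowels or a long
    consonant run. Tuned so vendor names like SASDIFSV or GtDetectSc pass."""
    n = name.lower()
    if len(n) < 7 or not n.isalnum():
        return False
    vowel_ratio = sum(c in VOWELS for c in n) / len(n)
    longest_run, run = 0, 0
    for c in n:
        run = 0 if c in VOWELS or c.isdigit() else run + 1
        longest_run = max(longest_run, run)
    return vowel_ratio < 0.2 or longest_run >= 5


def triage(entry):
    """Return the reasons an entry deserves a closer look (may be empty)."""
    reasons = []
    if not entry["stat_ok"]:
        # Also seen on benign entries whose ImagePath carries arguments
        # (e.g. "...googleupdate.exe" /svc), so confirm on disk before acting.
        reasons.append("DDS could not stat the image file ([?])")
    if entry["name"] == entry["display"] and looks_random(entry["name"]):
        reasons.append("random-looking name and no descriptive display name")
    if not entry["path"].lower().startswith(EXPECTED_ROOTS):
        reasons.append("image outside the usual install roots")
    return reasons


def triage_log(text):
    """Map service name -> reasons for every flagged line in a DDS log."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_line(line)
        reasons = triage(entry) if entry else []
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Sample lines copied from the SERVICES / DRIVERS section posted above.
SAMPLE = r'''
R3 MpFilter;Microsoft Malware Protection Driver;c:\winnt\system32\drivers\MpFilter.sys [2010-8-26 69616]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 qpulsrwv;qpulsrwv;\??\c:\winnt\system32\drivers\qpulsrwv.sys --> c:\winnt\system32\drivers\qpulsrwv.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
'''

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```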

#2 oneof4

  • Malware Response Team

Posted 11 December 2010 - 01:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Best Regards,
oneof4.



#3 warob

  • Topic Starter

Posted 13 December 2010 - 11:09 AM

Thanks again for any help you can offer.
Here are the new logs:


DDS (Ver_10-12-12.02) - NTFSx86
Run by ROBERTWA at 7:31:00.38 on Mon 12/13/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2817 [GMT -6:00]

AV: Microsoft Forefront Client Security *Enabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *Disabled*

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\CyberGatekeeper Agent\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\CYBERG~1\nicman.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\WINNT\system32\AESTFltr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\P-Synch\Clients\service\psginasvc.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\Apricorn\EZ Gig II\EZGigMonitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Apricorn\EZ Gig II\TimounterMonitor.exe
C:\Program Files\Common Files\Apricorn\Schedule2\schedhlp.exe
C:\Program Files\CyberGatekeeper Agent\cgav.exe
C:\Program Files\CyberGatekeeper Agent\cgahelp.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\WINNT\system32\CCM\CcmExec.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\WINNT\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\DOWNLO~1\DMService.exe
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\WhlCach3.exe
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\WhlClnt3.exe
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whlioc.exe
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whliocsv.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\robertwa\Desktop\pc tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://aponline.apci.com
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Plugin Class: {56cd20f0-7c09-11d5-a768-0050042307ce} - c:\program files\sap\sap tutor\PlayerIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [WhlCach3.exe] c:\program files\microsoft forefront uag\endpoint components\3.1.0\WhlCach3.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IMJPMIG8.1] "c:\winnt\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\winnt\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\winnt\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\winnt\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Persistence] c:\winnt\system32\igfxpers.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [8e6Authentication] wscript.exe "c:\program files\airproducts\8e6auth\auth.wsf"
mRun: [CfgDownload] c:\program files\ixos\bin\CfgDownload.exe
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [EZGigMonitor.exe] c:\program files\apricorn\ez gig ii\EZGigMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\apricorn\ez gig ii\TimounterMonitor.exe
mRun: [Apricorn Scheduler Service] "c:\program files\common files\apricorn\schedule2\schedhlp.exe"
mRun: [CgaViewer] c:\program files\cybergatekeeper agent\cgav.exe -check
mRun: [CgaHelper] c:\program files\cybergatekeeper agent\cgahelp.exe -check
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\progra~1\mic3c8~1\endpoi~1\31265d~1.0\WhlLSP.dll
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://vpn-am.airproducts.com/InternalSite/WhlCompMgr.cab
DPF: {A67EE2D0-D7C7-4ADE-96E5-7AE17AFBEDE2} - hxxp://meup1/softwarerequest/srsinstall.cab
DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {684C4958-94DF-4942-8076-32279C40A2B7} = 209.183.50.151 209.183.50.151
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\qlikview\qvprotocol\Qvp.dll
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\winnt\inf\wmactedp.inf,PerUserStub,,4

============= SERVICES / DRIVERS ===============

R0 vmscsi;vmscsi;c:\winnt\system32\drivers\vmscsi.sys [2009-1-14 10880]
R1 awlegacy;awlegacy;c:\winnt\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 CafeDrv;CafeDrv NDIS Protocol Driver;c:\winnt\system32\drivers\CafeDrv.sys [2009-10-28 29568]
R2 CGAgent;CyberGatekeeper Agent;c:\program files\cybergatekeeper agent\cgasvc.exe [2010-2-16 81982]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-7-31 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-7-31 21352]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2009-10-22 69512]
R2 GtDetectSc;GtDetectSc;c:\program files\option\globetrotter connect\GtDetectSc.exe [2008-4-30 200704]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 psginasvc;Password Manager Logon Management Service;c:\program files\p-synch\clients\service\psginasvc.exe [2009-7-8 585728]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [2009-12-1 108160]
R3 cvusbdrv;Broadcom USH CV;c:\winnt\system32\drivers\cvusbdrv.sys [2009-12-1 32808]
R3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\winnt\downlo~1\DMService.exe [2010-11-5 468368]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [2008-11-12 244368]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\winnt\system32\drivers\Gt51Ip.sys [2008-7-7 106112]
R3 GT72UBUS;GT 72 U BUS;c:\winnt\system32\drivers\gt72ubus.sys [2008-8-20 59008]
R3 Iexim;Infoexpress Generic Network Filter Service;c:\winnt\system32\drivers\iexim.sys [2009-12-8 31232]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\winnt\system32\drivers\IntcHdmi.sys [2009-12-1 110080]
R3 MpFilter;Microsoft Malware Protection Driver;c:\winnt\system32\drivers\MpFilter.sys [2010-8-26 69616]
R3 whliocsv;Microsoft Forefront UAG SSL Network Tunneling Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\whliocsv.exe [2010-11-5 156048]
R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [2010-11-5 21384]
S1 qpulsrwv;qpulsrwv;\??\c:\winnt\system32\drivers\qpulsrwv.sys --> c:\winnt\system32\drivers\qpulsrwv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-2 136176]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-10-9 121416]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2005-5-20 106496]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\winnt\system32\drivers\swnc8u56.sys [2009-4-7 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\winnt\system32\drivers\swumx56.sys [2009-4-7 148096]
S3 WinRM;Windows Remote Management (WS-Management);c:\winnt\system32\svchost.exe -k WINRM [2009-1-13 14336]
S4 AW_HOST;AW_HOST;c:\winnt\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S4 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2010-11-5 149904]

=============== File Associations ===============

JSEFile=c:\winnt\system32\Notepad.exe "%1" %*
vbsfile\shell\edit\command=c:\winnt\system32\Notepad.exe %1

=============== Created Last 30 ================

2010-12-10 17:00:16 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_2.reg
2010-12-10 17:00:16 108035 ----a-w- c:\winnt\system32\WhlLSPBackup_2.reg
2010-12-08 22:22:52 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{cadcc2bd-73de-4a0c-8910-d2213968c34a}\mpengine.dll
2010-12-08 21:53:58 -------- d-----w- c:\winnt\LMI35.tmp
2010-12-01 18:14:12 -------- d-s---w- C:\ComboFixnew
2010-11-30 18:50:37 -------- d-----w- c:\program files\iPod
2010-11-30 18:50:32 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-11-08 07:20:24 89088 ----a-w- c:\winnt\MBR.exe
2010-10-19 16:41:44 222080 ------w- c:\winnt\system32\MpSigStub.exe
2010-09-29 17:43:45 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_1.reg
2010-09-29 17:43:45 117002 ----a-w- c:\winnt\system32\WhlLSPBackup_1.reg
2010-09-28 21:44:52 4184352 ----a-w- c:\winnt\system32\usbaaplrc.dll
2010-09-18 17:23:26 974848 ----a-w- c:\winnt\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\winnt\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\winnt\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\winnt\system32\mfc40u.dll
2008-10-08 17:18:38 626688 ----a-w- c:\program files\common files\sapconsaccess.dll
2008-10-08 17:18:38 40960 -c--a-w- c:\program files\common files\DigitalSignature.ocx
2008-10-08 17:18:38 3125248 ----a-w- c:\program files\common files\sapxlhelper.dll
2008-10-08 17:18:38 192512 ----a-w- c:\program files\common files\sapconsr3.dll

============= FINISH: 7:31:53.80 ===============


#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 December 2010 - 05:14 PM

Hello.

Your logs appear to be clean, although there are signs of leftover inactive malware. Are there any symptoms at the moment?

Please post the contents of this file, if it exists:
C:\ComboFix.txt

With Regards,
The Panda

#5 warob
  • Topic Starter
  • Members
  • 14 posts

Posted 15 December 2010 - 10:50 AM

No symptoms as of now; I just wanted to make sure that the pc is clean enough to use safely. I did locate the old ComboFix file, and thank you for your assistance!

ComboFix 10-11-09.03 - ROBERTWA 11/10/2010 10:54:26.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2913 [GMT -6:00]
Running from: c:\documents and settings\robertwa\Desktop\pc tools\ComboFixnew.exe
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\robertwa\Application Data\Ovcyw
c:\documents and settings\robertwa\Application Data\Ovcyw\quyb.tmp
c:\documents and settings\robertwa\Application Data\Ovcyw\quyb.ukc
c:\winnt\null

----- BITS: Possible infected sites -----

hxxp://US1019SMSP.america.apci.com:80
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 15:10 . 2010-11-10 15:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\WhiteSmokeTranslator
2010-11-10 15:09 . 2010-11-10 16:10 -------- d-----w- c:\documents and settings\robertwa\Application Data\whitesmoketoolbar
2010-11-10 15:06 . 2010-11-10 15:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\whitesmoketoolbar
2010-11-10 14:29 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{43B3D682-C58C-4923-88BB-E3E095486790}\mpengine.dll
2010-11-05 19:37 . 2010-11-10 16:22 -------- d-----w- c:\winnt\system32\%APPDATA%
2010-11-05 19:37 . 2010-11-05 19:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2010-11-05 17:26 . 2010-11-05 17:26 21384 ---ha-w- c:\winnt\system32\drivers\whlva.sys
2010-11-05 12:58 . 2010-11-05 12:58 -------- d-----w- c:\documents and settings\robertwa\Application Data\SUPERAntiSpyware.com
2010-11-05 12:58 . 2010-11-05 12:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-05 11:53 . 2010-11-05 12:50 -------- d-----w- c:\winnt\LMIF.tmp
2010-11-05 10:10 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates\mpengine.dll
2010-11-05 04:06 . 2010-11-05 04:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-11-05 00:26 . 2010-11-05 00:26 -------- d-----w- c:\documents and settings\robertwa\Application Data\Malwarebytes
2010-11-05 00:26 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-05 00:26 . 2010-11-05 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-05 00:26 . 2010-11-05 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-05 00:26 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-11-04 22:40 . 2010-11-05 02:04 -------- d-----w- c:\documents and settings\robertwa\Application Data\Liuvtu
2010-11-04 20:27 . 2010-11-04 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-04 20:06 . 2010-11-04 20:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-04 18:49 . 2010-11-04 18:49 -------- d-----w- c:\documents and settings\robertwa\Local Settings\Application Data\IsolatedStorage
2010-11-03 22:13 . 2010-11-03 22:13 -------- d-----w- c:\documents and settings\robertwa\Local Settings\Application Data\PCHealth
2010-11-02 19:10 . 2010-11-02 19:10 -------- d-----w- c:\winnt\ms
2010-10-18 18:40 . 2010-08-23 16:12 617472 -c----w- c:\winnt\system32\dllcache\comctl32.dll
2010-10-18 18:40 . 2010-09-18 06:53 974848 -c----w- c:\winnt\system32\dllcache\mfc42.dll
2010-10-18 18:40 . 2010-09-18 06:53 953856 -c----w- c:\winnt\system32\dllcache\mfc40u.dll
2010-10-18 18:40 . 2010-07-16 12:05 1288192 -c----w- c:\winnt\system32\dllcache\ole32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 16:41 . 2010-08-26 18:46 222080 ------w- c:\winnt\system32\MpSigStub.exe
2010-10-18 14:41 . 2010-08-26 18:46 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-29 17:43 . 2010-09-29 17:43 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_1.reg
2010-09-29 17:43 . 2010-09-29 17:43 117002 ----a-w- c:\winnt\system32\WhlLSPBackup_1.reg
2010-09-18 17:23 . 2009-01-14 02:04 974848 ----a-w- c:\winnt\system32\mfc42u.dll
2010-09-18 06:53 . 2009-01-14 02:04 974848 ----a-w- c:\winnt\system32\mfc42.dll
2010-09-18 06:53 . 2009-01-14 02:04 954368 ----a-w- c:\winnt\system32\mfc40.dll
2010-09-18 06:53 . 2009-01-14 02:04 953856 ----a-w- c:\winnt\system32\mfc40u.dll
2010-09-09 13:36 . 2009-01-14 02:04 841216 ----a-w- c:\winnt\system32\wininet.dll
2010-09-09 13:36 . 2009-01-14 02:04 1830912 ----a-w- c:\winnt\system32\inetcpl.cpl
2010-09-09 13:36 . 2009-01-14 02:04 78336 ----a-w- c:\winnt\system32\ieencode.dll
2010-09-09 13:36 . 2009-01-14 02:04 17408 ----a-w- c:\winnt\system32\corpol.dll
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\winnt\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\winnt\system32\QuickTime.qts
2010-09-08 15:48 . 2009-01-14 02:04 389120 ----a-w- c:\winnt\system32\html.iec
2010-09-01 11:51 . 2009-01-14 02:04 285824 ----a-w- c:\winnt\system32\atmfd.dll
2010-08-31 13:42 . 2009-01-14 02:04 1852800 ----a-w- c:\winnt\system32\win32k.sys
2010-08-27 08:02 . 2009-01-14 02:04 119808 ----a-w- c:\winnt\system32\t2embed.dll
2010-08-23 16:12 . 2009-01-14 02:04 617472 ----a-w- c:\winnt\system32\comctl32.dll
2010-08-17 13:17 . 2009-01-14 02:04 58880 ----a-w- c:\winnt\system32\spoolsv.exe
2010-08-16 08:45 . 2009-01-14 02:04 590848 ----a-w- c:\winnt\system32\rpcrt4.dll
2010-08-13 12:53 . 2009-12-02 23:05 5120 ----a-w- c:\winnt\system32\xpsp4res.dll
2008-10-08 17:18 . 2009-12-01 15:06 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-10-08 17:18 . 2009-12-01 15:06 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-10-08 17:18 . 2009-12-01 15:06 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-10-08 17:18 . 2009-12-01 15:06 40960 -c--a-w- c:\program files\Common Files\DigitalSignature.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\winnt\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AESTFltr"="c:\winnt\system32\AESTFltr.exe" [2008-05-20 466944]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-05-22 442467]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-09-15 150040]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"8e6Authentication"="wscript.exe" [2008-04-14 155648]
"CfgDownload"="c:\program files\IXOS\bin\CfgDownload.exe" [2007-05-29 184320]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-10-09 883272]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2007-10-09 148712]
"CgaViewer"="c:\program files\CyberGatekeeper Agent\cgav.exe" [2010-02-16 163898]
"CgaHelper"="c:\program files\CyberGatekeeper Agent\cgahelp.exe" [2010-02-16 106560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2009-12-3 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-03 15:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 15:51 8704 ----a-w- c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logoff\0\0]
"Script"=DelWhlCach3.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\0\0]
"Script"=InterfaceMetric.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\1\0]
"Script"=EFS_LS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\2\0]
"Script"=DelWhlCach3.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\winnt\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\winnt\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GlobeTrotter Connect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GlobeTrotter Connect.lnk
backup=c:\winnt\pss\GlobeTrotter Connect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 05:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2009-10-09 23:58 883272 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 21:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-09-21 21:34 1206544 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2009-09-21 21:49 1392640 ----a-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Forefront UAG\\Endpoint Components\\3.1.0\\WhlClnt3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINNT\\system32\\mmc.exe"=

R0 vmscsi;vmscsi;c:\winnt\system32\drivers\vmscsi.sys [1/14/2009 9:28 AM 10880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 CafeDrv;CafeDrv NDIS Protocol Driver;c:\winnt\system32\drivers\CafeDrv.sys [10/28/2009 11:36 AM 29568]
R2 CGAgent;CyberGatekeeper Agent;c:\program files\CyberGatekeeper Agent\cgasvc.exe [2/16/2010 5:07 PM 81982]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 8:41 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 8:41 PM 21352]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 3:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [10/22/2009 6:31 PM 69512]
R2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [4/30/2008 5:52 PM 200704]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 10:14 AM 134656]
R2 psginasvc;Password Manager Logon Management Service;c:\program files\P-Synch\Clients\service\psginasvc.exe [7/8/2009 1:50 PM 585728]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [12/1/2009 7:47 AM 108160]
R3 cvusbdrv;Broadcom USH CV;c:\winnt\system32\drivers\cvusbdrv.sys [12/1/2009 7:52 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [11/12/2008 9:33 AM 244368]
R3 Iexim;Infoexpress Generic Network Filter Service;c:\winnt\system32\drivers\iexim.sys [12/8/2009 10:17 AM 31232]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\winnt\system32\drivers\IntcHdmi.sys [12/1/2009 7:49 AM 110080]
R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [11/5/2010 11:26 AM 21384]
S1 qpulsrwv;qpulsrwv;\??\c:\winnt\system32\drivers\qpulsrwv.sys --> c:\winnt\system32\drivers\qpulsrwv.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 5:59 PM 121416]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\winnt\DOWNLO~1\DMService.exe [11/5/2010 11:24 AM 468368]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\winnt\system32\drivers\Gt51Ip.sys [7/7/2008 2:29 PM 106112]
S3 GT72UBUS;GT 72 U BUS;c:\winnt\system32\drivers\gt72ubus.sys [8/20/2008 3:49 PM 59008]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\winnt\system32\drivers\swnc8u56.sys [4/7/2009 11:37 AM 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\winnt\system32\drivers\swumx56.sys [4/7/2009 11:37 AM 148096]
S3 whliocsv;Microsoft Forefront UAG SSL Network Tunneling Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whliocsv.exe [11/5/2010 11:26 AM 156048]
S3 WinRM;Windows Remote Management (WS-Management);c:\winnt\system32\svchost.exe -k WINRM [1/13/2009 8:04 PM 14336]
S4 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [11/5/2010 11:25 AM 149904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2010-09-09 13:36 124928 ----a-w- c:\winnt\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\winnt\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-11-10 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-11-10 c:\winnt\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-11-10 c:\winnt\Tasks\User_Feed_Synchronization-{5DB2A058-6A4B-4593-80F8-C95C73691C34}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]

2010-11-10 c:\winnt\Tasks\User_Feed_Synchronization-{67B1C9E0-7BD3-4FD7-9AE6-D0A287583655}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aponline.apci.com
uInternet Settings,ProxyOverride = <local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\QlikView\QvProtocol\Qvp.dll
DPF: {A67EE2D0-D7C7-4ADE-96E5-7AE17AFBEDE2} - hxxp://meup1/softwarerequest/srsinstall.cab
.
.
------- File Associations -------
.
JSEFile=c:\winnt\system32\Notepad.exe "%1" %*
vbsfile\shell\edit\command=c:\winnt\system32\Notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

BHO-{52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
Toolbar-{52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 11:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\winnt\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\winnt\system32\netprovcredman.dll
c:\program files\P-Synch\Clients\service\ginasvc.dll

- - - - - - - > 'explorer.exe'(2004)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
c:\winnt\System32\SCardSvr.exe
c:\progra~1\CYBERG~1\cgagent.exe
c:\winnt\system32\msdtc.exe
c:\progra~1\CYBERG~1\nicman.exe
c:\progra~1\CYBERG~1\cgahelp.exe
c:\program files\Common Files\Apricorn\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\winnt\system32\HPZipm12.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\winnt\system32\mqsvc.exe
c:\winnt\system32\CCM\CcmExec.exe
c:\winnt\system32\mqtgsvc.exe
c:\winnt\system32\igfxsrvc.exe
c:\winnt\system32\msiexec.exe
c:\progra~1\AirProducts\8e6auth\authenticat.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-10 11:08:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 17:08
ComboFix2.txt 2010-11-06 01:52

Pre-Run: 111,243,018,240 bytes free
Post-Run: 111,142,846,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 47C8202F142A09D7C1FB4B80714F69BA

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 December 2010 - 08:00 PM

Hello.

Let's remove those leftovers.

Download and Run ComboFix with CFScript
If you already have a copy of ComboFix, please delete it and download a new copy.

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Driver::
    qpulsrwv
    
    Folder::
    c:\docume~1\robertwa\applic~1\Liuvtu
    
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe. You will not receive the prompts below if you are not using Windows XP.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please tell me if you run into any problems.

With Regards,
The Panda

#7 warob

warob
  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:12 AM

Posted 15 December 2010 - 10:56 PM

Ok, I ran the combofix file with no problems and have posted below. The Kaspersky scanner will not work, I get this error message: "Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program." although I have a continuous internet connection.

ComboFix 10-12-15.04 - ROBERTWA 12/15/2010 21:06:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2945 [GMT -6:00]
Running from: c:\documents and settings\robertwa\Desktop\pc tools\combofix\ComboFix.exe
Command switches used :: c:\documents and settings\robertwa\Desktop\pc tools\combofix\CFScript.txt
AV: Microsoft Forefront Client Security *Enabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\robertwa\applic~1\Liuvtu
c:\winnt\null

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_qpulsrwv


((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
.

2010-12-10 17:00 . 2010-12-10 17:00 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_2.reg
2010-12-10 17:00 . 2010-12-10 17:00 108035 ----a-w- c:\winnt\system32\WhlLSPBackup_2.reg
2010-12-08 22:22 . 2010-11-16 18:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{CADCC2BD-73DE-4A0C-8910-D2213968C34A}\mpengine.dll
2010-12-08 21:53 . 2010-12-08 23:39 -------- d-----w- c:\winnt\LMI35.tmp
2010-11-30 18:53 . 2010-11-30 18:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-30 18:50 . 2010-11-30 18:50 -------- d-----w- c:\program files\iPod
2010-11-30 18:50 . 2010-11-30 18:51 -------- d-----w- c:\program files\iTunes
2010-11-30 18:48 . 2010-11-30 18:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-16 18:01 . 2010-08-26 18:46 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-05 17:26 . 2010-11-05 17:26 21384 ---ha-w- c:\winnt\system32\drivers\whlva.sys
2010-10-19 16:41 . 2010-08-26 18:46 222080 ------w- c:\winnt\system32\MpSigStub.exe
2010-10-18 14:41 . 2010-11-05 10:10 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates\mpengine.dll
2010-09-29 17:43 . 2010-09-29 17:43 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_1.reg
2010-09-29 17:43 . 2010-09-29 17:43 117002 ----a-w- c:\winnt\system32\WhlLSPBackup_1.reg
2010-09-28 21:44 . 2010-03-10 16:52 41984 ----a-w- c:\winnt\system32\drivers\usbaapl.sys
2010-09-28 21:44 . 2010-03-10 16:52 4184352 ----a-w- c:\winnt\system32\usbaaplrc.dll
2010-09-18 17:23 . 2009-01-14 02:04 974848 ----a-w- c:\winnt\system32\mfc42u.dll
2010-09-18 06:53 . 2009-01-14 02:04 974848 ----a-w- c:\winnt\system32\mfc42.dll
2010-09-18 06:53 . 2009-01-14 02:04 954368 ----a-w- c:\winnt\system32\mfc40.dll
2010-09-18 06:53 . 2009-01-14 02:04 953856 ----a-w- c:\winnt\system32\mfc40u.dll
2008-10-08 17:18 . 2009-12-01 15:06 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-10-08 17:18 . 2009-12-01 15:06 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-10-08 17:18 . 2009-12-01 15:06 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-10-08 17:18 . 2009-12-01 15:06 40960 -c--a-w- c:\program files\Common Files\DigitalSignature.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WhlCach3.exe"="c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\WhlCach3.exe" [2009-12-14 300944]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\winnt\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AESTFltr"="c:\winnt\system32\AESTFltr.exe" [2008-05-20 466944]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-09-15 150040]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"8e6Authentication"="wscript.exe" [2008-04-14 155648]
"CfgDownload"="c:\program files\IXOS\bin\CfgDownload.exe" [2007-05-29 184320]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-10-09 883272]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2007-10-09 148712]
"CgaViewer"="c:\program files\CyberGatekeeper Agent\cgav.exe" [2010-02-16 163898]
"CgaHelper"="c:\program files\CyberGatekeeper Agent\cgahelp.exe" [2010-02-16 106560]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2009-12-3 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-03 15:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 15:51 8704 ----a-w- c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\0\0]
"Script"=InterfaceMetric.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\1\0]
"Script"=EFS_LS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\2\0]
"Script"=DelWhlCach3.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\winnt\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\winnt\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GlobeTrotter Connect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GlobeTrotter Connect.lnk
backup=c:\winnt\pss\GlobeTrotter Connect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 05:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 10:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2009-10-09 23:58 883272 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 21:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-09-21 21:34 1206544 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2009-09-21 21:49 1392640 ----a-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Forefront UAG\\Endpoint Components\\3.1.0\\WhlClnt3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 vmscsi;vmscsi;c:\winnt\system32\drivers\vmscsi.sys [1/14/2009 9:28 AM 10880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 CafeDrv;CafeDrv NDIS Protocol Driver;c:\winnt\system32\drivers\CafeDrv.sys [10/28/2009 11:36 AM 29568]
R2 CGAgent;CyberGatekeeper Agent;c:\program files\CyberGatekeeper Agent\cgasvc.exe [2/16/2010 5:07 PM 81982]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 8:41 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 8:41 PM 21352]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 3:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [10/22/2009 6:31 PM 69512]
R2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [4/30/2008 5:52 PM 200704]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 10:14 AM 134656]
R2 psginasvc;Password Manager Logon Management Service;c:\program files\P-Synch\Clients\service\psginasvc.exe [7/8/2009 1:50 PM 585728]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [12/1/2009 7:47 AM 108160]
R3 cvusbdrv;Broadcom USH CV;c:\winnt\system32\drivers\cvusbdrv.sys [12/1/2009 7:52 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [11/12/2008 9:33 AM 244368]
R3 Iexim;Infoexpress Generic Network Filter Service;c:\winnt\system32\drivers\iexim.sys [12/8/2009 10:17 AM 31232]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\winnt\system32\drivers\IntcHdmi.sys [12/1/2009 7:49 AM 110080]
R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [11/5/2010 11:26 AM 21384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/2/2010 2:41 PM 136176]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 5:59 PM 121416]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\winnt\DOWNLO~1\DMService.exe [11/5/2010 11:24 AM 468368]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\winnt\system32\drivers\Gt51Ip.sys [7/7/2008 2:29 PM 106112]
S3 GT72UBUS;GT 72 U BUS;c:\winnt\system32\drivers\gt72ubus.sys [8/20/2008 3:49 PM 59008]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\winnt\system32\drivers\swnc8u56.sys [4/7/2009 11:37 AM 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\winnt\system32\drivers\swumx56.sys [4/7/2009 11:37 AM 148096]
S3 whliocsv;Microsoft Forefront UAG SSL Network Tunneling Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whliocsv.exe [11/5/2010 11:26 AM 156048]
S3 WinRM;Windows Remote Management (WS-Management);c:\winnt\system32\svchost.exe -k WINRM [1/13/2009 8:04 PM 14336]
S4 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [11/5/2010 11:25 AM 149904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2010-09-09 13:36 124928 ----a-w- c:\winnt\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-12-16 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 20:41]

2010-12-15 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 20:41]

2010-12-16 c:\winnt\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-16 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-16 c:\winnt\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-16 c:\winnt\Tasks\User_Feed_Synchronization-{5DB2A058-6A4B-4593-80F8-C95C73691C34}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]

2010-12-16 c:\winnt\Tasks\User_Feed_Synchronization-{67B1C9E0-7BD3-4FD7-9AE6-D0A287583655}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aponline.apci.com
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: c:\progra~1\MIC3C8~1\ENDPOI~1\31265D~1.0\WhlLSP.dll
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\QlikView\QvProtocol\Qvp.dll
DPF: {A67EE2D0-D7C7-4ADE-96E5-7AE17AFBEDE2} - hxxp://meup1/softwarerequest/srsinstall.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 21:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\winnt\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\P-Synch\Clients\service\ginasvc.dll
c:\winnt\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3428)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
c:\winnt\System32\SCardSvr.exe
c:\progra~1\CYBERG~1\cgagent.exe
c:\winnt\system32\msdtc.exe
c:\progra~1\CYBERG~1\nicman.exe
c:\program files\Common Files\Apricorn\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\winnt\system32\HPZipm12.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\winnt\system32\mqsvc.exe
c:\winnt\system32\CCM\CcmExec.exe
c:\program files\IDT\WDM\sttray.exe
c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
c:\winnt\system32\igfxsrvc.exe
c:\progra~1\AirProducts\8e6auth\authenticat.exe
c:\winnt\system32\mqtgsvc.exe
c:\winnt\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-15 21:17:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-16 03:17
ComboFix2.txt 2010-11-10 17:08
ComboFix3.txt 2010-11-06 01:52

Pre-Run: 110,583,570,432 bytes free
Post-Run: 110,598,225,920 bytes free

- - End Of File - - 40DB331B2AD1CC4F34D2D9998EACF6BF

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:12 AM

Posted 16 December 2010 - 07:31 PM

Hello.

That looks good. Let's try ESET instead of Kaspersky.

Run ESET Online Scan
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your pc.
  • To do a full scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The online scan will now start and scan your computer. Please be patient, as this takes a while.
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window.
  • Click Start, then Run.... In the box that appears, type, with the quotes:
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad
  • Click into the text area, right-click and choose Select All. Right-click again and choose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista Users: Eset is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

With Regards,
The Panda

#9 warob

warob
  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:12 AM

Posted 17 December 2010 - 09:37 AM

Ok, the ESET scanner found no threats.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.21293 (vista_ldr.100824-1500)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=17f9f49f6f764042b3d5f0771a188997
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-17 04:21:04
# local_time=2010-12-16 10:21:04 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 3053271 3053271 0 0
# scanned=134310
# found=0
# cleaned=0
# scan_time=3471

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:12 AM

Posted 17 December 2010 - 05:51 PM

Hello.

That looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /uninstall
Please re-enable any antimalware programs that were disabled during the fix.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections:
  • So How did I get infected?
  • Microsoft - 'Security at home'
For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.
Do you have any questions or concerns?

With Regards,
The Panda

#11 warob

warob
  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:12 AM

Posted 20 December 2010 - 03:46 PM

Ok, just when I thought this pc was clean, it has been reinfected with the same trojan again. The only thing I can think that I may have done is that I signed back into my Facebook account, which was the site that the original infection came from. I couldn't get back on the internet, so I re-ran combofix. I didn't open any messages from facebook; the only thing I did while at the site was accept a friend request, which is someone I know. Should I just avoid Facebook from this pc forever? Thank you for all of your help. Here is the new Combofix log file:

ComboFix 10-12-15.04 - ROBERTWA 12/20/2010 14:19:25.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2930 [GMT -6:00]
Running from: c:\documents and settings\robertwa\Desktop\pc tools\combofix\ComboFix.exe
AV: Microsoft Forefront Client Security *Enabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\whitesmoketoolbar\whITesmoketoolbarx.dll
c:\winnt\null

.
((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
.

2010-12-20 20:02 . 2010-12-20 20:02 -------- d-----w- c:\program files\WhiteSmoke Translator
2010-12-20 20:02 . 2010-12-20 20:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2010-12-20 20:02 . 2010-12-20 20:28 -------- d-----w- c:\program files\whitesmoketoolbar
2010-12-16 03:38 . 2010-12-16 03:37 73728 ----a-w- c:\winnt\system32\javacpl.cpl
2010-12-16 03:38 . 2010-12-16 03:37 472808 ----a-w- c:\winnt\system32\deployJava1.dll
2010-12-10 17:00 . 2010-12-10 17:00 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_2.reg
2010-12-10 17:00 . 2010-12-10 17:00 108035 ----a-w- c:\winnt\system32\WhlLSPBackup_2.reg
2010-12-08 22:22 . 2010-11-16 18:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{CADCC2BD-73DE-4A0C-8910-D2213968C34A}\mpengine.dll
2010-12-08 21:53 . 2010-12-08 23:39 -------- d-----w- c:\winnt\LMI35.tmp
2010-11-30 18:53 . 2010-11-30 18:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-30 18:50 . 2010-11-30 18:50 -------- d-----w- c:\program files\iPod
2010-11-30 18:50 . 2010-11-30 18:51 -------- d-----w- c:\program files\iTunes
2010-11-30 18:48 . 2010-11-30 18:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-16 18:01 . 2010-08-26 18:46 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-05 17:26 . 2010-11-05 17:26 21384 ---ha-w- c:\winnt\system32\drivers\whlva.sys
2010-10-19 16:41 . 2010-08-26 18:46 222080 ------w- c:\winnt\system32\MpSigStub.exe
2010-10-18 14:41 . 2010-11-05 10:10 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates\mpengine.dll
2010-09-29 17:43 . 2010-09-29 17:43 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_1.reg
2010-09-29 17:43 . 2010-09-29 17:43 117002 ----a-w- c:\winnt\system32\WhlLSPBackup_1.reg
2010-09-28 21:44 . 2010-03-10 16:52 41984 ----a-w- c:\winnt\system32\drivers\usbaapl.sys
2010-09-28 21:44 . 2010-03-10 16:52 4184352 ----a-w- c:\winnt\system32\usbaaplrc.dll
2008-10-08 17:18 . 2009-12-01 15:06 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-10-08 17:18 . 2009-12-01 15:06 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-10-08 17:18 . 2009-12-01 15:06 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-10-08 17:18 . 2009-12-01 15:06 40960 -c--a-w- c:\program files\Common Files\DigitalSignature.ocx
.

((((((((((((((((((((((((((((( SnapShot@2010-11-06_01.50.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-20 20:17 . 2010-12-20 20:17 16384 c:\winnt\Temp\Perflib_Perfdata_874.dat
+ 2010-12-20 20:17 . 2010-12-20 20:17 16384 c:\winnt\Temp\Perflib_Perfdata_3a0.dat
+ 2009-01-14 15:16 . 2009-08-07 01:24 44768 c:\winnt\system32\wups2.dll
- 2009-01-14 15:16 . 2009-08-07 00:24 44768 c:\winnt\system32\wups2.dll
- 2009-01-13 23:15 . 2009-08-07 00:24 35552 c:\winnt\system32\wups.dll
+ 2009-01-13 23:15 . 2009-08-07 01:24 35552 c:\winnt\system32\wups.dll
- 2009-01-13 23:15 . 2009-08-07 00:24 53472 c:\winnt\system32\wuauclt.exe
+ 2009-01-13 23:15 . 2009-08-07 01:24 53472 c:\winnt\system32\wuauclt.exe
+ 2010-04-15 11:56 . 2009-08-07 01:24 44768 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
- 2010-04-15 11:56 . 2009-08-07 00:24 44768 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
- 2009-12-01 13:56 . 2008-01-23 23:34 44888 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.1.6001.65\wups2.dll
+ 2009-12-01 13:56 . 2008-01-24 00:34 44888 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.1.6001.65\wups2.dll
+ 2010-04-15 11:56 . 2009-08-07 01:24 35552 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
- 2010-04-15 11:56 . 2009-08-07 00:24 35552 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
- 2009-12-01 13:56 . 2008-01-23 23:34 36184 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.1.6001.65\wups.dll
+ 2009-12-01 13:56 . 2008-01-24 00:34 36184 c:\winnt\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.1.6001.65\wups.dll
+ 2010-11-30 18:48 . 2010-04-20 01:47 41984 c:\winnt\system32\ReinstallBackups\0036\DriverFiles\usbaapl.sys
+ 2009-01-14 02:04 . 2010-11-08 20:55 79696 c:\winnt\system32\perfc009.dat
+ 2003-05-20 14:47 . 2003-05-20 14:47 36864 c:\winnt\system32\Macromed\AUTHORWA\NP32ASW\AW70\dvd.dll
+ 2010-11-30 18:48 . 2010-09-28 21:44 41984 c:\winnt\system32\DRVSTORE\usbaapl_DECA0B114863448FE4957E5F5676B09528A18C9F\usbaapl.sys
+ 2010-11-30 18:48 . 2010-04-20 01:29 18432 c:\winnt\system32\DRVSTORE\netaapl_A0C073C4137716F9478B8B08B2873A7AB3AECF72\netaapl.sys
+ 2009-01-13 23:15 . 2009-08-07 01:24 35552 c:\winnt\system32\dllcache\wups.dll
- 2009-01-13 23:15 . 2009-08-07 00:24 35552 c:\winnt\system32\dllcache\wups.dll
+ 2009-01-13 23:15 . 2009-08-07 01:24 53472 c:\winnt\system32\dllcache\wuauclt.exe
- 2009-01-13 23:15 . 2009-08-07 00:24 53472 c:\winnt\system32\dllcache\wuauclt.exe
- 2009-01-14 02:04 . 2009-08-07 00:24 96480 c:\winnt\system32\dllcache\cdm.dll
+ 2009-01-14 02:04 . 2009-08-07 01:24 96480 c:\winnt\system32\dllcache\cdm.dll
- 2009-01-14 02:04 . 2009-08-07 00:24 96480 c:\winnt\system32\cdm.dll
+ 2009-01-14 02:04 . 2009-08-07 01:24 96480 c:\winnt\system32\cdm.dll
+ 2010-11-11 16:23 . 2010-11-11 16:23 28160 c:\winnt\Installer\d3c038.msi
+ 2010-11-11 16:22 . 2010-11-11 16:22 24064 c:\winnt\Installer\d3c033.msi
+ 2010-12-17 21:56 . 2010-12-17 21:56 25214 c:\winnt\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-12-17 21:56 . 2010-12-17 21:56 25214 c:\winnt\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-12-17 21:56 . 2010-12-17 21:56 25214 c:\winnt\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-12-17 21:56 . 2010-12-17 21:56 25214 c:\winnt\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-12-17 21:56 . 2010-12-17 21:56 25214 c:\winnt\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-12-17 21:56 . 2010-12-17 21:56 25214 c:\winnt\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-12-17 21:56 . 2010-12-17 21:56 25214 c:\winnt\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\ARPPRODUCTICON.exe
+ 2009-01-13 23:15 . 2009-08-07 01:24 209632 c:\winnt\system32\wuweb.dll
- 2009-01-13 23:15 . 2009-08-07 00:24 209632 c:\winnt\system32\wuweb.dll
- 2009-01-13 23:15 . 2009-08-07 00:24 327896 c:\winnt\system32\wucltui.dll
+ 2009-01-13 23:15 . 2009-08-07 01:24 327896 c:\winnt\system32\wucltui.dll
- 2009-01-13 23:15 . 2009-08-07 00:23 575704 c:\winnt\system32\wuapi.dll
+ 2009-01-13 23:15 . 2009-08-07 01:23 575704 c:\winnt\system32\wuapi.dll
+ 2009-01-14 02:04 . 2010-11-08 20:55 475066 c:\winnt\system32\perfh009.dat
+ 1998-08-05 14:48 . 1998-08-05 14:48 270336 c:\winnt\system32\Macromed\AUTHORWA\NP32ASW\AW70\VCT32161.dll
+ 1999-05-22 06:37 . 1999-05-22 06:37 280576 c:\winnt\system32\Macromed\AUTHORWA\NP32ASW\AW70\msvcrt.dll
+ 2003-04-21 22:43 . 2003-04-21 22:43 385536 c:\winnt\system32\Macromed\AUTHORWA\NP32ASW\AW70\js32.dll
+ 1999-09-11 20:24 . 1999-09-11 20:24 276480 c:\winnt\system32\Macromed\AUTHORWA\NP32ASW\AW70\AWIML32.DLL
+ 2003-10-11 08:21 . 2003-10-11 08:21 170496 c:\winnt\system32\Macromed\AUTHORWA\np32asw.dll
+ 2010-12-16 03:38 . 2010-12-16 03:37 157472 c:\winnt\system32\javaws.exe
+ 2010-12-16 03:38 . 2010-12-16 03:37 145184 c:\winnt\system32\javaw.exe
+ 2010-12-16 03:38 . 2010-12-16 03:37 145184 c:\winnt\system32\java.exe
+ 2009-01-13 23:15 . 2009-08-07 01:24 209632 c:\winnt\system32\dllcache\wuweb.dll
- 2009-01-13 23:15 . 2009-08-07 00:24 209632 c:\winnt\system32\dllcache\wuweb.dll
- 2009-01-13 23:15 . 2009-08-07 00:24 327896 c:\winnt\system32\dllcache\wucltui.dll
+ 2009-01-13 23:15 . 2009-08-07 01:24 327896 c:\winnt\system32\dllcache\wucltui.dll
+ 2009-01-13 23:15 . 2009-08-07 01:23 575704 c:\winnt\system32\dllcache\wuapi.dll
- 2009-01-13 23:15 . 2009-08-07 00:23 575704 c:\winnt\system32\dllcache\wuapi.dll
+ 2010-12-20 20:02 . 2010-07-07 09:45 807744 c:\winnt\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
- 2010-11-05 19:37 . 2010-07-07 09:45 807744 c:\winnt\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
- 2010-11-05 19:37 . 2010-07-07 09:45 581440 c:\winnt\system32\%APPDATA%\WhiteSmokeSetup\ISSetup.dll
+ 2010-12-20 20:02 . 2010-07-07 09:45 581440 c:\winnt\system32\%APPDATA%\WhiteSmokeSetup\ISSetup.dll
+ 2010-11-06 05:24 . 2010-11-06 05:24 269824 c:\winnt\Installer\d05016.msi
+ 2010-12-16 03:38 . 2010-12-16 03:38 180224 c:\winnt\Installer\1780f3.msi
+ 2010-12-16 03:37 . 2010-12-16 03:37 675840 c:\winnt\Installer\1780ee.msi
+ 2010-11-30 18:47 . 2010-11-30 18:47 811008 c:\winnt\Installer\13be737.msi
+ 2010-11-30 18:51 . 2010-11-30 18:51 380928 c:\winnt\Installer\{FAE36873-1941-4076-A9A5-48812B5EA0B7}\iTunesIco.exe
+ 2010-09-23 00:10 . 2010-09-23 00:10 103864 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\nppdf32.dll
- 2009-01-13 23:15 . 2009-08-07 00:23 1929952 c:\winnt\system32\wuaueng.dll
+ 2009-01-13 23:15 . 2009-08-07 01:23 1929952 c:\winnt\system32\wuaueng.dll
+ 2010-11-30 18:48 . 2010-04-20 01:47 3062048 c:\winnt\system32\ReinstallBackups\0036\DriverFiles\usbaaplrc.dll
+ 2003-10-11 12:12 . 2003-10-11 12:12 1756672 c:\winnt\system32\Macromed\AUTHORWA\NP32ASW\AW70\runa7w32.exe
+ 2010-11-30 18:48 . 2010-09-28 21:44 4184352 c:\winnt\system32\DRVSTORE\usbaapl_DECA0B114863448FE4957E5F5676B09528A18C9F\usbaaplrc.dll
+ 2010-11-30 18:48 . 2010-04-20 01:29 1461992 c:\winnt\system32\DRVSTORE\netaapl_A0C073C4137716F9478B8B08B2873A7AB3AECF72\wdfcoinstaller01009.dll
+ 2009-01-13 23:15 . 2009-08-07 01:23 1929952 c:\winnt\system32\dllcache\wuaueng.dll
- 2009-01-13 23:15 . 2009-08-07 00:23 1929952 c:\winnt\system32\dllcache\wuaueng.dll
+ 2010-11-11 16:25 . 2010-11-11 16:25 3940864 c:\winnt\Installer\d3c176.msi
+ 2010-12-17 21:56 . 2010-12-17 21:56 1164288 c:\winnt\Installer\40522dc.msi
+ 2010-11-08 07:14 . 2010-11-08 07:14 3402752 c:\winnt\Installer\2f60f.msp
+ 2010-11-30 18:51 . 2010-11-30 18:51 6237184 c:\winnt\Installer\13bf026.msi
+ 2010-11-30 18:48 . 2010-11-30 18:48 3085312 c:\winnt\Installer\13be784.msi
+ 2010-09-16 09:08 . 2010-09-16 09:08 6210560 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\authplay.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-11 39408]
"WhlCach3.exe"="c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\WhlCach3.exe" [2009-12-14 300944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\winnt\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AESTFltr"="c:\winnt\system32\AESTFltr.exe" [2008-05-20 466944]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-09-15 150040]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"8e6Authentication"="wscript.exe" [2008-04-14 155648]
"CfgDownload"="c:\program files\IXOS\bin\CfgDownload.exe" [2007-05-29 184320]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-10-09 883272]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2007-10-09 148712]
"CgaViewer"="c:\program files\CyberGatekeeper Agent\cgav.exe" [2010-02-16 163898]
"CgaHelper"="c:\program files\CyberGatekeeper Agent\cgahelp.exe" [2010-02-16 106560]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2009-12-3 135168]
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2010-12-20 671744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-03 15:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 15:51 8704 ----a-w- c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\0\0]
"Script"=InterfaceMetric.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\1\0]
"Script"=EFS_LS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\2\0]
"Script"=DelWhlCach3.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\winnt\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\winnt\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GlobeTrotter Connect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GlobeTrotter Connect.lnk
backup=c:\winnt\pss\GlobeTrotter Connect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 05:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 10:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2009-10-09 23:58 883272 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 21:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-09-21 21:34 1206544 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2009-09-21 21:49 1392640 ----a-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Forefront UAG\\Endpoint Components\\3.1.0\\WhlClnt3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

R0 vmscsi;vmscsi;c:\winnt\system32\drivers\vmscsi.sys [1/14/2009 9:28 AM 10880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 CafeDrv;CafeDrv NDIS Protocol Driver;c:\winnt\system32\drivers\CafeDrv.sys [10/28/2009 11:36 AM 29568]
R2 CGAgent;CyberGatekeeper Agent;c:\program files\CyberGatekeeper Agent\cgasvc.exe [2/16/2010 5:07 PM 81982]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 8:41 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 8:41 PM 21352]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 3:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [10/22/2009 6:31 PM 69512]
R2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [4/30/2008 5:52 PM 200704]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 10:14 AM 134656]
R2 psginasvc;Password Manager Logon Management Service;c:\program files\P-Synch\Clients\service\psginasvc.exe [7/8/2009 1:50 PM 585728]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [12/1/2009 7:47 AM 108160]
R3 cvusbdrv;Broadcom USH CV;c:\winnt\system32\drivers\cvusbdrv.sys [12/1/2009 7:52 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [11/12/2008 9:33 AM 244368]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\winnt\system32\drivers\Gt51Ip.sys [7/7/2008 2:29 PM 106112]
R3 GT72UBUS;GT 72 U BUS;c:\winnt\system32\drivers\gt72ubus.sys [8/20/2008 3:49 PM 59008]
R3 Iexim;Infoexpress Generic Network Filter Service;c:\winnt\system32\drivers\iexim.sys [12/8/2009 10:17 AM 31232]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\winnt\system32\drivers\IntcHdmi.sys [12/1/2009 7:49 AM 110080]
R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [11/5/2010 11:26 AM 21384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/2/2010 2:41 PM 136176]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 5:59 PM 121416]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\winnt\DOWNLO~1\DMService.exe [11/5/2010 11:24 AM 468368]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\winnt\system32\drivers\swnc8u56.sys [4/7/2009 11:37 AM 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\winnt\system32\drivers\swumx56.sys [4/7/2009 11:37 AM 148096]
S3 whliocsv;Microsoft Forefront UAG SSL Network Tunneling Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whliocsv.exe [11/5/2010 11:26 AM 156048]
S3 WinRM;Windows Remote Management (WS-Management);c:\winnt\system32\svchost.exe -k WINRM [1/13/2009 8:04 PM 14336]
S4 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [11/5/2010 11:25 AM 149904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2010-09-09 13:36 124928 ----a-w- c:\winnt\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 20:41]

2010-12-20 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 20:41]

2010-12-20 c:\winnt\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-20 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-20 c:\winnt\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-20 c:\winnt\Tasks\User_Feed_Synchronization-{5DB2A058-6A4B-4593-80F8-C95C73691C34}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]

2010-12-20 c:\winnt\Tasks\User_Feed_Synchronization-{67B1C9E0-7BD3-4FD7-9AE6-D0A287583655}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aponline.apci.com
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: c:\progra~1\MIC3C8~1\ENDPOI~1\31265D~1.0\WhlLSP.dll
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\QlikView\QvProtocol\Qvp.dll
DPF: {A67EE2D0-D7C7-4ADE-96E5-7AE17AFBEDE2} - hxxp://meup1/softwarerequest/srsinstall.cab
.
.
------- File Associations -------
.
JSEFile=c:\winnt\system32\Notepad.exe "%1" %*
vbsfile\shell\edit\command=c:\winnt\system32\Notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 14:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160412ASG rev.0003SDM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B0F2555]<<
c:\docume~1\robertwa\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b0f87b0]; MOV EAX, [0x8b0f882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B11B5C8]
3 CLASSPNP[0xBA168FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B0CE8F8]
\Driver\atapi[0x8B118AE8] -> IRP_MJ_CREATE -> 0x8B0F2555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9160412ASG____________________________0003SDM1#5&2de4fdb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B0F239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1820)
c:\winnt\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\winnt\system32\netprovcredman.dll
c:\program files\P-Synch\Clients\service\ginasvc.dll

- - - - - - - > 'lsass.exe'(1880)
c:\winnt\system32\WININET.dll
.
Completion time: 2010-12-20 14:32:38
ComboFix-quarantined-files.txt 2010-12-20 20:32
ComboFix2.txt 2010-12-16 03:17
ComboFix3.txt 2010-11-10 17:08
ComboFix4.txt 2010-11-06 01:52

Pre-Run: 110,165,372,928 bytes free
Post-Run: 110,317,289,472 bytes free

- - End Of File - - BA530631857FB190C092AC32549A02C3

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 20 December 2010 - 04:28 PM

Hello.

It does look like you got reinfected somehow.

Download and Run Kaspersky TDSSKiller
  • Go to Kaspersky and Download TDSSKiller.exe.

  • Click Start >> Run then copy and paste the following bold command line into the Run box and click OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
  • When done, a log file should be created on your C: drive called TDSSKiller.txt please post this log in your next reply.

After, please run ComboFix again just clicking it. Also grab a new GMER log.

With Regards,
The Panda

#13 warob
  • Topic Starter
  • Members
  • 14 posts

Posted 20 December 2010 - 10:57 PM

Here are all three logs:

2010/12/20 15:35:00.0359 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/20 15:35:00.0359 ================================================================================
2010/12/20 15:35:00.0359 SystemInfo:
2010/12/20 15:35:00.0359
2010/12/20 15:35:00.0359 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/20 15:35:00.0359 Product type: Workstation
2010/12/20 15:35:00.0359 ComputerName: US24751
2010/12/20 15:35:00.0359 UserName: ROBERTWA
2010/12/20 15:35:00.0359 Windows directory: C:\WINNT
2010/12/20 15:35:00.0359 System windows directory: C:\WINNT
2010/12/20 15:35:00.0359 Processor architecture: Intel x86
2010/12/20 15:35:00.0359 Number of processors: 2
2010/12/20 15:35:00.0359 Page size: 0x1000
2010/12/20 15:35:00.0359 Boot type: Normal boot
2010/12/20 15:35:00.0359 ================================================================================
2010/12/20 15:35:00.0750 Initialize success
2010/12/20 15:39:38.0593 ================================================================================
2010/12/20 15:39:38.0593 Scan started
2010/12/20 15:39:38.0593 Mode: Manual;
2010/12/20 15:39:38.0593 ================================================================================
2010/12/20 15:39:40.0078 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINNT\system32\DRIVERS\ABP480N5.SYS
2010/12/20 15:39:40.0250 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINNT\system32\DRIVERS\ACPI.sys
2010/12/20 15:39:40.0312 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINNT\system32\DRIVERS\ACPIEC.sys
2010/12/20 15:39:40.0359 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINNT\system32\DRIVERS\adpu160m.sys
2010/12/20 15:39:40.0406 aec (8bed39e3c35d6a489438b8141717a557) C:\WINNT\system32\drivers\aec.sys
2010/12/20 15:39:40.0468 AESTAud (fde8ed2c9280afb8975894aa78eef59f) C:\WINNT\system32\drivers\AESTAud.sys
2010/12/20 15:39:40.0531 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINNT\System32\drivers\afd.sys
2010/12/20 15:39:40.0562 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINNT\system32\DRIVERS\agp440.sys
2010/12/20 15:39:40.0593 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINNT\system32\DRIVERS\agpCPQ.sys
2010/12/20 15:39:40.0609 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINNT\system32\DRIVERS\aha154x.sys
2010/12/20 15:39:40.0656 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINNT\system32\DRIVERS\aic78u2.sys
2010/12/20 15:39:40.0703 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINNT\system32\DRIVERS\aic78xx.sys
2010/12/20 15:39:40.0765 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINNT\system32\DRIVERS\aliide.sys
2010/12/20 15:39:40.0843 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINNT\system32\DRIVERS\alim1541.sys
2010/12/20 15:39:40.0875 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINNT\system32\DRIVERS\amdagp.sys
2010/12/20 15:39:40.0890 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINNT\system32\DRIVERS\amsint.sys
2010/12/20 15:39:40.0937 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINNT\system32\DRIVERS\arp1394.sys
2010/12/20 15:39:40.0968 asc (62d318e9a0c8fc9b780008e724283707) C:\WINNT\system32\DRIVERS\asc.sys
2010/12/20 15:39:41.0000 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINNT\system32\DRIVERS\asc3350p.sys
2010/12/20 15:39:41.0015 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINNT\system32\DRIVERS\asc3550.sys
2010/12/20 15:39:41.0062 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINNT\system32\DRIVERS\asyncmac.sys
2010/12/20 15:39:41.0109 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINNT\system32\DRIVERS\atapi.sys
2010/12/20 15:39:41.0203 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINNT\system32\DRIVERS\atmarpc.sys
2010/12/20 15:39:41.0265 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINNT\system32\DRIVERS\audstub.sys
2010/12/20 15:39:41.0312 avpnnic (84632bb018cdb66b366ead809bb0a426) C:\WINNT\system32\DRIVERS\avpnnic.sys
2010/12/20 15:39:41.0343 awecho (7305e36433ae7ce4a878ccc900bcf2a8) C:\WINNT\system32\drivers\awechomd.sys
2010/12/20 15:39:41.0375 awlegacy (1464f3daf223e7a204baf1b556ee7769) C:\WINNT\System32\Drivers\awlegacy.sys
2010/12/20 15:39:41.0390 AW_HOST (71c32536b50136e9e439306a2e9296e2) C:\WINNT\system32\drivers\aw_host5.sys
2010/12/20 15:39:41.0437 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINNT\system32\DRIVERS\b57xp32.sys
2010/12/20 15:39:41.0468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINNT\system32\drivers\Beep.sys
2010/12/20 15:39:41.0531 CafeDrv (7b66aafdf4caf1da68fc030d3c502830) C:\WINNT\system32\DRIVERS\CafeDrv.sys
2010/12/20 15:39:41.0718 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINNT\system32\DRIVERS\cbidf2k.sys
2010/12/20 15:39:41.0734 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINNT\system32\drivers\cbidf2k.sys
2010/12/20 15:39:41.0812 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINNT\system32\DRIVERS\CCDECODE.sys
2010/12/20 15:39:41.0875 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINNT\system32\DRIVERS\cd20xrnt.sys
2010/12/20 15:39:41.0921 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINNT\system32\drivers\Cdaudio.sys
2010/12/20 15:39:41.0968 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINNT\system32\drivers\Cdfs.sys
2010/12/20 15:39:42.0015 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINNT\system32\DRIVERS\cdrom.sys
2010/12/20 15:39:42.0093 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINNT\system32\DRIVERS\CmBatt.sys
2010/12/20 15:39:42.0125 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINNT\system32\DRIVERS\cmdide.sys
2010/12/20 15:39:42.0156 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINNT\system32\DRIVERS\compbatt.sys
2010/12/20 15:39:42.0203 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINNT\system32\DRIVERS\cpqarray.sys
2010/12/20 15:39:42.0296 cvusbdrv (6fdbd7618935247d24a84d673d796ad0) C:\WINNT\system32\Drivers\cvusbdrv.sys
2010/12/20 15:39:42.0343 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINNT\system32\DRIVERS\dac2w2k.sys
2010/12/20 15:39:42.0390 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINNT\system32\DRIVERS\dac960nt.sys
2010/12/20 15:39:42.0421 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINNT\system32\DRIVERS\disk.sys
2010/12/20 15:39:42.0453 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINNT\system32\drivers\dmboot.sys
2010/12/20 15:39:42.0484 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINNT\system32\drivers\dmio.sys
2010/12/20 15:39:42.0531 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINNT\system32\drivers\dmload.sys
2010/12/20 15:39:42.0562 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINNT\system32\drivers\DMusic.sys
2010/12/20 15:39:42.0609 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINNT\system32\DRIVERS\dpti2o.sys
2010/12/20 15:39:42.0640 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINNT\system32\drivers\drmkaud.sys
2010/12/20 15:39:42.0703 e1yexpress (10cbd2b278ce365b41de378632cb5ddb) C:\WINNT\system32\DRIVERS\e1y5132.sys
2010/12/20 15:39:42.0781 Fastfat (38d332a6d56af32635675f132548343e) C:\WINNT\system32\drivers\Fastfat.sys
2010/12/20 15:39:42.0890 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINNT\system32\drivers\Fdc.sys
2010/12/20 15:39:42.0921 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINNT\system32\drivers\Fips.sys
2010/12/20 15:39:42.0937 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINNT\system32\drivers\Flpydisk.sys
2010/12/20 15:39:43.0000 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINNT\system32\drivers\fltmgr.sys
2010/12/20 15:39:43.0046 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINNT\system32\drivers\Fs_Rec.sys
2010/12/20 15:39:43.0109 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINNT\system32\DRIVERS\ftdisk.sys
2010/12/20 15:39:43.0156 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINNT\system32\DRIVERS\GEARAspiWDM.sys
2010/12/20 15:39:43.0203 Gernuwa (fd25177ced6751c14de170d8282ced90) C:\WINNT\system32\drivers\Gernuwa.sys
2010/12/20 15:39:43.0281 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINNT\system32\DRIVERS\msgpc.sys
2010/12/20 15:39:43.0343 GT72NDISIPXP (19ad11dba7f1a302008332a3ad360b3c) C:\WINNT\system32\DRIVERS\Gt51Ip.sys
2010/12/20 15:39:43.0390 GT72UBUS (0aecf7b4b784c6257287fe9230d1163e) C:\WINNT\system32\DRIVERS\gt72ubus.sys
2010/12/20 15:39:43.0406 GTPTSER (4b915d813b7892ba0a08620f82991a82) C:\WINNT\system32\DRIVERS\gtptser.sys
2010/12/20 15:39:43.0468 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINNT\system32\DRIVERS\HDAudBus.sys
2010/12/20 15:39:43.0531 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINNT\system32\DRIVERS\hidusb.sys
2010/12/20 15:39:43.0578 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINNT\system32\DRIVERS\hpn.sys
2010/12/20 15:39:43.0609 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINNT\system32\DRIVERS\HPZid412.sys
2010/12/20 15:39:43.0640 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINNT\system32\DRIVERS\HPZipr12.sys
2010/12/20 15:39:43.0671 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINNT\system32\DRIVERS\HPZius12.sys
2010/12/20 15:39:43.0750 HSFHWAZL (7290fb97535c317a237d4c73149c7e2c) C:\WINNT\system32\DRIVERS\HSFHWAZL.sys
2010/12/20 15:39:43.0812 HSF_DPV (f362c0b442337da8ab0608dfaa4ca076) C:\WINNT\system32\DRIVERS\HSF_DPV.sys
2010/12/20 15:39:43.0953 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINNT\system32\Drivers\HTTP.sys
2010/12/20 15:39:43.0984 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINNT\system32\drivers\i2omgmt.sys
2010/12/20 15:39:44.0015 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINNT\system32\DRIVERS\i2omp.sys
2010/12/20 15:39:44.0046 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINNT\system32\DRIVERS\i8042prt.sys
2010/12/20 15:39:44.0218 ialm (4f3139829f1ac202ff0d29c2fd6c15b6) C:\WINNT\system32\DRIVERS\igxpmp32.sys
2010/12/20 15:39:44.0453 iaStor (707c1692214b1c290271067197f075f6) C:\WINNT\system32\DRIVERS\iaStor.sys
2010/12/20 15:39:44.0515 Iexim (99de69f6f9987c641faa1aea12568043) C:\WINNT\system32\DRIVERS\iexim.sys
2010/12/20 15:39:44.0562 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINNT\system32\DRIVERS\imapi.sys
2010/12/20 15:39:44.0593 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINNT\system32\DRIVERS\ini910u.sys
2010/12/20 15:39:44.0625 IntcHdmiAddService (64c301d73db18ebdc8680ca82d82af2d) C:\WINNT\system32\drivers\IntcHdmi.sys
2010/12/20 15:39:44.0656 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINNT\system32\DRIVERS\intelide.sys
2010/12/20 15:39:44.0687 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINNT\system32\DRIVERS\intelppm.sys
2010/12/20 15:39:44.0734 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINNT\system32\drivers\ip6fw.sys
2010/12/20 15:39:44.0765 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
2010/12/20 15:39:44.0796 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINNT\system32\DRIVERS\ipinip.sys
2010/12/20 15:39:44.0859 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINNT\system32\DRIVERS\ipnat.sys
2010/12/20 15:39:44.0921 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINNT\system32\DRIVERS\ipsec.sys
2010/12/20 15:39:44.0968 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINNT\system32\DRIVERS\irda.sys
2010/12/20 15:39:45.0000 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINNT\system32\DRIVERS\irenum.sys
2010/12/20 15:39:45.0062 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINNT\system32\DRIVERS\isapnp.sys
2010/12/20 15:39:45.0109 Iviaspi (94a8c9436c36cd9657cfed0043066b9c) C:\WINNT\system32\drivers\iviaspi.sys
2010/12/20 15:39:45.0156 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINNT\system32\DRIVERS\kbdclass.sys
2010/12/20 15:39:45.0187 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINNT\system32\DRIVERS\kbdhid.sys
2010/12/20 15:39:45.0234 kmixer (692bcf44383d056aed41b045a323d378) C:\WINNT\system32\drivers\kmixer.sys
2010/12/20 15:39:45.0296 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINNT\system32\drivers\KSecDD.sys
2010/12/20 15:39:45.0375 MBAMSwissArmy (e74dc2f3f9675a6025a4aa020edd4341) C:\WINNT\system32\drivers\mbamswissarmy.sys
2010/12/20 15:39:45.0406 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINNT\system32\DRIVERS\mdmxsdk.sys
2010/12/20 15:39:45.0421 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINNT\system32\drivers\mnmdd.sys
2010/12/20 15:39:45.0453 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINNT\system32\drivers\Modem.sys
2010/12/20 15:39:45.0515 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINNT\system32\DRIVERS\mouclass.sys
2010/12/20 15:39:45.0562 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINNT\system32\DRIVERS\mouhid.sys
2010/12/20 15:39:45.0609 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINNT\system32\drivers\MountMgr.sys
2010/12/20 15:39:45.0656 MpFilter (fbc56c853814eaa196e22edf596a4ebd) C:\WINNT\system32\DRIVERS\MpFilter.sys
2010/12/20 15:39:45.0718 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINNT\system32\drivers\mqac.sys
2010/12/20 15:39:45.0765 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINNT\system32\DRIVERS\mraid35x.sys
2010/12/20 15:39:45.0828 MRxDAV (65e818c473e220b6ab762e1966296fd1) C:\WINNT\system32\DRIVERS\mrxdav.sys
2010/12/20 15:39:45.0906 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINNT\system32\DRIVERS\mrxsmb.sys
2010/12/20 15:39:45.0953 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINNT\system32\drivers\Msfs.sys
2010/12/20 15:39:45.0968 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINNT\system32\drivers\MSKSSRV.sys
2010/12/20 15:39:46.0000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINNT\system32\drivers\MSPCLOCK.sys
2010/12/20 15:39:46.0015 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINNT\system32\drivers\MSPQM.sys
2010/12/20 15:39:46.0062 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINNT\system32\DRIVERS\mssmbios.sys
2010/12/20 15:39:46.0109 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINNT\system32\drivers\MSTEE.sys
2010/12/20 15:39:46.0171 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINNT\system32\drivers\Mup.sys
2010/12/20 15:39:46.0203 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINNT\system32\DRIVERS\NABTSFEC.sys
2010/12/20 15:39:46.0296 NDIS (1df7f42665c94b825322fae71721130d) C:\WINNT\system32\drivers\NDIS.sys
2010/12/20 15:39:46.0328 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINNT\system32\DRIVERS\NdisIP.sys
2010/12/20 15:39:46.0375 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINNT\system32\DRIVERS\ndistapi.sys
2010/12/20 15:39:46.0421 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINNT\system32\DRIVERS\ndisuio.sys
2010/12/20 15:39:46.0484 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINNT\system32\DRIVERS\ndiswan.sys
2010/12/20 15:39:46.0500 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINNT\system32\drivers\NDProxy.sys
2010/12/20 15:39:46.0546 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINNT\system32\DRIVERS\netbios.sys
2010/12/20 15:39:46.0593 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINNT\system32\DRIVERS\netbt.sys
2010/12/20 15:39:46.0796 NETw5x32 (580207a7c9bde8ba65401f51f9ba9741) C:\WINNT\system32\DRIVERS\NETw5x32.sys
2010/12/20 15:39:46.0984 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINNT\system32\DRIVERS\nic1394.sys
2010/12/20 15:39:47.0031 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINNT\system32\drivers\Npfs.sys
2010/12/20 15:39:47.0078 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINNT\system32\drivers\Ntfs.sys
2010/12/20 15:39:47.0109 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINNT\system32\drivers\Null.sys
2010/12/20 15:39:47.0156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
2010/12/20 15:39:47.0171 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
2010/12/20 15:39:47.0234 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINNT\system32\DRIVERS\ohci1394.sys
2010/12/20 15:39:47.0281 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINNT\system32\DRIVERS\parport.sys
2010/12/20 15:39:47.0312 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINNT\system32\drivers\PartMgr.sys
2010/12/20 15:39:47.0359 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINNT\system32\drivers\ParVdm.sys
2010/12/20 15:39:47.0390 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINNT\system32\DRIVERS\PBADRV.sys
2010/12/20 15:39:47.0437 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINNT\system32\Drivers\PCASp50.sys
2010/12/20 15:39:47.0484 PCI (a219903ccf74233761d92bef471a07b1) C:\WINNT\system32\DRIVERS\pci.sys
2010/12/20 15:39:47.0531 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINNT\system32\DRIVERS\pciide.sys
2010/12/20 15:39:47.0593 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINNT\system32\DRIVERS\pcmcia.sys
2010/12/20 15:39:47.0625 PCTINDIS5 (1e715247efffdda938c085913045d599) C:\WINNT\system32\PCTINDIS5.SYS
2010/12/20 15:39:47.0765 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINNT\system32\DRIVERS\perc2.sys
2010/12/20 15:39:47.0781 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINNT\system32\DRIVERS\perc2hib.sys
2010/12/20 15:39:47.0875 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINNT\system32\DRIVERS\raspptp.sys
2010/12/20 15:39:47.0921 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\WINNT\system32\CCM\prepdrv.sys
2010/12/20 15:39:47.0968 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINNT\system32\DRIVERS\psched.sys
2010/12/20 15:39:48.0000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINNT\system32\DRIVERS\ptilink.sys
2010/12/20 15:39:48.0031 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINNT\system32\DRIVERS\ql1080.sys
2010/12/20 15:39:48.0062 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINNT\system32\DRIVERS\ql10wnt.sys
2010/12/20 15:39:48.0093 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINNT\system32\DRIVERS\ql12160.sys
2010/12/20 15:39:48.0125 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINNT\system32\DRIVERS\ql1240.sys
2010/12/20 15:39:48.0140 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINNT\system32\DRIVERS\ql1280.sys
2010/12/20 15:39:48.0171 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINNT\system32\DRIVERS\rasacd.sys
2010/12/20 15:39:48.0218 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINNT\system32\DRIVERS\rasirda.sys
2010/12/20 15:39:48.0234 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINNT\system32\DRIVERS\rasl2tp.sys
2010/12/20 15:39:48.0265 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINNT\system32\DRIVERS\raspppoe.sys
2010/12/20 15:39:48.0328 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINNT\system32\DRIVERS\raspti.sys
2010/12/20 15:39:48.0406 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINNT\system32\DRIVERS\rdbss.sys
2010/12/20 15:39:48.0500 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINNT\system32\DRIVERS\RDPCDD.sys
2010/12/20 15:39:48.0609 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINNT\system32\DRIVERS\rdpdr.sys
2010/12/20 15:39:48.0656 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINNT\system32\drivers\RDPWD.sys
2010/12/20 15:39:48.0718 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINNT\system32\DRIVERS\redbook.sys
2010/12/20 15:39:48.0796 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINNT\system32\DRIVERS\rimmptsk.sys
2010/12/20 15:39:48.0828 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINNT\system32\DRIVERS\RimSerial.sys
2010/12/20 15:39:48.0875 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINNT\system32\drivers\RMCast.sys
2010/12/20 15:39:48.0906 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINNT\system32\Drivers\RootMdm.sys
2010/12/20 15:39:48.0953 s24trans (e7958e8acda7ca20127ef5f2235f25cc) C:\WINNT\system32\DRIVERS\s24trans.sys
2010/12/20 15:39:49.0093 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/20 15:39:49.0109 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/20 15:39:49.0187 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINNT\system32\DRIVERS\sdbus.sys
2010/12/20 15:39:49.0218 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINNT\system32\DRIVERS\secdrv.sys
2010/12/20 15:39:49.0281 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINNT\system32\DRIVERS\serenum.sys
2010/12/20 15:39:49.0359 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINNT\system32\DRIVERS\serial.sys
2010/12/20 15:39:49.0390 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINNT\system32\drivers\Sfloppy.sys
2010/12/20 15:39:49.0437 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINNT\system32\DRIVERS\sisagp.sys
2010/12/20 15:39:49.0484 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINNT\system32\DRIVERS\SLIP.sys
2010/12/20 15:39:49.0515 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINNT\system32\DRIVERS\smcirda.sys
2010/12/20 15:39:49.0593 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINNT\system32\DRIVERS\smsmdm.sys
2010/12/20 15:39:49.0656 snapman (692141d5ac9d48647fec63ac859ecd69) C:\WINNT\system32\DRIVERS\snapman.sys
2010/12/20 15:39:49.0687 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINNT\system32\DRIVERS\sparrow.sys
2010/12/20 15:39:49.0734 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINNT\system32\drivers\splitter.sys
2010/12/20 15:39:49.0796 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINNT\system32\DRIVERS\sr.sys
2010/12/20 15:39:49.0859 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINNT\system32\DRIVERS\srv.sys
2010/12/20 15:39:49.0953 STHDA (503a4536c83e041ddcdf75b38cd5ecf7) C:\WINNT\system32\drivers\sthda.sys
2010/12/20 15:39:50.0031 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINNT\system32\DRIVERS\StreamIP.sys
2010/12/20 15:39:50.0078 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINNT\system32\DRIVERS\swenum.sys
2010/12/20 15:39:50.0093 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINNT\system32\drivers\swmidi.sys
2010/12/20 15:39:50.0156 swmsflt (57bbaef27dc790160245b43eb6dcd576) C:\WINNT\System32\drivers\swmsflt.sys
2010/12/20 15:39:50.0187 SWNC8U56 (384b7805c856b92bb6662fca26acdb4d) C:\WINNT\system32\DRIVERS\swnc8u56.sys
2010/12/20 15:39:50.0281 SWUMX56 (086f352446a171acd850ccdef6632310) C:\WINNT\system32\DRIVERS\swumx56.sys
2010/12/20 15:39:50.0328 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINNT\system32\DRIVERS\symc810.sys
2010/12/20 15:39:50.0359 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINNT\system32\DRIVERS\symc8xx.sys
2010/12/20 15:39:50.0406 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\WINNT\system32\Drivers\SYMEVENT.SYS
2010/12/20 15:39:50.0437 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINNT\system32\DRIVERS\sym_hi.sys
2010/12/20 15:39:50.0468 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINNT\system32\DRIVERS\sym_u3.sys
2010/12/20 15:39:50.0515 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINNT\system32\drivers\sysaudio.sys
2010/12/20 15:39:50.0625 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINNT\system32\DRIVERS\tcpip.sys
2010/12/20 15:39:50.0656 tcpipBM (c779befc948e365cdb271b98cade6b29) C:\WINNT\system32\drivers\tcpipBM.sys
2010/12/20 15:39:50.0687 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINNT\system32\drivers\TDPIPE.sys
2010/12/20 15:39:50.0718 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINNT\system32\drivers\TDTCP.sys
2010/12/20 15:39:50.0781 TermDD (88155247177638048422893737429d9e) C:\WINNT\system32\DRIVERS\termdd.sys
2010/12/20 15:39:50.0843 tifsfilter (1d4e8d7041ca9069f65e132249a81b6d) C:\WINNT\system32\DRIVERS\tifsfilt.sys
2010/12/20 15:39:50.0906 timounter (f86ff17a6f9ebd4d8c2fec4b6d0a4787) C:\WINNT\system32\DRIVERS\timntr.sys
2010/12/20 15:39:50.0921 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINNT\system32\DRIVERS\toside.sys
2010/12/20 15:39:50.0968 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINNT\system32\drivers\Udfs.sys
2010/12/20 15:39:51.0000 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINNT\system32\DRIVERS\ultra.sys
2010/12/20 15:39:51.0046 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINNT\system32\DRIVERS\update.sys
2010/12/20 15:39:51.0125 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINNT\system32\Drivers\usbaapl.sys
2010/12/20 15:39:51.0171 usbaudio (e919708db44ed8543a7c017953148330) C:\WINNT\system32\drivers\usbaudio.sys
2010/12/20 15:39:51.0218 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINNT\system32\DRIVERS\usbccgp.sys
2010/12/20 15:39:51.0296 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINNT\system32\DRIVERS\usbccid.sys
2010/12/20 15:39:51.0359 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINNT\system32\DRIVERS\usbehci.sys
2010/12/20 15:39:51.0375 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINNT\system32\DRIVERS\usbhub.sys
2010/12/20 15:39:51.0406 usbprint (a717c8721046828520c9edf31288fc00) C:\WINNT\system32\DRIVERS\usbprint.sys
2010/12/20 15:39:51.0437 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINNT\system32\DRIVERS\usbscan.sys
2010/12/20 15:39:51.0468 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
2010/12/20 15:39:51.0515 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINNT\system32\DRIVERS\usbuhci.sys
2010/12/20 15:39:51.0546 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINNT\system32\Drivers\usbvideo.sys
2010/12/20 15:39:51.0578 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINNT\System32\drivers\vga.sys
2010/12/20 15:39:51.0625 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINNT\system32\DRIVERS\viaagp.sys
2010/12/20 15:39:51.0656 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINNT\system32\DRIVERS\viaide.sys
2010/12/20 15:39:51.0671 vmscsi (55a928c40c11870df5b90300ba329878) C:\WINNT\system32\DRIVERS\vmscsi.sys
2010/12/20 15:39:51.0718 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINNT\system32\drivers\VolSnap.sys
2010/12/20 15:39:51.0765 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINNT\system32\DRIVERS\wanarp.sys
2010/12/20 15:39:51.0843 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINNT\system32\DRIVERS\Wdf01000.sys
2010/12/20 15:39:51.0890 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINNT\system32\drivers\wdmaud.sys
2010/12/20 15:39:51.0953 whlva (1868bf76e2745f733b0fe5cdd2c6a81c) C:\WINNT\system32\DRIVERS\whlva.sys
2010/12/20 15:39:52.0031 winachsf (92ce6497076eac3083185c44157b3a46) C:\WINNT\system32\DRIVERS\HSF_CNXT.sys
2010/12/20 15:39:52.0109 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINNT\system32\DRIVERS\wmiacpi.sys
2010/12/20 15:39:52.0125 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINNT\System32\drivers\ws2ifsl.sys
2010/12/20 15:39:52.0171 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINNT\system32\DRIVERS\WSTCODEC.SYS
2010/12/20 15:39:52.0218 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINNT\system32\DRIVERS\WudfPf.sys
2010/12/20 15:39:52.0234 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINNT\system32\DRIVERS\wudfrd.sys
2010/12/20 15:39:52.0359 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/20 15:39:52.0359 ================================================================================
2010/12/20 15:39:52.0359 Scan finished
2010/12/20 15:39:52.0359 ================================================================================
2010/12/20 15:39:52.0375 Detected object count: 1
2010/12/20 15:40:15.0484 \HardDisk0 - will be cured after reboot
2010/12/20 15:40:15.0484 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/20 15:40:57.0343 Deinitialize success


ComboFix 10-12-15.04 - ROBERTWA 12/20/2010 16:46:13.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2932 [GMT -6:00]
Running from: c:\documents and settings\robertwa\Desktop\pc tools\combofix\ComboFix.exe
AV: Microsoft Forefront Client Security *Enabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
.

2010-12-20 20:02 . 2010-12-20 20:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2010-12-16 03:38 . 2010-12-16 03:37 73728 ----a-w- c:\winnt\system32\javacpl.cpl
2010-12-16 03:38 . 2010-12-16 03:37 472808 ----a-w- c:\winnt\system32\deployJava1.dll
2010-12-10 17:00 . 2010-12-10 17:00 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_2.reg
2010-12-10 17:00 . 2010-12-10 17:00 108035 ----a-w- c:\winnt\system32\WhlLSPBackup_2.reg
2010-12-08 22:22 . 2010-11-16 18:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{CADCC2BD-73DE-4A0C-8910-D2213968C34A}\mpengine.dll
2010-12-08 21:53 . 2010-12-08 23:39 -------- d-----w- c:\winnt\LMI35.tmp
2010-11-30 18:53 . 2010-11-30 18:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-30 18:50 . 2010-11-30 18:50 -------- d-----w- c:\program files\iPod
2010-11-30 18:50 . 2010-11-30 18:51 -------- d-----w- c:\program files\iTunes
2010-11-30 18:48 . 2010-11-30 18:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-11-05 00:26 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-11-05 00:26 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-11-16 18:01 . 2010-08-26 18:46 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-05 17:26 . 2010-11-05 17:26 21384 ---ha-w- c:\winnt\system32\drivers\whlva.sys
2010-10-19 16:41 . 2010-08-26 18:46 222080 ------w- c:\winnt\system32\MpSigStub.exe
2010-10-18 14:41 . 2010-11-05 10:10 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates\mpengine.dll
2010-09-29 17:43 . 2010-09-29 17:43 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_1.reg
2010-09-29 17:43 . 2010-09-29 17:43 117002 ----a-w- c:\winnt\system32\WhlLSPBackup_1.reg
2010-09-28 21:44 . 2010-03-10 16:52 41984 ----a-w- c:\winnt\system32\drivers\usbaapl.sys
2010-09-28 21:44 . 2010-03-10 16:52 4184352 ----a-w- c:\winnt\system32\usbaaplrc.dll
2008-10-08 17:18 . 2009-12-01 15:06 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-10-08 17:18 . 2009-12-01 15:06 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-10-08 17:18 . 2009-12-01 15:06 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-10-08 17:18 . 2009-12-01 15:06 40960 -c--a-w- c:\program files\Common Files\DigitalSignature.ocx
.

((((((((((((((((((((((((((((( SnapShot_2010-12-20_20.29.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-20 22:37 . 2010-12-20 22:37 16384 c:\winnt\Temp\Perflib_Perfdata_5b0.dat
+ 2010-12-20 22:37 . 2010-12-20 22:37 16384 c:\winnt\Temp\Perflib_Perfdata_290.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-11 39408]
"WhlCach3.exe"="c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\WhlCach3.exe" [2009-12-14 300944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\winnt\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AESTFltr"="c:\winnt\system32\AESTFltr.exe" [2008-05-20 466944]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-09-15 150040]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"8e6Authentication"="wscript.exe" [2008-04-14 155648]
"CfgDownload"="c:\program files\IXOS\bin\CfgDownload.exe" [2007-05-29 184320]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-10-09 883272]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2007-10-09 148712]
"CgaViewer"="c:\program files\CyberGatekeeper Agent\cgav.exe" [2010-02-16 163898]
"CgaHelper"="c:\program files\CyberGatekeeper Agent\cgahelp.exe" [2010-02-16 106560]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2009-12-3 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-03 15:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 15:51 8704 ----a-w- c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\0\0]
"Script"=InterfaceMetric.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\1\0]
"Script"=EFS_LS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\2\0]
"Script"=DelWhlCach3.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\winnt\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\winnt\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GlobeTrotter Connect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GlobeTrotter Connect.lnk
backup=c:\winnt\pss\GlobeTrotter Connect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 05:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 10:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2009-10-09 23:58 883272 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 21:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-09-21 21:34 1206544 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2009-09-21 21:49 1392640 ----a-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Forefront UAG\\Endpoint Components\\3.1.0\\WhlClnt3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

R0 vmscsi;vmscsi;c:\winnt\system32\drivers\vmscsi.sys [1/14/2009 9:28 AM 10880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 CafeDrv;CafeDrv NDIS Protocol Driver;c:\winnt\system32\drivers\CafeDrv.sys [10/28/2009 11:36 AM 29568]
R2 CGAgent;CyberGatekeeper Agent;c:\program files\CyberGatekeeper Agent\cgasvc.exe [2/16/2010 5:07 PM 81982]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 8:41 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 8:41 PM 21352]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 3:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [10/22/2009 6:31 PM 69512]
R2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [4/30/2008 5:52 PM 200704]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 10:14 AM 134656]
R2 psginasvc;Password Manager Logon Management Service;c:\program files\P-Synch\Clients\service\psginasvc.exe [7/8/2009 1:50 PM 585728]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [12/1/2009 7:47 AM 108160]
R3 cvusbdrv;Broadcom USH CV;c:\winnt\system32\drivers\cvusbdrv.sys [12/1/2009 7:52 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [11/12/2008 9:33 AM 244368]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\winnt\system32\drivers\Gt51Ip.sys [7/7/2008 2:29 PM 106112]
R3 GT72UBUS;GT 72 U BUS;c:\winnt\system32\drivers\gt72ubus.sys [8/20/2008 3:49 PM 59008]
R3 Iexim;Infoexpress Generic Network Filter Service;c:\winnt\system32\drivers\iexim.sys [12/8/2009 10:17 AM 31232]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\winnt\system32\drivers\IntcHdmi.sys [12/1/2009 7:49 AM 110080]
R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [11/5/2010 11:26 AM 21384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/2/2010 2:41 PM 136176]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 5:59 PM 121416]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\winnt\DOWNLO~1\DMService.exe [11/5/2010 11:24 AM 468368]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\winnt\system32\drivers\swnc8u56.sys [4/7/2009 11:37 AM 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\winnt\system32\drivers\swumx56.sys [4/7/2009 11:37 AM 148096]
S3 whliocsv;Microsoft Forefront UAG SSL Network Tunneling Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whliocsv.exe [11/5/2010 11:26 AM 156048]
S3 WinRM;Windows Remote Management (WS-Management);c:\winnt\system32\svchost.exe -k WINRM [1/13/2009 8:04 PM 14336]
S4 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [11/5/2010 11:25 AM 149904]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25
*Deregistered* - uftdapob

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2010-09-09 13:36 124928 ----a-w- c:\winnt\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 20:41]

2010-12-20 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 20:41]

2010-12-20 c:\winnt\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-20 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-20 c:\winnt\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-12-20 c:\winnt\Tasks\User_Feed_Synchronization-{5DB2A058-6A4B-4593-80F8-C95C73691C34}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]

2010-12-20 c:\winnt\Tasks\User_Feed_Synchronization-{67B1C9E0-7BD3-4FD7-9AE6-D0A287583655}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aponline.apci.com
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: c:\progra~1\MIC3C8~1\ENDPOI~1\31265D~1.0\WhlLSP.dll
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\QlikView\QvProtocol\Qvp.dll
DPF: {A67EE2D0-D7C7-4ADE-96E5-7AE17AFBEDE2} - hxxp://meup1/softwarerequest/srsinstall.cab
.
.
------- File Associations -------
.
JSEFile=c:\winnt\system32\Notepad.exe "%1" %*
vbsfile\shell\edit\command=c:\winnt\system32\Notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 16:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1828)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\winnt\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\winnt\system32\netprovcredman.dll
c:\program files\P-Synch\Clients\service\ginasvc.dll

- - - - - - - > 'explorer.exe'(1700)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-20 16:53:12
ComboFix-quarantined-files.txt 2010-12-20 22:53
ComboFix2.txt 2010-12-20 20:32
ComboFix3.txt 2010-12-16 03:17
ComboFix4.txt 2010-11-10 17:08
ComboFix5.txt 2010-12-20 22:45

Pre-Run: 110,304,919,552 bytes free
Post-Run: 110,305,284,096 bytes free

- - End Of File - - 6F025AE7595418A15E4CF00592FD50F7


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-20 21:53:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160412ASG rev.0003SDM1
Running: 7k5rtd0g.exe; Driver: C:\DOCUME~1\robertwa\LOCALS~1\Temp\uftdapob.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Apricorn Snapshot API/Apricorn)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#14 warob

warob
  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:12 AM

Posted 21 December 2010 - 08:32 AM

I also ran Malwarebytes. Here is that log:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5364

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/21/2010 7:26:46 AM
mbam-log-2010-12-21 (07-26-46).txt

Scan type: Full scan (C:\|)
Objects scanned: 323189
Time elapsed: 1 hour(s), 2 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\localservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\whitesmoketranslator (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\localservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\whitesmoketoolbar\preferences.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\whitesmoketranslator\stat.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:12 AM

Posted 21 December 2010 - 10:31 AM

Hello.

It looks like everything got cleaned again. Please re-enable your security programs.

Run your computer for a couple days and tell me if anything comes up.

With Regards,
The Panda



