
Disinfected Trojan.Bubnix and Rootkit.Win32.TDSS.tdl4. Still have Win32.Palevo


18 replies to this topic

#1 jeffreyj

Posted 21 January 2011 - 01:07 AM

Hi

Wanted to start off by saying you guys in this forum are awesome. Thanks for all your help and expertise, you guys are honestly a godsend. I say this because following someone else's case in the forums has helped me. I was on the verge of formatting and re-installing and now my computer is usable. :)

The viruses that had been causing blue screens for the last three days have pretty much all stopped now. The only issue I have now is that sometimes my computer slows right down. When watching videos or listening to audio it would drag, stagger and pause. I have not used any other programs yet, so I haven't seen the effects in anything other than my internet browser. Perhaps the GMER scan took longer as well. Task Manager shows CPU and memory usage as quite normal and not peaking.

The steps I have used up to this point:
1. Scanned with Microsoft Security Essentials. Detected Trojan:Win32.RimecudA
2. Scanned with Kaspersky Rescue Disk. Removed quite a few things. I think I have logs.
3. Scanned with Malwarebytes' Anti-Malware.
It couldn't remove Trojan.Bubnix, which appeared as a chmnoti.sys file in my Windows/System32/drivers folder. It would say it needed to restart the computer, and upon restarting the file would still be in there.
I moved it onto my Ubuntu desktop and it's still there at the moment. Probably not the best way to do it, but I'm going to assume it's not going to do anything sitting there for now.

After this, the blue screens would still appear whenever I opened an Explorer window. So whenever I tried to browse files, it would crash. It said it was due to iaStor.sys.

4. Used TDSSKiller.
It picked up and cured Rootkit.Win32.TDSS.tdl4.
I've got logs.

5. Used ComboFix.
I've got logs.
I followed someone else's case on the use of TDSSKiller and ComboFix.

6. Installed and used Spybot S&D.
It says it needs to restart to delete Win32.Palevo. I thought I would check here first.

I've never been stung so badly, so I'm wary now and going to be much more careful. But lastly I had a question about firewalls. Is the Microsoft firewall enough? Or should I install something like Comodo as well?

Kind of done things backwards. My DDS file is below. Thanks heaps.

---

DDS (Ver_10-12-12.02) - NTFSx86
Run by Jeffrey at 19:02:10.67 on Fri 21/01/2011
Internet Explorer: 9.0.7930.16406
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.64.1033.18.1912.473 [GMT 13:00]

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Workrave] c:\program files\workrave\lib\workrave.exe
uRun: [PTT] "c:\program files\true time tracker\ttt.exe" silent
uRun: [Google Update] "c:\users\jeffrey\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\users\jeffrey\appdata\roaming\micros~1\windows\startm~1\programs\startup\spoons~1.lnk - c:\users\jeffrey\appdata\local\spoon\3.24.0.1\Spoon-Sandbox-Native.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rescue~1.lnk - c:\program files\rescuetime\RescueTime.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: QQ - c:\program files\tencent\qqintl\bin\AddEmotion.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: c:\windows\system32\idmmbc.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\jeffrey\appdata\roaming\mozilla\firefox\profiles\rn1paafc.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\jeffrey\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - component: c:\users\jeffrey\appdata\roaming\mozilla\firefox\profiles\rn1paafc.default\extensions\firesheep@codebutler.com\platform\winnt_x86-msvc\components\mozpopen.dll
FF - component: c:\users\jeffrey\appdata\roaming\mozilla\firefox\profiles\rn1paafc.default\extensions\jsobrier@zscaler.com\platform\winnt_x86-msvc\components\mozpopen.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\jeffrey\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\jeffrey\appdata\local\spoon\3.24.0.1\npMozillaSpoonPlugin.dll
FF - plugin: c:\users\jeffrey\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\jeffrey\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com
FF - Ext: HTTPS-Everywhere: https-everywhere@eff.org - %profile%\extensions\https-everywhere@eff.org
FF - Ext: BlackSheep: jsobrier@zscaler.com - %profile%\extensions\jsobrier@zscaler.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Better Facebook!: betterfacebook@mattkruse.com - %profile%\extensions\betterfacebook@mattkruse.com
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\users\jeffrey\appdata\roaming\idm\idmmzcc3

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 DisplayLinkService;DisplayLinkManager;c:\program files\displaylink core software\DisplayLinkManager.exe [2010-3-30 5096808]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168]
R2 iReboot;iReboot Background Service;c:\program files\neosmart technologies\ireboot\iRebootd.exe [2009-9-15 17408]
R2 ScrybeUpdater;Scrybe Updater;c:\program files\scrybe\service\ScrybeUpdater.exe [2010-3-4 1300992]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-4-12 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-3-24 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-13 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-3-10 25112]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-6 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

=============== File Associations ===============

.txt=

=============== Created Last 30 ================

2011-01-21 03:31:03 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-21 02:50:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-21 02:50:56 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-01-20 22:55:55 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-01-20 22:55:55 -------- d-----w- c:\program files\EULAlyzer
2011-01-20 22:09:59 -------- d-sh--w- C:\$RECYCLE.BIN
2011-01-20 10:07:47 -------- d-----w- c:\windows\system32\drivers\New folder
2011-01-20 09:10:25 -------- d-----w- c:\users\jeffrey\appdata\roaming\Malwarebytes
2011-01-20 09:10:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-20 09:10:06 -------- d-----w- c:\progra~2\Malwarebytes
2011-01-20 09:10:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-20 09:10:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-19 17:32:45 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-01-19 00:41:41 -------- d-----w- c:\windows\system32\%LocalAppData%
2011-01-18 10:45:41 141824 --sha-r- c:\windows\system32\pnrpsvci.dll
2011-01-18 10:45:30 763392 ----a-w- c:\windows\system32\drivers\new folder\chmnoti.sys
2011-01-18 09:40:16 -------- d-----w- C:\found.000
2011-01-17 21:16:06 -------- d-----w- c:\progra~2\Datos de programa

==================== Find3M ====================

============= FINISH: 19:03:30.47 ===============

Forgot to attach my attach.txt to my first post so it's attached to this one.

---

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-21 19:00:21
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.RS01
Running: gmer.exe; Driver: C:\Users\Jeffrey\AppData\Local\Temp\uwtdqaod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8365D599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83681F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spkf.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 9024CCA0 5 Bytes JMP 8715E1D8
.text avhma75x.SYS 90FA3000 12 Bytes [44, F8, A2, 83, EE, F6, A2, ...]
.text avhma75x.SYS 90FA300D 9 Bytes [D7, A2, 83, 48, FB, A2, 83, ...] {XLATB ; MOV [0xa2fb4883], AL; ADD DWORD [EAX], 0x0}
.text avhma75x.SYS 90FA3017 170 Bytes [00, DE, 67, 12, 89, E6, 65, ...]
.text avhma75x.SYS 90FA30C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text avhma75x.SYS 90FA30CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtTerminateProcess 77925D30 5 Bytes JMP 007071C2
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtTranslateFilePath 77925DA0 5 Bytes JMP 00709510
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtUnloadKey 77925DD0 5 Bytes JMP 00704EE2
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtUnloadKey2 77925DE0 5 Bytes JMP 00704E85
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtUnloadKeyEx 77925DF0 5 Bytes JMP 00704E28
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtUnlockFile 77925E00 5 Bytes JMP 0070972C
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtUnmapViewOfSection 77925E20 5 Bytes JMP 0070314A
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtWaitForMultipleObjects 77925E60 5 Bytes JMP 00708306
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtWaitForSingleObject 77925E80 5 Bytes JMP 0070829A
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtWriteFile 77925ED0 5 Bytes JMP 007096BA
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!NtWriteFileGather 77925EE0 5 Bytes JMP 00709648
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ntdll.dll!LdrGetDllHandle 7793E826 5 Bytes JMP 00706612
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!SetConsoleTitleW 764C375B 1 Byte [E9]
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!SetConsoleTitleW 764C375B 5 Bytes JMP 0070706C
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!QueryActCtxW 764C5AF8 5 Bytes JMP 00710CEB
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!CreateActCtxW 764C75A3 5 Bytes JMP 00710C14
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!ExitProcess 764D2AEF 5 Bytes JMP 00707186
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!CreateProcessInternalW 764D42CE 5 Bytes JMP 00707CB6
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!GetConsoleTitleW 764DF353 5 Bytes JMP 00706FCA
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!SetConsoleTitleA 7652B35F 5 Bytes JMP 00706F2F
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] kernel32.dll!GetConsoleTitleA 7652B909 5 Bytes JMP 00706E77
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!EnumDependentServicesW 76B71EC8 5 Bytes JMP 007021ED
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!QueryServiceStatusEx 76B78632 5 Bytes JMP 00701CBD
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!StartServiceW 76B78A9B 5 Bytes JMP 00701824
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!StartServiceCtrlDispatcherW 76B7AC43 5 Bytes JMP 00701916
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!RegisterServiceCtrlHandlerW 76B7AC73 5 Bytes JMP 00701BD7
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!RegisterServiceCtrlHandlerExW 76B7ACBE 5 Bytes JMP 00701AEB
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!SetServiceStatus 76B7B70C 5 Bytes JMP 007019FC
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!EnumServicesStatusExW 76B7BC43 5 Bytes JMP 0070160F
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!OpenSCManagerW 76B7D1F5 5 Bytes JMP 0070159F
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!OpenServiceW 76B7D20D 5 Bytes JMP 00701F96
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!QueryServiceConfigW 76B7D225 5 Bytes JMP 00701EA4
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!QueryServiceStatus 76B83A84 5 Bytes JMP 00701D39
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!OpenServiceA 76B83B15 5 Bytes JMP 007024E1
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!OpenSCManagerA 76B83B2D 5 Bytes JMP 007015D7
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!CloseServiceHandle 76B89A61 5 Bytes JMP 00702477
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!CreateServiceW 76B9DBC1 5 Bytes JMP 00701778
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!ControlService 76B9DC74 5 Bytes JMP 00702401
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!DeleteService 76B9DC8C 5 Bytes JMP 00701743
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!GetServiceKeyNameW 76B9DF7F 5 Bytes JMP 007020FB
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!GetServiceDisplayNameW 76B9E03B 5 Bytes JMP 00702009
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!QueryServiceConfigA 76B9F1FF 5 Bytes JMP 00701F1D
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!StartServiceA 76B9F217 5 Bytes JMP 0070189D
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!EnumServicesStatusExA 76B9F7BE 5 Bytes JMP 0070165F
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!ChangeServiceConfigA 76BB20B0 5 Bytes JMP 00702376
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!ChangeServiceConfigW 76BB20C0 5 Bytes JMP 007022EB
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!CreateServiceA 76BB2120 5 Bytes JMP 007017CE
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!QueryServiceConfig2A 76BB23B1 5 Bytes JMP 00701E28
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!QueryServiceConfig2W 76BB23C1 5 Bytes JMP 00701DAC
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!QueryServiceObjectSecurity 76BB23D1 5 Bytes JMP 0070155E
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!RegisterServiceCtrlHandlerA 76BB248B 5 Bytes JMP 00701C4A
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!RegisterServiceCtrlHandlerExA 76BB249B 5 Bytes JMP 00701B61
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!SetServiceObjectSecurity 76BB24FB 5 Bytes JMP 00701523
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!StartServiceCtrlDispatcherA 76BB250B 5 Bytes JMP 00701989
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!GetServiceKeyNameA 76BD0276 5 Bytes JMP 00702174
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!GetServiceDisplayNameA 76BD0319 5 Bytes JMP 00702082
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!EnumServicesStatusA 76BD0709 5 Bytes JMP 007016F9
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!EnumDependentServicesA 76BD07EC 5 Bytes JMP 0070226C
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!SetServiceBits 76BD08D3 5 Bytes JMP 00701A72
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] advapi32.dll!EnumServicesStatusW 76BD0909 5 Bytes JMP 007016AF
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] GDI32.dll!GdiAddFontResourceW 761CDDAA 5 Bytes JMP 0070762C
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] GDI32.dll!RemoveFontResourceExW 761EED34 5 Bytes JMP 007074F1
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!GetWindowTextA 763B70ED 5 Bytes JMP 0071071B
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!FindWindowExA 763B7184 5 Bytes JMP 0071063A
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!FindWindowA 763BA818 5 Bytes JMP 007106D2
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!FindWindowW 763BCF04 5 Bytes JMP 00710689
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!GetWindowTextW 763BD9F6 5 Bytes JMP 007108C6
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!SetWindowsHookExW 763C210A 5 Bytes JMP 007104D3
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!SetWindowTextW 763C8267 5 Bytes JMP 00710988
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!SetWindowTextA 763E236A 5 Bytes JMP 007107F3
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!SetWindowsHookExA 763E6DFA 5 Bytes JMP 0071055F
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] USER32.dll!FindWindowExW 763E7069 5 Bytes JMP 007105EB
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoResumeClassObjects + 7 75E0E5F4 5 Bytes JMP 0070F42A
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoRegisterClassObject 75E1121D 5 Bytes JMP 0070F4BF
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoRevokeClassObject 75E12A9D 5 Bytes JMP 0070F453
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoGetClassObject 75E3A394 5 Bytes JMP 0070F56D
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoCreateInstance 75E5590C 3 Bytes JMP 0070F675
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoCreateInstance + 4 75E55910 1 Byte [8A]
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoCreateInstanceEx 75E5594F 3 Bytes JMP 0070F5EE
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoCreateInstanceEx + 4 75E55953 1 Byte [8A]
.text C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe[5080] ole32.dll!CoGetInstanceFromFile 75EC149A 5 Bytes JMP 0070F83E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8624A1F8
Device \FileSystem\fastfat \FatCdrom 85ED7500
Device \Driver\NetBT \Device\NetBT_Tcpip_{D73F0022-972C-4AF5-A630-2A512666317A} 86FEF1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 862441F8
Device \Driver\usbuhci \Device\USBPDO-0 871611F8
Device \Driver\usbuhci \Device\USBPDO-1 871611F8
Device \Driver\usbuhci \Device\USBPDO-2 871611F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4D2BBDDB-91AD-459C-B4EB-BE67A6829E57} 86FEF1F8
Device \Driver\usbehci \Device\USBPDO-3 87176500
Device \Driver\usbuhci \Device\USBPDO-4 871611F8
Device \Driver\usbuhci \Device\USBPDO-5 871611F8
Device \Driver\usbuhci \Device\USBPDO-6 871611F8
Device \Driver\volmgr \Device\HarddiskVolume1 862441F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 87176500
Device \Driver\volmgr \Device\HarddiskVolume2 862441F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 820A8500
Device \Driver\iaStor \Device\Ide\iaStor0 [892CD620] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 862471F8
Device \Driver\atapi \Device\Ide\IdePort1 862471F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [892CD620] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\volmgr \Device\HarddiskVolume3 862441F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 820A8500
Device \Driver\NetBT \Device\NetBT_Tcpip_{C084C9A0-24FE-46A9-BD07-03074440DA58} 86FEF1F8
Device \Driver\USBSTOR \Device\000000a8 878A61F8
Device \Driver\USBSTOR \Device\000000a9 878A61F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86FEF1F8
Device \Driver\sptd \Device\2664211061 spkf.sys
Device \Driver\ACPI_HAL \Device\0000005c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000097 878A61F8
Device \Driver\USBSTOR \Device\00000098 878A61F8
Device \Driver\usbuhci \Device\USBFDO-0 871611F8
Device \Driver\usbuhci \Device\USBFDO-1 871611F8
Device \Driver\usbuhci \Device\USBFDO-2 871611F8
Device \Driver\usbehci \Device\USBFDO-3 87176500
Device \Driver\PCI_PNP5058 \Device\0000006f spkf.sys
Device \Driver\usbuhci \Device\USBFDO-4 871611F8
Device \Driver\usbuhci \Device\USBFDO-5 871611F8
Device \Driver\usbuhci \Device\USBFDO-6 871611F8
Device \Driver\usbehci \Device\USBFDO-7 87176500
Device \Driver\avhma75x \Device\Scsi\avhma75x1Port3Path0Target0Lun0 872192F8
Device \Driver\avhma75x \Device\Scsi\avhma75x1 872192F8
Device \FileSystem\fastfat \Fat 85ED7500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\__Xenocode\x86\vmx.dll (*** hidden *** ) @ C:\Users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox.exe [5080] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e197185
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e197185@001d28afa1eb 0x9A 0xBB 0x6F 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x99 0xF7 0x13 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0x72 0x78 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x18 0x5F 0x15 0x3F ...
Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\00247e197185 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\00247e197185@001d28afa1eb 0x9A 0xBB 0x6F 0x1F ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x99 0xF7 0x13 0x07 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0x72 0x78 0x7F ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x18 0x5F 0x15 0x3F ...

---- EOF - GMER 1.0.15 ----

EDIT: Posts merged ~BP

Edited by Budapest, 23 January 2011 - 04:22 PM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:51 PM

Posted 26 January 2011 - 07:50 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 jeffreyj

jeffreyj
  • Topic Starter

  • Members
  • 14 posts
  • Local time:03:51 AM

Posted 27 January 2011 - 03:48 AM

Hi m0le,
I'm here and ready to go. Thanks heaps.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:51 PM

Posted 27 January 2011 - 11:51 AM

MBAM knows Palevo so let's start there.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#5 jeffreyj

jeffreyj
  • Topic Starter

  • Members
  • 14 posts
  • Local time:03:51 AM

Posted 29 January 2011 - 07:55 PM

Here's my MBAM log. Last time it was only spybot that picked up palevo though.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5635

Windows 6.1.7600
Internet Explorer 9.0.7930.16406

30/01/2011 1:42:30 p.m.
mbam-log-2011-01-30 (13-42-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 426474
Time elapsed: 2 hour(s), 40 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Jeffrey\downloads\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Jeffrey\downloads\patch-serials\loquendo_tts_text-to-speech_no-license-key-needed_all-voices-patch_crack_serial_version_6-by_war_hammer.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Jeffrey\downloads\patch-serials\_patch.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Public\documents\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:51 PM

Posted 29 January 2011 - 08:18 PM

Next please run Combofix for me. Update if it requests it, and post the log.

5. Used ComboFix.
I've got logs.
I followed someone else's case on the use of TDSSKiller and ComboFix.


You should not use this program without assistance.

If you no longer have the Combofix program then download it from the links below

Please download ComboFix from one of these locations:
m0le is a proud member of UNITE

#7 jeffreyj

jeffreyj
  • Topic Starter

  • Members
  • 14 posts
  • Local time:03:51 AM

Posted 29 January 2011 - 08:46 PM

Here's my combofix log.

ComboFix 11-01-28.03 - Jeffrey 30/01/2011 14:29:17.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.64.1033.18.1912.450 [GMT 13:00]
Running from: c:\users\Jeffrey\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-30 )))))))))))))))))))))))))))))))
.

2011-01-30 01:41 . 2011-01-30 01:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-20 10:07 . 2011-01-20 10:19 -------- d-----w- c:\windows\system32\drivers\New folder
2011-01-20 09:10 . 2011-01-20 09:10 -------- d-----w- c:\users\Jeffrey\AppData\Roaming\Malwarebytes
2011-01-20 09:10 . 2010-12-20 05:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-20 09:10 . 2011-01-20 09:10 -------- d-----w- c:\programdata\Malwarebytes
2011-01-20 09:10 . 2010-12-20 05:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-20 09:10 . 2011-01-20 10:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-19 17:32 . 2011-01-21 08:27 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-01-19 00:41 . 2011-01-19 00:41 -------- d-----w- c:\windows\system32\%LocalAppData%
2011-01-18 10:45 . 2011-01-18 10:45 141824 --sha-r- c:\windows\system32\pnrpsvci.dll
2011-01-18 09:40 . 2011-01-18 09:40 -------- d-----w- C:\found.000
2011-01-17 21:16 . 2011-01-17 21:16 -------- d-----w- c:\programdata\Datos de programa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-03 07:16 . 2010-04-25 23:22 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-12-21 05:14 . 2010-10-09 01:02 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-11-10 04:33 . 2010-12-17 20:03 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C78EA807-08D7-4F98-AF42-4DA70DA5E1CC}\mpengine.dll
2010-11-02 04:41 . 2010-12-16 04:45 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40 . 2010-12-16 04:45 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40 . 2010-12-16 04:45 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39 . 2010-12-16 04:45 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34 . 2010-12-16 04:45 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34 . 2010-12-16 04:45 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-11-01 23:03 . 2010-11-24 18:29 1448448 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-01 22:59 . 2010-11-24 18:29 2381824 ----a-w- c:\windows\system32\mshtml.tlb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Folder)]
@="{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}"
[HKEY_CLASSES_ROOT\CLSID\{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Fully Synced)]
@="{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}"
[HKEY_CLASSES_ROOT\CLSID\{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Not Latest Version)]
@="{284C090F-EB1D-4A6E-872E-6DB72E417E24}"
[HKEY_CLASSES_ROOT\CLSID\{284C090F-EB1D-4A6E-872E-6DB72E417E24}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Shared Folder)]
@="{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}"
[HKEY_CLASSES_ROOT\CLSID\{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Workrave"="c:\program files\Workrave\lib\workrave.exe" [2009-10-24 3661312]
"PTT"="c:\program files\True Time Tracker\ttt.exe" [2010-09-01 5517312]
"Google Update"="c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-23 349240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-10 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-10 167448]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-15 358936]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-01-08 186904]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-08-31 499768]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-08 976832]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

c:\users\Jeffrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-17 23343848]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
Spoon Sandbox Manager 3.24.lnk - c:\users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox-Native.exe [2010-12-10 268536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2010-7-27 546360]
RescueTime.lnk - c:\program files\RescueTime\RescueTime.exe [2010-7-24 2401792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
backup=c:\windows\pss\BumpTop.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DRSpawner.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DRSpawner.lnk
backup=c:\windows\pss\DRSpawner.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^iReboot 1.1.1.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\iReboot 1.1.1.lnk
backup=c:\windows\pss\iReboot 1.1.1.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Scrybe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Scrybe.lnk
backup=c:\windows\pss\Scrybe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jeffrey^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Jeffrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 01:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
2010-06-26 00:15 1311312 ----a-w- c:\program files\Logitech\SetPointP\SetPoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-15 21:19 136176 ----atw- c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2010-06-05 09:48 3220912 ----a-w- c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 00:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2010-03-15 13:58 718208 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QQIntl]
2010-04-01 01:25 144712 ----a-w- c:\program files\Tencent\QQIntl\Bin\QQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-10 22:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RESTART_STICKY_NOTES]
2009-07-14 01:14 354304 ----a-w- c:\windows\System32\StikyNot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Syncplicity]
2010-01-28 05:51 655360 ----a-w- c:\program files\Syncplicity\Syncplicity.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-04-28 18:15 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

R0 chmnoti;chmnoti; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 135664]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-03-09 25112]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-24 30969208]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-30 691696]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2010-03-30 5096808]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-02-26 26168]
S2 iReboot;iReboot Background Service;c:\program files\NeoSmart Technologies\iReboot\iRebootd.exe [2009-09-15 17408]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-07-16 35088]
S2 ScrybeUpdater;Scrybe Updater;c:\program files\Scrybe\Service\ScrybeUpdater.exe [2010-03-03 1300992]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-15 2058776]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-04 228408]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-12 221912]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 03:09]

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 03:09]

2011-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3391761166-2221013143-1072058866-1001Core.job
- c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-13 21:19]

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3391761166-2221013143-1072058866-1001UA.job
- c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-13 21:19]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: QQ - c:\program files\Tencent\QQIntl\Bin\AddEmotion.htm
LSP: c:\windows\system32\idmmbc.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Jeffrey\AppData\Roaming\Mozilla\Firefox\Profiles\rn1paafc.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com
FF - Ext: HTTPS-Everywhere: https-everywhere@eff.org - %profile%\extensions\https-everywhere@eff.org
FF - Ext: BlackSheep: jsobrier@zscaler.com - %profile%\extensions\jsobrier@zscaler.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Better Facebook!: betterfacebook@mattkruse.com - %profile%\extensions\betterfacebook@mattkruse.com
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\users\Jeffrey\AppData\Roaming\IDM\idmmzcc3
.
.
------- File Associations -------
.
.txt=
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3391761166-2221013143-1072058866-1001_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c5,22,9b,cd,0f,77,7b,28,42,a1,58,82,ca,3d,96,f9,92,b8,fb,3b,13,
22,f5,d0,2d,54,c9,3c,0b,b6,b3,30,00,07,ad,0b,2f,09,0a,03,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-3391761166-2221013143-1072058866-1001_Classes\CLSID\{97c30fb0-16ff-45c9-a66d-98a6f8366c81}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000db
"Therad"=dword:00000009
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-30 14:44:11
ComboFix-quarantined-files.txt 2011-01-30 01:44
ComboFix2.txt 2011-01-20 22:09

Pre-Run: 3,305,480,192 bytes free
Post-Run: 3,372,417,024 bytes free

- - End Of File - - AEF4D5068A902EC9D2F8EC6933E16F78

#8 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 January 2011 - 09:06 PM

Please rerun Combofix as shown below

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the box below into it:

Driver::
chmnoti


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update ComboFix, then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
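A check for what the post above is doing, added here as an example (it is neither m0le's code nor part of ComboFix): it parses the R*/S* service and driver lines of a ComboFix log, flags entries whose image is marked `[x]` (the assumption being that ComboFix prints `[x]` where the file is not on disk, as in the `R0 chmnoti;chmnoti; [x]` line of the first log), diffs two runs to confirm a removal, and builds the equivalent `Driver::` script. The sample lines are constructed to match the shape of the logs in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the R*/S* lines in the ComboFix logs above:
# the first run still lists chmnoti, the second run no longer does.
BEFORE_LOG = r"""
R0 chmnoti;chmnoti; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 135664]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-30 691696]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-07-16 35088]
"""

AFTER_LOG = r"""
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 135664]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-30 691696]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-07-16 35088]
"""

# One ComboFix service/driver line:
#   <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped. Start type 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled.
# Assumption: where ComboFix cannot find the image on disk it prints "[x]" instead of date/size.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    running: bool
    start_type: int
    image_missing: bool  # True when the log shows "[x]" instead of a date and size


def parse_services(log_text: str) -> Dict[str, ServiceEntry]:
    """Parse every R*/S* line of a ComboFix log into a dict keyed by service name."""
    entries: Dict[str, ServiceEntry] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings, registry keys and file lists are not service lines
        entries[m["name"]] = ServiceEntry(
            name=m["name"],
            display=m["display"],
            path=m["path"],
            running=(m["state"] == "R"),
            start_type=int(m["start"]),
            image_missing=(m["meta"].strip().lower() == "x"),
        )
    return entries


def orphaned_entries(entries: Dict[str, ServiceEntry]) -> List[str]:
    """Names of services still registered in the SCM whose image is not on disk.

    A boot-start driver entry with no file behind it is the kind of leftover a
    rootkit clean-up leaves; it is the pattern the Driver:: script above targets.
    """
    return sorted(name for name, e in entries.items() if e.image_missing)


def diff_runs(before_log: str, after_log: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) service names between two ComboFix runs."""
    before = set(parse_services(before_log))
    after = set(parse_services(after_log))
    return sorted(before - after), sorted(after - before)


def removal_script(service_names: List[str]) -> str:
    """Build the CFScript.txt text for ComboFix's Driver:: directive, one name per line."""
    return "Driver::\n" + "".join(f"{n}\n" for n in service_names)


if __name__ == "__main__":
    first = parse_services(BEFORE_LOG)
    for name in orphaned_entries(first):
        e = first[name]
        print(f"orphan: {name} ({START_TYPES.get(e.start_type, '?')} start, "
              f"{'running' if e.running else 'stopped'}, no image on disk)")
    removed, added = diff_runs(BEFORE_LOG, AFTER_LOG)
    print("removed between runs:", removed, "added:", added)
    print(removal_script(removed), end="")
```

Run it against the two full logs in this thread and the only name that disappears between runs should be chmnoti, matching the `-------\Service_chmnoti` line in the second log.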

#9 jeffreyj

  • Topic Starter

  • Members
  • 14 posts

Posted 29 January 2011 - 11:04 PM

Man you're real quick. How did you get started in doing this?

ComboFix 11-01-28.03 - Jeffrey 30/01/2011 15:39:14.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.64.1033.18.1912.822 [GMT 13:00]
Running from: c:\users\Jeffrey\Desktop\ComboFix.exe
Command switches used :: c:\users\Jeffrey\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CHMNOTI
-------\Service_chmnoti


((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-30 )))))))))))))))))))))))))))))))
.

2011-01-30 02:47 . 2011-01-30 02:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-23 21:09 . 2011-01-23 21:09 401408 ----a-w- c:\windows\system32\wget.exe
2011-01-21 08:30 . 2011-01-21 08:30 -------- d-----w- c:\users\Jeffrey\AppData\Roaming\WordWeb
2011-01-21 03:31 . 2011-01-21 03:31 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-21 02:50 . 2011-01-21 03:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-01-21 02:50 . 2011-01-21 02:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-20 22:55 . 2011-01-20 22:55 -------- d-----w- c:\program files\EULAlyzer
2011-01-20 22:55 . 2005-08-25 05:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-01-20 10:07 . 2011-01-20 10:19 -------- d-----w- c:\windows\system32\drivers\New folder
2011-01-20 09:10 . 2011-01-20 09:10 -------- d-----w- c:\users\Jeffrey\AppData\Roaming\Malwarebytes
2011-01-20 09:10 . 2010-12-20 05:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-20 09:10 . 2011-01-20 09:10 -------- d-----w- c:\programdata\Malwarebytes
2011-01-20 09:10 . 2010-12-20 05:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-20 09:10 . 2011-01-20 10:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-19 17:32 . 2011-01-21 08:27 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-01-19 00:41 . 2011-01-19 00:41 -------- d-----w- c:\windows\system32\%LocalAppData%
2011-01-18 10:45 . 2011-01-18 10:45 141824 --sha-r- c:\windows\system32\pnrpsvci.dll
2011-01-18 09:40 . 2011-01-18 09:40 -------- d-----w- C:\found.000
2011-01-17 21:16 . 2011-01-17 21:16 -------- d-----w- c:\programdata\Datos de programa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-03 07:16 . 2010-04-25 23:22 2828 --sha-w- c:\programdata\KGyGaAvL.sys
2010-12-21 05:14 . 2010-10-09 01:02 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-11-10 04:33 . 2010-12-17 20:03 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C78EA807-08D7-4F98-AF42-4DA70DA5E1CC}\mpengine.dll
2010-11-02 04:41 . 2010-12-16 04:45 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40 . 2010-12-16 04:45 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40 . 2010-12-16 04:45 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39 . 2010-12-16 04:45 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34 . 2010-12-16 04:45 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34 . 2010-12-16 04:45 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-11-01 23:03 . 2010-11-24 18:29 1448448 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-01 22:59 . 2010-11-24 18:29 2381824 ----a-w- c:\windows\system32\mshtml.tlb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Folder)]
@="{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}"
[HKEY_CLASSES_ROOT\CLSID\{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Fully Synced)]
@="{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}"
[HKEY_CLASSES_ROOT\CLSID\{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Not Latest Version)]
@="{284C090F-EB1D-4A6E-872E-6DB72E417E24}"
[HKEY_CLASSES_ROOT\CLSID\{284C090F-EB1D-4A6E-872E-6DB72E417E24}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Shared Folder)]
@="{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}"
[HKEY_CLASSES_ROOT\CLSID\{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}]
2010-01-28 05:44 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Workrave"="c:\program files\Workrave\lib\workrave.exe" [2009-10-24 3661312]
"PTT"="c:\program files\True Time Tracker\ttt.exe" [2010-09-01 5517312]
"Google Update"="c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-23 349240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-10 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-10 167448]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-15 358936]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-01-08 186904]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-08-31 499768]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-08 976832]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

c:\users\Jeffrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-17 23343848]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
Spoon Sandbox Manager 3.24.lnk - c:\users\Jeffrey\AppData\Local\Spoon\3.24.0.1\Spoon-Sandbox-Native.exe [2010-12-10 268536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2010-7-27 546360]
RescueTime.lnk - c:\program files\RescueTime\RescueTime.exe [2010-7-24 2401792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BumpTop.lnk
backup=c:\windows\pss\BumpTop.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DRSpawner.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DRSpawner.lnk
backup=c:\windows\pss\DRSpawner.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^iReboot 1.1.1.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\iReboot 1.1.1.lnk
backup=c:\windows\pss\iReboot 1.1.1.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Scrybe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Scrybe.lnk
backup=c:\windows\pss\Scrybe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jeffrey^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Jeffrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 01:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
2010-06-26 00:15 1311312 ----a-w- c:\program files\Logitech\SetPointP\SetPoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-15 21:19 136176 ----atw- c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2010-06-05 09:48 3220912 ----a-w- c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 00:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2010-03-15 13:58 718208 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QQIntl]
2010-04-01 01:25 144712 ----a-w- c:\program files\Tencent\QQIntl\Bin\QQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-10 22:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RESTART_STICKY_NOTES]
2009-07-14 01:14 354304 ----a-w- c:\windows\System32\StikyNot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Syncplicity]
2010-01-28 05:51 655360 ----a-w- c:\program files\Syncplicity\Syncplicity.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-04-28 18:15 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-04 228408]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-03-09 25112]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-24 30969208]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-06 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-30 691696]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2010-03-30 5096808]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-02-26 26168]
S2 iReboot;iReboot Background Service;c:\program files\NeoSmart Technologies\iReboot\iRebootd.exe [2009-09-15 17408]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-07-16 35088]
S2 ScrybeUpdater;Scrybe Updater;c:\program files\Scrybe\Service\ScrybeUpdater.exe [2010-03-03 1300992]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-15 2058776]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-12 221912]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
Contents of the 'Scheduled Tasks' folder

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 03:09]

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-13 03:09]

2011-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3391761166-2221013143-1072058866-1001Core.job
- c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-13 21:19]

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3391761166-2221013143-1072058866-1001UA.job
- c:\users\Jeffrey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-13 21:19]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: QQ - c:\program files\Tencent\QQIntl\Bin\AddEmotion.htm
LSP: c:\windows\system32\idmmbc.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Jeffrey\AppData\Roaming\Mozilla\Firefox\Profiles\rn1paafc.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Firesheep: firesheep@codebutler.com - %profile%\extensions\firesheep@codebutler.com
FF - Ext: HTTPS-Everywhere: https-everywhere@eff.org - %profile%\extensions\https-everywhere@eff.org
FF - Ext: BlackSheep: jsobrier@zscaler.com - %profile%\extensions\jsobrier@zscaler.com
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Better Facebook!: betterfacebook@mattkruse.com - %profile%\extensions\betterfacebook@mattkruse.com
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\users\Jeffrey\AppData\Roaming\IDM\idmmzcc3
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3391761166-2221013143-1072058866-1001_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c5,22,9b,cd,0f,77,7b,28,42,a1,58,82,ca,3d,96,f9,92,b8,fb,3b,13,
22,f5,d0,2d,54,c9,3c,0b,b6,b3,30,00,07,ad,0b,2f,09,0a,03,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-3391761166-2221013143-1072058866-1001_Classes\CLSID\{97c30fb0-16ff-45c9-a66d-98a6f8366c81}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000db
"Therad"=dword:00000009
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2504)
c:\users\Jeffrey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\DisplayLink Core Software\DisplayLinkUserAgent.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-01-30 15:58:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-30 02:58
ComboFix2.txt 2011-01-30 01:44
ComboFix3.txt 2011-01-20 22:09

Pre-Run: 3,339,603,968 bytes free
Post-Run: 3,047,288,832 bytes free

- - End Of File - - DA96DFA0A3F3D314A6FF829B4C5D98EA

#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 January 2011 - 08:32 AM

Combofix shows nothing more. Removing the bubnix file from the driver's grasp actually worked really well. :clapping:

Please scan with ESET next

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [icon image] icon on your desktop.
  • Check [checkbox image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check [checkbox image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#11 jeffreyj
  • Topic Starter
  • Members
  • 14 posts

Posted 30 January 2011 - 11:16 PM

Oh, sweet as. Here's my log from my ESET scan:

C:\Users\Jeffrey\Downloads\Apps\the.many.faces.of.go.version.12.010.include.keygen-tsrh.zip a variant of Win32/Keygen.AN application deleted - quarantined
C:\Windows\System32\drivers\New folder\chmnoti.sys a variant of Win32/Bubnix.BH trojan cleaned by deleting - quarantined

#12 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 January 2011 - 07:11 PM

The first entry is a keygen.

Someone on this system was trying to access cracks or a 'keygen'. This is a certain way to attract malware to your system. As well as being illegal, 'cracks' and 'keygens' are often associated with or loaded with malware, and should be avoided (along with 'crack' sites).

The second is the chmnoti.sys driver file, which has been playing hide and seek.

Please rerun MBAM so that we can check that nothing has been replaced.

#13 jeffreyj
  • Topic Starter
  • Members
  • 14 posts

Posted 02 February 2011 - 04:47 PM

Hey, I think it's good. Here's my log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5661

Windows 6.1.7600
Internet Explorer 9.0.7930.16406

3/02/2011 10:32:29 a.m.
mbam-log-2011-02-03 (10-32-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 428635
Time elapsed: 3 hour(s), 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 February 2011 - 06:35 PM

I think we're good. How is the PC running?

#15 jeffreyj
  • Topic Starter
  • Members
  • 14 posts

Posted 05 February 2011 - 06:11 AM

Hmmm, things are pretty much normal. But I did a scan with Spybot again, and it's still detecting Palevo. I've printed the results.
Should I just click "Fix selected problems"?

Tencent.AdressBar: [SBI $58261404] Program directory (Directory, nothing done)
C:\Program Files\Tencent\
Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes
Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes
Win32.Palevo: [SBI $067C0FA0] User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\JP595IR86O
Win32.Palevo: [SBI $067C0FA0] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\JP595IR86O
HitBox: Tracking cookie (Internet Explorer: Jeffrey) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: Jeffrey) (Cookie, nothing done)

DoubleClick: Tracking cookie (Internet Explorer: Jeffrey) (Cookie, nothing done)

DoubleClick: Tracking cookie (Firefox: Jeffrey (default)) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2011-01-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-10-06 Includes\Adware.sbi (*)
2010-12-01 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2010-12-14 Includes\DialerC.sbi (*)
2010-01-26 Includes\HeavyDuty.sbi (*)
2010-12-01 Includes\Hijackers.sbi (*)
2010-12-01 Includes\HijackersC.sbi (*)
2010-06-02 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2010-12-14 Includes\KeyloggersC.sbi (*)
2004-11-30 Includes\LSP.sbi (*)
2010-12-14 Includes\Malware.sbi (*)
2011-01-19 Includes\MalwareC.sbi (*)
2010-05-19 Includes\PUPS.sbi (*)
2010-12-14 Includes\PUPSC.sbi (*)
2010-01-26 Includes\Revision.sbi (*)
2009-01-14 Includes\Security.sbi (*)
2010-12-14 Includes\SecurityC.sbi (*)
2008-06-04 Includes\Spybots.sbi (*)
2008-06-04 Includes\SpybotsC.sbi (*)
2011-01-18 Includes\Spyware.sbi (*)
2011-01-18 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-29 Includes\Trojans.sbi (*)
2011-01-18 Includes\TrojansC-02.sbi (*)
2011-01-14 Includes\TrojansC-03.sbi (*)
2011-01-12 Includes\TrojansC-04.sbi (*)
2011-01-18 Includes\TrojansC-05.sbi (*)
2010-12-29 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
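An added check, not part of the thread and not something either poster ran: ESET and MBAM both came back clean, so before clicking "Fix selected problems" it is worth confirming whether the registry keys Spybot attributes to Win32.Palevo still exist and what they hold. The key name JP595IR86O and the LowRiskFileTypes path are taken from the Spybot log above; HKU\.DEFAULT and HKU\S-1-5-18 are the same hive (the LocalSystem profile), so those two Palevo lines are one key reported twice. The extra HKCU lookup is an assumption, added because this bot family is also known for random-named keys in the logged-on user's hive. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Inspect the registry locations Spybot
# flagged instead of deleting them blind. Key name JP595IR86O comes from the
# Spybot log; the HKCU check is an assumption about where such keys also appear.

# HKEY_USERS is not exposed as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# .DEFAULT and S-1-5-18 resolve to the same hive, so a hit under both is one key.
$paths = @(
    'HKU:\.DEFAULT\Software\JP595IR86O',
    'HKU:\S-1-5-18\Software\JP595IR86O',
    'HKCU:\Software\JP595IR86O'            # assumption: same random key in the user hive
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "$p : not present (Spybot hit is stale or a false positive)"
        continue
    }
    $key = Get-Item -LiteralPath $p
    Write-Output "$p : PRESENT, $($key.ValueCount) value(s)"
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $val  = $key.GetValue($name)
        if ($kind -eq 'Binary') {
            # Bot config/C2 blobs are normally REG_BINARY; show length and a hex prefix.
            $hex = ($val | Select-Object -First 16 | ForEach-Object { $_.ToString('x2') }) -join ' '
            Write-Output "  [$kind] '$name' = $($val.Length) bytes: $hex ..."
        } else {
            Write-Output "  [$kind] '$name' = $val"
        }
    }
}

# Spybot's Fraud.Sysguard line points at LowRiskFileTypes in the same hive. That
# value suppresses the "Open File - Security Warning" prompt for the listed
# extensions, which is why it is treated as an indicator; show it if set.
$assoc = 'HKU:\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$lrft  = Get-ItemProperty -LiteralPath $assoc -Name LowRiskFileTypes -ErrorAction SilentlyContinue
if ($lrft) {
    Write-Output "LowRiskFileTypes = $($lrft.LowRiskFileTypes)"
} else {
    Write-Output 'LowRiskFileTypes: not set'
}
```

If the keys are absent, the Spybot report is a stale or duplicated detection and there is nothing to fix; if they exist and carry a binary blob, export the key (reg export) before letting Spybot remove it, so the data is available for comparison if the key reappears after a reboot.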