Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Intermittent google redirects


  • This topic is locked This topic is locked
24 replies to this topic

#1 Schwagg

Schwagg

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 17 February 2011 - 03:19 PM

Many (but not all) of my google searches are being redirected to hxxp://66-230-188-67/* or hxxp://pda(dot)mv(dot)bidsystem(dot)com/*. I have run mbam and superantispyware in safe mode, but the redirects continue. I also ran combofix (before I read the warning not to), but that didn't seem to help either. I would appreciate any help you experts can provide.

Here is dds.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 12:10:54.36 on Thu 02/17/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1432 [GMT -6:00]

AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {94A080DC-5CB5-4D7C-982D-F707ACC904D2}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
\\frg-fs1\public\it\Applications and ISOs\Malware Repair Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.0.17:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.0.17:4343/officescan/console/ClientInstall/setup.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264552283609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264552269309
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://192.168.0.17:4343/SMB/console/html/root/AtxEnc.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-1-26 47640]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-1-26 22016]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2009-9-30 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-9-30 36368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-25 110080]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2009-7-15 689416]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-25 1684736]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-1-26 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-1-26 17536]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-2-1 50704]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-02-16 17:48:53 -------- d-sha-r- C:\cmdcons
2011-02-14 22:19:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-14 22:19:14 -------- d-----w- c:\docume~1\admini~1.for\applic~1\SUPERAntiSpyware.com
2011-02-14 22:19:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-03 17:55:35 -------- d-----w- c:\docume~1\admini~1.for\applic~1\Malwarebytes
2011-02-03 15:45:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 15:45:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-03 15:45:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-03 15:45:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-12-08 19:12:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 19:11:52 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 19:11:46 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 19:11:44 87424 ----a-w- c:\windows\system32\LMIinit.dll

============= FINISH: 12:11:14.17 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:20 AM

Posted 21 February 2011 - 03:08 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Schwagg

Schwagg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 21 February 2011 - 03:25 PM

Thank you so much for your help. We are still having google redirects. Here are the logs you requested:

DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 14:08:16.05 on Mon 02/21/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1554 [GMT -6:00]

AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Outdated* {94A080DC-5CB5-4D7C-982D-F707ACC904D2}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
\\frg-fs1\public\it\Applications and ISOs\Malware Repair Tools\2-21-2011\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.0.17:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.0.17:4343/officescan/console/ClientInstall/setup.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264552283609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264552269309
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://192.168.0.17:4343/SMB/console/html/root/AtxEnc.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-1-26 47640]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-1-26 22016]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-9-30 36368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-25 110080]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2009-9-30 230928]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-25 1684736]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-1-26 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-1-26 17536]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-2-1 50704]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2009-7-15 689416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-02-16 17:48:53 -------- d-sha-r- C:\cmdcons
2011-02-14 22:19:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-14 22:19:14 -------- d-----w- c:\docume~1\admini~1.for\applic~1\SUPERAntiSpyware.com
2011-02-14 22:19:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-03 17:55:35 -------- d-----w- c:\docume~1\admini~1.for\applic~1\Malwarebytes
2011-02-03 15:45:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 15:45:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-03 15:45:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-03 15:45:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-12-08 19:12:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 19:11:52 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 19:11:46 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 19:11:44 87424 ----a-w- c:\windows\system32\LMIinit.dll

============= FINISH: 14:08:30.63 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/26/2010 4:15:05 PM
System Uptime: 2/21/2011 7:23:11 AM (7 hours ago)

Motherboard: Dell Inc. | | 0P301D
Processor: Intel® Core™2 Duo CPU E7400 @ 2.80GHz | Socket 775 | 2793/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 132.595 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 2/16/2011 12:03:24 PM - System Checkpoint
RP2: 2/17/2011 1:13:12 PM - System Checkpoint
RP3: 2/21/2011 9:05:51 AM - System Checkpoint

==== Installed Programs ======================

Accsys Restaurant Data Central
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.2
Compatibility Pack for the 2007 Office system
Crystal Reports 10 for Sage
Data Central Preview
Fifth Third Direct
FRx 6.7 Client (\\FRG-ACCT\SageSoftware\FRx67)
FRx 6.7 Supplemental Files
Google Calendar Sync
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java™ 6 Update 18
LogMeIn
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft FRx 6.7 Programmability Support
Microsoft Office Communicator 2007 R2
Microsoft Office Excel MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Standard 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
OGA Notifier 2.0.0048.0
PDFCreator
QuickTime Alternative 3.1.1
Realtek Ethernet Diagnostic Utility
Realtek High Definition Audio Driver
Sage Components
Sage MAS 200 Workstation (C:\Program Files\Sage Software\MAS 200 Client\Version4\MAS90\)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SUPERAntiSpyware
Trend Micro Client/Server Security Agent
Tweak UI
Unclaimed Property Reporting System - Ver. 4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

2/14/2011 4:15:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/14/2011 4:12:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi
2/14/2011 4:12:53 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2011 4:12:53 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2011 4:12:53 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/14/2011 4:12:53 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

Report.txt (from RKUnHooker):

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xA8480000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6074368 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xB9685000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6045696 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF280000 C:\WINDOWS\System32\igxpdx32.DLL 3330048 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 2297856 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA807C000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 892928 bytes
0xB9E49000 iaStor.sys 892928 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xB9D60000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA817E000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB94F4000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA82C0000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA79C6000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA7442000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA7160000 C:\WINDOWS\system32\DRIVERS\Dot4.sys 208896 bytes (Microsoft Corporation, One Cool Transport)
0xB957A000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB95F5000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 196608 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA7AEC000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D33000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xA4B03000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA81EE000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9625000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA8272000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA829A000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA845C000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB964D000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB95D2000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA8250000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA8219000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134528 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E29000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xA839C000 C:\WINDOWS\system32\drivers\IntcHdmi.sys 131072 bytes (Intel® Corporation, Intel® High Definition Audio HDMI)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D19000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9E00000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB95BB000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA823B000 C:\WINDOWS\system32\DRIVERS\tmtdi.sys 86016 bytes (Trend Micro Inc., Trend Micro TDI Driver (i386-fre))
0xA7783000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9671000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8319000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9DED000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9E17000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB95AA000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA5D61000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xBA2D8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA278000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA7946000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA248000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA118000 C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys 53248 bytes (Trend Micro Inc., Pre-Filter For XP)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA2A8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA208000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA2F8000 C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)
0xBA258000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA238000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA784E000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA228000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA298000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA5D92000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA288000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA398000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA368000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA458000 C:\DOCUME~1\ADMINI~1.FOR\LOCALS~1\Temp\mbr.sys 28672 bytes
0xBA4A8000 C:\WINDOWS\system32\DRIVERS\dot4usb.sys 24576 bytes (Microsoft Corporation, DOT4USB filter driver)
0xBA480000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA490000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA440000 C:\WINDOWS\system32\DRIVERS\RtNdPt5x.sys 24576 bytes (Realtek Semiconductor Corporation , Realtek NDIS Protocol Driver)
0xBA3B0000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA400000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA378000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBF5AD000 C:\WINDOWS\System32\lmimirr.dll 20480 bytes (LogMeIn, Inc., LogMeIn Mirror Driver)
0xBA388000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA328000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA420000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA438000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3C8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA61EE000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xA71C7000 C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys 16384 bytes (Microsoft Corporation, Dot4 Printer Driver)
0xA7412000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9CD5000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA7D2D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA58C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA832C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA73EE000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA590000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA7C5D000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA5A0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9CF5000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5D2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5CE000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBF5B2000 C:\WINDOWS\System32\lmimirr2.dll 8192 bytes (LogMeIn, Inc., LogMeIn Video Helper)
0xBA5D6000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5B2000 C:\Program Files\LogMeIn\x86\RaInfo.sys 8192 bytes (LogMeIn, Inc., RemotelyAnywhere Kernel Information Provider)
0xBA5DA000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5BC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7AD000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA790000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7AA000 C:\WINDOWS\system32\DRIVERS\lmimirr.sys 4096 bytes (LogMeIn, Inc., LogMeIn Mirror Miniport Driver)
0xBA68A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================


Thanks again for any help you can provide. Please let me know if you need any other logs.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:20 AM

Posted 21 February 2011 - 03:29 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Schwagg

Schwagg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 21 February 2011 - 03:46 PM

I ran combofix and rebooted (even though it didn't tell me to). It's hard to tell whether or not the redirects have stopped since it seems to be intermittent. Can you check out my combofix logs to see if there is anything else hidden that could come back?


ComboFix 11-02-20.03 - Administrator 02/21/2011 14:35:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1534 [GMT -6:00]
Running from: \\frg-fs1\public\it\Applications and ISOs\Malware Repair Tools\2-21-2011\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Outdated* {94A080DC-5CB5-4D7C-982D-F707ACC904D2}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lbanks\Local Settings\Application Data\{66127FAA-3299-4893-970B-EBBA5A02EFBE}
c:\documents and settings\lbanks\Local Settings\Application Data\{66127FAA-3299-4893-970B-EBBA5A02EFBE}\chrome.manifest
c:\documents and settings\lbanks\Local Settings\Application Data\{66127FAA-3299-4893-970B-EBBA5A02EFBE}\chrome\content\_cfg.js
c:\documents and settings\lbanks\Local Settings\Application Data\{66127FAA-3299-4893-970B-EBBA5A02EFBE}\chrome\content\overlay.xul
c:\documents and settings\lbanks\Local Settings\Application Data\{66127FAA-3299-4893-970B-EBBA5A02EFBE}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 )))))))))))))))))))))))))))))))
.

2011-02-16 17:40 . 2011-02-16 17:40 -------- d-----w- c:\windows\Sun
2011-02-15 19:02 . 2011-02-15 19:02 -------- d-----w- c:\documents and settings\lbanks\Local Settings\Application Data\Identities
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\documents and settings\administrator.FORDRESTGRP\Application Data\SUPERAntiSpyware.com
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-14 22:11 . 2011-02-14 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-03 17:55 . 2011-02-03 17:55 -------- d-----w- c:\documents and settings\administrator.FORDRESTGRP\Application Data\Malwarebytes
2011-02-03 15:46 . 2011-02-03 15:46 -------- d-----w- c:\documents and settings\lbanks\Application Data\Malwarebytes
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\documents and settings\msanders\Application Data\Malwarebytes
2011-02-03 15:45 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-03 15:45 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-31 16:52 . 2011-02-21 13:25 0 ----a-w- c:\documents and settings\lbanks\Local Settings\Application Data\Sripofulohoqu.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-08 19:12 . 2010-01-27 02:03 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 19:11 . 2010-01-27 02:03 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 19:11 . 2010-01-27 02:03 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 19:11 . 2010-01-27 02:03 87424 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2010-03-30 959784]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoSimpleStartMenu"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"45371:TCP"= 45371:TCP:Trend Micro Client/Server Security Agent Listener

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:49 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [1/26/2010 3:59 PM 22016]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [9/30/2009 2:37 PM 36368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/25/2010 3:02 PM 110080]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [9/30/2009 2:38 PM 230928]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/25/2010 3:02 PM 1684736]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [1/26/2010 3:59 PM 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/26/2010 3:59 PM 17536]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/1/2010 1:09 PM 50704]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [7/15/2009 5:37 PM 689416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 10:16 AM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY
*NewlyCreated* - UDFS
*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://192.168.0.17:4343/SMB/console/html/root/AtxEnc.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-21 14:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3821447715-1798685155-1639345383-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,ff,3a,9d,3e,a3,41,43,83,69,4c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,ff,3a,9d,3e,a3,41,43,83,69,4c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-02-21 14:39:36
ComboFix-quarantined-files.txt 2011-02-21 20:39
ComboFix2.txt 2011-02-16 17:53

Pre-Run: 142,312,472,576 bytes free
Post-Run: 142,389,542,912 bytes free

- - End Of File - - 36E7676F84AF9654A9F6E59A68C91CA6

Thanks!!

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:20 AM

Posted 21 February 2011 - 06:35 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\documents and settings\lbanks\Local Settings\Application Data\Sripofulohoqu.bin


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Schwagg

Schwagg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 22 February 2011 - 02:57 PM

Thanks so much for the help. My google results are still intermittently being redirected. I had to get the latest version of combofix after I loaded the CFScript into the old version, so hopefully it ran properly (I didn't get any errors). Here is combofix.txt:


ComboFix 11-02-22.01 - Administrator 02/22/2011 13:46:04.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1618 [GMT -6:00]
Running from: c:\documents and settings\administrator.FORDRESTGRP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator.FORDRESTGRP\Desktop\CFScript.txt
AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Outdated* {94A080DC-5CB5-4D7C-982D-F707ACC904D2}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lbanks\Local Settings\Application Data\{F5BF5616-2178-46B3-838D-74B6435E85D6}
c:\documents and settings\lbanks\Local Settings\Application Data\{F5BF5616-2178-46B3-838D-74B6435E85D6}\chrome.manifest
c:\documents and settings\lbanks\Local Settings\Application Data\{F5BF5616-2178-46B3-838D-74B6435E85D6}\chrome\content\_cfg.js
c:\documents and settings\lbanks\Local Settings\Application Data\{F5BF5616-2178-46B3-838D-74B6435E85D6}\chrome\content\overlay.xul
c:\documents and settings\lbanks\Local Settings\Application Data\{F5BF5616-2178-46B3-838D-74B6435E85D6}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.

2011-02-16 17:40 . 2011-02-16 17:40 -------- d-----w- c:\windows\Sun
2011-02-15 19:02 . 2011-02-15 19:02 -------- d-----w- c:\documents and settings\lbanks\Local Settings\Application Data\Identities
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\documents and settings\administrator.FORDRESTGRP\Application Data\SUPERAntiSpyware.com
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-14 22:11 . 2011-02-14 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-03 17:55 . 2011-02-03 17:55 -------- d-----w- c:\documents and settings\administrator.FORDRESTGRP\Application Data\Malwarebytes
2011-02-03 15:46 . 2011-02-03 15:46 -------- d-----w- c:\documents and settings\lbanks\Application Data\Malwarebytes
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\documents and settings\msanders\Application Data\Malwarebytes
2011-02-03 15:45 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-03 15:45 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-31 16:52 . 2011-02-22 14:23 0 ----a-w- c:\documents and settings\lbanks\Local Settings\Application Data\Sripofulohoqu.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-08 19:12 . 2010-01-27 02:03 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 19:11 . 2010-01-27 02:03 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 19:11 . 2010-01-27 02:03 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 19:11 . 2010-01-27 02:03 87424 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2010-03-30 959784]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoSimpleStartMenu"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"45371:TCP"= 45371:TCP:Trend Micro Client/Server Security Agent Listener

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:49 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [1/26/2010 3:59 PM 22016]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [9/30/2009 2:37 PM 36368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/25/2010 3:02 PM 110080]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [9/30/2009 2:38 PM 230928]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/25/2010 3:02 PM 1684736]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [1/26/2010 3:59 PM 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/26/2010 3:59 PM 17536]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/1/2010 1:09 PM 50704]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [7/15/2009 5:37 PM 689416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 10:16 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://192.168.0.17:4343/SMB/console/html/root/AtxEnc.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-22 13:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3821447715-1798685155-1639345383-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,ff,3a,9d,3e,a3,41,43,83,69,4c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,ff,3a,9d,3e,a3,41,43,83,69,4c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-02-22 13:49:55
ComboFix-quarantined-files.txt 2011-02-22 19:49
ComboFix2.txt 2011-02-21 20:39
ComboFix3.txt 2011-02-16 17:53

Pre-Run: 142,317,522,944 bytes free
Post-Run: 142,363,836,416 bytes free

- - End Of File - - 1A1290E6E6A907A9220509BBF37D9216

Thanks again, Gringo!!

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:20 AM

Posted 22 February 2011 - 07:39 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Schwagg

Schwagg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 24 February 2011 - 10:49 AM

I will run TDSSKiller.exe today. Work has had me backed up for a few days, but I will post the logs later today.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:20 AM

Posted 24 February 2011 - 04:51 PM

:thumbup2:
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Schwagg

Schwagg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 25 February 2011 - 02:55 PM

The TDSSKiller scan came back clean, but we are still having issues with the google redirects. Here is the copy/paste of the log:


2011/02/25 13:50:20.0473 6120 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/25 13:50:20.0973 6120 ================================================================================
2011/02/25 13:50:20.0973 6120 SystemInfo:
2011/02/25 13:50:20.0973 6120
2011/02/25 13:50:20.0973 6120 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/25 13:50:20.0973 6120 Product type: Workstation
2011/02/25 13:50:20.0973 6120 ComputerName: FRG-ACCT-01
2011/02/25 13:50:20.0973 6120 UserName: Administrator
2011/02/25 13:50:20.0973 6120 Windows directory: C:\WINDOWS
2011/02/25 13:50:20.0973 6120 System windows directory: C:\WINDOWS
2011/02/25 13:50:20.0973 6120 Processor architecture: Intel x86
2011/02/25 13:50:20.0973 6120 Number of processors: 2
2011/02/25 13:50:20.0973 6120 Page size: 0x1000
2011/02/25 13:50:20.0973 6120 Boot type: Normal boot
2011/02/25 13:50:20.0973 6120 ================================================================================
2011/02/25 13:50:21.0144 6120 Initialize success
2011/02/25 13:50:29.0097 1196 ================================================================================
2011/02/25 13:50:29.0097 1196 Scan started
2011/02/25 13:50:29.0097 1196 Mode: Manual;
2011/02/25 13:50:29.0097 1196 ================================================================================
2011/02/25 13:50:29.0832 1196 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/02/25 13:50:29.0863 1196 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/25 13:50:29.0878 1196 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/25 13:50:29.0910 1196 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/02/25 13:50:29.0972 1196 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/25 13:50:30.0066 1196 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/25 13:50:30.0128 1196 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/02/25 13:50:30.0160 1196 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/02/25 13:50:30.0175 1196 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/02/25 13:50:30.0238 1196 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/02/25 13:50:30.0253 1196 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/02/25 13:50:30.0300 1196 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/02/25 13:50:30.0347 1196 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/02/25 13:50:30.0472 1196 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/02/25 13:50:30.0550 1196 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/02/25 13:50:30.0660 1196 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/02/25 13:50:30.0707 1196 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/02/25 13:50:30.0722 1196 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/02/25 13:50:30.0738 1196 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/02/25 13:50:30.0769 1196 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/25 13:50:30.0800 1196 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/25 13:50:30.0863 1196 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/25 13:50:30.0910 1196 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/25 13:50:30.0957 1196 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/25 13:50:31.0113 1196 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/02/25 13:50:31.0160 1196 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/25 13:50:31.0175 1196 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/02/25 13:50:31.0191 1196 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/25 13:50:31.0222 1196 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/25 13:50:31.0238 1196 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/25 13:50:31.0331 1196 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/02/25 13:50:31.0378 1196 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/02/25 13:50:31.0394 1196 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/02/25 13:50:31.0425 1196 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/02/25 13:50:31.0472 1196 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/25 13:50:31.0519 1196 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/25 13:50:31.0566 1196 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/25 13:50:31.0660 1196 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/25 13:50:31.0722 1196 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/25 13:50:31.0816 1196 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2011/02/25 13:50:31.0878 1196 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2011/02/25 13:50:31.0941 1196 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2011/02/25 13:50:32.0003 1196 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/02/25 13:50:32.0097 1196 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/25 13:50:32.0160 1196 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/25 13:50:32.0269 1196 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/02/25 13:50:32.0300 1196 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/25 13:50:32.0378 1196 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/02/25 13:50:32.0441 1196 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/02/25 13:50:32.0503 1196 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/25 13:50:32.0519 1196 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/25 13:50:32.0550 1196 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/25 13:50:32.0597 1196 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/25 13:50:32.0628 1196 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/25 13:50:32.0660 1196 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/02/25 13:50:32.0691 1196 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/25 13:50:32.0722 1196 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/02/25 13:50:32.0738 1196 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/02/25 13:50:32.0847 1196 ialm (2da364ee62d4949620b6fae4ffea16a7) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/02/25 13:50:33.0003 1196 iaStor (01446278d4563b3013c92830ae6cbb26) C:\WINDOWS\system32\drivers\iaStor.sys
2011/02/25 13:50:33.0035 1196 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/25 13:50:33.0066 1196 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/02/25 13:50:33.0222 1196 IntcAzAudAddService (e8656858d8b2da7c9cf59fb4e5ce32ed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/02/25 13:50:33.0410 1196 IntcHdmiAddService (c9ef68bee3b1a62f34125a9fbbaac10c) C:\WINDOWS\system32\drivers\IntcHdmi.sys
2011/02/25 13:50:33.0472 1196 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/25 13:50:33.0503 1196 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/25 13:50:33.0519 1196 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/02/25 13:50:33.0660 1196 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/25 13:50:33.0706 1196 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/25 13:50:33.0738 1196 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/25 13:50:33.0753 1196 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/25 13:50:33.0878 1196 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/25 13:50:33.0956 1196 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/25 13:50:33.0988 1196 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/25 13:50:34.0035 1196 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/25 13:50:34.0113 1196 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/25 13:50:34.0160 1196 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/25 13:50:34.0269 1196 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/02/25 13:50:34.0331 1196 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/02/25 13:50:34.0488 1196 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/02/25 13:50:34.0519 1196 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/25 13:50:34.0566 1196 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/25 13:50:34.0613 1196 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/02/25 13:50:34.0784 1196 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/25 13:50:34.0831 1196 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/25 13:50:34.0863 1196 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/25 13:50:34.0878 1196 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/02/25 13:50:34.0894 1196 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/25 13:50:34.0941 1196 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/25 13:50:34.0972 1196 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/25 13:50:34.0988 1196 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/25 13:50:35.0003 1196 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/25 13:50:35.0019 1196 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/25 13:50:35.0050 1196 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/25 13:50:35.0066 1196 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/25 13:50:35.0081 1196 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/25 13:50:35.0113 1196 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/25 13:50:35.0144 1196 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/25 13:50:35.0175 1196 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/25 13:50:35.0238 1196 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/25 13:50:35.0253 1196 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/25 13:50:35.0269 1196 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/25 13:50:35.0300 1196 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/25 13:50:35.0347 1196 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/25 13:50:35.0394 1196 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/25 13:50:35.0441 1196 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/25 13:50:35.0456 1196 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/25 13:50:35.0488 1196 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/02/25 13:50:35.0534 1196 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/25 13:50:35.0566 1196 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/25 13:50:35.0581 1196 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/25 13:50:35.0613 1196 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/25 13:50:35.0644 1196 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/25 13:50:35.0691 1196 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/02/25 13:50:35.0691 1196 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/02/25 13:50:35.0769 1196 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/25 13:50:35.0784 1196 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/25 13:50:35.0800 1196 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/25 13:50:35.0816 1196 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/02/25 13:50:35.0816 1196 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/02/25 13:50:35.0831 1196 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/02/25 13:50:35.0831 1196 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/02/25 13:50:35.0847 1196 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/02/25 13:50:35.0863 1196 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/25 13:50:35.0863 1196 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/25 13:50:35.0878 1196 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/25 13:50:35.0894 1196 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/25 13:50:35.0909 1196 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/25 13:50:35.0941 1196 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/25 13:50:35.0956 1196 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/25 13:50:35.0972 1196 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/25 13:50:36.0003 1196 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/25 13:50:36.0050 1196 RTLE8023xp (ba7ced0f0799012b1f2bfda06d7506db) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/02/25 13:50:36.0081 1196 RTLTEAMING (9f6b9f66223b1265ed66d005d93e539d) C:\WINDOWS\system32\DRIVERS\RTLTEAMING.SYS
2011/02/25 13:50:36.0097 1196 RTLVLAN (6ec43dc18746bb9b6ddec4c99b15b6fc) C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
2011/02/25 13:50:36.0128 1196 RtNdPt5x (5ffd2aaf467b80fab34929afb7702060) C:\WINDOWS\system32\DRIVERS\RtNdPt5x.sys
2011/02/25 13:50:36.0222 1196 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/02/25 13:50:36.0238 1196 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/02/25 13:50:36.0331 1196 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/25 13:50:36.0378 1196 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/25 13:50:36.0394 1196 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/25 13:50:36.0425 1196 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/25 13:50:36.0441 1196 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/02/25 13:50:36.0456 1196 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/02/25 13:50:36.0488 1196 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/25 13:50:36.0519 1196 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/25 13:50:36.0534 1196 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/25 13:50:36.0566 1196 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/25 13:50:36.0597 1196 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/25 13:50:36.0628 1196 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/02/25 13:50:36.0644 1196 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/02/25 13:50:36.0659 1196 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/02/25 13:50:36.0675 1196 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/02/25 13:50:36.0691 1196 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/25 13:50:36.0738 1196 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/25 13:50:36.0753 1196 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/25 13:50:36.0769 1196 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/25 13:50:36.0784 1196 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/25 13:50:36.0816 1196 tmactmon (582f43830daa5d9aad7aa514843d8905) C:\WINDOWS\system32\drivers\tmactmon.sys
2011/02/25 13:50:36.0847 1196 tmcomm (c4ddce6124bf6a711ab14d8153eac61d) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/02/25 13:50:36.0878 1196 tmevtmgr (9d38ac83d56f9b5274a65d2666da9779) C:\WINDOWS\system32\drivers\tmevtmgr.sys
2011/02/25 13:50:36.0941 1196 TmFilter (3e615f370f0c7db414b6bcd1c18399d4) C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys
2011/02/25 13:50:36.0956 1196 TmPreFilter (c7c7959ec0940e0eddfc881fed8ec214) C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys
2011/02/25 13:50:37.0066 1196 tmtdi (44c262c1b2412ded35078b6166d2acc2) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
2011/02/25 13:50:37.0113 1196 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/02/25 13:50:37.0159 1196 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/25 13:50:37.0191 1196 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/02/25 13:50:37.0222 1196 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/25 13:50:37.0284 1196 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/25 13:50:37.0316 1196 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/25 13:50:37.0347 1196 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/25 13:50:37.0363 1196 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/25 13:50:37.0394 1196 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/25 13:50:37.0425 1196 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/02/25 13:50:37.0441 1196 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/02/25 13:50:37.0456 1196 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/25 13:50:37.0519 1196 VSApiNt (60dfbc34228ca36221b03460789f5d4e) C:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys
2011/02/25 13:50:37.0613 1196 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/25 13:50:37.0691 1196 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/25 13:50:37.0753 1196 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/02/25 13:50:37.0784 1196 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/02/25 13:50:37.0831 1196 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/25 13:50:37.0847 1196 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/25 13:50:37.0878 1196 ================================================================================
2011/02/25 13:50:37.0878 1196 Scan finished
2011/02/25 13:50:37.0878 1196 ================================================================================
2011/02/25 13:51:15.0064 1440 Deinitialize success

Thanks!!

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:20 AM

Posted 25 February 2011 - 03:54 PM

we are going to check the router

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat Choose to Save type as - All Files and where to save - Desktop - then close the Notepad file.

It should look like this: Posted Image <--XP
Double-click on router.bat to run it. it will open notepad when done please post back the results
gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Schwagg

Schwagg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 25 February 2011 - 04:04 PM

I ran router.bat from a different computer since the infected computer is currently in use. I figured it wouldn't matter since they are both using the same router. Here it is:




Windows IP Configuration



Host Name . . . . . . . . . . . . : frg-it-1

Primary Dns Suffix . . . . . . . : fordrestgrp.com

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : fordrestgrp.com

fordrestgrp.com



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : fordrestgrp.com

Description . . . . . . . . . . . : Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller

Physical Address. . . . . . . . . : 00-E0-B8-D3-F8-56

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.111

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.254

DHCP Server . . . . . . . . . . . : 192.168.0.11

DNS Servers . . . . . . . . . . . : 192.168.0.11

192.168.0.12

Lease Obtained. . . . . . . . . . : Friday, February 25, 2011 8:16:33 AM

Lease Expires . . . . . . . . . . : Saturday, March 05, 2011 8:16:33 AM



Ethernet adapter Wireless Network Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter

Physical Address. . . . . . . . . : 00-C0-A8-DF-4F-91

Server: frg-dc2008.fordrestgrp.com
Address: 192.168.0.11

Name: google.com
Addresses: 74.125.67.105, 74.125.67.147, 74.125.67.99, 74.125.67.103
74.125.67.106, 74.125.67.104

Server: frg-dc2008.fordrestgrp.com
Address: 192.168.0.11

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43



Pinging google.com [74.125.67.105] with 32 bytes of data:



Reply from 74.125.67.105: bytes=32 time=41ms TTL=52

Reply from 74.125.67.105: bytes=32 time=42ms TTL=52



Ping statistics for 74.125.67.105:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 41ms, Maximum = 42ms, Average = 41ms



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:



Reply from 98.137.149.56: bytes=32 time=59ms TTL=50

Reply from 98.137.149.56: bytes=32 time=72ms TTL=50



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 59ms, Maximum = 72ms, Average = 65ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 e0 b8 d3 f8 56 ...... Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller
0x10004 ...00 c0 a8 df 4f 91 ...... Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.254 192.168.0.111 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.111 192.168.0.111 20
192.168.0.0 255.255.255.0 192.168.0.111 192.168.0.111 20
192.168.0.111 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.111 192.168.0.111 20
224.0.0.0 240.0.0.0 192.168.0.111 192.168.0.111 20
255.255.255.255 255.255.255.255 192.168.0.111 192.168.0.111 1
255.255.255.255 255.255.255.255 192.168.0.111 10004 1
Default Gateway: 192.168.0.254
===========================================================================
Persistent Routes:
None


Thanks again!

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:20 AM

Posted 26 February 2011 - 11:29 PM

update combofix

I would like you to download an updated virsion of combofix.

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:Do not mouseclick combofix's window while it's running. That may cause it to stall
[/list]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Schwagg

Schwagg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 02 March 2011 - 01:31 PM

Here are the results of the latest combofix scan. We are still getting redirects, but it's mostly to yellowpages and adclick right now.


ComboFix 11-03-02.01 - Administrator 03/02/2011 12:17:18.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1573 [GMT -6:00]
Running from: c:\documents and settings\administrator.FORDRESTGRP\Desktop\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Outdated* {94A080DC-5CB5-4D7C-982D-F707ACC904D2}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lbanks\Local Settings\Application Data\{5C9D34C1-8C85-440D-B7AD-61794B508B59}
c:\documents and settings\lbanks\Local Settings\Application Data\{5C9D34C1-8C85-440D-B7AD-61794B508B59}\chrome.manifest
c:\documents and settings\lbanks\Local Settings\Application Data\{5C9D34C1-8C85-440D-B7AD-61794B508B59}\chrome\content\_cfg.js
c:\documents and settings\lbanks\Local Settings\Application Data\{5C9D34C1-8C85-440D-B7AD-61794B508B59}\chrome\content\overlay.xul
c:\documents and settings\lbanks\Local Settings\Application Data\{5C9D34C1-8C85-440D-B7AD-61794B508B59}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2011-02-16 17:40 . 2011-02-16 17:40 -------- d-----w- c:\windows\Sun
2011-02-15 19:02 . 2011-02-15 19:02 -------- d-----w- c:\documents and settings\lbanks\Local Settings\Application Data\Identities
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\documents and settings\administrator.FORDRESTGRP\Application Data\SUPERAntiSpyware.com
2011-02-14 22:19 . 2011-02-14 22:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-14 22:11 . 2011-02-14 22:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-03 17:55 . 2011-02-03 17:55 -------- d-----w- c:\documents and settings\administrator.FORDRESTGRP\Application Data\Malwarebytes
2011-02-03 15:46 . 2011-02-03 15:46 -------- d-----w- c:\documents and settings\lbanks\Application Data\Malwarebytes
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\documents and settings\msanders\Application Data\Malwarebytes
2011-02-03 15:45 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-03 15:45 . 2011-02-03 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-03 15:45 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-02 13:26 . 2011-01-31 16:52 0 ----a-w- c:\documents and settings\lbanks\Local Settings\Application Data\Sripofulohoqu.bin
2010-12-08 19:12 . 2010-01-27 02:03 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 19:11 . 2010-01-27 02:03 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 19:11 . 2010-01-27 02:03 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 19:11 . 2010-01-27 02:03 87424 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-21_20.38.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-12 18:39 . 2008-11-07 16:49 61440 c:\windows\system32\spool\drivers\w32x86\3\trackid.dll
+ 2009-11-12 18:39 . 2009-10-02 23:37 68608 c:\windows\system32\spool\drivers\w32x86\3\ricaz0pl.dll
+ 2009-11-12 18:39 . 2008-11-07 16:49 67044 c:\windows\system32\spool\drivers\w32x86\3\ricaz0lg.dat
+ 2009-11-12 18:39 . 2008-11-07 16:49 65536 c:\windows\system32\spool\drivers\w32x86\3\ricaz0hp.exe
+ 2008-04-25 16:16 . 2011-02-26 04:39 76776 c:\windows\system32\perfc009.dat
- 2008-04-25 16:16 . 2011-02-01 05:31 76776 c:\windows\system32\perfc009.dat
+ 2009-11-12 18:39 . 2008-06-11 05:11 221184 c:\windows\system32\spool\drivers\w32x86\3\ricjc32.dll
+ 2009-11-12 18:39 . 2008-11-07 16:49 962560 c:\windows\system32\spool\drivers\w32x86\3\ricipp.dll
+ 2009-11-12 18:39 . 2009-10-02 23:37 287744 c:\windows\system32\spool\drivers\w32x86\3\ricaz0gu.dll
+ 2009-11-12 18:39 . 2009-10-02 23:37 218112 c:\windows\system32\spool\drivers\w32x86\3\ricaz0gs.dll
+ 2009-11-12 18:39 . 2009-10-02 23:37 832512 c:\windows\system32\spool\drivers\w32x86\3\ricaz0gc.dll
+ 2009-11-12 18:39 . 2009-01-28 03:04 229376 c:\windows\system32\spool\drivers\w32x86\3\ricaz0cb.dll
- 2008-04-25 16:16 . 2011-02-01 05:31 457208 c:\windows\system32\perfh009.dat
+ 2008-04-25 16:16 . 2011-02-26 04:39 457208 c:\windows\system32\perfh009.dat
+ 2009-11-12 18:39 . 2009-10-02 23:37 2717696 c:\windows\system32\spool\drivers\w32x86\3\ricaz0us.dll
+ 2009-11-12 18:39 . 2009-10-02 23:37 1856512 c:\windows\system32\spool\drivers\w32x86\3\ricaz0ur.dll
+ 2009-11-12 18:39 . 2009-10-02 23:37 1038336 c:\windows\system32\spool\drivers\w32x86\3\ricaz0cd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2010-03-30 959784]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoSimpleStartMenu"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"45371:TCP"= 45371:TCP:Trend Micro Client/Server Security Agent Listener

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:49 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [1/26/2010 3:59 PM 22016]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [9/30/2009 2:37 PM 36368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/25/2010 3:02 PM 110080]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [9/30/2009 2:38 PM 230928]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/25/2010 3:02 PM 1684736]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [1/26/2010 3:59 PM 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/26/2010 3:59 PM 17536]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/1/2010 1:09 PM 50704]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [7/15/2009 5:37 PM 689416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 10:16 AM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD25
*Deregistered* - klmd25

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://192.168.0.17:4343/SMB/console/html/root/AtxEnc.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 12:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3821447715-1798685155-1639345383-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,ff,3a,9d,3e,a3,41,43,83,69,4c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,ff,3a,9d,3e,a3,41,43,83,69,4c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-03-02 12:21:00
ComboFix-quarantined-files.txt 2011-03-02 18:20
ComboFix2.txt 2011-02-22 19:49
ComboFix3.txt 2011-02-21 20:39
ComboFix4.txt 2011-02-16 17:53

Pre-Run: 142,444,023,808 bytes free
Post-Run: 142,467,203,072 bytes free

- - End Of File - - B92B31B2EC2B86BA10596C441276A725


Thanks again Gringo!!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users