Infected with I don't know what!


This topic is locked
29 replies to this topic

#1 jwilliams


Posted 01 June 2011 - 07:42 PM

I originally posted my problem in the Am I Infected forum. After several attempts to remove whatever I have, they recommended I follow the Preparation Guide and post in the Virus, Trojan, Spyware, and Malware Removal forum.

The system takes ten minutes or more to boot up, very slow. Also, unable to run some of the virus, spyware, and malware removal tools.

I've attached the DDS and Attach files.
While running GMER, I received the BSOD and had to shutdown. Error Message: BAD POOL HEADER.

.
DDS (Ver_2011-06-01.06) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Run by Janet at 18:58:52 on 2011-06-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.558 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
TCP: Interfaces\{2367C039-11C6-40EA-A52B-16D3A8C18752} : DhcpNameServer = 192.168.1.1 68.238.96.12
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 192.168.49.2 Srv01.crsti.local
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\janet\application data\mozilla\firefox\profiles\7gi9o6gi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-1-25 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-8 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-8 243152]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-8 353672]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-29 308136]
S0 egytqwlb;egytqwlb;c:\windows\system32\drivers\meqhqne.sys --> c:\windows\system32\drivers\meqhqne.sys [?]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
.
=============== Created Last 30 ================
.
2011-06-01 23:49:52 -------- d-sh--w- C:\found.002
2011-06-01 03:05:50 -------- d-sh--w- C:\found.001
2011-05-31 17:42:09 -------- d-----w- C:\TDSSKiller_Quarantine
2011-05-31 14:58:21 -------- d-----w- c:\documents and settings\janet\local settings\application data\PCHealth
2011-05-30 05:18:25 -------- d-----w- C:\e3c32ff4404127706f0ed6c3
2011-05-30 04:50:25 -------- d-----w- c:\windows\system32\LogFiles
2011-05-28 04:03:44 -------- d-----w- c:\program files\ESET
2011-05-28 02:44:37 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-05-26 02:56:14 -------- d-----w- C:\1ffb0a381da0a77ab9ece8e993efc851
2011-05-25 02:51:19 -------- d-sh--w- C:\found.000
2011-05-25 02:28:44 -------- d-----w- c:\documents and settings\janet\application data\uTorrent
2011-05-24 03:09:37 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2011-05-24 03:09:37 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2011-05-24 03:09:37 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2011-05-24 03:09:37 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2011-05-24 03:09:36 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2011-05-24 03:09:31 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2011-05-24 03:09:29 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
.
==================== Find3M ====================
.
2011-05-28 01:27:57 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 19:00:11.20 ===============

Just wondering...how long should I wait for a response? Thanks!

EDIT: The current average wait time to receive help is 9 days. ~Budapest



Edited by Budapest, 09 June 2011 - 05:07 PM.



 


#2 m0le


Posted 09 June 2011 - 07:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 jwilliams


Posted 10 June 2011 - 08:36 PM

Hello m0le -

I'm watching this topic and waiting for instructions.

Thanks,
J

#4 m0le


Posted 11 June 2011 - 03:22 AM

There's definitely a bad driver in that log so let's run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
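As an added example (not from this thread, and not part of DDS or ComboFix): a small Python triage script that parses lines in the DDS "SERVICES / DRIVERS" format and ranks entries like the one m0le calls the bad driver, a boot-start driver whose image file DDS marks as not found and whose service and file names look generated. The sample lines are copied from the log above plus the SASDIFSV line for contrast; the scoring rules are this example's own heuristics, not anything DDS reports.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the DDS "SERVICES / DRIVERS" format (lines taken from the
# log posted in this thread). "a --> b [?]" means DDS could not find the file on disk.
SAMPLE_DDS = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-1-25 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S0 egytqwlb;egytqwlb;c:\windows\system32\drivers\meqhqne.sys --> c:\windows\system32\drivers\meqhqne.sys [?]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
"""

# One DDS line: "<R|S><start type> <name>;<display name>;<image path> [<date> <size>]"
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]\s*$")
BASENAME_RE = re.compile(r"([^\\/\s]+)\.(sys|exe|dll)\b", re.I)
VOWELS = set("aeiou")


@dataclass
class ServiceEntry:
    running: bool       # R = running, S = stopped
    start_type: int     # 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
    name: str
    display: str
    image: str          # base name of the image file without extension, lower-cased
    missing: bool       # DDS printed "[?]" instead of a date and size


def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest, bracket = m.groups()
        path_part = rest.split(" --> ")[0]          # left side of "a --> b"
        bm = BASENAME_RE.search(path_part)
        image = bm.group(1).lower() if bm else ""
        entries.append(ServiceEntry(state == "R", int(start), name, display,
                                    image, bracket.strip() == "?"))
    return entries


def looks_random(token: str) -> bool:
    """Heuristic of this example (assumption, not a DDS rule): an all-letter name
    of 6-10 characters containing a run of four or more consonants reads as generated."""
    if not (6 <= len(token) <= 10 and token.isalpha()):
        return False
    run = longest = 0
    for ch in token.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage(entry: ServiceEntry) -> List[str]:
    """Return the reasons an entry deserves a second look; more reasons, higher priority."""
    reasons = []
    if entry.missing:
        reasons.append("image file not found on disk ([?])")
    if entry.start_type == 0:
        reasons.append("boot-start driver (start type 0)")
    if entry.name == entry.display and looks_random(entry.name):
        reasons.append("service name equals display name and looks generated")
    if entry.image and entry.image != entry.name.lower() and looks_random(entry.image):
        reasons.append("image name looks generated and does not match service name")
    return reasons


def suspicious_services(text: str, min_reasons: int = 2) -> List[str]:
    """Names of entries with at least min_reasons triage hits. A single hit (e.g. a
    missing file left behind by an uninstalled product) is normal noise."""
    return [e.name for e in parse_services(text) if len(triage(e)) >= min_reasons]


if __name__ == "__main__":
    for e in parse_services(SAMPLE_DDS):
        print(f"{e.name:10} start={e.start_type} missing={e.missing} reasons={triage(e)}")
    print("review first:", suspicious_services(SAMPLE_DDS))
```

The Panda and ZoneAlarm entries also show "[?]" but score only one hit each, which is why a single missing file is not treated as evidence on its own.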

#5 jwilliams


Posted 12 June 2011 - 04:37 PM

While trying to run ComboFix, I received a message that it couldn't run with AVG antivirus installed (although it was disabled). Tried to uninstall AVG and received the message "Access is denied" so it will not uninstall. I will try again and post results when I get ComboFix to run. Thanks.

#6 m0le


Posted 12 June 2011 - 07:06 PM

Sometimes you need the AVG uninstaller

AVG 32 bit

http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

64 bit

http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

#7 jwilliams


Posted 13 June 2011 - 10:53 PM

I'm still having problems with AVG. Not certain if it is uninstalled...it appears to be. While running the avgremover, the system restarted but I didn't see a message indicating it was finished. Now, when I boot in normal mode to remove AVG files and run ComboFix, I get a BSOD. Should I try ComboFix in Safe Mode? Thanks. J

#8 m0le


Posted 14 June 2011 - 02:57 PM

Is AVG still showing in the Add/Remove Programs section? (Start > Control Panel and under Programs is "Uninstall a program")

#9 jwilliams


Posted 14 June 2011 - 07:32 PM

Avg is uninstalled...no longer in the Add/Remove Programs. But I'm unable to do "anything" in Normal Boot.
After uninstalling AVG, I began having problems. When I boot into Normal mode, the hard drive constantly runs. After about 5 minutes, I get the BSOD with the message "A process or thread crucial to system operation has unexpectedly exited or been terminated". Not sure what is going on now!

Thanks,
J

#10 m0le


Posted 14 June 2011 - 07:50 PM

It might be that this is partly a system issue.

I would still like to clear out the malware that's there so see if you are able to boot into safe mode with networking and run Combofix

#11 jwilliams


Posted 14 June 2011 - 08:12 PM

Running ComboFix in Safe Mode...received error message "Error opening file for writing: C:\32788R22FWJFW\DPF.str Options: Abort, Retry, Ignore"...Retry doesn't work.

#12 jwilliams


Posted 14 June 2011 - 09:39 PM

After several tries, I was able to boot in Normal mode and run ComboFix. I received a Runtime Error (twice) while running the program...but it continued to run after clicking OK. Log is below...

ComboFix 11-06-14.01 - Janet 06/14/2011 20:49:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.567 [GMT -5:00]
Running from: c:\documents and settings\Janet\Desktop\comfix.exe
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))
.
.
2011-06-12 20:26 . 2011-06-12 20:26 -------- d-----w- C:\d472a11a16fab55c4fc84d6997
2011-06-01 23:49 . 2011-06-01 23:49 -------- d-----w- C:\found.002
2011-06-01 03:05 . 2011-06-01 03:05 -------- d-----w- C:\found.001
2011-05-31 17:42 . 2011-05-31 17:42 -------- d-----w- C:\TDSSKiller_Quarantine
2011-05-31 14:58 . 2011-05-31 14:58 -------- d-----w- c:\documents and settings\Janet\Local Settings\Application Data\PCHealth
2011-05-30 05:18 . 2011-05-30 05:18 -------- d-----w- C:\e3c32ff4404127706f0ed6c3
2011-05-30 04:50 . 2011-05-30 04:50 -------- d-----w- c:\windows\system32\LogFiles
2011-05-28 04:03 . 2011-05-28 04:03 -------- d-----w- c:\program files\ESET
2011-05-28 02:44 . 2011-05-28 02:44 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-05-26 02:56 . 2011-05-26 02:56 -------- d-----w- C:\1ffb0a381da0a77ab9ece8e993efc851
2011-05-25 02:51 . 2011-05-25 02:51 -------- d-----w- C:\found.000
2011-05-25 02:28 . 2011-05-25 02:28 -------- d-----w- c:\documents and settings\Janet\Application Data\uTorrent
2011-05-24 03:09 . 2005-04-04 04:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-05-24 03:09 . 2005-04-04 04:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-05-24 03:09 . 2005-04-04 04:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-05-24 03:09 . 2005-04-04 03:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-05-24 03:09 . 2005-04-04 04:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-05-24 03:09 . 2011-05-24 03:09 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-05-24 03:09 . 2011-05-24 03:09 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 03:14 . 2011-04-05 03:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\upnphost.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-03-16 10:33 127037 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 22:41 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 22:45 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 22:44 98304 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-01-10 00:33 417792 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-15 04:43 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-23 15:00 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/25/2010 10:15 PM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S0 egytqwlb;egytqwlb;c:\windows\system32\drivers\meqhqne.sys --> c:\windows\system32\drivers\meqhqne.sys [?]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/22/2011 2:03 PM 691696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
FF - ProfilePath - c:\documents and settings\Janet\Application Data\Mozilla\Firefox\Profiles\7gi9o6gi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-LanzarP2006 - c:\docume~1\Janet\LOCALS~1\Temp\P2006tmp\Install.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-14 21:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1332)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-06-14 21:32:55
ComboFix-quarantined-files.txt 2011-06-15 02:32
.
Pre-Run: 33,262,460,928 bytes free
Post-Run: 37,412,089,856 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E94FE2D49789845D60FD6EC291CB2CF8

#13 m0le


Posted 15 June 2011 - 05:11 PM

This is a strange situation that it now runs. I do need to now remove the stopped service linked with the malicious driver so we are going to try running Combofix again. If you have further problems we will use a different tool to remove it.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\system32\drivers\meqhqne.sys

Driver::
egytqwlb


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#14 jwilliams


Posted 15 June 2011 - 11:39 PM

Performed instructions above...log is attached. After log was displayed, received the following message: cmd.exe Corrupt file. The file or directory \comfix25122c\MoveIt.bat is corrupt and unreadable. Please run Chkdsk utility.

ComboFix 11-06-15.03 - Janet 06/15/2011 23:00:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.703 [GMT -5:00]
Running from: c:\documents and settings\Janet\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Janet\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\windows\system32\drivers\meqhqne.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_egytqwlb
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 03:55 . 2011-06-16 03:55 -------- d-----w- C:\comfix
2011-06-12 20:26 . 2011-06-12 20:26 -------- d-----w- C:\d472a11a16fab55c4fc84d6997
2011-06-01 23:49 . 2011-06-01 23:49 -------- d-----w- C:\found.002
2011-06-01 03:05 . 2011-06-01 03:05 -------- d-----w- C:\found.001
2011-05-31 17:42 . 2011-05-31 17:42 -------- d-----w- C:\TDSSKiller_Quarantine
2011-05-31 14:58 . 2011-05-31 14:58 -------- d-----w- c:\documents and settings\Janet\Local Settings\Application Data\PCHealth
2011-05-30 05:18 . 2011-05-30 05:18 -------- d-----w- C:\e3c32ff4404127706f0ed6c3
2011-05-30 04:50 . 2011-05-30 04:50 -------- d-----w- c:\windows\system32\LogFiles
2011-05-28 04:03 . 2011-05-28 04:03 -------- d-----w- c:\program files\ESET
2011-05-28 02:44 . 2011-05-28 02:44 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-05-26 02:56 . 2011-05-26 02:56 -------- d-----w- C:\1ffb0a381da0a77ab9ece8e993efc851
2011-05-25 02:51 . 2011-05-25 02:51 -------- d-----w- C:\found.000
2011-05-25 02:28 . 2011-05-25 02:28 -------- d-----w- c:\documents and settings\Janet\Application Data\uTorrent
2011-05-24 03:09 . 2005-04-04 04:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-05-24 03:09 . 2005-04-04 04:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-05-24 03:09 . 2005-04-04 04:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-05-24 03:09 . 2005-04-04 03:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-05-24 03:09 . 2005-04-04 04:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-05-24 03:09 . 2011-05-24 03:09 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-05-24 03:09 . 2011-05-24 03:09 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 03:14 . 2011-04-05 03:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-03-16 10:33 127037 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 22:41 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 22:45 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 22:44 98304 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-01-10 00:33 417792 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-15 04:43 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-23 15:00 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 ACPI;Microsoft ACPI Driver;c:\windows\system32\drivers\acpi.sys [8/4/2004 7:00 AM 187776]
R0 atapi;Standard IDE/ESDI Hard Disk Controller;c:\windows\system32\drivers\atapi.sys [8/4/2004 7:00 AM 96512]
R0 Compbatt;Microsoft Composite Battery Driver;c:\windows\system32\drivers\compbatt.sys [8/8/2009 3:25 PM 10240]
R0 Disk;Disk Driver;c:\windows\system32\drivers\disk.sys [8/4/2004 7:00 AM 36352]
R0 dmio;Logical Disk Manager Driver;c:\windows\system32\drivers\dmio.sys [8/4/2004 7:00 AM 153344]
R0 dmload;dmload;c:\windows\system32\drivers\dmload.sys [8/4/2004 7:00 AM 5888]
R0 FltMgr;FltMgr;c:\windows\system32\drivers\fltmgr.sys [8/8/2009 8:34 PM 129792]
R0 Ftdisk;Volume Manager Driver;c:\windows\system32\drivers\ftdisk.sys [8/4/2004 7:00 AM 125056]
R0 isapnp;PnP ISA/EISA Bus Driver;c:\windows\system32\drivers\isapnp.sys [8/4/2004 7:00 AM 37248]
R0 KSecDD;KSecDD;c:\windows\system32\drivers\ksecdd.sys [8/4/2004 7:00 AM 92928]
R0 MountMgr;Mount Point Manager;c:\windows\system32\drivers\mountmgr.sys [8/4/2004 7:00 AM 42368]
R0 Mup;Mup;c:\windows\system32\drivers\mup.sys [8/4/2004 7:00 AM 105344]
R0 NDIS;NDIS System Driver;c:\windows\system32\drivers\ndis.sys [8/4/2004 7:00 AM 182656]
R0 ohci1394;OHCI Compliant IEEE 1394 Host Controller;c:\windows\system32\drivers\ohci1394.sys [8/4/2004 7:00 AM 61696]
R0 PartMgr;Partition Manager;c:\windows\system32\drivers\partmgr.sys [8/4/2004 7:00 AM 19712]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/25/2010 10:15 PM 28552]
R0 PCI;PCI Bus Driver;c:\windows\system32\drivers\pci.sys [8/4/2004 7:00 AM 68224]
R0 PCIIde;PCIIde;c:\windows\system32\drivers\pciide.sys [8/4/2004 7:00 AM 3328]
R0 PxHelp20;PxHelp20;c:\windows\system32\drivers\pxhelp20.sys [1/26/2005 2:03 AM 45648]
R0 sr;System Restore Filter Driver;c:\windows\system32\drivers\sr.sys [8/8/2009 8:34 PM 73472]
R0 VolSnap;VolSnap;c:\windows\system32\drivers\volsnap.sys [8/4/2004 7:00 AM 52352]
R1 AFD;AFD;c:\windows\system32\drivers\afd.sys [8/4/2004 7:00 AM 138496]
R1 Beep;Beep;c:\windows\system32\drivers\beep.sys [8/4/2004 7:00 AM 4224]
R1 Cdrom;CD-ROM Driver;c:\windows\system32\drivers\cdrom.sys [8/4/2004 7:00 AM 62976]
R1 Fips;Fips;c:\windows\system32\drivers\fips.sys [8/4/2004 7:00 AM 44544]
R1 i8042prt;i8042 Keyboard and PS/2 Mouse Port Driver;c:\windows\system32\drivers\i8042prt.sys [8/4/2004 7:00 AM 52480]
R1 Imapi;CD-Burning Filter Driver;c:\windows\system32\drivers\imapi.sys [8/4/2004 7:00 AM 42112]
R1 intelppm;Intel Processor Driver;c:\windows\system32\drivers\intelppm.sys [8/4/2004 7:00 AM 36352]
R1 IPSec;IPSEC driver;c:\windows\system32\drivers\ipsec.sys [8/4/2004 7:00 AM 75264]
R1 Kbdclass;Keyboard Class Driver;c:\windows\system32\drivers\kbdclass.sys [8/4/2004 7:00 AM 24576]
R1 mnmdd;mnmdd;c:\windows\system32\drivers\mnmdd.sys [8/4/2004 7:00 AM 4224]
R1 Mouclass;Mouse Class Driver;c:\windows\system32\drivers\mouclass.sys [8/3/2004 5:58 PM 23040]
R1 MRxSmb;MRXSMB;c:\windows\system32\drivers\mrxsmb.sys [8/4/2004 7:00 AM 455936]
R1 Msfs;Msfs;c:\windows\system32\drivers\msfs.sys [8/4/2004 7:00 AM 19072]
R1 NetBIOS;NetBIOS Interface;c:\windows\system32\drivers\netbios.sys [8/4/2004 7:00 AM 34688]
R1 NetBT;NetBios over Tcpip;c:\windows\system32\drivers\netbt.sys [8/4/2004 7:00 AM 162816]
R1 Npfs;Npfs;c:\windows\system32\drivers\npfs.sys [8/4/2004 7:00 AM 30848]
R1 Null;Null;c:\windows\system32\drivers\null.sys [8/4/2004 7:00 AM 2944]
R1 RasAcd;Remote Access Auto Connection Driver;c:\windows\system32\drivers\rasacd.sys [8/4/2004 7:00 AM 8832]
R1 Rdbss;Rdbss;c:\windows\system32\drivers\rdbss.sys [8/4/2004 7:00 AM 175744]
R1 RDPCDD;RDPCDD;c:\windows\system32\drivers\rdpcdd.sys [8/4/2004 7:00 AM 4224]
R1 redbook;Digital CD Audio Playback Filter Driver;c:\windows\system32\drivers\redbook.sys [8/8/2009 3:26 PM 57600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 Tcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\tcpip.sys [8/4/2004 7:00 AM 361600]
R1 TermDD;Terminal Device Driver;c:\windows\system32\drivers\termdd.sys [8/8/2009 8:31 PM 40840]
R1 VgaSave;VGA Display Controller.;c:\windows\system32\drivers\vga.sys [8/4/2004 7:00 AM 20992]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [8/8/2009 8:51 PM 353672]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.9.0;c:\windows\system32\drivers\AegisP.sys [8/8/2009 9:21 PM 21275]
R2 AudioSrv;Windows Audio;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 Bonjour Service;Bonjour Service;c:\program files\Bonjour\mDNSResponder.exe [7/27/2010 6:44 PM 345376]
R2 Browser;Computer Browser;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 CryptSvc;CryptSvc;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 DcomLaunch;DCOM Server Process Launcher;c:\windows\system32\svchost.exe -k DcomLaunch [8/4/2004 7:00 AM 14336]
R2 Dhcp;DHCP Client;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 dmserver;Logical Disk Manager;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 Dnscache;DNS Client;c:\windows\system32\svchost.exe -k NetworkService [8/4/2004 7:00 AM 14336]
R2 ERSvc;Error Reporting Service;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 Eventlog;Event Log;c:\windows\system32\services.exe [8/4/2004 7:00 AM 110592]
R2 EvtEng;Intel® PROSet/Wireless Event Log;c:\program files\Intel\Wireless\Bin\EvtEng.exe [12/28/2005 11:45 AM 114753]
R2 helpsvc;Help and Support;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 lanmanserver;Server;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 lanmanworkstation;Workstation;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 LmHosts;TCP/IP NetBIOS Helper;c:\windows\system32\svchost.exe -k LocalService [8/4/2004 7:00 AM 14336]
R2 mdmxsdk;mdmxsdk;c:\windows\system32\drivers\mdmxsdk.sys [8/8/2009 9:25 PM 12544]
R2 PlugPlay;Plug and Play;c:\windows\system32\services.exe [8/4/2004 7:00 AM 110592]
R2 PolicyAgent;IPSEC Services;c:\windows\system32\lsass.exe [8/4/2004 7:00 AM 13312]
R2 ProtectedStorage;Protected Storage;c:\windows\system32\lsass.exe [8/4/2004 7:00 AM 13312]
R2 RemoteRegistry;Remote Registry;c:\windows\system32\svchost.exe -k LocalService [8/4/2004 7:00 AM 14336]
R2 RpcSs;Remote Procedure Call (RPC);c:\windows\system32\svchost.exe -k rpcss [8/4/2004 7:00 AM 14336]
R2 S24EventMonitor;Intel® PROSet/Wireless Service;c:\program files\Intel\Wireless\Bin\S24EvMon.exe [12/28/2005 11:47 AM 540745]
R2 SamSs;Security Accounts Manager;c:\windows\system32\lsass.exe [8/4/2004 7:00 AM 13312]
R2 Schedule;Task Scheduler;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 seclogon;Secondary Logon;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 SENS;System Event Notification;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 SharedAccess;Windows Firewall/Internet Connection Sharing (ICS);c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 ShellHWDetection;Shell Hardware Detection;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 Spooler;Print Spooler;c:\windows\system32\spoolsv.exe [8/4/2004 7:00 AM 58880]
R2 srservice;System Restore Service;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 stisvc;Windows Image Acquisition (WIA);c:\windows\system32\svchost.exe -k imgsvc [8/4/2004 7:00 AM 14336]
R2 Themes;Themes;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 TrkWks;Distributed Link Tracking Client;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 W32Time;Windows Time;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 WebClient;WebClient;c:\windows\system32\svchost.exe -k LocalService [8/4/2004 7:00 AM 14336]
R2 winmgmt;Windows Management Instrumentation;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 WLANKEEPER;Intel® PROSet/Wireless SSO Service;c:\program files\Intel\Wireless\Bin\WLKEEPER.exe [12/28/2005 12:04 PM 262217]
R2 wscsvc;Security Center;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 ALG;Application Layer Gateway Service;c:\windows\system32\alg.exe [8/4/2004 7:00 AM 44544]
R3 Arp1394;1394 ARP Client Protocol;c:\windows\system32\drivers\arp1394.sys [8/3/2004 5:58 PM 60800]
R3 audstub;Audio Stub Driver;c:\windows\system32\drivers\audstub.sys [8/8/2009 3:26 PM 3072]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver;c:\windows\system32\drivers\cmbatt.sys [8/8/2009 3:25 PM 13952]
R3 EventSystem;COM+ Event System;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 FastUserSwitchingCompatibility;Fast User Switching Compatibility;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 GEARAspiWDM;GEAR ASPI Filter Driver;c:\windows\system32\drivers\GEARAspiWDM.sys [9/27/2010 3:24 AM 26600]
R3 Gpc;Generic Packet Classifier;c:\windows\system32\drivers\msgpc.sys [8/4/2004 7:00 AM 35072]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio;c:\windows\system32\drivers\hdaudbus.sys [1/7/2005 5:07 PM 144384]
R3 HTTP;HTTP;c:\windows\system32\drivers\http.sys [8/4/2004 7:00 AM 265728]
R3 HTTPFilter;HTTP SSL;c:\windows\System32\svchost.exe -k HTTPFilter [8/4/2004 7:00 AM 14336]
R3 ialm;ialm;c:\windows\system32\drivers\ialmnt5.sys [8/8/2009 9:23 PM 1364574]
R3 IpNat;IP Network Address Translator;c:\windows\system32\drivers\ipnat.sys [8/4/2004 7:00 AM 152832]
R3 Modem;Modem;c:\windows\system32\drivers\modem.sys [8/3/2004 6:08 PM 30080]
R3 MRxDAV;WebDav Client Redirector;c:\windows\system32\drivers\mrxdav.sys [8/4/2004 7:00 AM 180608]
R3 mssmbios;Microsoft System Management BIOS Driver;c:\windows\system32\drivers\mssmbios.sys [8/3/2004 6:07 PM 15488]
R3 NdisTapi;Remote Access NDIS TAPI Driver;c:\windows\system32\drivers\ndistapi.sys [8/4/2004 7:00 AM 10112]
R3 Ndisuio;NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ndisuio.sys [8/3/2004 6:03 PM 14592]
R3 NdisWan;Remote Access NDIS WAN Driver;c:\windows\system32\drivers\ndiswan.sys [8/4/2004 7:00 AM 91520]
R3 NDProxy;NDIS Proxy;c:\windows\system32\drivers\ndproxy.sys [8/4/2004 7:00 AM 40960]
R3 Netman;Network Connections;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 NIC1394;1394 Net Driver;c:\windows\system32\drivers\nic1394.sys [8/3/2004 5:58 PM 61824]
R3 Nla;Network Location Awareness (NLA);c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 PptpMiniport;WAN Miniport (PPTP);c:\windows\system32\drivers\raspptp.sys [8/4/2004 7:00 AM 48384]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\drivers\psched.sys [8/4/2004 7:00 AM 69120]
R3 Ptilink;Direct Parallel Link Driver;c:\windows\system32\drivers\ptilink.sys [8/4/2004 7:00 AM 17792]
R3 Rasl2tp;WAN Miniport (L2TP);c:\windows\system32\drivers\rasl2tp.sys [8/4/2004 7:00 AM 51328]
R3 RasMan;Remote Access Connection Manager;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 RasPppoe;Remote Access PPPOE Driver;c:\windows\system32\drivers\raspppoe.sys [8/4/2004 7:00 AM 41472]
R3 Raspti;Direct Parallel;c:\windows\system32\drivers\raspti.sys [8/4/2004 7:00 AM 16512]
R3 rdpdr;Terminal Server Device Redirector Driver;c:\windows\system32\drivers\rdpdr.sys [8/8/2009 8:31 PM 196224]
R3 Srv;Srv;c:\windows\system32\drivers\srv.sys [8/4/2004 7:00 AM 357888]
R3 SSDPSRV;SSDP Discovery Service;c:\windows\system32\svchost.exe -k LocalService [8/4/2004 7:00 AM 14336]
R3 swenum;Software Bus Driver;c:\windows\system32\drivers\swenum.sys [8/3/2004 5:58 PM 4352]
R3 sysaudio;Microsoft Kernel System Audio Device;c:\windows\system32\drivers\sysaudio.sys [8/8/2009 9:45 PM 60800]
R3 TapiSrv;Telephony;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R3 TermService;Terminal Services;c:\windows\System32\svchost.exe -k DComLaunch [8/4/2004 7:00 AM 14336]
R3 Update;Microcode Update Driver;c:\windows\system32\drivers\update.sys [8/4/2004 7:00 AM 384768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;c:\windows\system32\drivers\usbehci.sys [8/4/2004 7:00 AM 30208]
R3 usbhub;USB2 Enabled Hub;c:\windows\system32\drivers\usbhub.sys [8/4/2004 7:00 AM 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;c:\windows\system32\drivers\usbuhci.sys [8/4/2004 7:00 AM 20608]
R3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver;c:\windows\system32\drivers\w39n51.sys [12/5/2005 12:55 AM 1428096]
R3 Wanarp;Remote Access IP ARP Driver;c:\windows\system32\drivers\wanarp.sys [8/4/2004 7:00 AM 34560]
R3 wdmaud;Microsoft WINMM WDM Audio Compatibility Driver;c:\windows\system32\drivers\wdmaud.sys [8/8/2009 9:45 PM 83072]
R3 winachsf;winachsf;c:\windows\system32\drivers\HSX_CNXT.sys [8/8/2009 9:24 PM 669696]
R4 Cdfs;Cdfs;c:\windows\system32\drivers\cdfs.sys [8/4/2004 7:00 AM 63744]
R4 Ntfs;Ntfs;c:\windows\system32\drivers\ntfs.sys [8/4/2004 7:00 AM 574976]
S1 Cdaudio;Cdaudio;c:\windows\system32\drivers\cdaudio.sys [8/17/2001 8:52 AM 18688]
S1 Changer;Changer; [x]
S1 Fdc;Fdc;c:\windows\system32\drivers\fdc.sys [8/4/2004 7:00 AM 27392]
S1 Flpydisk;Flpydisk;c:\windows\system32\drivers\flpydisk.sys [8/4/2004 7:00 AM 20480]
S1 i2omgmt;i2omgmt; [x]
S1 lbrtfdc;lbrtfdc; [x]
S1 PCIDump;PCIDump; [x]
S1 Sfloppy;Sfloppy;c:\windows\system32\drivers\sfloppy.sys [8/4/2004 7:00 AM 11392]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 ParVdm;ParVdm;c:\windows\system32\drivers\parvdm.sys [8/4/2004 7:00 AM 6784]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\Common Files\Panda Software\PavShld\pavprsrv.exe" --> c:\program files\Common Files\Panda Software\PavShld\pavprsrv.exe [?]
S2 Serial;Serial;c:\windows\system32\drivers\serial.sys [8/4/2004 7:00 AM 64512]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\ZoneLabs\vsmon.exe -service --> c:\windows\system32\ZoneLabs\vsmon.exe -service [?]
S2 WZCSVC;Wireless Zero Configuration;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 aec;Microsoft Kernel Acoustic Echo Canceller;c:\windows\system32\drivers\aec.sys [8/8/2009 9:45 PM 142592]
S3 AppMgmt;Application Management;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 aspnet_state;ASP.NET State Service;c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [7/25/2008 11:16 AM 34312]
S3 AsyncMac;RAS Asynchronous Media Driver;c:\windows\system32\drivers\asyncmac.sys [8/4/2004 7:00 AM 14336]
S3 Atmarpc;ATM ARP Client Protocol;c:\windows\system32\drivers\atmarpc.sys [8/4/2004 7:00 AM 59904]
S3 BITS;Background Intelligent Transfer Service;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 catchme;catchme;\??\c:\docume~1\Janet\LOCALS~1\Temp\catchme.sys --> c:\docume~1\Janet\LOCALS~1\Temp\catchme.sys [?]
S3 CiSvc;Indexing Service;c:\windows\system32\cisvc.exe [8/4/2004 7:00 AM 5632]
S3 ClipSrv;ClipBook;c:\windows\system32\clipsrv.exe [8/4/2004 7:00 AM 33280]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86;c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [7/25/2008 11:17 AM 69632]
S3 COMSysApp;COM+ System Application;c:\windows\system32\dllhost.exe [8/4/2004 7:00 AM 5120]
S3 dmadmin;Logical Disk Manager Administrative Service;c:\windows\system32\dmadmin.exe [8/4/2004 7:00 AM 224768]
S3 DMusic;Microsoft Kernel DLS Syntheiszer;c:\windows\system32\drivers\dmusic.sys [8/8/2009 9:45 PM 52864]
S3 Dot3svc;Wired AutoConfig;c:\windows\System32\svchost.exe -k dot3svc [8/4/2004 7:00 AM 14336]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler;c:\windows\system32\drivers\drmkaud.sys [8/8/2009 9:45 PM 2944]
S3 EapHost;Extensible Authentication Protocol Service;c:\windows\System32\svchost.exe -k eapsvcs [8/4/2004 7:00 AM 14336]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [7/29/2008 9:10 PM 46104]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 7:00 AM 14336]
S3 hkmsvc;Health Key and Certificate Management Service;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 idsvc;Windows CardSpace;c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [7/29/2008 7:24 PM 881664]
S3 ImapiService;IMAPI CD-Burning COM Service;c:\windows\system32\imapi.exe [8/4/2004 7:00 AM 150528]
S3 Ip6Fw;IPv6 Windows Firewall Driver;c:\windows\system32\drivers\ip6fw.sys [8/4/2004 7:00 AM 36608]
S3 IpFilterDriver;IP Traffic Filter Driver;c:\windows\system32\drivers\ipfltdrv.sys [8/4/2004 7:00 AM 32896]
S3 IpInIp;IP in IP Tunnel Driver;c:\windows\system32\drivers\ipinip.sys [8/4/2004 7:00 AM 20864]
S3 iPod Service;iPod Service;c:\program files\iPod\bin\iPodService.exe [1/25/2011 4:08 PM 820008]
S3 IRENUM;IR Enumerator Service;c:\windows\system32\drivers\irenum.sys [8/8/2009 3:23 PM 11264]
S3 kmixer;Microsoft Kernel Wave Audio Mixer;c:\windows\system32\drivers\kmixer.sys [8/8/2009 9:45 PM 172416]
S3 mnmsrvc;NetMeeting Remote Desktop Sharing;c:\windows\system32\mnmsrvc.exe [8/8/2009 8:34 PM 32768]
S3 MSDTC;Distributed Transaction Coordinator;c:\windows\system32\msdtc.exe [8/8/2009 8:31 PM 6144]
S3 MSIServer;Windows Installer;c:\windows\system32\msiexec.exe [8/4/2004 7:00 AM 78848]
S3 MSKSSRV;Microsoft Streaming Service Proxy;c:\windows\system32\drivers\mskssrv.sys [8/8/2009 9:45 PM 7552]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy;c:\windows\system32\drivers\mspclock.sys [8/8/2009 9:44 PM 5376]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy;c:\windows\system32\drivers\mspqm.sys [8/8/2009 9:45 PM 4992]
S3 napagent;Network Access Protection Agent;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 Netlogon;Net Logon;c:\windows\system32\lsass.exe [8/4/2004 7:00 AM 13312]
S3 NtLmSsp;NT LM Security Support Provider;c:\windows\system32\lsass.exe [8/4/2004 7:00 AM 13312]
S3 NtmsSvc;Removable Storage;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 NwlnkFlt;IPX Traffic Filter Driver;c:\windows\system32\drivers\nwlnkflt.sys [8/4/2004 7:00 AM 12416]
S3 NwlnkFwd;IPX Traffic Forwarder Driver;c:\windows\system32\drivers\nwlnkfwd.sys [8/4/2004 7:00 AM 32512]
S3 ose;Office Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [10/26/2006 2:03 PM 145184]
S3 Parport;Parport;c:\windows\system32\drivers\parport.sys [8/3/2004 5:59 PM 80128]
S3 PDCOMP;PDCOMP; [x]
S3 PDFRAME;PDFRAME; [x]
S3 PDRELI;PDRELI; [x]
S3 PDRFRAME;PDRFRAME; [x]
S3 RasAuto;Remote Access Auto Connection Manager;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 RDPWD;RDPWD;c:\windows\system32\drivers\rdpwd.sys [8/8/2009 8:31 PM 139656]
S3 RDSessMgr;Remote Desktop Help Session Manager;c:\windows\system32\sessmgr.exe [8/8/2009 8:31 PM 141312]
S3 RpcLocator;Remote Procedure Call (RPC) Locator;c:\windows\system32\locator.exe [8/4/2004 7:00 AM 75264]
S3 RSVP;QoS RSVP;c:\windows\system32\rsvp.exe [8/4/2004 7:00 AM 132608]
S3 SCardSvr;Smart Card;c:\windows\system32\scardsvr.exe [8/4/2004 7:00 AM 95744]
S3 Secdrv;Secdrv;c:\windows\system32\drivers\secdrv.sys [8/4/2004 7:00 AM 20480]
S3 splitter;Microsoft Kernel Audio Splitter;c:\windows\system32\drivers\splitter.sys [8/8/2009 9:45 PM 6272]
S3 swmidi;Microsoft Kernel GS Wavetable Synthesizer;c:\windows\system32\drivers\swmidi.sys [8/8/2009 9:45 PM 56576]
S3 SwPrv;MS Software Shadow Copy Provider;c:\windows\system32\dllhost.exe [8/4/2004 7:00 AM 5120]
S3 SysmonLog;Performance Logs and Alerts;c:\windows\system32\smlogsvc.exe [8/4/2004 7:00 AM 89600]
S3 TDPIPE;TDPIPE;c:\windows\system32\drivers\tdpipe.sys [8/8/2009 8:31 PM 12040]
S3 TDTCP;TDTCP;c:\windows\system32\drivers\tdtcp.sys [8/8/2009 8:31 PM 21896]
S3 TlntSvr;Telnet;c:\windows\system32\tlntsvr.exe [8/4/2004 7:00 AM 73216]
S3 upnphost;Universal Plug and Play Device Host;c:\windows\system32\svchost.exe -k LocalService [8/4/2004 7:00 AM 14336]
S3 UPS;Uninterruptible Power Supply;c:\windows\system32\ups.exe [8/4/2004 7:00 AM 18432]
S3 usbccgp;Microsoft USB Generic Parent Driver;c:\windows\system32\drivers\usbccgp.sys [11/22/2009 5:14 PM 32128]
S3 usbprint;Microsoft USB PRINTER Class;c:\windows\system32\drivers\usbprint.sys [8/22/2009 8:22 PM 25856]
S3 usbscan;USB Scanner Driver;c:\windows\system32\drivers\usbscan.sys [9/26/2010 10:46 PM 15104]
S3 USBSTOR;USB Mass Storage Driver;c:\windows\system32\drivers\usbstor.sys [8/8/2009 8:47 PM 26368]
S3 VSS;Volume Shadow Copy;c:\windows\system32\vssvc.exe [8/4/2004 7:00 AM 289792]
S3 WDICA;WDICA; [x]
S3 WmdmPmSN;Portable Media Serial Number Service;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 Wmi;Windows Management Instrumentation Driver Extensions;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 WmiApSrv;WMI Performance Adapter;c:\windows\system32\wbem\wmiapsrv.exe [8/8/2009 8:31 PM 126464]
S3 xmlprov;Network Provisioning Service;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S4 Abiosdsk;Abiosdsk; [x]
S4 abp480n5;abp480n5; [x]
S4 ACPIEC;ACPIEC;c:\windows\system32\drivers\acpiec.sys [8/4/2004 7:00 AM 11648]
S4 adpu160m;adpu160m; [x]
S4 Aha154x;Aha154x; [x]
S4 aic78u2;aic78u2; [x]
S4 aic78xx;aic78xx; [x]
S4 Alerter;Alerter;c:\windows\system32\svchost.exe -k LocalService [8/4/2004 7:00 AM 14336]
S4 AliIde;AliIde; [x]
S4 amsint;amsint; [x]
S4 asc;asc; [x]
S4 asc3350p;asc3350p; [x]
S4 asc3550;asc3550; [x]
S4 Atdisk;Atdisk; [x]
S4 cbidf2k;cbidf2k;c:\windows\system32\drivers\cbidf2k.sys [8/4/2004 7:00 AM 13952]
S4 cd20xrnt;cd20xrnt; [x]
S4 CmdIde;CmdIde; [x]
S4 Cpqarray;Cpqarray; [x]
S4 dac960nt;dac960nt; [x]
S4 dmboot;dmboot;c:\windows\system32\drivers\dmboot.sys [8/4/2004 7:00 AM 799744]
S4 dpti2o;dpti2o; [x]
S4 Fastfat;Fastfat;c:\windows\system32\drivers\fastfat.sys [8/4/2004 7:00 AM 143744]
S4 HidServ;Human Interface Device Access;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S4 hpn;hpn; [x]
S4 i2omp;i2omp; [x]
S4 ini910u;ini910u; [x]
S4 IntelIde;IntelIde; [x]
S4 Messenger;Messenger;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S4 mraid35x;mraid35x; [x]
S4 NetDDE;Network DDE;c:\windows\system32\netdde.exe [8/4/2004 7:00 AM 111104]
S4 NetDDEdsdm;Network DDE DSDM;c:\windows\system32\netdde.exe [8/4/2004 7:00 AM 111104]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [7/29/2008 7:16 PM 132096]
S4 Pcmcia;Pcmcia;c:\windows\system32\drivers\pcmcia.sys [8/4/2004 7:00 AM 120192]
S4 perc2;perc2; [x]
S4 perc2hib;perc2hib; [x]
S4 ql1080;ql1080; [x]
S4 Ql10wnt;Ql10wnt; [x]
S4 ql12160;ql12160; [x]
S4 ql1240;ql1240; [x]
S4 ql1280;ql1280; [x]
S4 RemoteAccess;Routing and Remote Access;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S4 Simbad;Simbad; [x]
S4 Sparrow;Sparrow; [x]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/22/2011 2:03 PM 691696]
S4 sym_hi;sym_hi; [x]
S4 sym_u3;sym_u3; [x]
S4 symc810;symc810; [x]
S4 symc8xx;symc8xx; [x]
S4 TosIde;TosIde; [x]
S4 Udfs;Udfs;c:\windows\system32\drivers\udfs.sys [8/4/2004 7:00 AM 66048]
S4 ultra;ultra; [x]
S4 ViaIde;ViaIde; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
FF - ProfilePath - c:\documents and settings\Janet\Application Data\Mozilla\Firefox\Profiles\7gi9o6gi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-15 23:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1328)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-06-15 23:29:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-16 04:29
ComboFix2.txt 2011-06-15 02:32
.
Pre-Run: 37,307,936,768 bytes free
Post-Run: 37,225,758,720 bytes free
.
- - End Of File - - A4AE523AEADB37704FD485B341BF806D

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:29 AM

Posted 16 June 2011 - 05:26 PM

That error will be specific to Combofix so don't worry about that.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE