
Redirect, backdoor access, trojan, no safe mode


  • This topic is locked
20 replies to this topic

#1 dwbeyer


Posted 26 July 2011 - 04:33 PM

I have "1001 searches" redirecting my Google & Yahoo searches. When I try to run Spybot, Malwarebytes Anti-Malware or any other removal tool, I get the following message:

"WINDOWS CANNOT ACCESS THE SPECIFIC DEVICE, PATH, OR FILE. YOU MAY NOT HAVE APPROPRIATE PERMISSIONS TO ACCESS THE FILE"

I can't boot into safe mode.


Kaspersky online scan found but could not remove the following:

c:\windows\system32\assembly\Gac_msik\desktop.ini
Backdoor.Win32.ZAccess.dg
Trojan.Win32.Patched.mf


Thanks in advance for your time.

David



DDS.TXT
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 16:02:07 on 2011-07-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2857 [GMT -4:00]
.
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\twain_32\Fjscan32\FJLaunch.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\5228256.exe
C:\WINDOWS\system32\cidaemon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\_unins~1.lnk - c:\documents and settings\administrator\local settings\temp\_uninst_71187880.bat
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\_unins~2.lnk - c:\documents and settings\administrator\local settings\temp\_uninst_81008598.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fujits~1.lnk - c:\windows\twain_32\fjscan32\FJLaunch.exe
mPolicies-explorer: <NO NAME> =
mPolicies-system: LogonType = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234291755812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://taxwebwlbs2.trendmls.com/RR/Resources/webpublisher/installer/fileopen.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFFFFFFF-19EB-49E8-BB30-8DE03499D2F0} - hxxp://192.168.10.4/NetVideo.cab
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
TCP: Interfaces\{DA58CED4-F72C-4E1F-9353-8AC3C1543248} : DhcpNameServer = 68.87.64.150 68.87.75.198
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\xw0mq01i.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 20698820;20698820;c:\windows\system32\drivers\20698820.sys [2011-7-26 133208]
R0 65321429;65321429;c:\windows\system32\drivers\65321429.sys [2011-7-26 133208]
R0 81008598;81008598;c:\windows\system32\drivers\81008598.sys [2011-7-26 133208]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-2-10 11520]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-2-18 874240]
RUnknown 5228256drv;5228256drv; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-4 136176]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2009-2-11 10368]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-4 136176]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-9-8 132464]
S3 TD4408F10;TD4408F10;c:\windows\system32\drivers\TD4408F10AV.sys [2010-9-14 13227]
.
=============== Created Last 30 ================
.
2011-07-26 16:53:26 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-07-26 16:53:26 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-07-26 16:53:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-26 16:50:24 -------- d--h--w- c:\windows\PIF
2011-07-26 16:38:56 133208 ----a-w- c:\windows\system32\drivers\81008598.sys
2011-07-26 15:10:59 133208 ----a-w- c:\windows\system32\drivers\20698820.sys
2011-07-26 15:07:28 133208 ----a-w- c:\windows\system32\drivers\65321429.sys
2011-07-22 06:28:34 6881616 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{e9877e92-d0fe-44de-969f-9c2bbe9f3859}\mpengine.dll
2011-07-09 18:09:09 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Help
2011-07-04 02:42:00 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-07-04 02:42:00 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-07-26 17:05:04 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2011-06-19 12:06:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-11 16:21:54 1409 ----a-w- c:\windows\QTFont.for
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
============= FINISH: 16:02:44.30 ===============

Edited by Orange Blossom, 26 July 2011 - 08:39 PM.
Moved to log forum. ~ OB




#2 CatByte

Malware Response Team

Posted 29 July 2011 - 07:32 PM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.



NEXT


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


If TDSSKiller won't run, try the following:

  • Download FixTDSS and save it to your desktop.
  • Double click on the FixTDSS.exe icon to run it.
  • Click the "I Accept" button, then the "Proceed" button to begin.
  • The tool will restart your computer automatically - click OK to allow it to do so.
  • The tool will begin its scan on reboot > click "run" to begin.
  • It will report if an infected MBR is found > click the "repair" button.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

Malware Response Team

Posted 02 August 2011 - 07:37 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#4 CatByte

Malware Response Team

Posted 03 August 2011 - 09:26 AM

This topic has been re-opened at the request of the person who originally posted.



#5 dwbeyer

Topic Starter

Posted 03 August 2011 - 12:10 PM

Thanks

aswMBR.txt file

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-03 07:59:16
-----------------------------
07:59:16.671 OS Version: Windows 5.1.2600 Service Pack 3
07:59:16.671 Number of processors: 2 586 0x170A
07:59:16.671 ComputerName: DAVID-XNH8X9DMZ UserName: Administrator
07:59:18.125 Initialize success
07:59:55.546 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-9
07:59:55.546 Disk 0 Vendor: SAMSUNG_HD204UI 1AQ10001 Size: 1907729MB BusType: 3
07:59:55.546 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-1f
07:59:55.546 Disk 1 Vendor: ST31000333AS SD15 Size: 953869MB BusType: 3
07:59:57.578 Disk 1 MBR read successfully
07:59:57.578 Disk 1 MBR scan
07:59:57.578 Disk 1 Windows XP default MBR code
07:59:57.578 Disk 1 scanning sectors +1953504000
07:59:57.625 Disk 1 scanning C:\WINDOWS\system32\drivers
08:00:02.359 Service scanning
08:00:03.281 Modules scanning
08:00:05.156 Module: C:\WINDOWS\System32\DRIVERS\ipsec.sys **SUSPICIOUS**
08:00:07.000 Disk 1 trace - called modules:
08:00:07.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xba25ff00]<<
08:00:07.015 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b745ab8]
08:00:07.015 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> [0x8ad12030]
08:00:07.015 \Driver\00001683[0x8acfc968] -> IRP_MJ_CREATE -> 0xba25ff00
08:00:07.015 Scan finished successfully
08:00:38.718 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
08:00:38.718 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


TDSSKiller Log File

2011/08/03 08:01:21.0109 2764 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/08/03 08:01:21.0484 2764 ================================================================================
2011/08/03 08:01:21.0484 2764 SystemInfo:
2011/08/03 08:01:21.0484 2764
2011/08/03 08:01:21.0484 2764 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/03 08:01:21.0484 2764 Product type: Workstation
2011/08/03 08:01:21.0484 2764 ComputerName: DAVID-XNH8X9DMZ
2011/08/03 08:01:21.0484 2764 UserName: Administrator
2011/08/03 08:01:21.0484 2764 Windows directory: C:\WINDOWS
2011/08/03 08:01:21.0484 2764 System windows directory: C:\WINDOWS
2011/08/03 08:01:21.0484 2764 Processor architecture: Intel x86
2011/08/03 08:01:21.0484 2764 Number of processors: 2
2011/08/03 08:01:21.0484 2764 Page size: 0x1000
2011/08/03 08:01:21.0484 2764 Boot type: Normal boot
2011/08/03 08:01:21.0484 2764 ================================================================================
2011/08/03 08:01:22.0515 2764 Initialize success
2011/08/03 08:01:27.0000 4068 ================================================================================
2011/08/03 08:01:27.0000 4068 Scan started
2011/08/03 08:01:27.0000 4068 Mode: Manual;
2011/08/03 08:01:27.0000 4068 ================================================================================
2011/08/03 08:01:28.0171 4068 20698820 (186b54479d98e48aee0e9ada4b3c4d31) C:\WINDOWS\system32\DRIVERS\20698820.sys
2011/08/03 08:01:28.0218 4068 81008598 (186b54479d98e48aee0e9ada4b3c4d31) C:\WINDOWS\system32\DRIVERS\81008598.sys
2011/08/03 08:01:28.0296 4068 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/03 08:01:28.0343 4068 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/03 08:01:28.0609 4068 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/03 08:01:28.0656 4068 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/08/03 08:01:28.0687 4068 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/08/03 08:01:28.0734 4068 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/03 08:01:28.0812 4068 Aspi32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\Aspi32.sys
2011/08/03 08:01:28.0812 4068 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/03 08:01:28.0828 4068 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/03 08:01:28.0859 4068 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/03 08:01:28.0906 4068 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/03 08:01:28.0953 4068 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/03 08:01:28.0968 4068 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/08/03 08:01:28.0984 4068 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/08/03 08:01:29.0015 4068 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/03 08:01:29.0062 4068 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/03 08:01:29.0078 4068 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/03 08:01:29.0093 4068 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/03 08:01:29.0187 4068 ctac32k (69a0e7f9eebd0f0979dad9cd3dde585c) C:\WINDOWS\system32\drivers\ctac32k.sys
2011/08/03 08:01:29.0203 4068 ctaud2k (71bd994f33013e8e44b95bef8b329f0d) C:\WINDOWS\system32\drivers\ctaud2k.sys
2011/08/03 08:01:29.0265 4068 ctdvda2k (18fa14912729744be13561bca1243915) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2011/08/03 08:01:29.0281 4068 ctgame (4bb3c27e5fc9e538d1ae41e57cd7bf03) C:\WINDOWS\system32\DRIVERS\ctgame.sys
2011/08/03 08:01:29.0296 4068 ctprxy2k (7c879881068e9a24f99cfc42cd95104d) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2011/08/03 08:01:29.0312 4068 ctsfm2k (4d66ed05c93c31c4168dfcd2dfc79ff1) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2011/08/03 08:01:29.0375 4068 DgivEcp (d514b430e2989f846137828c90370c16) C:\WINDOWS\system32\Drivers\DgivEcp.Sys
2011/08/03 08:01:29.0406 4068 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/03 08:01:29.0437 4068 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/03 08:01:29.0484 4068 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/03 08:01:29.0484 4068 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/03 08:01:29.0500 4068 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/03 08:01:29.0515 4068 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/03 08:01:29.0531 4068 emupia (7222d8fb8a47dc01c7e7506ba6510808) C:\WINDOWS\system32\drivers\emupia2k.sys
2011/08/03 08:01:29.0546 4068 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/03 08:01:29.0562 4068 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/03 08:01:29.0578 4068 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/03 08:01:29.0593 4068 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/03 08:01:29.0625 4068 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/03 08:01:29.0625 4068 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/03 08:01:29.0640 4068 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/03 08:01:29.0671 4068 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/03 08:01:29.0703 4068 ha10kx2k (1ffee28967c17c599b9e58da4a14f957) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2011/08/03 08:01:29.0750 4068 hap16v2k (518c9a47bf999b5cb7e3b87fbd8b54b2) C:\WINDOWS\system32\drivers\hap16v2k.sys
2011/08/03 08:01:29.0781 4068 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/03 08:01:29.0812 4068 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/03 08:01:29.0890 4068 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/03 08:01:29.0906 4068 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/03 08:01:29.0921 4068 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/03 08:01:29.0968 4068 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/03 08:01:29.0968 4068 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/03 08:01:30.0000 4068 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/03 08:01:30.0031 4068 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/03 08:01:30.0046 4068 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/03 08:01:30.0062 4068 IPSec (0b8623c57aec12ab17755817cd1a4067) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/03 08:01:30.0078 4068 IPSec - detected Rootkit.Win32.ZAccess.c (0)
2011/08/03 08:01:30.0093 4068 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/03 08:01:30.0093 4068 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/03 08:01:30.0109 4068 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/03 08:01:30.0109 4068 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/03 08:01:30.0140 4068 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/03 08:01:30.0171 4068 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/03 08:01:30.0203 4068 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/08/03 08:01:30.0250 4068 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/03 08:01:30.0265 4068 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/03 08:01:30.0343 4068 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
2011/08/03 08:01:30.0437 4068 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/03 08:01:30.0453 4068 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/03 08:01:30.0453 4068 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/03 08:01:30.0484 4068 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/03 08:01:30.0500 4068 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/03 08:01:30.0531 4068 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/03 08:01:30.0546 4068 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/03 08:01:30.0562 4068 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/03 08:01:30.0562 4068 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/03 08:01:30.0578 4068 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/03 08:01:30.0609 4068 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/08/03 08:01:30.0640 4068 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/03 08:01:30.0656 4068 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/03 08:01:30.0671 4068 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/03 08:01:30.0687 4068 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/03 08:01:30.0703 4068 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/03 08:01:30.0734 4068 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/03 08:01:30.0750 4068 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/03 08:01:30.0750 4068 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/03 08:01:30.0796 4068 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/03 08:01:30.0796 4068 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/03 08:01:30.0828 4068 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/03 08:01:30.0859 4068 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/03 08:01:31.0015 4068 nv (6350e7b41c7b6ee630ab1b011ffd4ce2) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/03 08:01:31.0125 4068 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/03 08:01:31.0125 4068 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/03 08:01:31.0140 4068 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/03 08:01:31.0156 4068 ossrv (83bf51d7e6569877251d34edc7bb99cb) C:\WINDOWS\system32\drivers\ctoss2k.sys
2011/08/03 08:01:31.0171 4068 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/08/03 08:01:31.0187 4068 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/03 08:01:31.0234 4068 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/03 08:01:31.0265 4068 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/03 08:01:31.0296 4068 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/03 08:01:31.0328 4068 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/03 08:01:31.0406 4068 PfModNT (5c125deac835c9927f7ab3e8a270fde7) C:\WINDOWS\system32\PfModNT.sys
2011/08/03 08:01:31.0484 4068 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/03 08:01:31.0500 4068 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/08/03 08:01:31.0515 4068 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/03 08:01:31.0531 4068 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/03 08:01:31.0578 4068 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/03 08:01:31.0593 4068 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/03 08:01:31.0609 4068 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/03 08:01:31.0625 4068 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/03 08:01:31.0640 4068 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/03 08:01:31.0671 4068 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/03 08:01:31.0703 4068 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/03 08:01:31.0718 4068 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/03 08:01:31.0734 4068 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/03 08:01:31.0765 4068 RTLE8023xp (b52b25f41bf3511071a0e7d10d659c56) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/08/03 08:01:31.0843 4068 SASDIFSV (4bfbb868c869a4f8486d4c36849d59cf) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/03 08:01:31.0859 4068 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/03 08:01:31.0890 4068 scsiscan (089870dab7aa277585c475ae09ee4c63) C:\WINDOWS\system32\DRIVERS\scsiscan.sys
2011/08/03 08:01:31.0937 4068 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/03 08:01:31.0953 4068 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/03 08:01:31.0968 4068 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/03 08:01:32.0015 4068 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/03 08:01:32.0062 4068 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/03 08:01:32.0109 4068 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/03 08:01:32.0125 4068 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/03 08:01:32.0140 4068 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/03 08:01:32.0234 4068 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/03 08:01:32.0281 4068 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/03 08:01:32.0328 4068 TD4408F10 (d7d605bdf90284331b89774b293af2ff) C:\WINDOWS\system32\drivers\TD4408F10AV.SYS
2011/08/03 08:01:32.0343 4068 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/03 08:01:32.0421 4068 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/03 08:01:32.0437 4068 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/03 08:01:32.0484 4068 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/03 08:01:32.0515 4068 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/03 08:01:32.0531 4068 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/03 08:01:32.0546 4068 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/03 08:01:32.0546 4068 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/03 08:01:32.0578 4068 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/08/03 08:01:32.0609 4068 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/03 08:01:32.0625 4068 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/03 08:01:32.0640 4068 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/03 08:01:32.0671 4068 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/03 08:01:32.0750 4068 VIAHdAudAddService (b9a4233c99d35c3bfcc367d8b4d1b499) C:\WINDOWS\system32\drivers\viahduaa.sys
2011/08/03 08:01:32.0781 4068 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/03 08:01:32.0796 4068 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/03 08:01:32.0812 4068 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/03 08:01:32.0875 4068 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/03 08:01:32.0906 4068 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/03 08:01:32.0921 4068 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/03 08:01:32.0937 4068 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/08/03 08:01:33.0015 4068 Boot (0x1200) (509d50af3faf39dc81a40cd007626052) \Device\Harddisk0\DR0\Partition0
2011/08/03 08:01:33.0015 4068 Boot (0x1200) (712efc5a04dc2c1501cb8e47f4b686d5) \Device\Harddisk1\DR1\Partition0
2011/08/03 08:01:33.0015 4068 ================================================================================
2011/08/03 08:01:33.0015 4068 Scan finished
2011/08/03 08:01:33.0015 4068 ================================================================================
2011/08/03 08:01:33.0015 2600 Detected object count: 1
2011/08/03 08:01:33.0015 2600 Actual detected object count: 1
2011/08/03 08:02:37.0046 2600 IPSec (0b8623c57aec12ab17755817cd1a4067) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/03 08:02:37.0062 2600 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\ipsec.sys) error 1813
2011/08/03 08:02:38.0375 2600 Backup copy found, using it..
2011/08/03 08:02:38.0375 2600 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot
2011/08/03 08:02:38.0375 2600 Rootkit.Win32.ZAccess.c(IPSec) - User select action: Cure
2011/08/03 08:02:44.0343 3464 Deinitialize success


Thanks for all your help!

Attached file: MBR.zip (499 bytes)


#6 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 03 August 2011 - 06:38 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 dwbeyer (Topic Starter, Members, 9 posts, South Jersey)

Posted 05 August 2011 - 08:54 AM

Thanks

ComboFix 11-08-05.01 - Administrator 08/05/2011 9:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2541 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\David Beyer\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\windows\$NtUninstallKB47183$
c:\windows\$NtUninstallKB47183$\2874246747
c:\windows\$NtUninstallKB47183$\4255955484\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB47183$\4255955484\click.tlb
c:\windows\$NtUninstallKB47183$\4255955484\L\kkkgezco
c:\windows\$NtUninstallKB47183$\4255955484\loader.tlb
c:\windows\$NtUninstallKB47183$\4255955484\U\@00000001
c:\windows\$NtUninstallKB47183$\4255955484\U\@000000c0
c:\windows\$NtUninstallKB47183$\4255955484\U\@000000cb
c:\windows\$NtUninstallKB47183$\4255955484\U\@000000cf
c:\windows\$NtUninstallKB47183$\4255955484\U\@80000000
c:\windows\$NtUninstallKB47183$\4255955484\U\@800000c0
c:\windows\$NtUninstallKB47183$\4255955484\U\@800000cb
c:\windows\$NtUninstallKB47183$\4255955484\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\spool\prtprocs\w32x86\clpa1pc(2).dll
c:\windows\system32\spool\prtprocs\w32x86\clpa1pc(3).dll
c:\windows\system32\spool\prtprocs\w32x86\clpa1pc(4).dll
c:\windows\system32\spool\prtprocs\w32x86\clpa1pc(5).dll
c:\windows\system32\spool\prtprocs\w32x86\clpa1pc(6).dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))
.
.
2011-08-03 12:04 . 2011-08-03 12:13 44560 --sha-w- c:\windows\system32\c_17046.nl_
2011-07-27 06:28 . 2011-07-20 13:44 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-07-26 17:22 . 2011-07-26 17:22 -------- d-----r- c:\documents and settings\David Beyer\My Videos
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-26 16:50 . 2011-07-26 16:50 -------- d--h--w- c:\windows\PIF
2011-07-26 16:38 . 2011-07-26 23:24 133208 ----a-w- c:\windows\system32\drivers\81008598.sys
2011-07-26 15:10 . 2011-07-26 21:25 133208 ----a-w- c:\windows\system32\drivers\20698820.sys
2011-07-22 06:28 . 2011-07-13 03:39 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{E9877E92-D0FE-44DE-969F-9C2BBE9F3859}\mpengine.dll
2011-07-09 18:09 . 2011-07-09 18:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-03 13:09 . 2009-02-11 02:19 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-03 12:04 . 2003-03-31 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-07-26 17:05 . 2009-02-10 19:55 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2011-07-08 11:55 . 2010-05-01 21:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:55 . 2010-05-01 21:56 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 12:06 . 2011-05-24 20:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 15:55 . 2011-04-27 13:19 7074640 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2011-04-27 13:19 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-11 16:21 . 2011-05-11 16:21 1409 ----a-w- c:\windows\QTFont.for
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2011-07-04 02:42 . 2011-05-17 12:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-08 449584]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
_uninst_71187880.lnk - c:\documents and settings\Administrator\Local Settings\Temp\_uninst_71187880.bat [N/A]
_uninst_81008598.lnk - c:\documents and settings\Administrator\Local Settings\Temp\_uninst_81008598.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Fujitsu Scanner Control Center.lnk - c:\windows\twain_32\Fjscan32\FJLaunch.exe [2009-2-10 114688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 11.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 11.lnk
backup=c:\windows\pss\Desktop Application Director 11.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\JetAudio\\JetAudio.exe"=
"c:\\Documents and Settings\\David Beyer\\Downloads\\aswMBR.exe"=
.
R0 20698820;20698820;c:\windows\system32\drivers\20698820.sys [7/26/2011 11:10 AM 133208]
R0 81008598;81008598;c:\windows\system32\drivers\81008598.sys [7/26/2011 12:38 PM 133208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/12/2011 5:55 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/1/2010 5:56 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/1/2010 5:56 PM 22712]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2/10/2009 3:52 PM 11520]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2/18/2009 8:17 AM 874240]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2010 8:14 AM 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2/11/2009 1:24 PM 10368]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2010 8:14 AM 136176]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [9/8/2010 8:26 AM 132464]
S3 TD4408F10;TD4408F10;c:\windows\system32\drivers\TD4408F10AV.sys [9/14/2010 4:03 PM 13227]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc0433d9ad2cb0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 12:14]
.
2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc0433d9f4b33c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 12:14]
.
2011-08-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
DPF: {FFFFFFFF-19EB-49E8-BB30-8DE03499D2F0} - hxxp://192.168.10.4/NetVideo.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw0mq01i.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-19975536.sys
SafeBoot-23171807.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-05 09:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-220523388-842925246-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,8b,d7,be,32,6d,0e,4d,ab,97,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,8b,d7,be,32,6d,0e,4d,ab,97,48,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
.
**************************************************************************
.
Completion time: 2011-08-05 09:51:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-05 13:51
.
Pre-Run: 494,088,192 bytes free
Post-Run: 899,408,998,400 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 8A15C1AB8CC0301ED5755103CCBDA87F
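An added example, not part of this thread and not ComboFix's own code: a Python pass over ComboFix log lines that flags the path patterns visible in the log above. The sample lines are copied from that log; the indicator rules (a $NtUninstallKB...$ store with L\ and U\ subfolders, a desktop.ini inside a GAC subfolder, a hidden+system file dropped directly in system32, and an 8-digit randomly named driver) are this example's own assumptions drawn from those paths, not a vendor signature set. The driver rule is a review flag, not a verdict: the two 8-digit drivers on this machine were later identified on VirusTotal as Kaspersky's KL1.SYS.

```python
"""Added example: a triage pass over ComboFix log lines (not ComboFix's own code)."""
import re

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB47183$\4255955484\L\kkkgezco
c:\windows\$NtUninstallKB47183$\4255955484\U\@00000001
c:\windows\$NtUninstallKB47183$\4255955484\click.tlb
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\spool\prtprocs\w32x86\clpa1pc(2).dll
2011-08-03 12:04 . 2011-08-03 12:13 44560 --sha-w- c:\windows\system32\c_17046.nl_
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-26 16:38 . 2011-07-26 23:24 133208 ----a-w- c:\windows\system32\drivers\81008598.sys
2011-06-19 12:06 . 2011-05-24 20:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
"""

# "Files Created" rows: created . modified size attrs path
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# Bare path rows ("Other Deletions" section)
PATH_RE = re.compile(r"^[a-z]:\\", re.I)

# Indicator patterns derived from the paths ComboFix listed on this page (assumptions).
ZA_UNINSTALL_RE = re.compile(r"\\\$ntuninstallkb\d+\$\\\d+\\[lu]\\", re.I)
GAC_DESKTOP_INI_RE = re.compile(r"\\windows\\assembly\\gac_[^\\]+\\desktop\.ini$", re.I)
SYSTEM32_DIRECT_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
NUMERIC_DRIVER_RE = re.compile(r"\\system32\\drivers\\\d{8}\.sys$", re.I)


def classify(path, attrs=""):
    """Return the reasons a path deserves a closer look (empty list = nothing matched)."""
    reasons = []
    if ZA_UNINSTALL_RE.search(path):
        reasons.append("ZeroAccess-style payload store: $NtUninstallKB...$ with L\\ / U\\ subfolders")
    if GAC_DESKTOP_INI_RE.search(path):
        reasons.append("desktop.ini inside a GAC subfolder (flagged on this page by Kaspersky)")
    # attrs letters come straight from the ComboFix flag field; 's' = system, 'h' = hidden
    if "s" in attrs and "h" in attrs and SYSTEM32_DIRECT_RE.match(path):
        reasons.append("hidden+system file planted directly in system32")
    if NUMERIC_DRIVER_RE.search(path):
        reasons.append("randomly named 8-digit driver: verify hash/signature before acting")
    return reasons


def parse_line(line):
    """Return (path, attrs) for a log row, or None for headers and blank lines."""
    line = line.strip()
    m = CREATED_RE.match(line)
    if m:
        return m["path"], m["attrs"]
    if PATH_RE.match(line):
        return line, ""          # bare deletion rows carry no attribute field
    return None


def triage(log_text):
    """Map each flagged path to its list of reasons, in log order."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, attrs = parsed
        reasons = classify(path, attrs)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   ->", r)
```

The attribute rule only fires when the ComboFix flag field carries both s and h, so the same file name with ordinary archive attributes is not flagged; the driver rule exists to be cleared by a hash lookup, which is exactly what the next post asks for.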

#8 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 05 August 2011 - 09:45 AM

Hi

Please do the following:

Please go to Virus Total
  • Copy paste the following full path into the empty box under 'Upload a file'

    c:\windows\system32\drivers\81008598.sys

  • Click 'Send File'
  • If a pop-up appears saying the file has been scanned already, please select ReScan
Copy/paste the results into Notepad and save it to your desktop. Please post the results in your next reply.


Please do the same for the following files:

c:\windows\system32\drivers\20698820.sys
c:\windows\system32\c_17046.nl_



#9 dwbeyer (Topic Starter, Members, 9 posts, South Jersey)

Posted 06 August 2011 - 08:38 AM

81008598.sys
Submission date:
2011-08-06 13:12:28 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

Antivirus Version Last Update Result
AhnLab-V3 2011.08.06.00 2011.08.06 -
AntiVir 7.11.12.233 2011.08.05 -
Antiy-AVL 2.0.3.7 2011.08.06 -
Avast 4.8.1351.0 2011.08.06 -
Avast5 5.0.677.0 2011.08.06 -
AVG 10.0.0.1190 2011.08.06 -
BitDefender 7.2 2011.08.06 -
CAT-QuickHeal 11.00 2011.08.06 -
ClamAV 0.97.0.0 2011.08.06 -
Commtouch 5.3.2.6 2011.08.06 -
Comodo 9650 2011.08.06 -
DrWeb 5.0.2.03300 2011.08.06 -
Emsisoft 5.1.0.8 2011.08.06 -
eSafe 7.0.17.0 2011.08.04 -
eTrust-Vet 36.1.8486 2011.08.05 -
F-Prot 4.6.2.117 2011.08.06 -
F-Secure 9.0.16440.0 2011.08.06 -
Fortinet 4.2.257.0 2011.08.06 -
GData 22 2011.08.06 -
Ikarus T3.1.1.104.0 2011.08.06 -
Jiangmin 13.0.900 2011.08.05 -
K7AntiVirus 9.109.4973 2011.08.02 -
Kaspersky 9.0.0.837 2011.08.06 -
McAfee 5.400.0.1158 2011.08.06 -
McAfee-GW-Edition 2010.1D 2011.08.06 -
Microsoft 1.7104 2011.08.06 -
NOD32 6355 2011.08.06 -
Norman 6.07.10 2011.08.06 -
nProtect 2011-08-06.01 2011.08.06 -
Panda 10.0.3.5 2011.08.06 -
PCTools 8.0.0.5 2011.08.06 -
Prevx 3.0 2011.08.06 -
Rising 23.69.03.03 2011.08.04 -
Sophos 4.67.0 2011.08.06 -
SUPERAntiSpyware 4.40.0.1006 2011.08.06 -
Symantec 20111.2.0.82 2011.08.06 -
TheHacker 6.7.0.1.272 2011.08.06 -
TrendMicro 9.200.0.1012 2011.08.06 -
TrendMicro-HouseCall 9.200.0.1012 2011.08.06 -
VBA32 3.12.16.4 2011.08.06 -
VIPRE 10083 2011.08.06 -
ViRobot 2011.8.6.4609 2011.08.06 -
VirusBuster 14.0.154.0 2011.08.05 -
Additional information
MD5 : 186b54479d98e48aee0e9ada4b3c4d31
SHA1 : bbf664068f0613d864b9107ce48a70b5f9171076
SHA256: a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874
ssdeep: 1536:mRsWc6M6h7eKmRi66uk1yRjRIRorRe2VCN3CgHx4NqctXos+pk1ilC2DP:mRsXnKv1yRjK+FCVTx4McposQk+D
File size : 133208 bytes
First seen: 2011-03-18 19:50:19
Last seen : 2011-08-06 13:12:28
TrID:
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Kaspersky Lab ZAO
copyright....: © 1997-2011 Kaspersky Lab ZAO.
product......: Kaspersky Anti-Virus
description..: Kaspersky Unified Driver
original name: KL1.SYS
internal name: KL1
file version.: 6.6.0.10
comments.....: n/a
signers......: Kaspersky Lab
VeriSign Class 3 Code Signing 2009-2 CA
Class 3 Public Primary Certification Authority
signing date.: 11:23 04/03/2011
verified.....: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x36F0
timedatestamp....: 0x4D70AE22 (Fri Mar 04 09:17:22 2011)
machinetype......: 0x14c (I386)

[[ 6 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1789C, 0x17A00, 6.40, 794a5360eb4e20ccf239c18c6451d366
.4lulz, 0x19000, 0x500000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.data, 0x519000, 0x2F3C, 0x3000, 2.63, 9f754f34e66ff10b7e03246ee06345fe
INIT, 0x51C000, 0x5B8, 0x600, 5.25, 833bad5a3134fabc3763390213dcc1f8
.rsrc, 0x51D000, 0x410, 0x600, 2.47, 580c3fbc5f2ab30735cbbaf4a984bb42
.reloc, 0x51E000, 0x3360, 0x3400, 1.48, 962b9d130a712fd5ee4585bda528e896

[[ 2 import(s) ]]
ntoskrnl.exe: _purecall, sprintf, ExFreePool, ExAllocatePoolWithTag, ZwClose, ZwCreateFile, RtlInitUnicodeString, swprintf, ZwReadFile, ZwQueryInformationFile, memcpy, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlAppendUnicodeStringToString, RtlFreeUnicodeString, strncmp, KeWaitForSingleObject, ObfDereferenceObject, ObReferenceObjectByHandle, PsCreateSystemThread, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, InitSafeBootMode, RtlEqualUnicodeString, RtlCopyUnicodeString, RtlAppendUnicodeToString, KeReleaseMutex, PsSetLoadImageNotifyRoutine, IoRegisterBootDriverReinitialization, memset, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, PsGetVersion, _except_handler3, ZwQueryValueKey, RtlPrefixUnicodeString, _stricmp, strchr, IoAllocateIrp, _strnicmp, ZwQuerySystemInformation, IoGetRelatedDeviceObject, KeInitializeSpinLock, InterlockedIncrement, InterlockedDecrement, ZwOpenKey, ZwSetValueKey, ZwEnumerateValueKey, DbgPrint, IofCompleteRequest, KeInitializeMutex, rand, srand, memmove
HAL.dll: KfAcquireSpinLock, HalGetAdapter, KfReleaseSpinLock




20698820.sys
Submission date:
2011-08-06 13:04:06 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

Last seen : 2011-08-06 13:04:06

[The rest of this report is identical to the one for 81008598.sys above: the same 43 engines with no detections, the same MD5 186b54479d98e48aee0e9ada4b3c4d31 and SHA256 a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874, the same Kaspersky KL1.SYS version and signature data, and the same PE sections and imports.]





c_17046.nl_
Submission date:
2011-08-06 13:16:32 (UTC)
Current status:
finished
Result:
21/ 43 (48.8%)

Antivirus Version Last Update Result
AhnLab-V3 2011.08.06.00 2011.08.06 Trojan/Win32.Zeroaccess
AntiVir 7.11.12.233 2011.08.05 TR/ATRAPS.Gen2
Antiy-AVL 2.0.3.7 2011.08.06 Trojan/win32.agent.gen
Avast 4.8.1351.0 2011.08.06 Win32:Sirefef-F [Drp]
Avast5 5.0.677.0 2011.08.06 Win32:Sirefef-F [Drp]
AVG 10.0.0.1190 2011.08.06 -
BitDefender 7.2 2011.08.06 Gen:Trojan.Heur.Hype.cqW@amPT8Jn
CAT-QuickHeal 11.00 2011.08.06 Backdoor.Smadow.BB4
ClamAV 0.97.0.0 2011.08.06 Trojan.Rootkit-3011
Commtouch 5.3.2.6 2011.08.06 -
Comodo 9650 2011.08.06 -
DrWeb 5.0.2.03300 2011.08.06 BackDoor.Maxplus.17
Emsisoft 5.1.0.8 2011.08.06 Backdoor.Win32.Smadow!IK
eSafe 7.0.17.0 2011.08.04 -
eTrust-Vet 36.1.8486 2011.08.05 -
F-Prot 4.6.2.117 2011.08.06 -
F-Secure 9.0.16440.0 2011.08.06 Gen:Variant.Sirefef.2
Fortinet 4.2.257.0 2011.08.06 -
GData 22 2011.08.06 Gen:Trojan.Heur.Hype.cqW@amPT8Jn
Ikarus T3.1.1.104.0 2011.08.06 Backdoor.Win32.Smadow
Jiangmin 13.0.900 2011.08.05 -
K7AntiVirus 9.109.4973 2011.08.02 -
Kaspersky 9.0.0.837 2011.08.06 -
McAfee 5.400.0.1158 2011.08.06 -
McAfee-GW-Edition 2010.1D 2011.08.06 Heuristic.BehavesLike.Win32.Spyware.C
Microsoft 1.7104 2011.08.06 Backdoor:Win32/Smadow.gen!B
NOD32 6355 2011.08.06 -
Norman 6.07.10 2011.08.06 W32/ZAccess.G
nProtect 2011-08-06.01 2011.08.06 -
Panda 10.0.3.5 2011.08.06 Suspicious file
PCTools 8.0.0.5 2011.08.06 Trojan.Zeroaccess
Prevx 3.0 2011.08.06 -
Rising 23.69.03.03 2011.08.04 -
Sophos 4.67.0 2011.08.06 Sus/UnkPack-C
SUPERAntiSpyware 4.40.0.1006 2011.08.06 -
Symantec 20111.2.0.82 2011.08.06 Trojan.Zeroaccess
TheHacker 6.7.0.1.272 2011.08.06 -
TrendMicro 9.200.0.1012 2011.08.06 -
TrendMicro-HouseCall 9.200.0.1012 2011.08.06 -
VBA32 3.12.16.4 2011.08.06 SScope.Rootkit.ZAccess.01340
VIPRE 10083 2011.08.06 -
ViRobot 2011.8.6.4609 2011.08.06 -
VirusBuster 14.0.154.0 2011.08.05 -
Additional information
MD5 : 727281086ac6b89a3a142744360be00e
SHA1 : fde788840c57ea2c83f1c99a42d0e7bc0fa83115
SHA256: dfa99db7e1ba43dcbbda2db1eb0fa6f03d6ec5abd3cb32a4a27aa0545a03dcc8
ssdeep: 768:QrFY2zY5sa69btyetuSBsxudu8+M9rEuAelJ0Ey1A:QrFFa69DtuKsxuX39rEu3H3
File size : 44560 bytes
First seen: 2011-08-06 13:09:43
Last seen : 2011-08-06 13:16:32
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1604
timedatestamp....: 0x4E3035E9 (Wed Jul 27 15:59:37 2011)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x280, 0x90DB, 0x90E0, 7.84, 73eb702e7561da72bcb8254984152ad4
.rdata, 0x9360, 0x1036, 0x1040, 5.00, a63d63de522b7dd0996ed4630fe9edc4
.data, 0xA3A0, 0x198, 0x1A0, 2.20, 44a9e56b726399a766e9d26bfb5e1ec0
.rsrc, 0xA540, 0x8D0, 0x8D0, 6.19, 2444df1987e17de6b29a38d737f25ab3

[[ 5 import(s) ]]
ntdll.dll: RtlAdjustPrivilege, ZwImpersonateThread, ZwOpenThreadTokenEx, ZwAdjustPrivilegesToken, strcmp, strcpy, sprintf, memcmp, RtlQueryProcessDebugInformation, LdrFindResource_U, LdrAccessResource, RtlImageNtHeader, ZwEnumerateKey, RtlIpv4AddressToStringA, RtlIpv4StringToAddressA, RtlNtStatusToDosError, ZwMapViewOfSection, ZwSetInformationFile, ZwFsControlFile, ZwOpenFile, ZwSetValueKey, ZwCreateKey, ZwQueryValueKey, RtlInitUnicodeString, ZwOpenKey, _wcsicmp, wcsrchr, swprintf, strlen, RtlCreateQueryDebugBuffer, RtlEqualUnicodeString, ZwQuerySystemInformation, ZwClose, ZwSuspendThread, ZwQueryInformationThread, ZwOpenThread, wcslen, ZwQueryVolumeInformationFile, ZwWriteFile, ZwCreateFile, strrchr, ZwQueryInformationFile, ZwReadFile, ZwSetSecurityObject, ZwQueryKey, ZwResumeThread, ZwLoadDriver, ZwCreateSymbolicLinkObject, ZwUnmapViewOfSection, ZwCreateSection, ZwFlushVirtualMemory, RtlIpv4StringToAddressW, RtlDestroyQueryDebugBuffer, _stricmp, memset, strchr, memcpy
KERNEL32.dll: Sleep, VirtualAlloc, CreateTimerQueueTimer, DeleteTimerQueueTimer, GetLastError, BindIoCompletionCallback, LocalAlloc, GetVersion, ExitProcess, GetTickCount, GetSystemTimeAsFileTime, LocalFree
ADVAPI32.dll: EnumServicesStatusW, MD5Update, MD5Final, CloseServiceHandle, MD5Init, OpenSCManagerW
WS2_32.dll: WSASendTo, -, WSASend, WSARecv, WSAIoctl, -, -, -, WSASocketW, -, -, WSARecvFrom
Cabinet.dll: -, -, -


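The import list above is the most useful part of that PEInfo dump for a quick triage: ntdll calls for loading a driver, creating object-manager symbolic links and rewriting security descriptors, privilege adjustment, service enumeration and raw Winsock I/O, together with a .text section whose entropy (7.84) is close to the maximum of 8. The following Python script is an added example, not part of the thread or of VirusTotal's tooling: it parses the PEInfo text format shown above and reports which capability groups the imports fall into, how many imports are by ordinal only, and which sections look packed. The capability groupings and the 7.0 entropy threshold are my own heuristics; the sample report is the dump above with the ntdll and kernel32 lists abridged.

```python
import re

# Constructed sample: the section table and import list copied from the
# VirusTotal PEInfo dump quoted above (ntdll and kernel32 lists abridged).
SAMPLE_REPORT = """\
[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x280, 0x90DB, 0x90E0, 7.84, 73eb702e7561da72bcb8254984152ad4
.rdata, 0x9360, 0x1036, 0x1040, 5.00, a63d63de522b7dd0996ed4630fe9edc4
.data, 0xA3A0, 0x198, 0x1A0, 2.20, 44a9e56b726399a766e9d26bfb5e1ec0
.rsrc, 0xA540, 0x8D0, 0x8D0, 6.19, 2444df1987e17de6b29a38d737f25ab3

[[ 5 import(s) ]]
ntdll.dll: RtlAdjustPrivilege, ZwImpersonateThread, ZwAdjustPrivilegesToken, ZwSetSecurityObject, ZwSuspendThread, ZwResumeThread, ZwLoadDriver, ZwCreateSymbolicLinkObject, ZwMapViewOfSection, memcpy
KERNEL32.dll: Sleep, VirtualAlloc, CreateTimerQueueTimer, GetVersion, ExitProcess
ADVAPI32.dll: EnumServicesStatusW, MD5Update, MD5Final, CloseServiceHandle, MD5Init, OpenSCManagerW
WS2_32.dll: WSASendTo, -, WSASend, WSARecv, WSAIoctl, -, -, -, WSASocketW, -, -, WSARecvFrom
Cabinet.dll: -, -, -
"""

SECTION_RE = re.compile(
    r"^(\.\w+),\s*0x[0-9A-Fa-f]+,\s*0x[0-9A-Fa-f]+,\s*0x[0-9A-Fa-f]+,\s*([\d.]+),")
IMPORT_RE = re.compile(r"^([\w.]+\.dll):\s*(.*)$", re.IGNORECASE)

# Heuristic capability groups (my grouping, not a VirusTotal classification).
CAPABILITIES = {
    "loads a kernel driver": {"ZwLoadDriver", "NtLoadDriver"},
    "creates object-manager symbolic links": {"ZwCreateSymbolicLinkObject", "NtCreateSymbolicLinkObject"},
    "rewrites object security descriptors": {"ZwSetSecurityObject", "NtSetSecurityObject"},
    "adjusts token privileges": {"RtlAdjustPrivilege", "ZwAdjustPrivilegesToken", "AdjustTokenPrivileges"},
    "impersonates or suspends threads": {"ZwImpersonateThread", "ZwSuspendThread", "ZwResumeThread"},
    "enumerates installed services": {"EnumServicesStatusW", "OpenSCManagerW"},
    "raw Winsock network I/O": {"WSASocketW", "WSASend", "WSARecv", "WSASendTo", "WSARecvFrom"},
}


def parse_report(text):
    """Return (section entropies, named imports per DLL, ordinal-only import count per DLL)."""
    sections, imports, ordinals = {}, {}, {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections[m.group(1)] = float(m.group(2))
            continue
        m = IMPORT_RE.match(line)
        if m:
            dll = m.group(1).lower()
            names = [n.strip() for n in m.group(2).split(",")]
            imports[dll] = [n for n in names if n and n != "-"]
            ordinals[dll] = names.count("-")  # "-" is an import by ordinal, with no name
    return sections, imports, ordinals


def triage(imports):
    """Map each capability label to the imported APIs that triggered it."""
    imported = {name for names in imports.values() for name in names}
    return {label: sorted(imported & apis)
            for label, apis in CAPABILITIES.items() if imported & apis}


def packed_sections(sections, threshold=7.0):
    """Sections whose entropy suggests compressed or encrypted content (threshold is a heuristic)."""
    return [name for name, ent in sections.items() if ent >= threshold]


if __name__ == "__main__":
    secs, imps, ords = parse_report(SAMPLE_REPORT)
    for label, apis in triage(imps).items():
        print(f"{label}: {', '.join(apis)}")
    print("ordinal-only imports:", {d: n for d, n in ords.items() if n})
    print("likely packed sections:", packed_sections(secs))
```

The ordinal-only count is worth keeping: a dropper that imports most of ws2_32 and all of Cabinet.dll by ordinal is hiding its API names from exactly this kind of string-based triage, so a low count of named imports is not evidence of a small feature set.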
#10 CatByte
  • Malware Response Team

Posted 06 August 2011 - 11:01 AM

OK,

we'll need to get rid of that one file.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\c_17046.nl_ 


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 dwbeyer
  • Topic Starter

Posted 08 August 2011 - 07:24 AM

ComboFix 11-08-07.03 - Administrator 08/07/2011 15:31:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2811 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
file zipped: c:\windows\system32\c_17046.nl_
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\c_17046.nl_
.
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-07-27 06:28 . 2011-07-20 13:44 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-07-26 17:22 . 2011-07-26 17:22 -------- d-----r- c:\documents and settings\David Beyer\My Videos
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-26 16:50 . 2011-07-26 16:50 -------- d--h--w- c:\windows\PIF
2011-07-26 16:38 . 2011-07-26 23:24 133208 ----a-w- c:\windows\system32\drivers\81008598.sys
2011-07-26 15:10 . 2011-07-26 21:25 133208 ----a-w- c:\windows\system32\drivers\20698820.sys
2011-07-22 06:28 . 2011-07-13 03:39 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{E9877E92-D0FE-44DE-969F-9C2BBE9F3859}\mpengine.dll
2011-07-09 18:09 . 2011-07-09 18:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-03 13:09 . 2009-02-11 02:19 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-03 12:04 . 2003-03-31 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-07-26 17:05 . 2009-02-10 19:55 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2011-07-08 11:55 . 2010-05-01 21:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:55 . 2010-05-01 21:56 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 12:06 . 2011-05-24 20:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 15:55 . 2011-04-27 13:19 7074640 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2011-04-27 13:19 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-11 16:21 . 2011-05-11 16:21 1409 ----a-w- c:\windows\QTFont.for
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2011-07-04 02:42 . 2011-05-17 12:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-08 449584]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
_uninst_71187880.lnk - c:\documents and settings\Administrator\Local Settings\Temp\_uninst_71187880.bat [N/A]
_uninst_81008598.lnk - c:\documents and settings\Administrator\Local Settings\Temp\_uninst_81008598.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Fujitsu Scanner Control Center.lnk - c:\windows\twain_32\Fjscan32\FJLaunch.exe [2009-2-10 114688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 11.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 11.lnk
backup=c:\windows\pss\Desktop Application Director 11.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\JetAudio\\JetAudio.exe"=
"c:\\Documents and Settings\\David Beyer\\Downloads\\aswMBR.exe"=
.
R0 20698820;20698820;c:\windows\system32\drivers\20698820.sys [7/26/2011 11:10 AM 133208]
R0 81008598;81008598;c:\windows\system32\drivers\81008598.sys [7/26/2011 12:38 PM 133208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/12/2011 5:55 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/1/2010 5:56 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/1/2010 5:56 PM 22712]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2/10/2009 3:52 PM 11520]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2/18/2009 8:17 AM 874240]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2010 8:14 AM 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2/11/2009 1:24 PM 10368]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2010 8:14 AM 136176]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [9/8/2010 8:26 AM 132464]
S3 TD4408F10;TD4408F10;c:\windows\system32\drivers\TD4408F10AV.sys [9/14/2010 4:03 PM 13227]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc0433d9ad2cb0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 12:14]
.
2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc0433d9f4b33c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 12:14]
.
2011-08-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
DPF: {FFFFFFFF-19EB-49E8-BB30-8DE03499D2F0} - hxxp://192.168.10.4/NetVideo.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw0mq01i.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-07 15:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-220523388-842925246-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,8b,d7,be,32,6d,0e,4d,ab,97,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,8b,d7,be,32,6d,0e,4d,ab,97,48,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1728)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
.
**************************************************************************
.
Completion time: 2011-08-07 15:39:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 19:39
ComboFix2.txt 2011-08-05 13:51
.
Pre-Run: 899,206,074,368 bytes free
Post-Run: 899,202,899,968 bytes free
.
- - End Of File - - 2DBA6F50F97175C8DF79A4BF1066DE3D
Upload was successful


aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-03 07:59:16
-----------------------------
07:59:16.671 OS Version: Windows 5.1.2600 Service Pack 3
07:59:16.671 Number of processors: 2 586 0x170A
07:59:16.671 ComputerName: DAVID-XNH8X9DMZ UserName: Administrator
07:59:18.125 Initialize success
07:59:55.546 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-9
07:59:55.546 Disk 0 Vendor: SAMSUNG_HD204UI 1AQ10001 Size: 1907729MB BusType: 3
07:59:55.546 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-1f
07:59:55.546 Disk 1 Vendor: ST31000333AS SD15 Size: 953869MB BusType: 3
07:59:57.578 Disk 1 MBR read successfully
07:59:57.578 Disk 1 MBR scan
07:59:57.578 Disk 1 Windows XP default MBR code
07:59:57.578 Disk 1 scanning sectors +1953504000
07:59:57.625 Disk 1 scanning C:\WINDOWS\system32\drivers
08:00:02.359 Service scanning
08:00:03.281 Modules scanning
08:00:05.156 Module: C:\WINDOWS\System32\DRIVERS\ipsec.sys **SUSPICIOUS**
08:00:07.000 Disk 1 trace - called modules:
08:00:07.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xba25ff00]<<
08:00:07.015 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b745ab8]
08:00:07.015 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> [0x8ad12030]
08:00:07.015 \Driver\00001683[0x8acfc968] -> IRP_MJ_CREATE -> 0xba25ff00
08:00:07.015 Scan finished successfully
08:00:38.718 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
08:00:38.718 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-08 07:15:44
-----------------------------
07:15:44.093 OS Version: Windows 5.1.2600 Service Pack 3
07:15:44.093 Number of processors: 2 586 0x170A
07:15:44.093 ComputerName: DAVID-XNH8X9DMZ UserName: Administrator
07:15:45.187 Initialize success
07:15:52.125 AVAST engine defs: 11080701
07:16:08.671 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-9
07:16:08.687 Disk 0 Vendor: SAMSUNG_HD204UI 1AQ10001 Size: 1907729MB BusType: 3
07:16:08.687 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-1f
07:16:08.687 Disk 1 Vendor: ST31000333AS SD15 Size: 953869MB BusType: 3
07:16:10.718 Disk 1 MBR read successfully
07:16:10.718 Disk 1 MBR scan
07:16:10.765 Disk 1 Windows XP default MBR code
07:16:10.781 Disk 1 scanning sectors +1953504000
07:16:10.843 Disk 1 scanning C:\WINDOWS\system32\drivers
07:16:17.140 Service scanning
07:16:17.968 Modules scanning
07:16:20.937 Disk 1 trace - called modules:
07:16:20.953 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:16:20.953 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b709ab8]
07:16:20.953 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000076[0x8b7279e8]
07:16:20.953 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-1f[0x8b6d3d98]
07:16:22.000 AVAST engine scan C:\WINDOWS
07:16:36.437 AVAST engine scan C:\WINDOWS\system32
07:18:12.406 AVAST engine scan C:\WINDOWS\system32\drivers
07:18:23.437 AVAST engine scan C:\Documents and Settings\Administrator
07:18:58.328 AVAST engine scan C:\Documents and Settings\All Users
07:19:35.375 Scan finished successfully
07:19:59.953 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
07:19:59.968 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

ESETSCAN.TXT

C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\12\3cc664c-33707768 Java/TrojanDownloader.OpenStream.NBS trojan
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\31\4be9825f-519f23dd multiple threats
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\33\3cd2021-69b6831c multiple threats
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\9\29b57749-57b75566 multiple threats
C:\Documents and Settings\David Beyer\My Documents\pmsetup63_e5[1].zip probably a variant of Win32/Agent.MZYNNXP trojan
C:\Documents and Settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Common Files\Kodak\HYDRA_DR\D122.TMP probably a variant of Win32/Agent.GZCOMKY trojan
C:\Documents and Settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Common Files\Kodak\HYDRA_DR\dcfssvc.exe probably a variant of Win32/Agent.GZCOMKY trojan
C:\Documents and Settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Internet Explorer\PLUGINS\nponflow.dll Win32/Adware.OnFlow.AA application
C:\Laptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\a429o8fa.default\Cache(2)\94A33945d01 Win32/Delf.OWM trojan
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Win32/Patched.HN trojan
Operating memory Win32/Patched.HN trojan


Thank Heaven for Bleeping Curls
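The two aswMBR runs above differ in one detail that matters. In the run of 2011-08-03 the disk.sys call chain ends in >>UNKNOWN [0xba25ff00]<<, the same address that \Driver\00001683 dispatches IRP_MJ_CREATE to, and ipsec.sys is flagged SUSPICIOUS; in the run of 2011-08-08, after ComboFix, every hop resolves to a named device and the chain ends in the ATAPI stack. The following Python script is an added example, not part of the thread or of AVAST's tool: it pulls those indicators out of aswMBR's log format (suspicious-module lines, UNKNOWN markers, dispatch targets that are bare addresses instead of named objects, and driver objects named only by a number). The sample logs are the two trace excerpts above; which of the findings are actually malicious remains an analyst's call.

```python
import re

# Constructed samples: the two "Disk 1 trace" excerpts from the aswMBR logs
# quoted above (first run before ComboFix, second run after it).
FIRST_RUN = r"""
08:00:05.156 Module: C:\WINDOWS\System32\DRIVERS\ipsec.sys **SUSPICIOUS**
08:00:07.000 Disk 1 trace - called modules:
08:00:07.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xba25ff00]<<
08:00:07.015 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b745ab8]
08:00:07.015 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> [0x8ad12030]
08:00:07.015 \Driver\00001683[0x8acfc968] -> IRP_MJ_CREATE -> 0xba25ff00
08:00:07.015 Scan finished successfully
"""

SECOND_RUN = r"""
07:16:20.937 Disk 1 trace - called modules:
07:16:20.953 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:16:20.953 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b709ab8]
07:16:20.953 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000076[0x8b7279e8]
07:16:20.953 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-1f[0x8b6d3d98]
07:19:35.375 Scan finished successfully
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")       # "HH:MM:SS.mmm body"
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")     # code with no backing module
RAW_ADDR_RE = re.compile(r"^\[?0x[0-9A-Fa-f]+\]?$")              # a bare address as dispatch target
NUMERIC_DRIVER_RE = re.compile(r"\\Driver\\(\d+)\[")             # driver object named only by digits


def analyse_trace(log):
    """Collect the things in an aswMBR trace that an analyst should look at."""
    findings = {"suspicious_modules": [], "unknown_code": [],
                "raw_address_targets": [], "numeric_driver_objects": []}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group(1)
        if body.startswith("Module:") and "**SUSPICIOUS**" in body:
            findings["suspicious_modules"].append(
                body[len("Module:"):].replace("**SUSPICIOUS**", "").strip())
        findings["unknown_code"].extend(UNKNOWN_RE.findall(body))
        if "->" in body:
            # The last hop of a dispatch chain should be a named \Device or \Driver object.
            target = body.rsplit("->", 1)[1].strip()
            if RAW_ADDR_RE.match(target):
                findings["raw_address_targets"].append(target)
        findings["numeric_driver_objects"].extend(NUMERIC_DRIVER_RE.findall(body))
    return findings


def is_clean(findings):
    """True when the trace resolved every hop to a named module or device."""
    return not any(findings.values())


if __name__ == "__main__":
    for label, log in (("before ComboFix", FIRST_RUN), ("after ComboFix", SECOND_RUN)):
        f = analyse_trace(log)
        print(label, "clean" if is_clean(f) else "needs review")
        for key, values in f.items():
            if values:
                print("  ", key, values)
```

Comparing a before and after run this way is the cheap check that the disk stack is really back to a named chain; a second run that still ends in an UNKNOWN address after cleanup means the filter driver was not removed, whatever the scanner logs say.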

#12 CatByte
  • Malware Response Team

Posted 08 August 2011 - 11:00 AM

Hi,

Please do the following:


The infection has latched onto MalwareBytes,
  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility: mbam-clean.exe
  • It will ask to restart your computer (please allow it to).
  • Install the latest version of Malwarebytes' Anti-Malware from here.

NEXT

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\12\3cc664c-33707768
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\31\4be9825f-519f23dd
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\33\3cd2021-69b6831c
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\9\29b57749-57b75566
C:\Documents and Settings\David Beyer\My Documents\pmsetup63_e5[1].zip
C:\Documents and Settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Internet Explorer\PLUGINS\nponflow.dll 
C:\Laptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\a429o8fa.default\Cache(2)\94A33945d01 


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


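A ComboFix script's File:: and Collect:: blocks take one absolute path per line, and ComboFix echoes what it received under FILE :: at the top of its log and lists what it removed under Other Deletions. In the log posted in reply below, the five Java-cache and zip paths are echoed as one quoted string and only the two paths that stood on their own lines appear under Other Deletions. The following Python script is an added example, not part of the thread or of ComboFix: it parses the ESET result list format shown earlier into paths, builds a File:: block with one path per line, flags a script that has several paths on one line, and compares the scanner hits with ComboFix's deletion list to show which flagged files are still unaccounted for. The sample inputs are constructed from the thread's own logs (abridged); treating only File:: and Collect:: as path sections is my assumption.

```python
import re

# Constructed samples taken from the thread: an abridged ESET result list and
# the "Other Deletions" section of the ComboFix log posted in reply.
ESET_REPORT = r"""
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\12\3cc664c-33707768 Java/TrojanDownloader.OpenStream.NBS trojan
C:\Documents and Settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\31\4be9825f-519f23dd multiple threats
C:\Documents and Settings\David Beyer\My Documents\pmsetup63_e5[1].zip probably a variant of Win32/Agent.MZYNNXP trojan
C:\Documents and Settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Internet Explorer\PLUGINS\nponflow.dll Win32/Adware.OnFlow.AA application
C:\Laptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\a429o8fa.default\Cache(2)\94A33945d01 Win32/Delf.OWM trojan
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Win32/Patched.HN trojan
Operating memory Win32/Patched.HN trojan
"""

COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Internet Explorer\PLUGINS\nponflow.dll
c:\laptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\a429o8fa.default\Cache(2)\94A33945d01
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
2011-08-08 11:22 . 2011-08-08 11:22 -------- d-----w- c:\program files\ESET
"""

PATH_RE = re.compile(r"[A-Za-z]:\\")
# ESET prints "<path> <detection>"; paths contain spaces, so anchor on the detection shapes seen.
DETECTION_RE = re.compile(r"\s+(multiple threats|probably a variant of \S+ \w+|\S+/\S+ \w+)$")


def parse_eset(text):
    """(path, detection) pairs for file hits; memory-only hits have no path and are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.search(line)
        if PATH_RE.match(line) and m:
            hits.append((line[:m.start()], m.group(1)))
    return hits


def build_cfscript(paths, directive="File"):
    """One absolute path per line under the directive, which is the layout ComboFix expects."""
    for p in paths:
        if not PATH_RE.match(p):
            raise ValueError(f"not an absolute Windows path: {p!r}")
    return f"{directive}::\n" + "\n".join(paths) + "\n"


def validate_cfscript(script):
    """Problems in File:: / Collect:: blocks (assumption: other directives are not path lists)."""
    problems, in_paths = [], False
    for n, line in enumerate(script.splitlines(), 1):
        s = line.strip()
        if s.endswith("::"):
            in_paths = s[:-2] in ("File", "Collect")
            continue
        if not in_paths or not s:
            continue
        if len(PATH_RE.findall(s)) > 1:
            problems.append((n, "several paths on one line; ComboFix reads the whole line as one name"))
        elif not PATH_RE.match(s):
            problems.append((n, "not an absolute path"))
    return problems


def parse_other_deletions(log):
    """Lower-cased paths that ComboFix reports under 'Other Deletions'."""
    deleted, inside = set(), False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("((("):
            inside = "Other Deletions" in s
        elif inside and PATH_RE.match(s):
            deleted.add(s.lower())
    return deleted


def still_present(hits, deleted):
    """Scanner hits whose path does not appear in the deletion list."""
    return [p for p, _ in hits if p.lower() not in deleted]


if __name__ == "__main__":
    hits = parse_eset(ESET_REPORT)
    paths = [p for p, _ in hits if "mbamservice.exe" not in p.lower()]
    broken = "File::\n" + " ".join(paths[:3]) + "\n" + "\n".join(paths[3:]) + "\n"
    print("space-joined script:", validate_cfscript(broken))
    print("one path per line:", validate_cfscript(build_cfscript(paths)))
    for p in still_present(hits, parse_other_deletions(COMBOFIX_LOG)):
        print("not in Other Deletions:", p)
```

The last loop is the check to run after every ComboFix pass: anything the scanner flagged that is missing from Other Deletions either needs a corrected script or a different tool, and the patched mbamservice.exe in this thread is deliberately left to the reinstall step rather than to File::.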

#13 dwbeyer
  • Topic Starter

Posted 10 August 2011 - 06:30 AM

ComboFix 11-08-10.01 - Administrator 08/10/2011 7:09.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2961 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\12\3cc664c-33707768 c:\documents and settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\31\4be9825f-519f23dd c:\documents and settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\33\3cd2021-69b6831c c:\documents and settings\David Beyer\Application Data\Sun\Java\Deployment\cache\6.0\9\29b57749-57b75566 c:\documents and settings\David Beyer\My Documents\pmsetup63_e5[1].zip"
"c:\documents and settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Internet Explorer\PLUGINS\nponflow.dll"
"c:\laptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\a429o8fa.default\Cache(2)\94A33945d01"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\David Beyer\My Documents\My Pictures\560Z_D\cdrive\Program Files\Internet Explorer\PLUGINS\nponflow.dll
c:\laptop\Local Settings\Application Data\Mozilla\Firefox\Profiles\a429o8fa.default\Cache(2)\94A33945d01
.
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
.
2011-08-10 11:05 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 11:05 . 2011-08-10 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 11:05 . 2011-08-10 11:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-10 11:05 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-09 19:44 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 19:43 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-08 11:22 . 2011-08-08 11:22 -------- d-----w- c:\program files\ESET
2011-07-27 06:28 . 2011-07-20 13:44 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-07-26 17:22 . 2011-07-26 17:22 -------- d-----r- c:\documents and settings\David Beyer\My Videos
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-07-26 16:53 . 2011-07-26 16:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-26 16:50 . 2011-07-26 16:50 -------- d--h--w- c:\windows\PIF
2011-07-26 16:38 . 2011-07-26 23:24 133208 ----a-w- c:\windows\system32\drivers\81008598.sys
2011-07-26 15:10 . 2011-07-26 21:25 133208 ----a-w- c:\windows\system32\drivers\20698820.sys
2011-07-22 06:28 . 2011-07-13 03:39 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{E9877E92-D0FE-44DE-969F-9C2BBE9F3859}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-10 11:00 . 2011-05-24 20:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-03 13:09 . 2009-02-11 02:19 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-03 12:04 . 2003-03-31 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-07-26 17:05 . 2009-02-10 19:55 44032 ----a-w- c:\windows\system32\CTSVCCDA.EXE
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-02-10 07:21 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-07 15:55 . 2011-04-27 13:19 7074640 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2011-04-27 13:19 222080 ------w- c:\windows\system32\MpSigStub.exe
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2011-07-04 02:42 . 2011-05-17 12:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-05_13.48.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-03-31 12:00 . 2011-04-25 16:11 66560 c:\windows\system32\mshtmled.dll
+ 2003-03-31 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\mshtmled.dll
- 2007-08-13 23:54 . 2011-04-25 16:11 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 55296 c:\windows\system32\msfeedsbs.dll
+ 2003-03-31 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\jsproxy.dll
- 2003-03-31 12:00 . 2011-04-25 16:11 25600 c:\windows\system32\jsproxy.dll
+ 2009-07-09 16:38 . 2011-06-23 18:36 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-07-09 16:38 . 2011-04-25 16:11 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2007-08-13 23:54 . 2011-04-25 16:11 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2009-02-10 22:03 . 2011-04-25 16:11 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-02-10 22:03 . 2011-06-23 18:36 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-13 23:44 . 2011-04-25 16:11 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-13 23:44 . 2011-06-23 18:36 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2007-08-13 23:54 . 2011-04-25 16:11 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 12800 c:\windows\ie8updates\KB2559049-IE8\xpshims.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 66560 c:\windows\ie8updates\KB2559049-IE8\mshtmled.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 55296 c:\windows\ie8updates\KB2559049-IE8\msfeedsbs.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 43520 c:\windows\ie8updates\KB2559049-IE8\licmgr10.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 25600 c:\windows\ie8updates\KB2559049-IE8\jsproxy.dll
- 2003-03-31 12:00 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll
+ 2003-03-31 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\url.dll
- 2003-03-31 12:00 . 2011-04-25 16:11 206848 c:\windows\system32\occache.dll
+ 2003-03-31 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\occache.dll
+ 2003-03-31 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\mstime.dll
- 2003-03-31 12:00 . 2011-04-25 16:11 611840 c:\windows\system32\mstime.dll
- 2007-08-13 23:54 . 2011-04-25 16:11 602112 c:\windows\system32\msfeeds.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 602112 c:\windows\system32\msfeeds.dll
+ 2011-08-10 11:00 . 2011-08-10 11:00 243360 c:\windows\system32\Macromed\Flash\FlashUtil10v_Plugin.exe
- 2003-03-31 12:00 . 2011-04-25 16:11 184320 c:\windows\system32\iepeers.dll
+ 2003-03-31 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\iepeers.dll
- 2003-03-31 12:00 . 2011-04-25 16:11 387584 c:\windows\system32\iedkcs32.dll
+ 2003-03-31 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\iedkcs32.dll
+ 2003-03-31 12:00 . 2011-06-23 12:05 173568 c:\windows\system32\ie4uinit.exe
- 2003-03-31 12:00 . 2011-04-25 12:01 173568 c:\windows\system32\ie4uinit.exe
- 2010-06-18 17:45 . 2011-04-26 11:07 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
- 2007-08-13 23:54 . 2011-04-25 16:11 916480 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 916480 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 23:44 . 2011-06-23 18:36 105984 c:\windows\system32\dllcache\url.dll
- 2007-08-13 23:44 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-13 23:44 . 2011-06-23 18:36 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 23:44 . 2011-04-25 16:11 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 23:54 . 2011-04-25 16:11 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-02-10 22:03 . 2011-04-25 16:11 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-02-10 22:03 . 2011-06-23 18:36 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2009-02-10 21:58 . 2011-04-29 16:19 456320 c:\windows\system32\dllcache\mrxsmb.sys
+ 2009-02-10 21:58 . 2011-07-15 13:29 456320 c:\windows\system32\dllcache\mrxsmb.sys
- 2009-07-09 16:38 . 2011-04-25 16:11 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-07-09 16:38 . 2011-06-23 18:36 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll
- 2007-08-13 23:54 . 2011-04-25 16:11 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-09 05:16 . 2011-06-23 18:36 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-09 05:16 . 2011-04-25 16:11 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2007-08-13 23:39 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-13 23:39 . 2011-04-25 16:11 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-13 23:39 . 2011-06-23 12:05 173568 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-13 23:39 . 2011-04-25 12:01 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2011-08-10 10:55 . 2011-08-10 10:55 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A83000000003}\SC_Reader.exe
+ 2011-08-10 07:00 . 2011-04-25 16:11 916480 c:\windows\ie8updates\KB2559049-IE8\wininet.dll
+ 2011-08-10 07:00 . 2009-03-08 08:34 105984 c:\windows\ie8updates\KB2559049-IE8\url.dll
+ 2011-08-10 07:00 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2559049-IE8\spuninst\updspapi.dll
+ 2011-08-10 07:00 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2559049-IE8\spuninst\spuninst.exe
+ 2011-08-10 07:00 . 2011-04-25 16:11 206848 c:\windows\ie8updates\KB2559049-IE8\occache.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 611840 c:\windows\ie8updates\KB2559049-IE8\mstime.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 602112 c:\windows\ie8updates\KB2559049-IE8\msfeeds.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 247808 c:\windows\ie8updates\KB2559049-IE8\ieproxy.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 184320 c:\windows\ie8updates\KB2559049-IE8\iepeers.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 743424 c:\windows\ie8updates\KB2559049-IE8\iedvtool.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 387584 c:\windows\ie8updates\KB2559049-IE8\iedkcs32.dll
+ 2011-08-10 07:00 . 2011-04-25 12:01 173568 c:\windows\ie8updates\KB2559049-IE8\ie4uinit.exe
- 2009-02-10 21:58 . 2011-04-29 16:19 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-02-10 21:58 . 2011-07-15 13:29 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2003-03-31 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\urlmon.dll
+ 2003-03-31 12:00 . 2011-07-25 15:17 5969920 c:\windows\system32\mshtml.dll
+ 2010-01-27 01:07 . 2011-08-10 11:00 6277280 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2007-08-13 23:34 . 2011-04-25 16:11 1991680 c:\windows\system32\iertutil.dll
+ 2007-08-13 23:34 . 2011-06-23 18:36 1991680 c:\windows\system32\iertutil.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2007-08-13 23:54 . 2011-07-25 15:17 5969920 c:\windows\system32\dllcache\mshtml.dll
- 2009-02-10 22:03 . 2011-04-25 16:11 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2009-02-10 22:03 . 2011-06-23 18:36 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2011-08-10 10:55 . 2011-08-10 10:55 4272128 c:\windows\Installer\c75a1e.msi
+ 2011-08-10 07:00 . 2011-04-25 16:11 1211904 c:\windows\ie8updates\KB2559049-IE8\urlmon.dll
+ 2011-08-10 07:00 . 2011-05-30 22:19 5964800 c:\windows\ie8updates\KB2559049-IE8\mshtml.dll
+ 2011-08-10 07:00 . 2011-04-25 16:11 1991680 c:\windows\ie8updates\KB2559049-IE8\iertutil.dll
+ 2007-08-13 23:54 . 2011-06-23 18:36 11081728 c:\windows\system32\ieframe.dll
- 2007-08-13 23:54 . 2011-04-26 14:11 11081728 c:\windows\system32\ieframe.dll
- 2009-02-10 22:03 . 2011-04-26 14:11 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2009-02-10 22:03 . 2011-06-23 18:36 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-08-10 07:00 . 2011-04-26 14:11 11081728 c:\windows\ie8updates\KB2559049-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
_uninst_71187880.lnk - c:\documents and settings\Administrator\Local Settings\Temp\_uninst_71187880.bat [N/A]
_uninst_81008598.lnk - c:\documents and settings\Administrator\Local Settings\Temp\_uninst_81008598.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Fujitsu Scanner Control Center.lnk - c:\windows\twain_32\Fjscan32\FJLaunch.exe [2009-2-10 114688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 11.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Application Director 11.lnk
backup=c:\windows\pss\Desktop Application Director 11.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\JetAudio\\JetAudio.exe"=
"c:\\Documents and Settings\\David Beyer\\Downloads\\aswMBR.exe"=
.
R0 20698820;20698820;c:\windows\system32\drivers\20698820.sys [7/26/2011 11:10 AM 133208]
R0 81008598;81008598;c:\windows\system32\drivers\81008598.sys [7/26/2011 12:38 PM 133208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/12/2011 5:55 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2/10/2009 3:52 PM 11520]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2/18/2009 8:17 AM 874240]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2010 8:14 AM 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2/11/2009 1:24 PM 10368]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2010 8:14 AM 136176]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [9/8/2010 8:26 AM 132464]
S3 TD4408F10;TD4408F10;c:\windows\system32\drivers\TD4408F10AV.sys [9/14/2010 4:03 PM 13227]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
2011-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc0433d9ad2cb0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 12:14]
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc0433d9f4b33c.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 12:14]
.
2011-08-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198
DPF: {FFFFFFFF-19EB-49E8-BB30-8DE03499D2F0} - hxxp://192.168.10.4/NetVideo.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw0mq01i.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-10 07:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-220523388-842925246-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,8b,d7,be,32,6d,0e,4d,ab,97,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,8b,d7,be,32,6d,0e,4d,ab,97,48,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-10 07:14:17
ComboFix-quarantined-files.txt 2011-08-10 11:14
ComboFix2.txt 2011-08-07 19:53
ComboFix3.txt 2011-08-05 13:51
.
Pre-Run: 898,459,275,264 bytes free
Post-Run: 898,536,947,712 bytes free
.
- - End Of File - - 85C2995A9630D7803A9A696CB9A3C5CA

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 August 2011 - 10:18 AM

OK, that looks better.

Please update your Malwarebytes definitions and do a quick scan, just to make sure it is functioning properly, and post the resulting log.

Also run the ESET online scan again to make certain we have eliminated all the leftover infected files.


How is the computer running now? Are there any outstanding issues?


NEXT



Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 26. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start (or My Computer) > Control Panel and double-click on Add or Remove Programs and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java™ SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel (using Classic View) and click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache; leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.
  • Delete jre-6u26-windows-i586-p.exe from your desktop.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
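A read-only check that goes with the Java steps above, added here as an example and not CatByte's own script: it lists the Java entries in Add or Remove Programs and flags those older than JRE 6 Update 26, so the reader can see which entries the removal steps still have to cover, and reports the size of the deployment cache the Control Panel steps clear. It assumes that JRE 6uNN registers DisplayVersion as 6.0.NN0 and that the cache lives under %APPDATA%\Sun\Java\Deployment\cache; neither is stated in the thread.

```powershell
# Added example, not from the thread: inventory the Java entries the post has the reader
# remove by hand from Add or Remove Programs, and flag any older than JRE 6 Update 26.
# Read-only: it reports and never uninstalls anything.
# Assumption: JRE 6uNN registers DisplayVersion as "6.0.NN0", so 6u26 is 6.0.260.
$Target = [version]'6.0.260'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstalls {
    # Same names the post tells the reader to look for: JRE, J2SE, Java SE, Java 6
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion is not always a clean dotted version; treat unparsable as unknown
            try { $parsed = [version]$_.DisplayVersion } catch { }
            New-Object PSObject -Property @{
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Outdated = ($parsed -ne $null -and $parsed -lt $Target)
                Key      = $_.PSChildName
            }
        }
}

function Get-JavaCacheSize {
    # Assumption: the cache the Java Control Panel's Delete Files button clears lives here
    $cache = Join-Path $env:APPDATA 'Sun\Java\Deployment\cache'
    if (-not (Test-Path $cache)) { return 0 }
    $files = Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    return ($files | Measure-Object -Property Length -Sum).Sum
}

$installs = @(Get-JavaInstalls)
if ($installs.Count -eq 0) {
    Write-Host 'No Java entries found in Add or Remove Programs.'
} else {
    foreach ($j in $installs) {
        $state = 'current or unknown'
        if ($j.Outdated) { $state = 'OUTDATED - remove via Add or Remove Programs' }
        Write-Host ("{0,-50} {1,-10} {2}" -f $j.Name, $j.Version, $state)
    }
}
$mb = [math]::Round((Get-JavaCacheSize) / 1MB, 1)
Write-Host ("Java deployment cache: {0} MB (cleared by the Control Panel steps above)" -f $mb)
```

Run it once before and once after the removal steps; any entry still marked OUTDATED afterwards is one the Add or Remove Programs pass missed.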


#15 dwbeyer

dwbeyer
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:South Jersey

Posted 15 August 2011 - 07:27 AM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7468

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/15/2011 7:04:27 AM
mbam-log-2011-08-15 (07-04-27).txt

Scan type: Quick scan
Objects scanned: 170470
Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

