
I have a trojan which stops programs working.


This topic is locked
23 replies to this topic

#1 Omenicity (Members, 12 posts)

Posted 02 August 2011 - 11:36 AM

Hi, please could someone offer me some advice? I visited a website which downloaded two generic trojan viruses to my computer, according to my AVG-free anti-virus software. The AVG has always been good (I think) but it reported that it couldn't fully remove one of the trojans. I would have made a better note of the report but AVG has always dealt with these fully in the past (well, so it told me). Since then, AVG always showed that the identity protection was disabled. I spoke to them and they told me my AVG was now compromised, and I have now removed it. I tried the trial AVG version, and have tried various other programs downloaded from the net (Stopzilla, Superantispyware, Malwarebytes, Spyware Doctor) and all are beaten. As was the gmer I downloaded. Further, Windows Defender doesn't work ("Application failed to initialize: 0x800106ba. A problem caused this service to stop. to start the service restart your computer, or search help and support for how to start a service manually"), and I've uninstalled my APC Powerchute software as that stopped working too (something about associated path names and my not being authorized). My computer tells me that my Windows firewall is on, as are updates. I probably have remnants of antivirus software running, but nothing I can rely on.

During one AVG scan (after infection, usually it finished without scanning anything) I noticed it stopped on "\\.\Globalroot\device\scvhost.exe\svchost.exe", and it was a Google search for this that led me to your website. Any idea if this is really the problem? Is this something that will send all my passwords to crooks? Can anyone please tell me how to get rid of my problem? I would really appreciate your help, this is a beggar of an infection. The DDS log file is below.

Many thanks in advance.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mr West at 16:52:37 on 2011-08-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.576 [GMT 1:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: STOBHO: {d4fa4714-3bbe-11de-8d2b-91a355d89593} - c:\program files\rebate catcher\RC.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\b733794c-5962-4abe-aba1-418c8e4c2d3b.com
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [EPSON Stylus DX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR0pSVzItTlFIWEMtUVQ3T0otMlk0VEstOQ"&"inst=NzYtODg4NDYzNjkwLUlETUFSSytYQSsxLVQ1LVU4NSsxLUtWMys3LUJBKzEtWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzItTElDKzc3LUZMMTArMS1TUDErMS1TUDFUQisxLVNQMVMyKzEtU1VEKzEtUzFJKzEtU1UzKzEtRERUKzAtTFNEKzI"&"prod=92"&"ver=10.0.1390
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091023104836
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {4F912770-A045-4603-951E-9B8377084354} - hxxp://a19.g.akamai.net/7/19/7125/1450/uk.coupons.com/pmgr/r3302/cpbrukie2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162769633703
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} - hxxp://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://www.shockwave.com/content/sweetopia/sis/Sweetopia.1.0.0.22.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9574E056-66F6-4EF6-9A54-BA5E026BB8D9} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - Microsoft AntiMalware ShellExecuteHook
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\HCW88rc5.sys [2006-2-8 11719]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\HCW88tun.sys [2006-2-8 128577]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\HCW88vid.sys [2006-2-8 579004]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\HCW88bar.sys [2006-2-8 26972]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 DSIR620;DS USB Infrared Miniport Adapter;c:\windows\system32\drivers\DSIR620.sys [2006-8-29 14336]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2006-11-23 19034]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2006-4-7 31872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SlowDownCPU;SlowDownCPU;c:\windows\inf\msi\slowdowncpu\NTGLM7X.SYS [2006-1-16 23424]
.
=============== Created Last 30 ================
.
2011-08-02 11:32:46 -------- d-----w- C:\Unsorted Photos
2011-08-01 20:04:32 -------- d-----w- c:\documents and settings\mr west\application data\SUPERAntiSpyware.com
2011-08-01 20:04:32 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-01 20:04:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-01 19:41:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 18:48:35 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-07-28 17:09:58 -------- d-----w- c:\program files\ESET
2011-07-28 16:29:02 -------- d-----w- c:\documents and settings\mr west\application data\QuickScan
2011-07-28 15:51:57 -------- d-----w- c:\program files\common files\iS3
2011-07-28 15:51:56 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-07-28 12:35:39 -------- d-----w- c:\documents and settings\mr west\application data\Malwarebytes
2011-07-28 12:35:30 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-26 19:31:23 -------- d-----w- c:\documents and settings\mr west\local settings\application data\FixItCenter
2011-07-26 19:28:39 -------- d-----w- c:\windows\MATS
2011-07-26 19:28:38 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-07-26 19:21:13 -------- d-----w- c:\documents and settings\mr west\application data\ElevatedDiagnostics
2011-07-15 19:10:37 -------- d-----w- c:\windows\system32\drivers\AVG
2011-07-13 10:37:37 -------- d-----w- c:\program files\Eusing Free System Cleaner
2011-07-12 11:15:59 15872 ----a-w- c:\windows\system32\drivers\1137405652.sys
2011-07-12 10:46:33 -------- d-----w- c:\documents and settings\mr west\application data\Vima
2011-07-12 10:46:33 -------- d-----w- c:\documents and settings\mr west\application data\Idhe
.
==================== Find3M ====================
.
2011-06-13 21:09:22 65328 ----a-w- c:\windows\apppatch\matsshim.dll
2011-06-13 08:16:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 16:53:40.31 ===============
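As an added example (not part of this thread and not something DDS does itself), the following Python script applies a few defender-side triage heuristics to the DDS log format shown in the post above: it splits the log into its `=== section ===` blocks and flags the indicators that make this particular log alarming, namely a process launched from a `\\.\globalroot` device path, an executable name used as a directory to impersonate svchost.exe, security products reported disabled, a driver image that could not be resolved on disk, and a recently created driver with an all-digit name. The heuristic names, severities and the `triage`/`parse_sections` functions are this example's own assumptions; the sample input is an excerpt of the log quoted above.

```python
"""Triage heuristics for a DDS log (added example; DDS itself emits no verdicts)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the DDS log posted in this thread.
SAMPLE_LOG = r"""
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
.
============= SERVICES / DRIVERS ===============
.
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
=============== Created Last 30 ================
.
2011-07-15 19:10:37 -------- d-----w- c:\windows\system32\drivers\AVG
2011-07-12 11:15:59 15872 ----a-w- c:\windows\system32\drivers\1137405652.sys
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Object-manager paths (\\.\globalroot, \??\, \device\) instead of a drive-letter path.
DEVICE_PATH_RE = re.compile(r"^(\\\\\.\\globalroot|\\\?\?\\|\\device\\)", re.IGNORECASE)
# A driver under system32\drivers whose file name is nothing but digits (heuristic).
NUMERIC_DRIVER_RE = re.compile(r"\\drivers\\\d+\.sys$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the '=== name ===' header they follow."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS uses a lone '.' as a spacer
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Apply the heuristics section by section and return every hit."""
    sections = parse_sections(text)
    findings: List[Finding] = []
    for line in sections.get("Header", []):
        if re.match(r"^(AV|FW|SP):", line) and "*Disabled" in line:
            findings.append(("medium", "security product reported disabled", line))
    for line in sections.get("Running Processes", []):
        path = line.strip('"').split(" -k ")[0]   # drop svchost's service-group argument
        if DEVICE_PATH_RE.match(path):
            findings.append(("high", "process launched from an object-manager device path", line))
        parts = path.split("\\")
        if any(p.lower().endswith(".exe") for p in parts[:-1]):
            findings.append(("high", "executable name used as a directory (system binary impersonation)", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        if line.endswith("[?]"):                 # DDS could not find the image file
            findings.append(("low", "service/driver image could not be resolved on disk", line))
    for line in sections.get("Created Last 30", []):
        path = line.split(" ", 4)[-1]            # date, time, size, attrs, then the path
        if NUMERIC_DRIVER_RE.search(path):
            findings.append(("high", "recently created driver with an all-digit name", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```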


#2 HelpBot, Bleepin' Binary Bot (Bots, 12,744 posts)

Posted 09 August 2011 - 11:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/412510 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Omenicity, Topic Starter (Members, 12 posts)

Posted 09 August 2011 - 12:07 PM

Hi, there is no change in the problem, though I'm keen to get it resolved as I'm wary of using the internet in case my data is sent somewhere it shouldn't.

I am running Microsoft Windows XP Home Edition, Version 2002, Service Pack 3. I assume it's a 32-bit system.
I do have the original windows disc.

Gmer stopped working when I first tried it, now it won't even start and I get the error message:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Here is the latest DDS:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mr West at 17:57:03 on 2011-08-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.608 [GMT 1:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: STOBHO: {d4fa4714-3bbe-11de-8d2b-91a355d89593} - c:\program files\rebate catcher\RC.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\b733794c-5962-4abe-aba1-418c8e4c2d3b.com
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [EPSON Stylus DX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR0pSVzItTlFIWEMtUVQ3T0otMlk0VEstOQ"&"inst=NzYtODg4NDYzNjkwLUlETUFSSytYQSsxLVQ1LVU4NSsxLUtWMys3LUJBKzEtWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzItTElDKzc3LUZMMTArMS1TUDErMS1TUDFUQisxLVNQMVMyKzEtU1VEKzEtUzFJKzEtU1UzKzEtRERUKzAtTFNEKzI"&"prod=92"&"ver=10.0.1390
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091023104836
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {4F912770-A045-4603-951E-9B8377084354} - hxxp://a19.g.akamai.net/7/19/7125/1450/uk.coupons.com/pmgr/r3302/cpbrukie2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162769633703
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} - hxxp://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://www.shockwave.com/content/sweetopia/sis/Sweetopia.1.0.0.22.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9574E056-66F6-4EF6-9A54-BA5E026BB8D9} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - Microsoft AntiMalware ShellExecuteHook
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\HCW88rc5.sys [2006-2-8 11719]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\HCW88tun.sys [2006-2-8 128577]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\HCW88vid.sys [2006-2-8 579004]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\HCW88bar.sys [2006-2-8 26972]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 DSIR620;DS USB Infrared Miniport Adapter;c:\windows\system32\drivers\DSIR620.sys [2006-8-29 14336]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2006-11-23 19034]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2006-4-7 31872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SlowDownCPU;SlowDownCPU;c:\windows\inf\msi\slowdowncpu\NTGLM7X.SYS [2006-1-16 23424]
.
=============== Created Last 30 ================
.
2011-08-08 18:48:23 -------- d-----w- C:\U Folders To File
2011-08-02 11:32:46 -------- d-----w- C:\Unsorted Photos
2011-08-01 20:04:32 -------- d-----w- c:\documents and settings\mr west\application data\SUPERAntiSpyware.com
2011-08-01 20:04:32 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-01 20:04:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-01 19:41:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 18:48:35 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-07-28 17:09:58 -------- d-----w- c:\program files\ESET
2011-07-28 16:29:02 -------- d-----w- c:\documents and settings\mr west\application data\QuickScan
2011-07-28 15:51:57 -------- d-----w- c:\program files\common files\iS3
2011-07-28 15:51:56 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-07-28 12:35:39 -------- d-----w- c:\documents and settings\mr west\application data\Malwarebytes
2011-07-28 12:35:30 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-26 19:31:23 -------- d-----w- c:\documents and settings\mr west\local settings\application data\FixItCenter
2011-07-26 19:28:39 -------- d-----w- c:\windows\MATS
2011-07-26 19:28:38 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-07-26 19:21:13 -------- d-----w- c:\documents and settings\mr west\application data\ElevatedDiagnostics
2011-07-15 19:10:37 -------- d-----w- c:\windows\system32\drivers\AVG
2011-07-13 10:37:37 -------- d-----w- c:\program files\Eusing Free System Cleaner
2011-07-12 11:15:59 15872 ----a-w- c:\windows\system32\drivers\1137405652.sys
2011-07-12 10:46:33 -------- d-----w- c:\documents and settings\mr west\application data\Vima
2011-07-12 10:46:33 -------- d-----w- c:\documents and settings\mr west\application data\Idhe
.
==================== Find3M ====================
.
2011-06-13 21:09:22 65328 ----a-w- c:\windows\apppatch\matsshim.dll
2011-06-13 08:16:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 17:58:09.96 ===============

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,321 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:57 AM

Posted 10 August 2011 - 04:01 AM

Hello, my name is Elise and I'll be assisting you with this issue.
Unfortunately you have a nasty rootkit on your computer. Please read the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 Omenicity

Omenicity
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 10 August 2011 - 05:28 AM

Hi Elise, many thanks for helping me.

I decided to go through with the cleanup, and combofix told me that Rootkit.ZeroAccess! inserted itself into tcp/ip stack. Sounds painful.

I have noted your warning about the backdoor problem - is it really very likely that my computer is compromised? Should I really wipe everything and start again? Also, what files can I carry forward - I have pre-infection backups of documents and photos, but these are only taken every two or three weeks. My wife has recently put loads of photos on the computer - could these be infected, or is it only a certain kind of file which is affected? I'm sorry Elise, but I really don't know much about computer infections.

As requested, below is the combofix log. Many thanks again, I really appreciate the help and time you have given me.

ComboFix 11-08-10.01 - Mr West 10/08/2011 11:01:24.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.500 [GMT 1:00]
Running from: c:\documents and settings\Mr West\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\documents and settings\Mr West\WINDOWS
c:\windows\$NtUninstallKB5907$
c:\windows\$NtUninstallKB5907$\1417837843
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\iun6002.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\drivers\1137405652.sys
c:\windows\system32\tmp.reg
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1137405652
.
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
.
2011-08-10 06:50 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 06:48 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-08 18:48 . 2011-08-08 18:48 -------- d-----w- C:\U Folders To File
2011-08-02 11:32 . 2011-08-07 17:59 -------- d-----w- C:\Unsorted Photos
2011-08-01 20:04 . 2011-08-01 20:04 -------- d-----w- c:\documents and settings\Mr West\Application Data\SUPERAntiSpyware.com
2011-08-01 20:04 . 2011-08-01 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-01 20:04 . 2011-08-01 20:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-01 19:41 . 2011-08-01 19:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 18:48 . 2011-08-01 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-07-28 17:09 . 2011-07-28 17:09 -------- d-----w- c:\program files\ESET
2011-07-28 16:29 . 2011-07-28 16:29 -------- d-----w- c:\documents and settings\Mr West\Application Data\QuickScan
2011-07-28 15:51 . 2011-07-28 15:51 -------- d-----w- c:\program files\Common Files\iS3
2011-07-28 15:51 . 2011-08-01 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-07-28 12:35 . 2011-07-28 12:35 -------- d-----w- c:\documents and settings\Mr West\Application Data\Malwarebytes
2011-07-28 12:35 . 2011-07-28 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-26 19:31 . 2011-07-26 19:31 -------- d-----w- c:\documents and settings\Mr West\Local Settings\Application Data\FixItCenter
2011-07-26 19:28 . 2011-07-26 19:28 -------- d-----w- c:\windows\MATS
2011-07-26 19:28 . 2011-07-26 19:28 -------- d-----w- c:\program files\Microsoft Fix it Center
2011-07-26 19:21 . 2011-07-26 19:21 -------- d-----w- c:\documents and settings\Mr West\Application Data\ElevatedDiagnostics
2011-07-15 19:10 . 2011-08-01 19:30 -------- d-----w- c:\windows\system32\drivers\AVG
2011-07-13 10:37 . 2011-07-14 11:39 -------- d-----w- c:\program files\Eusing Free System Cleaner
2011-07-12 10:46 . 2011-07-12 10:47 -------- d-----w- c:\documents and settings\Mr West\Application Data\Vima
2011-07-12 10:46 . 2011-07-12 10:46 -------- d-----w- c:\documents and settings\Mr West\Application Data\Idhe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2006-01-16 10:13 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-13 21:09 . 2011-06-13 21:09 65328 ----a-w- c:\windows\apppatch\matsshim.dll
2011-06-13 08:16 . 2011-05-14 06:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 18:14 . 2009-10-02 20:07 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\b733794c-5962-4abe-aba1-418c8e4c2d3b.com" [2011-08-01 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"EPSON Stylus DX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE" [2005-02-02 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" [2009-03-27 1657376]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR0pSVzItTlFIWEMtUVQ3T0otMlk0VEstOQ&inst=NzYtODg4NDYzNjkwLUlETUFSSytYQSsxLVQ1LVU4NSsxLUtWMys3LUJBKzEtWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzItTElDKzc3LUZMMTArMS1TUDErMS1TUDFUQisxLVNQMVMyKzEtU1VEKzEtUzFJKzEtU1UzKzEtRERUKzAtTFNEKzI&prod=92&ver=10.0.1390" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ExifLauncher2.lnk]
backup=c:\windows\pss\ExifLauncher2.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-06-01 10:03 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/07/2011 22:55 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;c:\windows\system32\drivers\HCW88rc5.sys [08/02/2006 16:18 11719]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\HCW88tun.sys [08/02/2006 16:18 128577]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\HCW88vid.sys [08/02/2006 16:18 579004]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\HCW88bar.sys [08/02/2006 16:18 26972]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
S3 DSIR620;DS USB Infrared Miniport Adapter;c:\windows\system32\drivers\DSIR620.sys [29/08/2006 21:19 14336]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [23/11/2006 21:45 19034]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [13/06/2011 22:09 267568]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [07/04/2006 20:36 31872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SlowDownCPU;SlowDownCPU;c:\windows\inf\MSI\SlowDownCPU\NTGLM7X.SYS [16/01/2006 11:44 23424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 192.168.0.1
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091023104836
DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
DPF: {4F912770-A045-4603-951E-9B8377084354} - hxxp://a19.g.akamai.net/7/19/7125/1450/uk.coupons.com/pmgr/r3302/cpbrukie2.cab
.
- - - - ORPHANS REMOVED - - - -
.
Notify-TPSvc - TPSvc.dll
AddRemove-Scooby-Doo™, Jinx At The Sphinx™ - c:\program files\The Learning Company\Scooby-Doo™
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-10 11:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\.avgldx86]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Rebate Catcher\RC.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2011-08-10 11:16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-10 10:16
.
Pre-Run: 144,639,791,104 bytes free
Post-Run: 145,153,159,168 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 6A5B28D04CB26EB431A5F33A2FCA8A6F

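The entry that gave the infection away in the logs above is a kernel driver with a purely numeric name (1137405652.sys, later removed by ComboFix together with Service_1137405652). The script below is an added triage example, not part of this thread and not code from ComboFix or DDS: it parses the "Files Created" line formats used by both tools and flags recently created .sys files whose name is just a number. The sample lines are copied from the logs above; the heuristic, the window dates and the function names are this example's own assumptions.

```python
"""Triage helper for DDS / ComboFix "Files Created" log lines.

Added example for this thread (not ComboFix, DDS or any poster's code).
It re-reads lines in the two formats pasted above and flags kernel
drivers created inside a chosen window whose file name is purely numeric,
the trait shown by the 1137405652.sys entry. Heuristic is illustrative.
"""
import re
from datetime import date, datetime

# DDS style:      2011-07-12 11:15:59 15872 ----a-w- c:\...\1137405652.sys
# ComboFix style: 2011-08-10 06:50 . 2011-06-24 14:10 139656 -c----w- c:\...\rdpwd.sys
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"   # ComboFix only
    r"\s+(?P<size>\d+|-+)"                                    # size or -------- for dirs
    r"\s+(?P<attrs>[-a-zA-Z]{8})"                             # e.g. ----a-w- / d-----w-
    r"\s+(?P<path>.+?)\s*$"
)

# A driver whose stem is six or more digits and nothing else (constructed rule).
NUMERIC_DRIVER_RE = re.compile(r"[\\/](\d{6,})\.sys$", re.IGNORECASE)


def parse_entry(line):
    """Parse one log line into a dict, or return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created = m.group("created")
    fmt = "%Y-%m-%d %H:%M:%S" if created.count(":") == 2 else "%Y-%m-%d %H:%M"
    size = m.group("size")
    return {
        "created": datetime.strptime(created, fmt),
        "size": None if size.startswith("-") else int(size),
        "is_dir": m.group("attrs")[0] == "d",   # first attribute flag is the directory bit
        "path": m.group("path"),
    }


def flag_numeric_drivers(lines, window_start, window_end):
    """Return paths of files (not directories) named <digits>.sys that were
    created between window_start and window_end inclusive, in log order.
    Legitimate drivers carry vendor or component names (rdpwd.sys, ndistapi.sys);
    a random number where a name should be is worth a closer look."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["is_dir"]:
            continue
        if not NUMERIC_DRIVER_RE.search(entry["path"]):
            continue
        if window_start <= entry["created"].date() <= window_end:
            hits.append(entry["path"])
    return hits


# Sample input: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LINES = [
    r"2011-07-13 10:37:37 -------- d-----w- c:\program files\Eusing Free System Cleaner",
    r"2011-07-12 11:15:59 15872 ----a-w- c:\windows\system32\drivers\1137405652.sys",
    r"2011-07-12 10:46:33 -------- d-----w- c:\documents and settings\mr west\application data\Vima",
    r"2011-08-10 06:50 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys",
    r"2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys",
    "==================== Find3M ====================",   # section header, ignored
]

if __name__ == "__main__":
    # Window assumed here: the month leading up to the ComboFix run on 2011-08-10.
    for path in flag_numeric_drivers(SAMPLE_LINES, date(2011, 7, 10), date(2011, 8, 10)):
        print("suspicious numeric driver:", path)
```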
#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,321 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:57 AM

Posted 10 August 2011 - 07:44 AM

Hi again, ZeroAccess was what I saw also. Personal data is not affected by this infection, but the safety/security of your Windows installation might be compromised; it is not known what this infection altered when it was active. Even after we clean the infection, a "hole" may remain in your Windows installation that can be used by future malware.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#7 Omenicity

Omenicity
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 10 August 2011 - 12:12 PM

Hi Elise, I did as you asked and TDSSKiller took 12 seconds to scan 224 objects and reported no infections found.

I assume that this is good news! I also assume from your last response that I can back up all my personal data on disc before I wipe my computer without fear of re-infecting it when I put it back after the wipe. If my assumption is correct, then this is good too.

Is there anything else that needs to be done?

Below is the log file you requested:

2011/08/10 18:00:08.0968 1720 TDSS rootkit removing tool 2.5.14.0 Aug 5 2011 16:09:29
2011/08/10 18:00:09.0218 1720 ================================================================================
2011/08/10 18:00:09.0218 1720 SystemInfo:
2011/08/10 18:00:09.0218 1720
2011/08/10 18:00:09.0218 1720 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/10 18:00:09.0218 1720 Product type: Workstation
2011/08/10 18:00:09.0218 1720 ComputerName: HOME-5BEF313A69
2011/08/10 18:00:09.0218 1720 UserName: Mr West
2011/08/10 18:00:09.0218 1720 Windows directory: C:\WINDOWS
2011/08/10 18:00:09.0218 1720 System windows directory: C:\WINDOWS
2011/08/10 18:00:09.0218 1720 Processor architecture: Intel x86
2011/08/10 18:00:09.0218 1720 Number of processors: 2
2011/08/10 18:00:09.0218 1720 Page size: 0x1000
2011/08/10 18:00:09.0218 1720 Boot type: Normal boot
2011/08/10 18:00:09.0218 1720 ================================================================================
2011/08/10 18:00:10.0859 1720 Initialize success
2011/08/10 18:00:17.0078 0388 ================================================================================
2011/08/10 18:00:17.0078 0388 Scan started
2011/08/10 18:00:17.0078 0388 Mode: Manual;
2011/08/10 18:00:17.0078 0388 ================================================================================
2011/08/10 18:00:17.0734 0388 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/08/10 18:00:17.0812 0388 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/10 18:00:17.0875 0388 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/10 18:00:17.0953 0388 aeaudio (6803453f3ff53cf353cdbef5ffaa8b7e) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/08/10 18:00:18.0109 0388 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/10 18:00:18.0171 0388 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/08/10 18:00:18.0296 0388 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/10 18:00:18.0390 0388 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/10 18:00:18.0437 0388 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/10 18:00:18.0593 0388 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/10 18:00:18.0625 0388 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/10 18:00:18.0656 0388 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/08/10 18:00:18.0703 0388 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/10 18:00:18.0828 0388 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2011/08/10 18:00:18.0875 0388 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/10 18:00:18.0906 0388 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/08/10 18:00:18.0953 0388 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/10 18:00:19.0031 0388 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/10 18:00:19.0078 0388 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/10 18:00:19.0156 0388 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/10 18:00:19.0265 0388 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/10 18:00:19.0312 0388 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/10 18:00:19.0437 0388 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/10 18:00:19.0484 0388 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/10 18:00:19.0531 0388 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/10 18:00:19.0609 0388 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/10 18:00:19.0656 0388 DSIR620 (a04c6df490405a306d92a2c42ec55dea) C:\WINDOWS\system32\DRIVERS\DSIR620.sys
2011/08/10 18:00:19.0812 0388 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/10 18:00:19.0859 0388 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/10 18:00:19.0890 0388 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/10 18:00:19.0906 0388 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/10 18:00:19.0968 0388 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/10 18:00:20.0093 0388 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/10 18:00:20.0109 0388 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/10 18:00:20.0156 0388 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/10 18:00:20.0203 0388 hcw88rc5 (d6b40af685d38b1ec6948edd7b991bef) C:\WINDOWS\system32\Drivers\hcw88rc5.sys
2011/08/10 18:00:20.0234 0388 HCW88TUNE (8cc83e761515240061fe6c248e3cfa66) C:\WINDOWS\system32\drivers\hcw88tun.sys
2011/08/10 18:00:20.0343 0388 hcw88vid (c85ee7b5c2a2c57ed850e943124d2cdb) C:\WINDOWS\system32\drivers\hcw88vid.sys
2011/08/10 18:00:20.0375 0388 HCW88XBAR (e717f35d64f08d2808c893140d12c148) C:\WINDOWS\system32\drivers\HCW88BAR.sys
2011/08/10 18:00:20.0406 0388 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2011/08/10 18:00:20.0437 0388 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/10 18:00:20.0578 0388 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/10 18:00:20.0656 0388 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/10 18:00:20.0687 0388 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/10 18:00:20.0781 0388 IntelC51 (874db5e07fe2a7f1b22f7c760736f6f4) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/08/10 18:00:20.0921 0388 IntelC52 (4c0f190119ebc5ce728c9d060d8ae3e7) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/08/10 18:00:21.0046 0388 IntelC53 (85b36bc9e8fa579c64de88ffececce6c) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/08/10 18:00:21.0093 0388 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/08/10 18:00:21.0156 0388 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/10 18:00:21.0171 0388 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/10 18:00:21.0281 0388 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/10 18:00:21.0312 0388 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/10 18:00:21.0343 0388 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/10 18:00:21.0375 0388 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/10 18:00:21.0390 0388 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/08/10 18:00:21.0500 0388 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/10 18:00:21.0562 0388 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/10 18:00:21.0609 0388 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/10 18:00:21.0640 0388 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/10 18:00:21.0703 0388 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/10 18:00:21.0828 0388 KS-959 (2ae47a0b7e05e9695f8c19b7d4e3f4c0) C:\WINDOWS\system32\DRIVERS\KS-959.sys
2011/08/10 18:00:21.0906 0388 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/10 18:00:22.0000 0388 lusbaudio (081caf42d5db1fcf8794fd77befd1b11) C:\WINDOWS\system32\drivers\OVSound2.sys
2011/08/10 18:00:22.0062 0388 MidiSyn (8c7d037a53b495e7c250fd70b158b581) C:\WINDOWS\system32\drivers\MidiSyn.sys
2011/08/10 18:00:22.0187 0388 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/10 18:00:22.0234 0388 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/10 18:00:22.0250 0388 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/08/10 18:00:22.0281 0388 mohfilt (f2cc6273e7de087dc0fd701f753461ca) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/08/10 18:00:22.0375 0388 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/10 18:00:22.0406 0388 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/10 18:00:22.0468 0388 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/10 18:00:22.0500 0388 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/10 18:00:22.0562 0388 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/10 18:00:22.0687 0388 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/08/10 18:00:22.0734 0388 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/10 18:00:22.0796 0388 MSIRCOMM (95c6432151ccff8617352f8e616a1aa4) C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
2011/08/10 18:00:22.0859 0388 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/10 18:00:22.0875 0388 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/10 18:00:22.0984 0388 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/10 18:00:23.0015 0388 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/10 18:00:23.0046 0388 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/08/10 18:00:29.0296 0388 ================================================================================
2011/08/10 18:00:29.0296 0388 Scan finished
2011/08/10 18:00:29.0296 0388 ================================================================================
2011/08/10 18:00:29.0328 0464 Detected object count: 0
2011/08/10 18:00:29.0328 0464 Actual detected object count: 0
2011/08/10 18:01:04.0328 4088 Deinitialize success

#8 Elise

Posted 10 August 2011 - 12:47 PM

Yes, you can indeed safely back up personal data. Please let me know if you want to continue making sure everything is clean, or if you choose to reformat/reinstall now.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Omenicity (Topic Starter)

Posted 10 August 2011 - 05:39 PM

Hi Elise, I really want to make sure everything is clean, as backing up everything and wiping and re-installing is a bit daunting. I have a second hard drive (F) in my computer, for keeping home videos and back-ups etc. Is it safe enough to assume that the virus won't have moved to this drive? Also, I tried to move the Gmer program from the desktop to another folder on the C drive but it wouldn't let me. I haven't tried re-installing or running any anti-virus or previously affected programs yet - should I try these to check all is ok?

Thanks again for your help, please let me know what to do next.

#10 Elise

Posted 11 August 2011 - 07:06 AM

To be sure, best is to scan the other drive as well (we can do that in the following steps). First however please rerun DDS and post me attach.txt (it will be minimized when the scan finishes).

regards, Elise



#11 Omenicity (Topic Starter)

Posted 11 August 2011 - 03:00 PM

Hi Elise, below is attach.txt, please let me know if you want the DDS log too.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 26/01/2008 13:48:39
System Uptime: 11/08/2011 07:18:45 (13 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7140
Processor: Intel® Pentium® 4 CPU 3.00GHz | Socket 478 | 2992/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 135.258 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 234 GiB total, 20.318 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1285: 14/05/2011 19:07:18 - System Checkpoint
RP1286: 16/05/2011 11:14:33 - System Checkpoint
RP1287: 17/05/2011 12:20:36 - System Checkpoint
RP1288: 18/05/2011 12:56:09 - System Checkpoint
RP1289: 19/05/2011 13:19:48 - System Checkpoint
RP1290: 20/05/2011 13:24:54 - System Checkpoint
RP1291: 21/05/2011 19:32:03 - System Checkpoint
RP1292: 21/05/2011 20:21:13 - Installed AVG 2011
RP1293: 21/05/2011 20:24:38 - Removed AVG 2011
RP1294: 22/05/2011 20:45:53 - System Checkpoint
RP1295: 24/05/2011 08:48:26 - System Checkpoint
RP1296: 25/05/2011 08:52:11 - System Checkpoint
RP1297: 26/05/2011 09:28:09 - System Checkpoint
RP1298: 27/05/2011 09:40:04 - System Checkpoint
RP1299: 28/05/2011 10:59:54 - System Checkpoint
RP1300: 29/05/2011 12:04:04 - System Checkpoint
RP1301: 30/05/2011 12:40:34 - System Checkpoint
RP1302: 31/05/2011 13:44:25 - System Checkpoint
RP1303: 01/06/2011 15:31:11 - System Checkpoint
RP1304: 02/06/2011 16:49:01 - System Checkpoint
RP1305: 03/06/2011 17:37:33 - System Checkpoint
RP1306: 04/06/2011 19:13:01 - System Checkpoint
RP1307: 05/06/2011 20:10:49 - System Checkpoint
RP1308: 06/06/2011 22:08:40 - System Checkpoint
RP1309: 07/06/2011 23:01:04 - System Checkpoint
RP1310: 12/06/2011 21:12:01 - System Checkpoint
RP1311: 14/06/2011 08:17:22 - System Checkpoint
RP1312: 15/06/2011 08:23:59 - System Checkpoint
RP1313: 16/06/2011 09:16:00 - System Checkpoint
RP1314: 16/06/2011 23:17:59 - Software Distribution Service 3.0
RP1315: 18/06/2011 09:39:00 - System Checkpoint
RP1316: 19/06/2011 10:45:53 - System Checkpoint
RP1317: 20/06/2011 12:09:41 - System Checkpoint
RP1318: 21/06/2011 17:22:48 - System Checkpoint
RP1319: 22/06/2011 17:53:20 - System Checkpoint
RP1320: 23/06/2011 19:13:14 - System Checkpoint
RP1321: 24/06/2011 20:32:41 - System Checkpoint
RP1322: 25/06/2011 20:36:14 - System Checkpoint
RP1323: 10/07/2011 22:00:22 - System Checkpoint
RP1324: 11/07/2011 00:30:32 - Software Distribution Service 3.0
RP1325: 12/07/2011 08:37:36 - System Checkpoint
RP1326: 13/07/2011 09:16:37 - System Checkpoint
RP1327: 13/07/2011 10:13:16 - Software Distribution Service 3.0
RP1328: 14/07/2011 10:14:02 - System Checkpoint
RP1329: 14/07/2011 12:26:36 - Software Distribution Service 3.0
RP1330: 14/07/2011 12:27:58 - Software Distribution Service 3.0
RP1331: 14/07/2011 12:28:36 - Software Distribution Service 3.0
RP1332: 14/07/2011 12:29:42 - Software Distribution Service 3.0
RP1333: 14/07/2011 12:39:38 - Software Distribution Service 3.0
RP1334: 14/07/2011 13:42:03 - Software Distribution Service 3.0
RP1335: 14/07/2011 17:56:54 - Software Distribution Service 3.0
RP1336: 14/07/2011 23:41:57 - Software Distribution Service 3.0
RP1337: 15/07/2011 09:23:54 - Software Distribution Service 3.0
RP1338: 15/07/2011 10:39:51 - Software Distribution Service 3.0
RP1339: 15/07/2011 10:49:02 - Removed Windows Defender
RP1340: 15/07/2011 10:54:52 - Installed Windows Defender
RP1341: 15/07/2011 11:09:22 - Installed Microsoft Fix it 50362
RP1342: 15/07/2011 12:56:25 - Software Distribution Service 3.0
RP1343: 15/07/2011 19:48:19 - Removed AVG 2011
RP1344: 15/07/2011 19:49:46 - Removed AVG 2011
RP1345: 15/07/2011 19:51:41 - Software Distribution Service 3.0
RP1346: 15/07/2011 20:09:44 - Installed AVG 2011
RP1347: 15/07/2011 20:10:17 - Installed AVG 2011
RP1348: 15/07/2011 21:41:14 - Software Distribution Service 3.0
RP1349: 15/07/2011 22:05:19 - Software Distribution Service 3.0
RP1350: 15/07/2011 23:27:29 - Software Distribution Service 3.0
RP1351: 17/07/2011 10:34:41 - System Checkpoint
RP1352: 18/07/2011 10:36:49 - System Checkpoint
RP1353: 19/07/2011 12:03:14 - System Checkpoint
RP1354: 20/07/2011 12:09:46 - System Checkpoint
RP1355: 21/07/2011 12:16:35 - System Checkpoint
RP1356: 23/07/2011 09:11:54 - System Checkpoint
RP1357: 24/07/2011 12:42:32 - System Checkpoint
RP1358: 25/07/2011 13:10:16 - System Checkpoint
RP1359: 26/07/2011 13:18:32 - System Checkpoint
RP1360: 26/07/2011 16:21:12 - Removed APC PowerChute Personal Edition
RP1361: 26/07/2011 16:39:09 - Installed APC PowerChute Personal Edition
RP1362: 26/07/2011 18:17:59 - Removed APC PowerChute Personal Edition
RP1363: 26/07/2011 18:18:44 - Installed APC PowerChute Personal Edition
RP1364: 26/07/2011 18:33:47 - Installed %1 %2.
RP1365: 27/07/2011 19:16:53 - System Checkpoint
RP1366: 28/07/2011 09:36:37 - Installed Windows Defender
RP1367: 28/07/2011 16:51:44 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP1368: 29/07/2011 18:15:28 - System Checkpoint
RP1369: 30/07/2011 23:19:30 - System Checkpoint
RP1370: 01/08/2011 00:50:44 - System Checkpoint
RP1371: 01/08/2011 19:17:56 - Removed APC PowerChute Personal Edition
RP1372: 01/08/2011 20:29:58 - Removed AVG 2011
RP1373: 01/08/2011 20:31:05 - Removed AVG 2011
RP1374: 01/08/2011 21:33:09 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP1375: 03/08/2011 10:30:57 - System Checkpoint
RP1376: 04/08/2011 21:08:31 - System Checkpoint
RP1377: 05/08/2011 21:10:20 - System Checkpoint
RP1378: 06/08/2011 22:05:16 - System Checkpoint
RP1379: 08/08/2011 08:34:16 - System Checkpoint
RP1380: 09/08/2011 09:41:58 - System Checkpoint
RP1381: 10/08/2011 08:20:26 - Software Distribution Service 3.0
RP1382: 10/08/2011 17:44:50 - Software Distribution Service 3.0
RP1383: 10/08/2011 18:15:51 - Software Distribution Service 3.0
RP1384: 11/08/2011 07:21:12 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.0)
Adobe Shockwave Player 11.5
ArcSoft PhotoStudio 5.5
Camera Support Core Library
Camera Window DVC
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.0
Canon Utilities EOS Capture 1.5
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
Compatibility Pack for the 2007 Office system
Corel Applications
Coupon Printer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Image Clip Palette
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX4800_4200 User's Guide
ESET Online Scanner v3
Eusing Free Registry Cleaner
Eusing Free System Cleaner
FHM Gaming Casino
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
Fleetguard Master Catalog
FUJIFILM USB Driver
Galactic Civilizations II - Endless Universe
Gnostice ONEView Demo
GX20 COM-Handset Manager
Hauppauge English Help Files and Resources
Hauppauge WinTV Infrared Remote
Hauppauge WinTV Scheduler
Hauppauge WinTV Soft PVR
Hauppauge WinTV Source Selector
Hauppauge WinTV2000
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB2443685)
IKEA Home Planner
Impulse
Intel® 537EP Modem
InterActual Player
Internet Explorer (Enable DEP)
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
jamiroquai Screen Saver
Java™ 6 Update 19
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
KONICA_MINOLTA DiMAGE remote camera driver
LEGO Digital Designer
LEGO Racers
Logitech Desktop Messenger
Logitech Gaming Software 5.02
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
LucasArts' X-Wing vs. TIE Fighter Demo
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Automated Troubleshooting Services Shim
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Fix it Center
Microsoft Game Studios Common Redistributables Pack 1
Microsoft IntelliType Pro 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Visio Viewer 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works 7.0
Microsoft XML Parser
Microsoft Zoo Tycoon
Monopoly
Motorola SM56 Speakerphone Modem
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero Suite
NVIDIA Drivers
Online Manuals for WinTV (English)
Oz - IS
PhotoStitch
PIF DESIGNER
PowerDVD
Presto! Image Folio 4.2
Presto! Video Works 4.5
Professor Franklin
QuickTime
RAW Image Task 2.2
Rebate Catcher
Scooby-Doo™, Case File #1 The Glowing Bug Man
Screen Grab Pro
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB913433)
SHARP GSM GPRS Driver Ver1.1.1
SHARP GSM GPRS Wizard Ver2.0.0
Shockwave
Sid Meier's Pirates!
Skype Toolbars
Skype™ 5.3
SoundMAX
Space Empires V
SUPERAntiSpyware
Supreme Ruler 2010 Demo 4.00.11
TomTom HOME Visual Studio Merge Modules
TRS2004
Universal Extractor 1.6
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB971029)
Usb to Serial Driver 1.12.26
VTPlus32 for WinTV (English)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell™ 1.0
Windows Presentation Foundation
Windows XP Service Pack 3
WinSTon Emulator v0.5
X3 Bonus Package 3.1.07
X3 Reunion
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
10/08/2011 17:48:10, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 0013D33C8008 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
10/08/2011 10:57:06, error: PlugPlayManager [11] - The device Root\*PNPd2e0\0000 disappeared from the system without first being prepared for removal.
10/08/2011 10:48:32, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
07/08/2011 11:29:30, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
07/08/2011 11:29:11, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 0013D33C8008 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
04/08/2011 09:29:04, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sfsync02
04/08/2011 09:29:04, error: Service Control Manager [7000] - The Windows Defender service failed to start due to the following error: Access is denied.
.
==== End Of File ===========================

#12 Elise

Posted 11 August 2011 - 03:08 PM

Hi again,

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


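Elise's Java advice above amounts to one rule: every JRE entry in the "Installed Programs" list that is not the current release has to go. The following is an added example (not DDS's or BleepingComputer's code) that applies that rule to a constructed excerpt modelled on the attach.txt above; the two "Java™ 7" lines in the excerpt are constructed so that there is a newest entry to keep, and the name patterns are the ones Sun/Oracle used for the JRE at the time.

```python
"""Added example (not DDS's or BleepingComputer's code): apply the rule
"uninstall every Java runtime that is not the current release" to the
'Installed Programs' section of a DDS attach.txt."""
import re
from typing import List, NamedTuple


class JavaEntry(NamedTuple):
    name: str    # the line exactly as listed in the log
    major: int   # 5, 6, 7, ...
    update: int  # the "Update N" number, 0 when absent


# Product names Sun/Oracle used for the JRE on Windows XP, as seen in the log:
# "J2SE Runtime Environment 5.0 Update 10", "Java(TM) 6 Update 19",
# "Java(TM) SE Runtime Environment 6 Update 1". The (TM) may appear as ™.
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java(?:\(TM\)|™)?(?: SE)?(?: Runtime Environment)?)"
    r"\s+(\d+)(?:\.\d+)?(?:\s+Update\s+(\d+))?\s*$",
    re.IGNORECASE,
)

# Constructed excerpt modelled on the log above; the two "Java™ 7" lines are
# constructed so that the newest entry has something to be kept against.
INSTALLED_PROGRAMS = """\
Acrobat.com
Adobe Reader X (10.1.0)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 19
Java™ 6 Update 2
Java™ 7
Java™ 7 Update 1
Java™ SE Runtime Environment 6 Update 1
Microsoft Silverlight
"""


def parse_java_entries(installed_programs: str) -> List[JavaEntry]:
    """Pick out the Java runtime lines from an 'Installed Programs' listing."""
    entries = []
    for line in installed_programs.splitlines():
        line = line.strip()
        m = JAVA_RE.match(line)
        if m:
            entries.append(JavaEntry(line, int(m.group(1)), int(m.group(2) or 0)))
    return entries


def outdated_java(installed_programs: str, latest_major: int = 7) -> List[str]:
    """Names of every Java runtime that should be uninstalled: everything below
    latest_major, and within the current major everything but the highest Update.
    Old runtimes stay installed side by side, each one a separately exploitable
    browser plugin, which is why the whole list matters and not just the newest."""
    entries = parse_java_entries(installed_programs)
    current = [e for e in entries if e.major >= latest_major]
    keep = max(current, key=lambda e: (e.major, e.update), default=None)
    return [e.name for e in entries if e is not keep]


if __name__ == "__main__":
    for name in outdated_java(INSTALLED_PROGRAMS):
        print("uninstall:", name)
```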

#13 Omenicity (Topic Starter)

Posted 12 August 2011 - 05:29 AM

Hi Elise,

Below is the MBAM log you requested. The stealth-fighter .log files are from an old PC game from about 20 years ago! I guess these are old types of files rather than infections, but you would know better than me!

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7441

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/08/2011 11:22:56
mbam-log-2011-08-12 (11-22-56).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 336643
Time elapsed: 1 hour(s), 3 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\backup 02aug2011\games - extracted\stealth fighter\ASOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
c:\backup 02aug2011\games - extracted\stealth fighter\ISOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
c:\backup 02aug2011\games - extracted\stealth fighter\RSOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{7e11aaeb-a0d6-4f86-8440-1b517050b065}\RP1384\A0279989.exe (JokeApp.NotFunny) -> Quarantined and deleted successfully.
f:\backup 02aug2011\games - extracted\stealth fighter\ASOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
f:\backup 02aug2011\games - extracted\stealth fighter\ISOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
f:\backup 02aug2011\games - extracted\stealth fighter\RSOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
f:\backup 25jun2011\games - extracted\stealth fighter\ASOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
f:\backup 25jun2011\games - extracted\stealth fighter\ISOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
f:\backup 25jun2011\games - extracted\stealth fighter\RSOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
f:\system volume information\_restore{7e11aaeb-a0d6-4f86-8440-1b517050b065}\RP1384\A0279990.exe (JokeApp.NotFunny) -> Quarantined and deleted successfully.
f:\system volume information\_restore{7e11aaeb-a0d6-4f86-8440-1b517050b065}\RP1384\A0279991.exe (JokeApp.NotFunny) -> Quarantined and deleted successfully.
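
As an added example (not code from this thread or from Malwarebytes), the following script parses a log in the layout quoted above and sorts the hits the way a reviewer would read them: heuristic `Extension.Mismatch` flags, copies sitting in System Restore points, and everything else. The sample log is constructed from the entries above with one line altered to `No action taken.` so that the "unresolved" check has something to find; the category names and the triage rules are assumptions for illustration, not Malwarebytes' own classification.

```python
import re

# Constructed sample in the layout of the MBAM log quoted above (entries trimmed;
# the last line is altered to "No action taken." to exercise the unresolved check).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7441

Registry Keys Infected: 1
Files Infected: 4

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\backup 02aug2011\games - extracted\stealth fighter\ASOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
c:\backup 02aug2011\games - extracted\stealth fighter\ISOUND.LOG (Extension.Mismatch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{7e11aaeb-a0d6-4f86-8440-1b517050b065}\RP1384\A0279989.exe (JokeApp.NotFunny) -> Quarantined and deleted successfully.
f:\system volume information\_restore{7e11aaeb-a0d6-4f86-8440-1b517050b065}\RP1384\A0279990.exe (JokeApp.NotFunny) -> No action taken.
"""

# Summary counters: "<Category> Infected: <n>"
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Detection entries: "<item> (<signature>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {'summary': {category: count}, 'detections': [entry, ...]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):          # section heading
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({
                "section": section,
                "item": m.group("item"),
                "signature": m.group("sig"),
                "action": m.group("action"),
            })
    return {"summary": summary, "detections": detections}


def triage(detections):
    """Bucket entries by how much weight they deserve (assumed rules, not MBAM's)."""
    buckets = {"heuristic": [], "restore_point": [], "active": []}
    for d in detections:
        if d["signature"].startswith("Extension."):
            buckets["heuristic"].append(d)          # structural heuristic, low confidence
        elif "\\system volume information\\" in d["item"].lower():
            buckets["restore_point"].append(d)      # old copies inside a restore point
        else:
            buckets["active"].append(d)
    return buckets


def unresolved(detections):
    """Entries MBAM did not report as quarantined and deleted."""
    return [d for d in detections if not d["action"].startswith("Quarantined and deleted")]


def summary_matches(parsed):
    """Cross-check the 'Files Infected' counter against the listed file entries."""
    listed = sum(1 for d in parsed["detections"] if d["section"] == "Files Infected")
    return parsed["summary"].get("Files Infected") == listed


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for name, entries in triage(parsed["detections"]).items():
        print(f"{name}: {len(entries)}")
    for d in unresolved(parsed["detections"]):
        print("unresolved:", d["item"], d["action"])
    print("summary consistent:", summary_matches(parsed))
```

Reading the real log through this lens: the registry key is the only hit outside a restore point or a heuristic flag, which is why the analyst's next question is whether any symptoms remain rather than whether the game files matter.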

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,321 posts
  • Gender:Female
  • Location:Romania
  • Local time:02:57 AM

Posted 12 August 2011 - 05:37 AM

Yes, these are extension mismatches, which means that they have an extension that does not correspond with the file structure. This is possible for older files.

Do you have any problem left?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise



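As an added example, not code from this thread or from Malwarebytes, here is the kind of check an "extension mismatch" detection performs: compare what the file name promises with what the leading bytes (the magic number) actually are. The signature table is a small hand-picked subset chosen for illustration, the sample files are constructed byte strings, and nothing here claims to reproduce the scanner's own heuristic or to say what the poster's `.LOG` files really contained.

```python
import os

# Leading byte signatures for a few common formats (assumed subset for illustration).
MAGIC = [
    (b"MZ", "pe"),                    # Windows executable / DLL
    (b"\x7fELF", "elf"),              # ELF executable
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),           # also docx/xlsx/jar containers
]

# What each extension promises about the content.
EXT_KIND = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".pdf": "pdf", ".png": "png", ".gif": "gif",
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
}
EXECUTABLE_KINDS = {"pe", "elf"}


def sniff(data: bytes):
    """Identify the container type from its leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check_extension(name: str, data: bytes):
    """Return (verdict, expected_kind, actual_kind).

    verdict is 'mismatch' when the extension and the bytes disagree, or when an
    unknown extension hides executable content; 'unknown' when neither side gives
    evidence (plain text under .log, say); otherwise 'ok'.
    """
    expected = EXT_KIND.get(os.path.splitext(name)[1].lower())
    actual = sniff(data)
    if expected is not None:
        return ("ok" if actual == expected else "mismatch", expected, actual)
    if actual in EXECUTABLE_KINDS:
        return ("mismatch", None, actual)
    if actual is None:
        return ("unknown", None, None)
    return ("ok", None, actual)


def scan(samples):
    """Run the check over {name: bytes} and return {name: verdict}."""
    return {name: check_extension(name, data)[0] for name, data in samples.items()}


# Constructed sample files, not real content from the poster's machine.
SAMPLES = {
    "ASOUND.LOG": b"MZ\x90\x00\x03\x00\x00\x00",         # executable bytes under .LOG
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",        # .pdf that is really a PE
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",    # consistent
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",        # consistent (zip container)
    "notes.txt": b"just some plain text\r\n",            # no evidence either way
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

The verdict is only as good as the signature table, which is exactly why the analyst treats these hits as plausible for old files rather than as proof of infection: a twenty-year-old game is free to store sound-driver data under `.LOG`, and the check has no way to know that.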

#15 Omenicity

Omenicity
  • Topic Starter

  • Members
  • 12 posts
  • Local time:11:57 PM

Posted 12 August 2011 - 08:29 AM

Hi Elise, yes I do still have problems:

When I try to run Windows Defender, I get a red cross with the message: "Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually." I've been getting this message since the first infection.

Also, Windows Automatic updates keeps asking me to download and install a malware related tool August 2011 KB890830. This happened last month with the July 2011 version (after the infection) and I eventually hid it to stop the reminders. Do I need to "unhide" the July version now that the rootkit is gone, and try again?

I have just tried ESET scanner, and it stopped at step 2 of 4, 50% of the way through, with a red "Unexpected error 101" and in black underneath: "Note: ESET Online Scanner has already been run on this computer in the past. Only files necessary to update the current version will be downloaded". I think I did try this a week or two ago, but it either didn't work or didn't find anything.

Sorry!
