Zentom System Guard Refused to Die


This topic is locked
66 replies to this topic

#1 zentomed

Posted 12 August 2011 - 12:16 PM

MOD EDIT: Merged 5 posts
Moved from here:
http://www.bleepingcomputer.com/forums/topic413981.html

Original Post:
I am trying to clean up a malware infested Windows XP (SP3) computer for a co-worker. It has the Zentom Security Guard program on it which was regularly displaying warnings in the system tray with a yellow triangle/exclamation point icon, and various pop-up windows with either "Error" messages or fake program windows or a fake Windows Update window. I followed the instructions here:

http://www.bleepingcomputer.com/virus-removal/remove-zentom-system-guard

Unfortunately, this did not work. The RKill program, no matter which named version I use, did kill the warnings/pop-ups but only temporarily. The warnings/pop-ups would start again within 30 seconds of RKill's completion. I continued anyway and installed Malwarebytes. The full scan did find quite a few issues which it cleaned up, but after a reboot the same malware behavior continued.

Next, I tried Combofix. This managed to clean up even more files, but the malware appeared to be interfering with it. During Combofix's run there were constant error messages about applications being forced to stop and other strange error messages, all of which I am 99% sure were Combofix-related activities. Once Combofix completed, the fake program windows/Windows Update stopped, but the pop-up errors and system tray warnings continue.

Since then I have tried Malwarebytes, Combofix, and SuperAntiSpyware (all fully updated) in both Safe Mode and regular mode. Every time the software detects issues and cleans them up, but the malware behavior continues both before and after the reboot. The next scan finds the same issues but with different file names. RKill continues to be ineffective. I've run out of ideas.

Note that Task Manager can be started, but it closes/disappears after a few seconds. Also, the malware behavior is present both after a regular start up and in Safe Mode. I do not believe any of the three scanners found anything amiss in memory, despite the fact that there is typically a pop-up "Error" on the screen and a system tray warning active during its scans. The system tray icon immediately disappears by simply rolling the mouse over it.

Sample messages:

SYSTEM TRAY
Spyware protection is disabled. Your personal data is at high risk of being stolen and misused.

SYSTEM TRAY
System warning (exclamation point icon)
Keep your computer safe from viruses and malicious programs that can slow down or break your system

ERROR POP-UP
Surfing without protection tool installed may cause spyware intrusion through security holes in the Web browser or in other software.

ERROR POP-UP
Your computer is infected with Spyware! Detected malicious programs can damage your computer and compromise your privacy. It is strongly recommended to remove them immediately.

ERROR POP-UP
Internal conflict alert! Internal software conflict detected! Some application tries to get access to the system kernel.... (there is more, but I did not write it all down)

Any assistance is appreciated.

Updates and logs to follow.

UPDATE:
The situation on the computer has gotten worse. Something called "Security Protection" has now installed itself and refuses to allow any programs to run, throwing up all sorts of error messages in the system tray. Fortunately, RKill does kill it from memory and it stays killed until a reboot. I have not attempted a removal yet.

The Zentom-related symptoms noted earlier also continue, though in an irony it appears that Security Protection is interfering with Zentom as well. Still, the system tray warning and pop-up messages from before are still there in addition to the Security Protection stuff (at least pre-RKill). RKill still does not work on these symptoms, even in Safe Mode.

I attempted to do a DDS scan, but it failed. The window will appear and usually starts scanning (######), but then it disappears and never finishes. It appears to be shut down like Task Manager. I even tried it in Safe Mode to no avail. Running RKill before DDS made no difference.

I did do the GMER scan, even though it was not necessary. That log will be posted shortly. It did find rootkit behavior.

Internet Explorer appears to be hijacked when running in normal mode, with no menus, address bar, etc., and the Google search is producing a very not-Google results page. Running it without Add-Ons did work normally, at least for a while, but then Security Protection made its presence felt and it locked up.

The computer is also getting messages from "Just-in-Time Debugging", usually in bunches.

Logs to follow.

GMER LOG

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-12 13:08:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST380215A rev.3.AAD
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwtcraow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0100000A
.text C:\WINDOWS\system32\wuauclt.exe[544] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0293000A
.text C:\WINDOWS\system32\wuauclt.exe[544] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FF000C
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DD000C
.text C:\WINDOWS\system32\wuauclt.exe[3980] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0160000A
.text C:\WINDOWS\system32\wuauclt.exe[3980] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0161000A
.text C:\WINDOWS\system32\wuauclt.exe[3980] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 015F000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F0431B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 82F0431B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82F0431B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 82F0431B

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

I ran Combofix three times over two days. I include all three logs, one per post. This was the first (oldest) run:

ComboFix 11-08-10.01 - Owner 08/10/2011 14:55:51.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.518 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\All Users\Application Data\Toolbar4
c:\documents and settings\Owner\Application Data\58FFF78FD31F925EEDDC72D60A4278B9\upd_debug.exe
c:\documents and settings\Owner\Application Data\Adobe\plugs
c:\documents and settings\Owner\Application Data\Adobe\plugs\KB190642437.exe
c:\documents and settings\Owner\Application Data\Adobe\plugs\KB190642890.exe
c:\documents and settings\Owner\Application Data\Adobe\plugs\KB190655015.exe
c:\documents and settings\Owner\Application Data\Adobe\plugs\KB190655718.exe
c:\documents and settings\Owner\Application Data\Adobe\shed
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Zentom System Guard.lnk
c:\documents and settings\Owner\Desktop\Zentom System Guard.lnk
c:\documents and settings\Owner\Start Menu\Programs\Startup\Zentom System Guard.lnk
c:\documents and settings\Owner\Start Menu\Programs\Zentom System Guard
c:\documents and settings\Owner\Start Menu\Programs\Zentom System Guard\Uninstall.lnk
c:\documents and settings\Owner\Start Menu\Programs\Zentom System Guard\Zentom System Guard.lnk
c:\documents and settings\Owner\Start Menu\Zentom System Guard.lnk
C:\install.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\tbcore3.dll
c:\program files\Search Toolbar\tbhelper.dll
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\uninstall.exe
c:\program files\Search Toolbar\update.exe
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
c:\program files\Shared
c:\program files\Shared\lib.sig
C:\Thumbs.db
c:\windows\igwmalat.dll
c:\windows\iun6002.exe
c:\windows\opolanahif.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
.
2011-08-10 19:05 . 2011-08-10 19:05 171008 ----a-w- c:\program files\coreobjsrv.exe
2011-08-10 17:04 . 2011-08-10 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 02:43 . 2011-08-04 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-03 20:41 . 2011-08-10 17:01 0 ----a-w- c:\windows\Pvoqec.bin
2011-08-03 20:41 . 2011-08-03 20:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{08F32473-E814-4733-B659-81E767CC0565}
2011-08-03 20:40 . 2011-08-03 20:40 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-08-03 20:39 . 2011-08-10 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\58FFF78FD31F925EEDDC72D60A4278B9
2011-07-24 01:34 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-24 01:32 . 2008-03-27 20:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-07-24 01:32 . 2011-07-24 01:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- C:\Temp
2011-07-24 01:32 . 2011-07-24 01:39 -------- d-----w- c:\program files\Motorola
2011-07-14 22:06 . 2008-04-14 02:14 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 00:40 . 2011-06-21 02:20 13667240 ----a-w- c:\documents and settings\Owner\Application Data\OptimumLinkSetup.exe
2011-06-02 14:02 . 2008-04-14 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OptimumLink.lnk - c:\program files\Optimum Link\OptimumLink.exe [2011-6-17 689624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hostadvmsg.exe [2011-8-10 68608]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Prayer Call 4.0.lnk - c:\program files\Prayer Times 4\Adhnqq06.exe [N/A]
.
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"Load"=c:\docume~1\Owner\LOCALS~1\Temp\csrss.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Optimum Link\\OptimumLink.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/7/2009 3:12 PM 44160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-10 c:\windows\Tasks\User_Feed_Synchronization-{9B9579AD-79DC-4425-A9E9-939F2CCA41B4}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Filter: text/html - {04ab4c85-c0c0-4778-ad5e-6587dc5459db} -
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\Shared\lib.dll
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
Toolbar-Locked - (no file)
WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
AddRemove-Athan - c:\windows\iun6002.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-10 15:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380215A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F1A31B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACDaemon]
"ImagePath"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aeaudio]
"ImagePath"="system32\drivers\aeaudio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFGMp50]
"ImagePath"="System32\Drivers\AFGMp50.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFGSp50]
"ImagePath"="System32\Drivers\AFGSp50.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="c:\windows\system32\qmgr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\c:\docume~1\Owner\LOCALS~1\Temp\catchme.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid1{02D4B3F1-FD88-11D1-960D-00805FC79235}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\E100B]
"ImagePath"="system32\DRIVERS\e100b325.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\DRIVERS\fltMgr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gupdate]
"ImagePath"="c:\program files\Google\Update\GoogleUpdate.exe /svc"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gupdatem]
"ImagePath"="c:\program files\Google\Update\GoogleUpdate.exe /medsvc"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]
"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hidusb]
"ImagePath"="system32\DRIVERS\hidusb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ialm]
"ImagePath"="system32\DRIVERS\ialmnt5.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]
"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IHA_MessageCenter]
"ImagePath"="\"c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]
"ImagePath"="system32\DRIVERS\intelppm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"c:\program files\Java\jre6\bin\jqs.exe\" -service -config \"c:\program files\Java\jre6\lib\deploy\jqs\jqs.conf\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LanmanServer]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McComponentHostService]
"ImagePath"="\"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MOSUMAC]
"ImagePath"="system32\DRIVERS\MOSUMAC.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\motccgp]
"ImagePath"="system32\DRIVERS\motccgp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\motccgpfl]
"ImagePath"="system32\DRIVERS\motccgpfl.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\motmodem]
"ImagePath"="system32\DRIVERS\motmodem.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\motport]
"ImagePath"="system32\DRIVERS\motport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MREMP50]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MREMPR5]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MREMPR5.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRENDIS5]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MRENDIS5.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRESP50]
"ImagePath"="\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="c:\windows\system32\msiexec.exe /V"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NMIndexingService]
"ImagePath"="\"c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ODBC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimUsb]
"ImagePath"="System32\Drivers\RimUsb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimVSerPort]
"ImagePath"="system32\DRIVERS\RimSerial.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ROOTMODEM]
"ImagePath"="System32\Drivers\RootMdm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RoxLiveShare9]
"ImagePath"="\"c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdauxservice]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdcoreservice]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\smwdm]
"ImagePath"="system32\drivers\smwdm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{B4165338-14AF-4763-8842-4CD2BC1AE5CE}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wdf01000]
"ImagePath"="System32\Drivers\wdf01000.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="C1\WINDOWS\system32\mspmsnsv.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WpdUsb]
"ImagePath"="system32\DRIVERS\wpdusb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="C1\WINDOWS\system32\wuauserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{3CBB61B2-CB2A-4706-84C3-C2B07E167A8E}]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{CE469044-C2C7-4433-8C68-8D93000B49A4}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-10 15:30:55
ComboFix-quarantined-files.txt 2011-08-10 19:30
.
Pre-Run: 59,364,290,560 bytes free
Post-Run: 60,647,485,440 bytes free
.
- - End Of File - - 5AF94294C4B79423E0A89F146BA1A2C8

SECOND RUN

ComboFix 11-08-10.01 - Owner 08/10/2011 18:20:35.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.618 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Adobe\plugs
c:\documents and settings\Owner\Start Menu\Zentom System Guard.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
.
2011-08-10 21:54 . 2011-08-10 21:54 171008 ----a-w- c:\documents and settings\All Users\Application Data\coreresapp.exe
2011-08-10 17:04 . 2011-08-10 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 02:43 . 2011-08-04 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-03 20:41 . 2011-08-10 17:01 0 ----a-w- c:\windows\Pvoqec.bin
2011-08-03 20:41 . 2011-08-03 20:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{08F32473-E814-4733-B659-81E767CC0565}
2011-08-03 20:40 . 2011-08-03 20:40 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-08-03 20:39 . 2011-08-10 19:39 -------- d-----w- c:\documents and settings\Owner\Application Data\58FFF78FD31F925EEDDC72D60A4278B9
2011-07-24 01:34 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-24 01:32 . 2008-03-27 20:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-07-24 01:32 . 2011-07-24 01:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- C:\Temp
2011-07-24 01:32 . 2011-07-24 01:39 -------- d-----w- c:\program files\Motorola
2011-07-14 22:06 . 2008-04-14 02:14 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 00:40 . 2011-06-21 02:20 13667240 ----a-w- c:\documents and settings\Owner\Application Data\OptimumLinkSetup.exe
2011-06-02 14:02 . 2008-04-14 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-30 273544]
"Athan"="c:\program files\Athan\Athan.exe" [2011-03-19 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*certpackcpl.exe"="c:\documents and settings\All Users\Start Menu\Programs\certpackcpl.exe" [2011-08-10 68608]
"*coreresapp.exe"="c:\documents and settings\All Users\Application Data\coreresapp.exe" [2011-08-10 171008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OptimumLink.lnk - c:\program files\Optimum Link\OptimumLink.exe [2011-6-17 689624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Prayer Call 4.0.lnk - c:\program files\Prayer Times 4\Adhnqq06.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Optimum Link\\OptimumLink.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/10/2011 1:03 PM 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/7/2009 3:12 PM 44160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-10 c:\windows\Tasks\User_Feed_Synchronization-{9B9579AD-79DC-4425-A9E9-939F2CCA41B4}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe
HKCU-Run-Ljujedoxirakipej - c:\windows\igwmalat.dll
HKLM-Run-Mkopuduqiy - c:\windows\opolanahif.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-10 18:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380215A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82D0031B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(208)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(268)
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-10 18:40:41
ComboFix-quarantined-files.txt 2011-08-10 22:40
ComboFix2.txt 2011-08-10 19:30
.
Pre-Run: 62,161,567,744 bytes free
Post-Run: 62,151,708,672 bytes free
.
- - End Of File - - CB80305A491A0FBFF95BBAB5E715EE20

THIRD RUN (MOST RECENT)

ComboFix 11-08-11.02 - Owner 08/11/2011 15:47:27.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.490 [GMT -4:00]
Running from: c:\combofix\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\appcatstream.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\catstreamapp.exe
c:\documents and settings\Owner\Application Data\OptimumLinkSetup.exe
c:\documents and settings\Owner\Local Settings\Application Data\{08F32473-E814-4733-B659-81E767CC0565}
c:\documents and settings\Owner\Local Settings\Application Data\{08F32473-E814-4733-B659-81E767CC0565}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{08F32473-E814-4733-B659-81E767CC0565}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{08F32473-E814-4733-B659-81E767CC0565}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{08F32473-E814-4733-B659-81E767CC0565}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-07-11 to 2011-08-11 )))))))))))))))))))))))))))))))
.
.
2011-08-11 19:55 . 2011-08-11 19:55 68608 ----a-w- c:\program files\catscancpl.exe
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-10 22:56 . 2011-08-11 18:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 22:56 . 2011-08-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-10 17:04 . 2011-08-10 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 02:43 . 2011-08-04 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-03 20:41 . 2011-08-10 17:01 0 ----a-w- c:\windows\Pvoqec.bin
2011-08-03 20:40 . 2011-08-03 20:40 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-24 01:34 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-24 01:32 . 2008-03-27 20:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-07-24 01:32 . 2011-07-24 01:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- C:\Temp
2011-07-24 01:32 . 2011-07-24 01:39 -------- d-----w- c:\program files\Motorola
2011-07-14 22:06 . 2008-04-14 02:14 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-10 4600704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-30 273544]
"Athan"="c:\program files\Athan\Athan.exe" [2011-03-19 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*evtsmsgdiag.exe"="c:\documents and settings\All Users\Start Menu\Programs\evtsmsgdiag.exe" [2011-08-11 171008]
"*catscancpl.exe"="c:\program files\catscancpl.exe" [2011-08-11 68608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OptimumLink.lnk - c:\program files\Optimum Link\OptimumLink.exe [2011-6-17 689624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Prayer Call 4.0.lnk - c:\program files\Prayer Times 4\Adhnqq06.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Optimum Link\\OptimumLink.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/8/2011 4:41 PM 116608]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/7/2009 3:12 PM 44160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-11 c:\windows\Tasks\User_Feed_Synchronization-{9B9579AD-79DC-4425-A9E9-939F2CCA41B4}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: Interfaces\{3CBB61B2-CB2A-4706-84C3-C2B07E167A8E}: NameServer = 71.250.0.12,68.237.161.12
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-*appcatstream.exe - c:\documents and settings\All Users\Start Menu\Programs\Startup\appcatstream.exe
HKLM-RunOnce-*catstreamapp.exe - c:\documents and settings\All Users\Start Menu\Programs\Startup\catstreamapp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-11 15:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380215A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F6F31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(652)
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-11 16:00:33
ComboFix-quarantined-files.txt 2011-08-11 20:00
ComboFix2.txt 2011-08-10 22:40
ComboFix3.txt 2011-08-10 19:30
.
Pre-Run: 61,933,596,672 bytes free
Post-Run: 61,914,157,056 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 79922C31D2699AAA6ADACD68566C0746

(I tried to put each log in its own post, but the forum combined the Combofix #2 and #3 runs. Everything should be there though.)

Edited by boopme, 12 August 2011 - 07:04 PM.
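The "Reg Loading Points" section of the ComboFix log above carries several signs worth reading before any tool is run: two RunOnce values whose names begin with "*" (Windows executes such RunOnce entries even in Safe Mode, which fits the "runs in both regular and safe mode" symptom), a Security Center with both AntiVirusOverride and FirewallOverride set to 1, and a Windows Firewall standard profile that is disabled with notifications suppressed. The script below is an added example, not part of the original post and not ComboFix's code; it parses an excerpt of that section (copied from the log and embedded as a string so it runs offline) and flags those conditions. The rule names and the list of "user-writable" path fragments are this example's own heuristics.

```python
import re

# Excerpt copied from the ComboFix "Reg Loading Points" section above,
# embedded here as a string so the script runs offline.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*evtsmsgdiag.exe"="c:\documents and settings\All Users\Start Menu\Programs\evtsmsgdiag.exe" [2011-08-11 171008]
"*catscancpl.exe"="c:\program files\catscancpl.exe" [2011-08-11 68608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PATH_RE = re.compile(r'^"([^"]+)"')          # quoted image path in the value data

# Path fragments a standard user can write to; an autostart pointing here
# deserves a look (heuristic chosen for this example).
USER_WRITABLE = ("\\documents and settings\\", "\\start menu\\", "\\temp\\")


def parse_loading_points(text):
    """Return (registry_key, value_name, value_data) for every value line."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def _value_int(data):
    """Parse 'dword:00000001' or '0 (0x0)' into an int; None if not numeric."""
    tokens = data.split()
    if not tokens:
        return None
    token = tokens[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    try:
        return int(token)
    except ValueError:
        return None


def triage(entries):
    """Apply the heuristics; returns (rule, value_name) tuples."""
    findings = []
    for key, name, data in entries:
        lk = key.lower()
        # A RunOnce value whose name starts with '*' is executed even in
        # Safe Mode (documented Windows behaviour), which matches the
        # "runs in both regular and safe mode" symptom in this thread.
        if lk.endswith("\\runonce") and name.startswith("*"):
            findings.append(("runonce-runs-in-safe-mode", name))
        # AntiVirusOverride / FirewallOverride = 1 silence the Security
        # Center warnings about a missing antivirus or firewall.
        if lk.endswith("\\security center") and name.lower().endswith("override") \
                and _value_int(data) == 1:
            findings.append(("security-center-override", name))
        if "firewallpolicy" in lk:
            if name == "EnableFirewall" and _value_int(data) == 0:
                findings.append(("firewall-disabled", name))
            if name == "DisableNotifications" and _value_int(data) == 1:
                findings.append(("firewall-notifications-suppressed", name))
        m = PATH_RE.match(data)
        if m and any(frag in m.group(1).lower() for frag in USER_WRITABLE):
            findings.append(("autostart-in-user-writable-path", name))
    return findings


if __name__ == "__main__":
    for rule, name in triage(parse_loading_points(SAMPLE)):
        print(f"{rule:38} {name}")
```

Run against the excerpt it reports seven findings: both "*" RunOnce entries, the Start Menu path of the first of them, the two Security Center overrides, and the two firewall settings. Nothing here identifies the family; it only turns the log into a checklist of what a cleaner must undo and what to re-check afterwards.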



#2 HelpBot

Posted 17 August 2011 - 12:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/414081 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 zentomed

Posted 18 August 2011 - 01:38 PM

Windows XP Home Edition, Version 2002, Service Pack 3. 32-bit. Version 5.1.2600. Note that that last part was hard to get. Command prompt windows disappear after a few seconds on the screen.

I do not have the XP CD in my possession. I can inquire with the owner of the computer. If he does not have it, I may be able to get one from somewhere else.

Computer status is the same as of the last post. I have done nothing to it and have not connected it to the Internet. As mentioned previously, the computer appears to have two competing malware infections.

DDS will not complete, either before or after running RKill, regular or safe mode. The command prompt box shows up for a few seconds and sometimes the "#" signs will start to go left to right to show some progress, but the window then abruptly closes and never produces the log file. Sometimes the command prompt window disappeared before the "#" signs and sometimes it only flickers on the screen briefly. It varies. I believe it is related to the command prompt issues the computer has. For some reason RKill can work around it.

GMER will not run before RKill is run. Instead I get a system tray error along the lines that gmer.exe is infected with XXX. Blaster worm appears to be the favorite "infection" at the moment. That "error" happens a lot; I think any program that starts to run gets killed and the "error" appears. It even happens with startup programs. One of the programs that I think is part of the original Zentom infection also gets the same "error" treatment.

Note that the original Zentom infection runs in both regular and safe mode. The newcomer Security Protection only runs in regular mode.

The GMER log below is from regular mode, after RKill to allow it to run. As soon as it starts it detects a presence of a rootkit and at the end of the scan it pops up a window with "WARNING !!! GMER has found system modification caused by ROOTKIT activity."

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-18 14:22:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST380215A rev.3.AAD
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwtcraow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\WINDOWS\system32\wuauclt.exe[3700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0160000A
.text C:\WINDOWS\system32\wuauclt.exe[3700] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0161000A
.text C:\WINDOWS\system32\wuauclt.exe[3700] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 015F000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82EE731B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 82EE731B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82EE731B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 82EE731B

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Edited by zentomed, 18 August 2011 - 01:47 PM.
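The "User code sections" block in the GMER log above says the same three ntdll entry points (NtProtectVirtualMemory, NtWriteVirtualMemory, KiUserExceptionDispatcher) are overwritten with a 5-byte JMP in both svchost.exe and wuauclt.exe, and that each JMP lands at an address far below ntdll (00D6000A, 0160000A, and so on), i.e. in privately allocated memory rather than in any loaded module. The script below is an added example, not GMER's code and not from the original post. It parses those six lines, groups the hooks per process, and shows what the five patch bytes actually are: the opcode E9 followed by a little-endian rel32 computed from the hook address and its target. The ntdll address range used to classify a JMP as leaving the module is an assumption for illustration; the log itself does not state where ntdll is mapped on this machine.

```python
import re
from collections import defaultdict

# The six hook lines copied from the GMER "User code sections" output above.
GMER_LINES = r"""
.text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\WINDOWS\system32\wuauclt.exe[3700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0160000A
.text C:\WINDOWS\system32\wuauclt.exe[3700] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0161000A
.text C:\WINDOWS\system32\wuauclt.exe[3700] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 015F000C
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})$"
)

# ASSUMPTION for illustration only: the log does not say where ntdll.dll is
# mapped on this machine; XP SP3 commonly maps it near 0x7C900000.
ASSUMED_NTDLL = (0x7C900000, 0x7C9B0000)


def parse_hooks(text):
    """One dict per '.text ... JMP ...' line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "image": m["image"], "pid": int(m["pid"]),
                "module": m["module"], "func": m["func"],
                "addr": int(m["addr"], 16), "size": int(m["size"]),
                "target": int(m["target"], 16),
            })
    return hooks


def jmp_rel32(addr, target):
    """rel32 operand of an E9 JMP placed at addr that lands on target (32-bit wrap)."""
    return (target - (addr + 5)) & 0xFFFFFFFF


def encode_jmp(addr, target):
    """The 5 patch bytes GMER reports as '5 Bytes JMP target'."""
    return b"\xe9" + jmp_rel32(addr, target).to_bytes(4, "little")


def decode_jmp(addr, code):
    """Inverse of encode_jmp: target of the JMP at addr, or None if the bytes are not E9 rel32."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def hooks_by_process(hooks):
    """{(image, pid): {function: target}} so identical hook sets stand out."""
    grouped = defaultdict(dict)
    for h in hooks:
        grouped[(h["image"].lower(), h["pid"])][h["func"]] = h["target"]
    return dict(grouped)


def classify(hook, module_range=ASSUMED_NTDLL):
    """'trampoline-outside-module' when the JMP leaves the hooked module's image."""
    lo, hi = module_range
    return "in-module" if lo <= hook["target"] < hi else "trampoline-outside-module"


if __name__ == "__main__":
    hooks = parse_hooks(GMER_LINES)
    for (image, pid), funcs in hooks_by_process(hooks).items():
        print(f"{image} [{pid}]")
        for func, target in funcs.items():
            print(f"  {func:26} -> {target:08X}")
    h = hooks[0]
    print(f"patch bytes at {h['addr']:08X}:", encode_jmp(h["addr"], h["target"]).hex())
```

For the first line the displacement is 00D6000A - (7C90D6EE + 5) wrapped to 32 bits, so the bytes at 7C90D6EE read E9 17 29 45 84; a clean NtProtectVirtualMemory begins with its normal stub instead. The same patch at the same three exports in two unrelated processes, all jumping into non-module memory, is the signature of one injected component rather than of any legitimate hooking product, which is why GMER raises the rootkit warning before it even reaches the disk sectors.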


#4 Elise

Posted 19 August 2011 - 03:40 AM

Hello, my name is Elise and I will assist you with this issue.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


Malware analyst @ Emsisoft
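GMER reported "TDL4@MBR code has been found" for sector 0, and the TDSSKiller run that follows in this thread prints a line of the form "MBR (0x1B8) (hash)". The 0x1B8 is the size of the bootstrap-code area of a master boot record: bytes 0x000 to 0x1B7 hold the code, 0x1B8 holds the 4-byte disk signature, 0x1BE the four 16-byte partition entries and 0x1FE the 55 AA marker, so a hash over the first 0x1B8 bytes covers exactly the part a bootkit replaces while leaving the partition table intact. The script below is an added example, not TDSSKiller's or GMER's code and not from any post in this thread. It parses a 512-byte MBR image, hashes the code area, compares it with a hash recorded while the disk was known to be clean, and applies a few structural sanity checks. The two sector images are constructed in the script; the "clean" bootstrap bytes are a stand-in, not Microsoft's real loader.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 0x1B8       # bootstrap code occupies 0x000..0x1B7
DISK_SIG_OFF = 0x1B8   # 4-byte NT disk signature
PT_OFF = 0x1BE         # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE   # 55 AA


def make_partition(bootable, ptype, lba_start, sectors):
    """One 16-byte partition entry; CHS fields are zeroed (LBA is enough for a check)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, sectors)


def build_mbr(code, disk_signature, partitions):
    """Assemble a 512-byte MBR image from its parts (used here to construct test data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:CODE_LEN] = code[:CODE_LEN].ljust(CODE_LEN, b"\x00")
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    sector[PT_OFF:PT_OFF + 64] = b"".join(partitions).ljust(64, b"\x00")
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Split a raw sector into code hash, disk signature, partition table and boot marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, PT_OFF + 16 * i)
        if ptype or lba or count:          # skip empty slots
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "code_md5": hashlib.md5(sector[:CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "valid_boot_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def check_mbr(sector, baseline_code_md5):
    """Compare a sector image with a code hash recorded while the machine was clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_boot_signature"]:
        findings.append("missing-55aa-signature")
    if info["code_md5"] != baseline_code_md5:
        findings.append("boot-code-hash-mismatch")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("active-partition-count-not-one")
    if any(p["lba_start"] == 0 for p in info["partitions"]):
        findings.append("partition-starts-at-lba0")
    return findings


# ---- constructed sample data (not real disk images) ----
PARTITIONS = [make_partition(True, 0x07, 63, 156296322)]           # one NTFS partition
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 24     # stand-in boot code
TAMPERED_CODE = b"\xEB\x20" + b"\x00" * 30 + b"\xE8\x00\x00"         # same table, other code
CLEAN_MBR = build_mbr(CLEAN_CODE, 0x12345678, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_CODE, 0x12345678, PARTITIONS)
BASELINE_MD5 = parse_mbr(CLEAN_MBR)["code_md5"]   # record this while the disk is known-good

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, parse_mbr(img)["code_md5"], check_mbr(img, BASELINE_MD5) or "OK")
```

The tampered image keeps the partition table, disk signature and 55 AA marker, so every structural check passes and only the code hash gives it away; that is also why the machine still boots normally with the rootkit in place. The 32 hex digits in TDSSKiller's MBR line are MD5-length, so the same comparison (hash of the first 0x1B8 bytes against a known-good value) is presumably what that line lets you repeat by hand after a cure and reboot. On a live system the sector would be read from \\.\PhysicalDrive0, but with a TDL4-style infection the driver stack itself lies about sector 0 (the atapi DriverStartIo hook in the logs), so read the disk from clean boot media rather than from the infected OS.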


#5 zentomed

Posted 19 August 2011 - 09:32 AM

I am going to try to clean this computer, but I will notify the owner of the warning.

I ran the TDSSKiller in Safe Mode as it was not running in regular mode. Perhaps if I ran RKill that would have made it possible in regular mode, but I figured I wanted as clean a run as possible. I am only posting the log for the Safe Mode run as the regular mode attempt log is rather short for obvious reasons.

2011/08/19 10:16:19.0546 1116 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
2011/08/19 10:16:19.0546 1116 ================================================================================
2011/08/19 10:16:19.0546 1116 SystemInfo:
2011/08/19 10:16:19.0546 1116
2011/08/19 10:16:19.0546 1116 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/19 10:16:19.0546 1116 Product type: Workstation
2011/08/19 10:16:19.0546 1116 ComputerName: COMPAQPC-7C2E51
2011/08/19 10:16:19.0546 1116 UserName: Owner
2011/08/19 10:16:19.0546 1116 Windows directory: C:\WINDOWS
2011/08/19 10:16:19.0546 1116 System windows directory: C:\WINDOWS
2011/08/19 10:16:19.0546 1116 Processor architecture: Intel x86
2011/08/19 10:16:19.0546 1116 Number of processors: 1
2011/08/19 10:16:19.0546 1116 Page size: 0x1000
2011/08/19 10:16:19.0546 1116 Boot type: Safe boot
2011/08/19 10:16:19.0546 1116 ================================================================================
2011/08/19 10:16:24.0828 1116 Initialize success
2011/08/19 10:16:38.0875 1156 ================================================================================
2011/08/19 10:16:38.0875 1156 Scan started
2011/08/19 10:16:38.0875 1156 Mode: Manual;
2011/08/19 10:16:38.0875 1156 ================================================================================
2011/08/19 10:16:41.0468 1156 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/19 10:16:41.0828 1156 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/19 10:16:42.0453 1156 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/08/19 10:16:42.0890 1156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/19 10:16:43.0343 1156 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/08/19 10:16:47.0250 1156 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/19 10:16:47.0984 1156 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/19 10:16:49.0000 1156 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/19 10:16:49.0609 1156 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/19 10:16:50.0234 1156 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/19 10:16:51.0109 1156 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/19 10:16:52.0000 1156 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/19 10:16:52.0531 1156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/19 10:16:53.0093 1156 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/19 10:16:55.0890 1156 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/19 10:16:56.0734 1156 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/19 10:16:57.0421 1156 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/19 10:16:57.0796 1156 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/19 10:16:58.0156 1156 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/19 10:16:58.0859 1156 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/19 10:16:59.0250 1156 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/08/19 10:16:59.0859 1156 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/19 10:17:00.0218 1156 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/19 10:17:00.0578 1156 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/19 10:17:00.0890 1156 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/19 10:17:01.0218 1156 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/08/19 10:17:01.0593 1156 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/19 10:17:01.0953 1156 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/19 10:17:02.0421 1156 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/19 10:17:02.0859 1156 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/19 10:17:03.0671 1156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/19 10:17:04.0765 1156 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/19 10:17:05.0406 1156 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/08/19 10:17:06.0125 1156 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/19 10:17:06.0843 1156 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/08/19 10:17:07.0234 1156 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/19 10:17:07.0609 1156 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/08/19 10:17:07.0984 1156 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/19 10:17:08.0390 1156 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/19 10:17:09.0046 1156 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/19 10:17:09.0531 1156 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/19 10:17:09.0906 1156 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/19 10:17:10.0281 1156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/19 10:17:10.0718 1156 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/19 10:17:11.0156 1156 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/19 10:17:11.0578 1156 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/19 10:17:12.0375 1156 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/19 10:17:12.0812 1156 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/19 10:17:13.0171 1156 MOSUMAC (851311359815de7482417ed78be9460b) C:\WINDOWS\system32\DRIVERS\MOSUMAC.SYS
2011/08/19 10:17:14.0796 1156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/19 10:17:15.0156 1156 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/19 10:17:15.0578 1156 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/19 10:17:16.0843 1156 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/19 10:17:17.0421 1156 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/19 10:17:17.0953 1156 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/19 10:17:18.0328 1156 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/19 10:17:18.0718 1156 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/19 10:17:19.0031 1156 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/19 10:17:19.0421 1156 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/19 10:17:19.0890 1156 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/19 10:17:20.0500 1156 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/19 10:17:20.0921 1156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/19 10:17:21.0406 1156 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/19 10:17:21.0812 1156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/19 10:17:22.0203 1156 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/19 10:17:22.0578 1156 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/19 10:17:23.0015 1156 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/19 10:17:23.0562 1156 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/19 10:17:24.0125 1156 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/19 10:17:24.0703 1156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/19 10:17:25.0015 1156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/19 10:17:25.0375 1156 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/19 10:17:25.0828 1156 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/19 10:17:26.0187 1156 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/19 10:17:26.0515 1156 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/19 10:17:26.0921 1156 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/19 10:17:27.0593 1156 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/08/19 10:17:27.0937 1156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/19 10:17:30.0328 1156 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/19 10:17:30.0781 1156 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/19 10:17:31.0171 1156 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/19 10:17:33.0203 1156 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/19 10:17:33.0578 1156 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/19 10:17:33.0984 1156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/19 10:17:34.0359 1156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/19 10:17:34.0781 1156 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/19 10:17:35.0218 1156 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/19 10:17:35.0703 1156 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/19 10:17:36.0187 1156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/19 10:17:36.0562 1156 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/08/19 10:17:36.0968 1156 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/08/19 10:17:37.0359 1156 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/08/19 10:17:37.0625 1156 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/19 10:17:37.0843 1156 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/19 10:17:38.0234 1156 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/19 10:17:38.0609 1156 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/19 10:17:38.0968 1156 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/19 10:17:39.0406 1156 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/19 10:17:40.0281 1156 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
2011/08/19 10:17:41.0109 1156 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/19 10:17:41.0500 1156 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/19 10:17:42.0062 1156 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/19 10:17:42.0531 1156 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/19 10:17:42.0937 1156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/19 10:17:44.0546 1156 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/19 10:17:45.0140 1156 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/19 10:17:45.0656 1156 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/19 10:17:45.0984 1156 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/19 10:17:46.0281 1156 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/19 10:17:47.0046 1156 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/19 10:17:47.0859 1156 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/19 10:17:48.0328 1156 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/19 10:17:48.0703 1156 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/19 10:17:49.0031 1156 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/19 10:17:49.0406 1156 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/19 10:17:49.0796 1156 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/19 10:17:50.0140 1156 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/19 10:17:50.0531 1156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/19 10:17:51.0218 1156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/19 10:17:51.0625 1156 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/19 10:17:52.0187 1156 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/08/19 10:17:53.0031 1156 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/19 10:17:53.0609 1156 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/08/19 10:17:54.0046 1156 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/19 10:17:54.0453 1156 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/19 10:17:54.0656 1156 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/08/19 10:17:54.0687 1156 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/19 10:17:54.0718 1156 Boot (0x1200) (8a4540430d3436497a68be16f3078ab9) \Device\Harddisk0\DR0\Partition0
2011/08/19 10:17:54.0765 1156 ================================================================================
2011/08/19 10:17:54.0765 1156 Scan finished
2011/08/19 10:17:54.0765 1156 ================================================================================
2011/08/19 10:17:54.0812 1148 Detected object count: 1
2011/08/19 10:17:54.0812 1148 Actual detected object count: 1
2011/08/19 10:18:17.0421 1148 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/19 10:18:17.0421 1148 \Device\Harddisk0\DR0 - ok
2011/08/19 10:18:17.0421 1148 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/19 10:18:24.0031 1084 Deinitialize success

Edited by zentomed, 19 August 2011 - 09:33 AM.


#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:52 PM

Posted 19 August 2011 - 10:54 AM

Hi again, please delete any old copy of combofix you might still have before continuing.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 zentomed
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 19 August 2011 - 12:58 PM

I ran Combofix in regular mode after an RKill run, as it would not run in regular mode otherwise. During the run, roughly 5 pop-up windows appeared, all with the same message. They all occurred during stages 3 and 4.

---
pev.cfxxe has encountered a problem and need to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

DEBUG CLOSE
---

Combofix did complete and produce a log, which is posted below.

It appears that a SuperAntiSpyware DLL was present during the Combofix run, but there was nothing in the System Tray to indicate it was running. The only icons were the volume control, the network status (disconnected), and the fake "System Warnings". SuperAntiSpyware Real-time protection should not have been on as it is disabled in the software.

The fake pop-up warnings and system tray messages persist. I have not rebooted the computer yet.


ComboFix 11-08-18.03 - Owner 08/19/2011 13:34:15.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.433 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\defender.exe
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\All Users\Start Menu\Programs\evtsmsgdiag.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
.
2011-08-19 17:43 . 2011-08-19 17:43 171008 ----a-w- c:\documents and settings\LocalService\editcscsvc.exe
2011-08-11 19:55 . 2011-08-11 19:55 68608 ----a-w- c:\program files\catscancpl.exe
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-10 22:56 . 2011-08-11 18:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 22:56 . 2011-08-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-10 17:04 . 2011-08-10 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 02:43 . 2011-08-04 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-03 20:41 . 2011-08-10 17:01 0 ----a-w- c:\windows\Pvoqec.bin
2011-08-03 20:40 . 2011-08-03 20:40 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-24 01:34 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-24 01:32 . 2008-03-27 20:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-07-24 01:32 . 2011-07-24 01:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- C:\Temp
2011-07-24 01:32 . 2011-07-24 01:39 -------- d-----w- c:\program files\Motorola
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-08-10_19.09.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-19 14:20 . 2011-08-19 14:20 16384 c:\windows\temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-10 4600704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-30 273544]
"Athan"="c:\program files\Athan\Athan.exe" [2011-03-19 1183744]
"catscancpl.exe"="c:\program files\catscancpl.exe" [2011-08-11 68608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*catscancpl.exe"="c:\program files\catscancpl.exe" [2011-08-11 68608]
"*editcscsvc.exe"="c:\documents and settings\LocalService\editcscsvc.exe" [2011-08-19 171008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OptimumLink.lnk - c:\program files\Optimum Link\OptimumLink.exe [2011-6-17 689624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Prayer Call 4.0.lnk - c:\program files\Prayer Times 4\Adhnqq06.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Optimum Link\\OptimumLink.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/8/2011 4:41 PM 116608]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/7/2009 3:12 PM 44160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - fwtcraow
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-19 c:\windows\Tasks\User_Feed_Synchronization-{9B9579AD-79DC-4425-A9E9-939F2CCA41B4}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: Interfaces\{3CBB61B2-CB2A-4706-84C3-C2B07E167A8E}: NameServer = 71.250.0.12,68.237.161.12
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-*evtsmsgdiag.exe - c:\documents and settings\All Users\Start Menu\Programs\evtsmsgdiag.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-19 13:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-19 13:48:28
ComboFix-quarantined-files.txt 2011-08-19 17:48
ComboFix2.txt 2011-08-11 20:00
ComboFix3.txt 2011-08-10 22:40
ComboFix4.txt 2011-08-10 19:30
.
Pre-Run: 61,497,356,288 bytes free
Post-Run: 61,631,610,880 bytes free
.
- - End Of File - - C8952108CA24D45B300DDE8A33A7E1FC

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:52 PM

Posted 19 August 2011 - 02:09 PM

Hi again,

CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"catscancpl.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*catscancpl.exe"=-
"*editcscsvc.exe"=-

Collect::
c:\program files\catscancpl.exe
c:\documents and settings\LocalService\editcscsvc.exe


Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards, Elise




#9 zentomed
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 19 August 2011 - 02:53 PM

Did as instructed. I had not rebooted the computer since the prior ComboFix run as the program had not requested it.

The "pev.cfxxe has encountered a problem..." messages appeared again during stages 3 & 4. However, this time there were new error messages. First, there was an Application Error for catscancpl.exe (The instruction at "0x0040bc02" referenced memory at....") Second, there were two more "encountered a problem" messages, but this time for catscancpl.exe and Gudware SoftWare. Again, after stage 4 there were no more errors. ComboFix rebooted the computer after stage 50. The pop-up boxes and system tray errors reappeared on the reboot, though Security Protection appears to be gone at least.

I did not have the computer connected to the Internet when ComboFix tried to submit the files, but I did reconnect it and used the CF-Submit.htm manual upload. Received a "Your file was successfully submitted" message. I have since disconnected the computer again.

Here's the log:

ComboFix 11-08-18.03 - Owner 08/19/2011 15:18:23.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.199 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
file zipped: c:\documents and settings\LocalService\editcscsvc.exe
file zipped: c:\program files\catscancpl.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\editcscsvc.exe
c:\program files\catscancpl.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
.
2011-08-19 19:26 . 2011-08-19 19:26 68608 ----a-w- c:\documents and settings\All Users\Application Data\cplcacheboot.exe
2011-08-19 19:26 . 2011-08-19 19:26 171008 ----a-w- c:\windows\proxydnsaction.exe
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-10 22:56 . 2011-08-11 18:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 22:56 . 2011-08-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-10 17:04 . 2011-08-10 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 02:43 . 2011-08-04 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-03 20:41 . 2011-08-10 17:01 0 ----a-w- c:\windows\Pvoqec.bin
2011-08-03 20:40 . 2011-08-03 20:40 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-24 01:34 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-24 01:32 . 2008-03-27 20:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-07-24 01:32 . 2011-07-24 01:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- C:\Temp
2011-07-24 01:32 . 2011-07-24 01:39 -------- d-----w- c:\program files\Motorola
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-08-10_19.09.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-19 19:30 . 2011-08-19 19:30 16384 c:\windows\temp\Perflib_Perfdata_720.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-30 273544]
"Athan"="c:\program files\Athan\Athan.exe" [2011-03-19 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*proxydnsaction.exe"="c:\windows\proxydnsaction.exe" [2011-08-19 171008]
"*cplcacheboot.exe"="c:\documents and settings\All Users\Application Data\cplcacheboot.exe" [2011-08-19 68608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OptimumLink.lnk - c:\program files\Optimum Link\OptimumLink.exe [2011-6-17 689624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Prayer Call 4.0.lnk - c:\program files\Prayer Times 4\Adhnqq06.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Optimum Link\\OptimumLink.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/8/2011 4:41 PM 116608]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/7/2009 3:12 PM 44160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-19 c:\windows\Tasks\User_Feed_Synchronization-{9B9579AD-79DC-4425-A9E9-939F2CCA41B4}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: Interfaces\{3CBB61B2-CB2A-4706-84C3-C2B07E167A8E}: NameServer = 71.250.0.12,68.237.161.12
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-19 15:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee Security Scan\2.0.181\McUICnt.exe
.
**************************************************************************
.
Completion time: 2011-08-19 15:40:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-19 19:40
ComboFix2.txt 2011-08-19 17:48
ComboFix3.txt 2011-08-11 20:00
ComboFix4.txt 2011-08-10 22:40
ComboFix5.txt 2011-08-19 19:16
.
Pre-Run: 61,636,726,784 bytes free
Post-Run: 61,657,305,088 bytes free
.
- - End Of File - - 1AFE4D684319D3500B605F38F468D98A

Edited by zentomed, 19 August 2011 - 02:55 PM.
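Comparing the two ComboFix logs above shows the pattern of this infection: the two RunOnce values Elise's CFScript removed (catscancpl.exe at 68608 bytes, editcscsvc.exe at 171008 bytes) came straight back as cplcacheboot.exe and proxydnsaction.exe with the same sizes, dropped minutes before the scan into directories where no legitimate autorun binary lives. The following Python script is an added example, not part of this thread and not ComboFix's own tooling: it parses the "Files Created" and "Reg Loading Points" sections, correlates autorun values with freshly created files, and renders what it flags in the CFScript form Elise used (`KillAll::`, `Registry::` with `"value"=-`, `Collect::`). The sample log is constructed from excerpts of the logs posted above; ComboFix's line formats are assumed only as far as those excerpts show them, and the scan time is taken in the same zone as the log's file rows (four hours ahead of the local completion time, matching the `[GMT -4:00]` header).

```python
import re
from datetime import datetime, timedelta

# Constructed sample: excerpts patterned on the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
2011-08-19 19:26 . 2011-08-19 19:26 68608 ----a-w- c:\documents and settings\All Users\Application Data\cplcacheboot.exe
2011-08-19 19:26 . 2011-08-19 19:26 171008 ----a-w- c:\windows\proxydnsaction.exe
2011-08-10 22:56 . 2011-08-11 18:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"Athan"="c:\program files\Athan\Athan.exe" [2011-03-19 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*proxydnsaction.exe"="c:\windows\proxydnsaction.exe" [2011-08-19 171008]
"*cplcacheboot.exe"="c:\documents and settings\All Users\Application Data\cplcacheboot.exe" [2011-08-19 68608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""
# Completion time of the second log, expressed in the zone its file rows use (UTC).
SAMPLE_SCAN_TIME = datetime(2011, 8, 19, 19, 40)

# "created . modified size attrs path" rows; directory rows carry "--------" as size and are skipped.
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
                     r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+) \S+ (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')

# Parent directories where a legitimate autorun binary practically never sits as a bare file.
ODD_PARENT_DIRS = {r"c:\windows", r"c:\program files", r"c:\documents and settings\localservice"}


def parse_files_created(text):
    """Map lower-cased path -> (created, modified, size) for file rows in 'Files Created'."""
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            files[m.group("path").lower()] = (datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
                                              datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
                                              int(m.group("size")))
    return files


def parse_autoruns(text):
    """Return (registry_key, value_name, path, size) tuples from 'Reg Loading Points'."""
    key, out = None, []
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            out.append((key, vm.group("name"), vm.group("path"), int(vm.group("size"))))
    return out


def find_suspicious(text, scan_time, max_age_days=2):
    """Flag autorun values that combine at least two independent warning signs."""
    files = parse_files_created(text)
    findings = []
    for key, name, path, size in parse_autoruns(text):
        reasons = []
        parent = path.rsplit("\\", 1)[0].lower()
        if key.lower().endswith("\\runonce") and name.startswith("*"):
            reasons.append("RunOnce value with '*' prefix (Windows runs these even in Safe Mode)")
        if parent in ODD_PARENT_DIRS or "\\application data\\" in parent + "\\":
            reasons.append("executable dropped directly in %s" % parent)
        info = files.get(path.lower())
        if info:
            created, modified, _ = info
            if abs(scan_time - created) <= timedelta(days=max_age_days):
                reasons.append("file created %s, within %d day(s) of the scan" % (created, max_age_days))
            if created == modified:
                reasons.append("created and modified stamps identical (fresh drop, not an updated install)")
        if len(reasons) >= 2:
            findings.append({"key": key, "name": name, "path": path, "size": size, "reasons": reasons})
    return findings


def to_cfscript(findings):
    """Render findings in the CFScript form used in this thread: delete the values, zip the files."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f["name"])
    lines = ["KillAll::", "", "Registry::"]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % n for n in names)
    lines += ["", "Collect::"] + [f["path"] for f in findings]
    return "\n".join(lines) + "\n"


def analyse_sample():
    return find_suspicious(SAMPLE_LOG, SAMPLE_SCAN_TIME)


if __name__ == "__main__":
    hits = analyse_sample()
    for h in hits:
        print(h["name"], h["path"], h["size"], *h["reasons"], sep="\n  ")
    print(to_cfscript(hits))
```

The two-reason threshold is what keeps ordinary entries out: IgfxTray and ctfmon.exe live under system32 and have no fresh file record, so they collect no reasons at all, while both dropped files tick every box. On a real log the same correlation also catches the case where only the size matches a previously removed file, which is the quickest way to confirm that a "new" name is the same component re-dropped.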


#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:52 PM

Posted 19 August 2011 - 03:27 PM

Hi again,

Please click HERE to download Kaspersky Virus Removal Tool (click on the Download link for Version 11).
NOTE. This is quite a large file, so be patient.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button Posted Image
    • In Scan scope leave pre-checked items as they are and also checkmark My Computer
    • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button Posted Image then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

regards, Elise




#11 zentomed
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 19 August 2011 - 07:02 PM

I installed and ran the tool as instructed. In the middle of the scan (7% in, I believe), it found one active threat and prompted me whether to clean it, and that the fix would require a reboot. I clicked to continue and Kaspersky rebooted the machine. The pop-up errors and system tray warnings are gone.

Unfortunately, the Kaspersky client restarted with an unusable window - all the buttons were "invisible", revealing the desktop behind it - and I could not get to the report button. After I killed that window, I tried running the program again from the desktop which succeeded in starting up, but it had nothing in the reports. Upon a reboot, I am getting messages that it is trying to run a program, which I am pretty sure is Kaspersky, but cannot find it. So it appears that I cannot produce the log for the active threat.

After that, I re-ran Kaspersky since it did not complete the last time. It found additional threats, which were fixed automatically. That log is below.

Status: Deleted (events: 11)
8/19/2011 6:31:26 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a File C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\ 7d358f61-520e4519 High
8/19/2011 6:31:27 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a File C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\ 7d358f61-1117c518 High
8/19/2011 6:31:27 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a File C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\ 7d358f61-71c2ca14 High
8/19/2011 7:04:59 PM Deleted Trojan program Trojan.Win32.FakeAV.ehdj File C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ defender.exe.vir High
8/19/2011 7:05:02 PM Deleted Trojan program Trojan-Downloader.Win32.Mufanom.boqe File C:\Qoobox\Quarantine\C\WINDOWS\ igwmalat.dll.vir High
8/19/2011 7:13:22 PM Deleted adware not-a-virus:AdWare.Win32.Gamevance.cwf File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP340\ A0033045.exe Medium
8/19/2011 7:13:23 PM Deleted adware not-a-virus:AdWare.Win32.Gamevance.fey File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP340\ A0033052.exe Medium
8/19/2011 7:13:22 PM Deleted adware not-a-virus:AdWare.Win32.Gamevance.dbt File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP340\ A0033053.dll Medium
8/19/2011 7:25:50 PM Deleted Trojan program Trojan-Downloader.Win32.Mufanom.boqe File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP370\ A0042694.dll High
8/19/2011 7:25:51 PM Deleted Trojan program Packed.Win32.Krap.hc File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP370\ A0042766.dll High
8/19/2011 7:26:52 PM Deleted Trojan program Trojan.Win32.FakeAV.ehdj File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP375\ A0046202.exe High
Status: Quarantined (events: 5)
8/19/2011 7:05:00 PM Quarantined virus HEUR:Trojan.Win32.Generic File C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\ catstreamapp.exe.vir High
8/19/2011 7:04:43 PM Quarantined virus HEUR:Trojan.Win32.Generic File C:\Qoobox\Quarantine\[4]-Submit_2011-08-19_15.18.15.zip/ catscancpl.exe High
8/19/2011 7:25:51 PM Quarantined virus HEUR:Trojan.Win32.Generic File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP371\ A0042930.exe High
8/19/2011 7:26:21 PM Quarantined virus HEUR:Trojan.Win32.Generic File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP371\ A0043051.exe High
8/19/2011 7:32:57 PM Quarantined virus HEUR:Trojan.Win32.Generic File C:\System Volume Information\_restore{6C69749D-24E9-4902-B92D-BD58A51F7144}\RP375\ A0046280.exe High
Status: Disinfected (events: 1)
8/19/2011 7:04:43 PM Disinfected virus HEUR:Trojan.Win32.Generic File C:\Qoobox\Quarantine\ [4]-Submit_2011-08-19_15.18.15.zip High

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 20 August 2011 - 02:08 AM

Please rerun Combofix now and post me the new log.

regards, Elise




#13 zentomed

zentomed
  • Topic Starter

  • Members
  • 40 posts

Posted 22 August 2011 - 09:21 AM

Rebooted the computer, downloaded the latest version of ComboFix, and ran it in regular mode. No errors during the run this time.

ComboFix 11-08-22.03 - Owner 08/22/2011 10:01:18.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.504 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\proxydnsaction.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-22 to 2011-08-22 )))))))))))))))))))))))))))))))
.
.
2011-08-22 14:10 . 2011-08-22 14:10 171008 ----a-w- c:\documents and settings\All Users\Application Data\cachecryptaudit.exe
2011-08-19 21:56 . 2011-08-20 03:08 133208 ----a-w- c:\windows\system32\drivers\13513799.sys
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-10 22:56 . 2011-08-11 18:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 22:56 . 2011-08-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-10 17:04 . 2011-08-10 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 02:43 . 2011-08-04 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-03 20:41 . 2011-08-10 17:01 0 ----a-w- c:\windows\Pvoqec.bin
2011-08-03 20:40 . 2011-08-03 20:40 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-24 01:34 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-24 01:32 . 2008-03-27 20:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-07-24 01:32 . 2011-07-24 01:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- C:\Temp
2011-07-24 01:32 . 2011-07-24 01:39 -------- d-----w- c:\program files\Motorola
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-08-10_19.09.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-22 13:55 . 2011-08-22 13:55 16384 c:\windows\temp\Perflib_Perfdata_6f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-30 273544]
"Athan"="c:\program files\Athan\Athan.exe" [2011-03-19 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*cachecryptaudit.exe"="c:\documents and settings\All Users\Application Data\cachecryptaudit.exe" [2011-08-22 171008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OptimumLink.lnk - c:\program files\Optimum Link\OptimumLink.exe [2011-6-17 689624]
_uninst_13513799.lnk - c:\documents and settings\Owner\Local Settings\temp\_uninst_13513799.bat [N/A]
_uninst_21508886.lnk - c:\documents and settings\Owner\Local Settings\temp\_uninst_21508886.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Prayer Call 4.0.lnk - c:\program files\Prayer Times 4\Adhnqq06.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Optimum Link\\OptimumLink.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 13513799;13513799;c:\windows\system32\drivers\13513799.sys [8/19/2011 5:56 PM 133208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/8/2011 4:41 PM 116608]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/7/2009 3:12 PM 44160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - 45912245
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-22 c:\windows\Tasks\User_Feed_Synchronization-{9B9579AD-79DC-4425-A9E9-939F2CCA41B4}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: Interfaces\{3CBB61B2-CB2A-4706-84C3-C2B07E167A8E}: NameServer = 71.250.0.12,68.237.161.12
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-proxydnsaction.exe - c:\windows\proxydnsaction.exe
HKLM-Run-cplcacheboot.exe - c:\documents and settings\All Users\Application Data\cplcacheboot.exe
HKLM-RunOnce-*proxydnsaction.exe - c:\windows\proxydnsaction.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-22 10:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-22 10:18:43
ComboFix-quarantined-files.txt 2011-08-22 14:18
ComboFix2.txt 2011-08-19 19:40
ComboFix3.txt 2011-08-19 17:48
ComboFix4.txt 2011-08-11 20:00
ComboFix5.txt 2011-08-22 13:58
.
Pre-Run: 60,441,243,648 bytes free
Post-Run: 61,561,769,984 bytes free
.
- - End Of File - - 19FECD6BCAD40B6F12294E7B248D9D4E

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 22 August 2011 - 10:17 AM

How are things running at this point? Do you have any problems left?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*cachecryptaudit.exe"=-

File::
c:\documents and settings\All Users\Application Data\cachecryptaudit.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise




#15 zentomed

zentomed
  • Topic Starter

  • Members
  • 40 posts

Posted 22 August 2011 - 02:34 PM

The computer appears to be functioning normally. There are no more pop-up warnings or system tray messages and even Task Manager is working again. I have not attached the computer back to the Internet yet though.

Now that the computer is functional, I can verify that the computer lacks any anti-virus software, or at least any functional anti-virus software. Fixing that issue will be the first priority once we are done here. It also helps to explain how this computer ended up in this mess in the first place.

Here's the log. No errors.

ComboFix 11-08-22.03 - Owner 08/22/2011 15:04:48.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.373 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\All Users\Application Data\cachecryptaudit.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\cachecryptaudit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-22 to 2011-08-22 )))))))))))))))))))))))))))))))
.
.
2011-08-22 19:13 . 2011-08-22 19:13 171008 ----a-w- c:\documents and settings\LocalService\cryptevtsauto.exe
2011-08-19 21:56 . 2011-08-20 03:08 133208 ----a-w- c:\windows\system32\drivers\13513799.sys
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-08-10 22:57 . 2011-08-10 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-10 22:56 . 2011-08-11 18:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 22:56 . 2011-08-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-10 17:04 . 2011-08-10 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-10 17:03 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 17:03 . 2011-08-10 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-04 02:43 . 2011-08-04 02:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-03 20:41 . 2011-08-10 17:01 0 ----a-w- c:\windows\Pvoqec.bin
2011-08-03 20:40 . 2011-08-03 20:40 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-24 01:34 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-24 01:32 . 2008-03-27 20:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-07-24 01:32 . 2011-07-24 01:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-07-24 01:32 . 2011-07-24 01:32 -------- d-----w- C:\Temp
2011-07-24 01:32 . 2011-07-24 01:39 -------- d-----w- c:\program files\Motorola
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-08-10_19.09.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-22 13:55 . 2011-08-22 13:55 16384 c:\windows\temp\Perflib_Perfdata_6f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-30 273544]
"Athan"="c:\program files\Athan\Athan.exe" [2011-03-19 1183744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*cryptevtsauto.exe"="c:\documents and settings\LocalService\cryptevtsauto.exe" [2011-08-22 171008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OptimumLink.lnk - c:\program files\Optimum Link\OptimumLink.exe [2011-6-17 689624]
_uninst_13513799.lnk - c:\documents and settings\Owner\Local Settings\temp\_uninst_13513799.bat [N/A]
_uninst_21508886.lnk - c:\documents and settings\Owner\Local Settings\temp\_uninst_21508886.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Prayer Call 4.0.lnk - c:\program files\Prayer Times 4\Adhnqq06.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Optimum Link\\OptimumLink.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 13513799;13513799;c:\windows\system32\drivers\13513799.sys [8/19/2011 5:56 PM 133208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/8/2011 4:41 PM 116608]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 4:17 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/7/2009 3:12 PM 44160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - 45912245
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 20:17]
.
2011-08-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-448539723-1606980848-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-08-22 c:\windows\Tasks\User_Feed_Synchronization-{9B9579AD-79DC-4425-A9E9-939F2CCA41B4}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: Interfaces\{3CBB61B2-CB2A-4706-84C3-C2B07E167A8E}: NameServer = 71.250.0.12,68.237.161.12
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-*proxydnsaction.exe - c:\windows\proxydnsaction.exe
HKLM-RunOnce-*cachecryptaudit.exe - c:\documents and settings\All Users\Application Data\cachecryptaudit.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-22 15:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-08-22 15:25:19
ComboFix-quarantined-files.txt 2011-08-22 19:25
ComboFix2.txt 2011-08-22 14:18
ComboFix3.txt 2011-08-19 19:40
ComboFix4.txt 2011-08-19 17:48
ComboFix5.txt 2011-08-22 19:02
.
Pre-Run: 61,567,942,656 bytes free
Post-Run: 61,561,257,984 bytes free
.
- - End Of File - - D59672BECA85F76F7D05791206824B7E
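The two ComboFix logs above (posts #13 and #15) show why Elise targets the RunOnce entry: the FakeAV drops a fresh, randomly named copy of itself (cachecryptaudit.exe, then cryptevtsauto.exe) into a user-writable data directory, registers it under RunOnce with a value name starting with `*` (Windows runs such RunOnce values even in Safe Mode), and sets the Security Center override values so the missing-antivirus warning never appears. As an added example that is not part of this thread and not ComboFix's own tooling, the Python script below applies that same triage to the "Reg Loading Points" section of a ComboFix log. The embedded log excerpt is constructed from the entries posted above; the list of trusted launch directories is an assumption made for illustration.

```python
import re

# Constructed excerpt in ComboFix's "Reg Loading Points" format. The entries
# are copied from the logs posted in this thread; the set is deliberately small.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*cachecryptaudit.exe"="c:\documents and settings\All Users\Application Data\cachecryptaudit.exe" [2011-08-22 171008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# Assumption for this example: autorun targets are expected to live under one
# of these roots; anything else (Application Data, LocalService, Temp, ...) is
# worth a closer look.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\")

REASON_SAFE_MODE = "RunOnce value name starts with '*': runs even in Safe Mode"
REASON_DATA_DIR = "autorun target is outside System32 / Program Files"
REASON_SC_OVERRIDE = "Security Center override set: AV/firewall warnings suppressed"

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
DWORD_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def is_autorun_key(key):
    """True for ...\\Run and ...\\RunOnce keys, case-insensitively."""
    k = key.lower()
    return k.endswith("\\run") or k.endswith("\\runonce")


def analyze(log_text):
    """Return a list of findings, one dict per suspicious value line."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # new registry key section
            continue
        if key is None or not line or line == ".":
            continue                  # ComboFix separator or preamble

        m = DWORD_VALUE_RE.match(line)
        if m and key.lower().endswith("\\security center"):
            name, value = m.group(1), int(m.group(2), 16)
            if name.endswith("Override") and value == 1:
                findings.append({"key": key, "name": name,
                                 "target": value, "reason": REASON_SC_OVERRIDE})
            continue

        m = STR_VALUE_RE.match(line)
        if m and is_autorun_key(key):
            name, target = m.group(1), m.group(2)
            if name.startswith("*") and key.lower().endswith("\\runonce"):
                findings.append({"key": key, "name": name,
                                 "target": target, "reason": REASON_SAFE_MODE})
            if not target.lower().startswith(TRUSTED_ROOTS):
                findings.append({"key": key, "name": name,
                                 "target": target, "reason": REASON_DATA_DIR})
    return findings


def flagged_names(log_text):
    """Sorted, de-duplicated value names that produced at least one finding."""
    return sorted({f["name"] for f in analyze(log_text)})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['reason']}] {f['key']} :: {f['name']} -> {f['target']}")
```

Run against the excerpt, the script flags the starred RunOnce value twice (Safe Mode flag and Application Data location) and both Security Center overrides, while the vendor entries under System32 and Program Files pass. The same rules pick up the replacement `*cryptevtsauto.exe` under `c:\documents and settings\LocalService\` in the post #15 log, which is how a reader can see the infection re-seeding itself between ComboFix runs.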



