Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchost.exe and possible virus (WORM_RORPIAN.D)?


  • This topic is locked This topic is locked
26 replies to this topic

#1 aquadeath2

aquadeath2

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 21 August 2011 - 06:49 PM

Hello,

I was receiving help in the "Am I infected? What do I do?" forum under topic #414813 and I was instructed to create a topic in this forum. My initial problem was that after a half hour or so my internet seemed to stop working and I noticed that the memory usage of an svchost.exe process in task manager was over a million. After some help and running several tools, that -seems- to have been resolved but I'm not 100% positive. However, I believe something is still wrong with my computer. Trend seems to take longer to load when my computer boots up (several minutes instead of 1 or 2) and my internet will not work until a couple minutes longer after when Trend finishes loading. Also, every 15 seconds or so, Trend will quarantine the file srvB2C.tmp saying it's the virus WORM_RORPIAN.D. Below and attached are the initial logs required in this forum. Thank you very much for your help.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Jason Reinhard at 15:20:52 on 2011-08-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1070 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Trend Micro Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://google.com
uDefault_Page_URL = about:blank
uDefault_Search_URL = hxxp://google.com
mDefault_Page_URL = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194497498187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194497457718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 204.186.110.76 216.144.187.37
TCP: Interfaces\{CF77A641-00D6-4676-BFC7-345F3518F17B} : DhcpNameServer = 204.186.110.76 216.144.187.37
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jason reinhard\application data\mozilla\firefox\profiles\2hqnyucz.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-19 64512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-8-20 3029208]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-4-1 67400]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-7-31 50256]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-15 36368]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2007-11-8 598856]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-2-15 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~3\TmPfw.exe [2008-7-31 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-7-31 648456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-7-21 2151640]
S2 mswyvfrlqork;mswyvfrlqork;\??\c:\windows\system32\drivers\zrisyepxcdozcp.sys --> c:\windows\system32\drivers\zrisyepxcdozcp.sys [?]
S2 srv1EC;srv1EC;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S2 srvB2C;srvB2C;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-9-7 1527900]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2010-6-19 16640]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
.
=============== Created Last 30 ================
.
2011-08-20 07:25:15 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{1ab99c90-9762-46a7-a1ae-43a86026dc0d}\mpengine.dll
2011-08-20 07:15:36 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-20 00:47:56 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-19 19:10:21 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-19 19:05:44 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-19 19:05:31 -------- d-----w- c:\program files\Lavasoft
2011-08-18 01:41:55 -------- d-----w- c:\documents and settings\all users\application data\SUPERSetup
2011-08-17 20:02:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-17 20:02:50 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-17 20:02:50 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-17 20:02:50 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-17 20:02:50 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-17 20:02:50 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-17 20:02:50 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-17 20:02:50 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-17 02:56:53 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2011-08-17 02:51:25 -------- d-----w- c:\windows\ERUNT
2011-08-16 02:49:06 -------- d-----w- c:\program files\ProcessExplorer
2011-08-11 10:38:20 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 10:37:40 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-08-21 18:37:42 10752 -c--a-w- c:\windows\DCEBoot.exe
2011-08-18 01:31:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 15:21:20.87 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:39 AM

Posted 21 August 2011 - 07:25 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 aquadeath2

aquadeath2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 22 August 2011 - 06:35 AM

Is it safe to disable my AntiVirus protection? It's continuously quarantining a file (hundreds of times) claiming it's the virus mentioned in my initial post...

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:39 AM

Posted 22 August 2011 - 07:13 AM

Yes, you need to disable your antivirus in order for our tools to run properly and clean your machine

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 aquadeath2

aquadeath2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 22 August 2011 - 04:33 PM

Attached is the requested log.

Attached Files



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:39 AM

Posted 22 August 2011 - 06:08 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic415503.html/page__pid__2382179#entry2382179

Collect::
c:\windows\system32\drivers\zrisyepxcdozcp.sys

Driver::
mswyvfrlqork
srv1EC
srvB2C

NetSvc::
srvB2C
srv1EC

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srv1EC]
"servicedll"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srvB2C]
"servicedll"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 aquadeath2

aquadeath2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 22 August 2011 - 06:59 PM

ComboFix 11-08-22.04 - Jason Reinhard 08/22/2011 19:35:09.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1378 [GMT -4:00]
Running from: c:\documents and settings\Jason Reinhard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason Reinhard\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MSWYVFRLQORK
-------\Legacy_SRV1EC
-------\Legacy_SRVB2C
-------\Service_mswyvfrlqork
-------\Service_srv1EC
-------\Service_srvB2C
.
.
((((((((((((((((((((((((( Files Created from 2011-07-22 to 2011-08-22 )))))))))))))))))))))))))))))))
.
.
2011-08-20 07:25 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{1AB99C90-9762-46A7-A1AE-43A86026DC0D}\mpengine.dll
2011-08-20 07:15 . 2011-08-20 11:50 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-20 00:47 . 2011-08-19 19:10 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-19 19:10 . 2011-08-19 19:10 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-19 19:05 . 2011-07-21 18:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-19 19:05 . 2011-08-19 19:05 -------- d-----w- c:\program files\Lavasoft
2011-08-19 19:05 . 2011-08-19 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-08-18 01:41 . 2011-08-18 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
2011-08-17 20:02 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-17 20:02 . 2011-08-12 05:57 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-17 20:02 . 2011-08-12 05:57 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-17 20:02 . 2011-08-12 05:57 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-17 20:02 . 2011-08-12 05:57 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-17 20:02 . 2011-08-12 05:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-17 20:02 . 2011-08-12 03:16 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-17 20:02 . 2011-08-12 03:16 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-17 02:56 . 2011-08-17 02:56 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2011-08-17 02:51 . 2011-08-17 02:51 -------- d-----w- c:\windows\ERUNT
2011-08-16 02:49 . 2011-08-16 02:49 -------- d-----w- c:\program files\ProcessExplorer
2011-08-16 02:31 . 2011-08-16 02:31 -------- d-----w- c:\documents and settings\Administrator
2011-08-14 18:33 . 2011-08-14 18:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-08-13 16:55 . 2011-08-13 16:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-11 10:38 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 10:37 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-21 18:37 . 2010-01-02 19:47 10752 -c--a-w- c:\windows\DCEBoot.exe
2011-08-18 01:31 . 2011-05-24 22:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-12 02:44 . 2010-04-11 16:02 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-15 13:29 . 2002-09-03 16:42 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2002-09-03 16:47 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2010-04-11 15:24 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-04-11 15:24 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2007-11-08 04:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2002-09-03 16:39 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2002-09-03 16:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2002-09-03 17:12 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-19 04:47 . 2011-05-08 06:17 575296 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-06-19 04:43 . 2011-05-08 08:35 205984 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2002-09-03 17:11 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-12 05:57 . 2011-08-17 20:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-22_20.45.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-22 23:45 . 2011-08-22 23:45 16384 c:\windows\temp\Perflib_Perfdata_14c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Registration Tool.lnk
backup=c:\windows\pss\Run Registration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Jason Reinhard^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Jason Reinhard\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSDLL]
SYSDLL [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-11-08 22:17 1953792 -c--a-w- c:\windows\system32\JMRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-03-01 15:37 2321600 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM7\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 -c----r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMTDeviceService]
2010-08-11 18:34 184320 ----a-w- c:\program files\AMT Media Manager\AMTDeviceService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 -c--a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-11-08 22:17 36864 -c--a-w- c:\windows\JM\JMInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-07-06 23:52 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-07-06 23:52 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-12-05 06:41 8523776 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-12-05 06:41 81920 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-28 16:43 1626112 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-08-14 06:00 16050176 -c----r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 -c----r- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-12-17 23:48 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-08-12 21:37 4603264 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
2009-01-31 21:03 1398024 ----a-w- c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-01-30 22:46 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Qnext\\qnextclient.exe"=
"c:\\Program Files\\Activision\\Call To Power 2\\ctp2_program\\ctp\\ctp2.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\patchget.dat"=
"c:\\Program Files\\Hasbro Interactive\\Stratego\\Stratego.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Ubisoft\\Lost Via Domus\\Yeti_Final_Win32.exe"=
"c:\\Program Files\\Ubisoft\\Lost Via Domus\\gu.exe"=
"c:\\Program Files\\Ubisoft\\Lost Via Domus\\detection\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer Generals Zero Hour\\generals.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Server
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/19/2011 3:05 PM 64512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [8/20/2011 3:15 AM 3029208]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 2:59 PM 2151640]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 8:17 PM 67400]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [7/31/2008 7:37 PM 50256]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/15/2008 11:39 PM 36368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [11/8/2007 11:36 PM 598856]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/15/2008 11:39 PM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~3\TmPfw.exe [7/31/2008 7:37 PM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [7/31/2008 7:37 PM 648456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [9/7/2009 2:47 PM 1527900]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [6/19/2010 12:38 AM 16640]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 2:56 PM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/10/2008 1:19 PM 611064]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 2:56 PM 367456]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - LAVASOFT_KERNEXPLORER
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
.
2010-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
.
2011-08-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://google.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 204.186.110.76 216.144.187.37
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jason Reinhard\Application Data\Mozilla\Firefox\Profiles\2hqnyucz.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-22 19:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-602609370-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,c1,7e,2b,06,1f,01,9a,77,d2,d8,23,48,b2,d0,77,c1,83,03,52,32,bf,30,
80,f4,b1,3d,c9,f0,0e,9e,3c,19,16,4a,99,3f,89,6e,bf,ee,ef,a2,50,b6,71,ef,83,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2011-08-22 19:52:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-22 23:52
ComboFix2.txt 2011-08-22 20:47
.
Pre-Run: 141,598,793,728 bytes free
Post-Run: 141,581,029,376 bytes free
.
- - End Of File - - 9AC4E460AA068B0C94A3BE9905BE88AD




2011/08/22 19:58:03.0046 1312 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
2011/08/22 19:58:03.0296 1312 ================================================================================
2011/08/22 19:58:03.0296 1312 SystemInfo:
2011/08/22 19:58:03.0296 1312
2011/08/22 19:58:03.0296 1312 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/22 19:58:03.0296 1312 Product type: Workstation
2011/08/22 19:58:03.0296 1312 ComputerName: REINYSCOMP
2011/08/22 19:58:03.0296 1312 UserName: Jason Reinhard
2011/08/22 19:58:03.0296 1312 Windows directory: C:\WINDOWS
2011/08/22 19:58:03.0296 1312 System windows directory: C:\WINDOWS
2011/08/22 19:58:03.0296 1312 Processor architecture: Intel x86
2011/08/22 19:58:03.0296 1312 Number of processors: 2
2011/08/22 19:58:03.0296 1312 Page size: 0x1000
2011/08/22 19:58:03.0296 1312 Boot type: Normal boot
2011/08/22 19:58:03.0296 1312 ================================================================================
2011/08/22 19:58:04.0390 1312 Initialize success
2011/08/22 19:58:10.0093 2164 ================================================================================
2011/08/22 19:58:10.0093 2164 Scan started
2011/08/22 19:58:10.0093 2164 Mode: Manual;
2011/08/22 19:58:10.0093 2164 ================================================================================
2011/08/22 19:58:11.0437 2164 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/22 19:58:11.0484 2164 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/22 19:58:11.0593 2164 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/22 19:58:11.0640 2164 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/08/22 19:58:11.0781 2164 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/22 19:58:12.0421 2164 ASPI32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\ASPI32.sys
2011/08/22 19:58:12.0500 2164 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/22 19:58:12.0515 2164 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/22 19:58:12.0562 2164 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/22 19:58:12.0609 2164 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/22 19:58:12.0640 2164 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/22 19:58:12.0703 2164 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/08/22 19:58:12.0718 2164 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/08/22 19:58:12.0781 2164 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/22 19:58:13.0046 2164 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/22 19:58:13.0203 2164 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/22 19:58:13.0453 2164 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/22 19:58:13.0609 2164 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/22 19:58:13.0671 2164 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/22 19:58:13.0734 2164 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/22 19:58:13.0859 2164 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/22 19:58:13.0906 2164 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/22 19:58:13.0937 2164 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/22 19:58:14.0000 2164 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
2011/08/22 19:58:14.0046 2164 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/22 19:58:14.0078 2164 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/22 19:58:14.0093 2164 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/22 19:58:14.0109 2164 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/22 19:58:14.0156 2164 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/22 19:58:14.0218 2164 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/22 19:58:14.0234 2164 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/22 19:58:14.0296 2164 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/08/22 19:58:14.0375 2164 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/22 19:58:14.0437 2164 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/22 19:58:14.0484 2164 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/22 19:58:14.0562 2164 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/22 19:58:14.0640 2164 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/22 19:58:14.0734 2164 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/22 19:58:14.0921 2164 IntcAzAudAddService (284bcb80391783d328a8d8163e97fd58) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/08/22 19:58:15.0031 2164 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/22 19:58:15.0062 2164 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/22 19:58:15.0093 2164 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/22 19:58:15.0125 2164 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/22 19:58:15.0171 2164 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/22 19:58:15.0234 2164 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/22 19:58:15.0265 2164 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/22 19:58:15.0296 2164 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/22 19:58:15.0343 2164 JGOGO (c995c0e8b4503fac38793bb0236ad246) C:\WINDOWS\system32\DRIVERS\JGOGO.sys
2011/08/22 19:58:15.0343 2164 JRAID (fc7cc3cfef56fdbb55d754b207326a15) C:\WINDOWS\system32\DRIVERS\jraid.sys
2011/08/22 19:58:15.0375 2164 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/22 19:58:15.0437 2164 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/22 19:58:15.0453 2164 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/22 19:58:15.0515 2164 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/22 19:58:15.0640 2164 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/08/22 19:58:15.0781 2164 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/08/22 19:58:15.0968 2164 Memctl (6dc926c53624755b07cfe254f3845afa) C:\Program Files\U-ABIT\FlashMenu\Memctl.sys
2011/08/22 19:58:16.0062 2164 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/22 19:58:16.0109 2164 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/22 19:58:16.0140 2164 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/22 19:58:16.0203 2164 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/22 19:58:16.0265 2164 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/22 19:58:16.0328 2164 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/22 19:58:16.0406 2164 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/22 19:58:16.0468 2164 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/22 19:58:16.0500 2164 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/22 19:58:16.0515 2164 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/22 19:58:16.0531 2164 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/22 19:58:16.0562 2164 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/22 19:58:16.0625 2164 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/22 19:58:16.0687 2164 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/22 19:58:16.0734 2164 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/22 19:58:16.0765 2164 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/22 19:58:16.0781 2164 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/22 19:58:16.0828 2164 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/22 19:58:16.0890 2164 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/22 19:58:16.0906 2164 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/22 19:58:16.0953 2164 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/22 19:58:16.0984 2164 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/22 19:58:17.0015 2164 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/22 19:58:17.0078 2164 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/22 19:58:17.0281 2164 nv (8c0456001b6900114bbb1c548bd8aaf5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/22 19:58:17.0562 2164 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/22 19:58:17.0625 2164 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/22 19:58:17.0671 2164 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/22 19:58:17.0718 2164 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/08/22 19:58:17.0750 2164 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/22 19:58:17.0781 2164 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/22 19:58:17.0843 2164 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/22 19:58:17.0968 2164 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/22 19:58:18.0000 2164 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/22 19:58:18.0093 2164 Point32 (5c71f7cdd1b4ba5f00b87ca05e414aea) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/08/22 19:58:18.0125 2164 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/22 19:58:18.0140 2164 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/08/22 19:58:18.0156 2164 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/22 19:58:18.0203 2164 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/22 19:58:18.0281 2164 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/22 19:58:18.0343 2164 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/22 19:58:18.0359 2164 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/22 19:58:18.0406 2164 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/22 19:58:18.0421 2164 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/22 19:58:18.0453 2164 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/22 19:58:18.0500 2164 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/22 19:58:18.0531 2164 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/22 19:58:18.0593 2164 RsFx0150 (a95840a95a9ff74b0009e5d848cddb39) C:\WINDOWS\system32\DRIVERS\RsFx0150.sys
2011/08/22 19:58:18.0625 2164 RT25USBAP (9c377dbf9d2d19098db935dc1e8361a3) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
2011/08/22 19:58:18.0671 2164 RTLE8023xp (038e5b050019e6ffbdb048c7fa51d592) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/08/22 19:58:18.0812 2164 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/22 19:58:18.0828 2164 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/22 19:58:18.0984 2164 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/22 19:58:19.0062 2164 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/22 19:58:19.0093 2164 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/22 19:58:19.0140 2164 SI3132 (9604998d0c578608151b6e59266fcae1) C:\WINDOWS\system32\DRIVERS\SI3132.sys
2011/08/22 19:58:19.0156 2164 SiFilter (72cf151fb410e544904dbc7d7f29b796) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
2011/08/22 19:58:19.0250 2164 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/22 19:58:19.0328 2164 sptd (090adc3d9b5730ac3b20bdd5a54e2d28) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/22 19:58:19.0406 2164 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/22 19:58:19.0453 2164 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/22 19:58:19.0484 2164 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/22 19:58:19.0500 2164 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/22 19:58:19.0640 2164 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/22 19:58:19.0718 2164 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/22 19:58:19.0781 2164 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/22 19:58:19.0906 2164 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/22 19:58:19.0953 2164 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/22 19:58:20.0015 2164 tmactmon (02ffe7402fb07f2f64d1ac6866345087) C:\WINDOWS\system32\drivers\tmactmon.sys
2011/08/22 19:58:20.0093 2164 tmcfw (81768f0e47d7597a64f7ad5ad5a08b31) C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
2011/08/22 19:58:20.0156 2164 tmcomm (8762cb58a489b385feef2aea7f7718f3) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/08/22 19:58:20.0171 2164 tmevtmgr (efe60b70fa964459dde55039c5b05be7) C:\WINDOWS\system32\drivers\tmevtmgr.sys
2011/08/22 19:58:20.0234 2164 tmpreflt (c7c7959ec0940e0eddfc881fed8ec214) C:\WINDOWS\system32\DRIVERS\tmpreflt.sys
2011/08/22 19:58:20.0296 2164 tmtdi (c9b16b4f9f063b527cddbb76fb946dfd) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
2011/08/22 19:58:20.0375 2164 tmxpflt (3e615f370f0c7db414b6bcd1c18399d4) C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
2011/08/22 19:58:20.0421 2164 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/22 19:58:20.0484 2164 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/22 19:58:20.0531 2164 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/08/22 19:58:20.0578 2164 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/22 19:58:20.0640 2164 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/22 19:58:20.0656 2164 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/22 19:58:20.0687 2164 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/22 19:58:20.0718 2164 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/22 19:58:20.0750 2164 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/22 19:58:20.0765 2164 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/22 19:58:20.0843 2164 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/22 19:58:20.0921 2164 vsapint (60dfbc34228ca36221b03460789f5d4e) C:\WINDOWS\system32\DRIVERS\vsapint.sys
2011/08/22 19:58:21.0000 2164 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/22 19:58:21.0031 2164 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/22 19:58:21.0156 2164 WINFLASH (01f2026f3c5b9c87cf77a9d233c2d39b) C:\Program Files\U-ABIT\FlashMenu\WinFlash.sys
2011/08/22 19:58:21.0296 2164 WmBEnum (f4beffb095457721f6e678fe4e87a676) C:\WINDOWS\system32\drivers\WmBEnum.sys
2011/08/22 19:58:21.0437 2164 WmFilter (f12a6785f34a321ae35762806b97f58c) C:\WINDOWS\system32\drivers\WmFilter.sys
2011/08/22 19:58:21.0531 2164 WmVirHid (8818190fb4c78d224b92ff4cd369868c) C:\WINDOWS\system32\drivers\WmVirHid.sys
2011/08/22 19:58:21.0578 2164 WmXlCore (e52708c4d0c8406b241260593ec60e0c) C:\WINDOWS\system32\drivers\WmXlCore.sys
2011/08/22 19:58:21.0609 2164 WsAudioDevice_383 (85ece26f326c2d07ba77a60343468272) C:\WINDOWS\system32\drivers\WsAudioDevice_383.sys
2011/08/22 19:58:21.0640 2164 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/22 19:58:21.0656 2164 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/22 19:58:21.0687 2164 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/22 19:58:21.0796 2164 Boot (0x1200) (f86c9a7644be229b5ecc6f34db51df79) \Device\Harddisk0\DR0\Partition0
2011/08/22 19:58:21.0796 2164 ================================================================================
2011/08/22 19:58:21.0796 2164 Scan finished
2011/08/22 19:58:21.0796 2164 ================================================================================
2011/08/22 19:58:21.0796 3432 Detected object count: 0
2011/08/22 19:58:21.0796 3432 Actual detected object count: 0

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:39 AM

Posted 22 August 2011 - 07:03 PM

Hi

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 aquadeath2

aquadeath2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 22 August 2011 - 07:49 PM

Just a head's up that the link for the online scanner is actually http://go.eset.com/us/online-scanner. Also, I wasn't able to run it. After accepting the terms it would load for a bit then display this message: "Internet Explorer has closed this webpage to help protect your computer"

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7539

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/22/2011 8:19:35 PM
mbam-log-2011-08-22 (20-19-35).txt

Scan type: Quick scan
Objects scanned: 180460
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:39 AM

Posted 22 August 2011 - 07:59 PM

Hi

Your log is showing that two AV's are installed

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

they may have interfered with the ESET scan

You should only have one antivirus on your machine at a time, more than one will cause system slow downs, conflicts and crashes, so you should uninstall one of them


please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and save it to your desktop.
  • Scroll down to where it says JDK 7 (JDK or JRE)
  • Click the Download JDK button tunderneath
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Oracle Binary Code License Agreement for Java SE ". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and Attach.txt and advise how your computer is running now and if there are any outstanding issues

(thanks for the updated link in ESET)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 aquadeath2

aquadeath2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 22 August 2011 - 08:53 PM

Hmm, even after uninstalling the Lavasoft software I still couldn't run the ESET scan. I've been on and using my computer for hours and the internet has been working just fine and all svchost.exe processes are under control. So behavior-wise, I think my computer is good to go. The only funky thing yet is that for a day or so, Trend was continuously (every 15-20 seconds) quarantining a file called srvB2C.tmp that was located in C:\WINDOWS\temp\. When I ran the one scan that took a couple hours, it was still quarantining that file, so there are now 960 copies of that file quarantined. However, when I try to delete it, I receive the error "Unable to delete the file. Your computer have have locked the file, or you may lack sufficient privileges to access the file." ....thoughts?

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by Jason Reinhard at 21:46:55 on 2011-08-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1233 [GMT -4:00]
.
AV: Trend Micro Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://google.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194497498187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194497457718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 204.186.110.76 216.144.187.37
TCP: Interfaces\{CF77A641-00D6-4676-BFC7-345F3518F17B} : DhcpNameServer = 204.186.110.76 216.144.187.37
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jason reinhard\application data\mozilla\firefox\profiles\2hqnyucz.default\
FF - prefs.js: browser.startup.homepage - hxxp://sports.yahoo.com/fantasy
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-8-20 3029208]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-4-1 67400]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-7-31 50256]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-15 36368]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2007-11-8 598856]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-2-15 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~3\TmPfw.exe [2008-7-31 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-7-31 648456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-9-7 1527900]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2010-6-19 16640]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
.
=============== Created Last 30 ================
.
2011-08-23 01:41:04 -------- d-----w- c:\documents and settings\jason reinhard\local settings\application data\Sun
2011-08-23 01:38:51 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-23 01:13:32 -------- d-----w- c:\documents and settings\jason reinhard\local settings\application data\Solid State Networks
2011-08-22 20:11:27 -------- d-sha-r- C:\cmdcons
2011-08-22 20:08:39 208896 ----a-w- c:\windows\MBR.exe
2011-08-22 20:08:38 98816 ----a-w- c:\windows\sed.exe
2011-08-22 20:08:38 518144 ----a-w- c:\windows\SWREG.exe
2011-08-20 07:25:15 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{1ab99c90-9762-46a7-a1ae-43a86026dc0d}\mpengine.dll
2011-08-20 07:15:36 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-19 19:10:21 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-19 19:05:31 -------- d-----w- c:\program files\Lavasoft
2011-08-18 01:41:55 -------- d-----w- c:\documents and settings\all users\application data\SUPERSetup
2011-08-17 20:02:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-17 20:02:50 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-17 20:02:50 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-17 20:02:50 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-17 20:02:50 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-17 20:02:50 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-17 20:02:50 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-17 20:02:50 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-17 02:56:53 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2011-08-17 02:51:25 -------- d-----w- c:\windows\ERUNT
2011-08-16 02:49:06 -------- d-----w- c:\program files\ProcessExplorer
2011-08-11 10:38:20 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 10:37:40 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-08-23 01:38:36 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-21 18:37:42 10752 -c--a-w- c:\windows\DCEBoot.exe
2011-08-18 01:31:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-26 06:45:56 256000 -c--a-w- c:\windows\PEV.exe
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 21:47:11.89 ===============

Attached Files



#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:39 AM

Posted 22 August 2011 - 09:09 PM

the driver that was protecting that file has now been deleted

(((((((((( Drivers/Services ))))))))))))

-------\Legacy_SRV1EC
-------\Legacy_SRVB2C
-------\Service_srv1EC
-------\Service_srvB2C

so you should be able to empty the quarantine now

The log looks clean now

we just need to clean up our tools



You can delete the TDSSKiller, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 aquadeath2

aquadeath2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 23 August 2011 - 03:13 PM

Hmm...Trend still will not let me delete them from the quarantine. Thoughts?

Thank you for the TFC application and WOT plugin.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:39 AM

Posted 23 August 2011 - 04:46 PM

what is the exact message you are getting from trend?

please give me the entire path of the files you are wanting to delete.

Please run the following program:


  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows)
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 aquadeath2

aquadeath2
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 23 August 2011 - 06:05 PM

I'm getting the message "Unable to delete the file. Your computer have have locked the file, or you may lack sufficient privileges to access the file."

It says the file location is C:\WINDOWS\temp, but I don't see it in there (even with showing hidden files active).


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

.\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5

Edited by hamluis, 26 August 2011 - 09:27 AM.
Removed excess blank lines.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users