
Computer virus on XP


  • This topic is locked
20 replies to this topic

#1 tryhard (Members, 58 posts, Brisbane Qld Oz)

Posted 17 September 2011 - 03:08 AM

Hi Guys, I have a real problem with my laptop. It seems that I have downloaded some sort of virus onto my machine and I am unable to remove it or find it for that matter. I have downloaded SuperAntiSpyware and Malwarebytes and although they have identified various trojans and other baddies the problem persists.

Generally when I think that I have the problem sorted and the machine starts to work properly the problem seems to connect with the internet and re-establishes itself in the system. I am at a total loss as to what to do about this, I have scanned and removed so much stuff that maybe the system will become unstable.

I have taken the liberty of downloading combofix and have run a scan which I will attach for your info and possible suggestions.

Thanking you in advance for any help you may be able to offer.

Cheers

Dave

Attached file: log.txt17.9.11 2nd.txt (18.59KB, 3 downloads)

Edited by Orange Blossom, 17 September 2011 - 08:48 PM.
Moved from XP to Malware Removal Logs. ~ hamluis




#2 tryhard (Topic Starter, Members, 58 posts, Brisbane Qld Oz)

Posted 17 September 2011 - 05:33 PM

Oops, looks like I got ahead of myself yesterday. Now I have had a chance to read some of the info on this site I guess that I am better prepared to advise on my specific problems. Sorry about that.

Ok, symptoms are flashing on the black screen at start-up and re-directing of internet explorer (looping it back to google), also notice flashing on screen but very fast and unable to see message (if any ?). As I mentioned in earlier post, I seem to have it under control until I connect to the internet and then it seems to re-infect the system. Very frustrating.

Anyway logs posted and look forward to any assistance that may be provided.

Cheers

Dave

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by 026465 at 7:59:08 on 2011-09-18
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2027.1401 [GMT 10:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\AccelerometerSt.Exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [DesktopInfo] c:\windows\options\bginfo.exe c:\windows\options\desktop.bgi /timer:0
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: DisableChangePassword = 1 (0x1)
dPolicies-system: DisableChangePassword = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18}
DPF: {88D969C0-F192-11D4-A65F-0040963251E5}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{42694FD7-D1BE-4D37-B78E-5BD3BE6761CD} : DhcpNameServer = 10.0.0.138
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ckpNotify - ckpNotify.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
mASetup: {5bd419c2-b827-4f2d-96d6-9e1b836602d2} - reg add /f "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /v DefaultProfile /t REG_SZ /d "Novell Groupwise"
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-10-31 24064]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2007-5-24 34671]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-12 1164536]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-10-14 122056]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2009-7-2 17456]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-3-12 49152]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2009-7-2 670128]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-3-12 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2011-9-1 61440]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-6-12 477696]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-5-23 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-10-31 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-30 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-7-2 2041904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-10-31 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100512.005\NAVENG.SYS [2010-5-20 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100512.005\NAVEX15.SYS [2010-5-20 1347504]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-10-31 47616]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccApp.exe [2006-10-13 95848]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccApp.exe [2006-10-13 95848]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-10-14 1956552]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10621.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10621.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2009-10-21 113664]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2009-7-2 14924]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2010-2-13 194304]
S3 SWNC8U52;Sierra Wireless MUX NDIS Driver (UMTS52);c:\windows\system32\drivers\swnc8u52.sys [2007-9-21 164480]
S3 SWUMX52;Sierra Wireless USB MUX Driver (UMTS52);c:\windows\system32\drivers\swumx52.sys [2007-9-21 140672]
.
=============== Created Last 30 ================
.
2011-09-17 07:31:42 208896 ----a-w- c:\windows\MBR.exe
2011-09-17 07:31:41 98816 ----a-w- c:\windows\sed.exe
2011-09-17 07:31:41 518144 ----a-w- c:\windows\SWREG.exe
2011-09-17 07:31:41 256000 ----a-w- c:\windows\PEV.exe
2011-09-16 22:40:15 -------- d-----w- c:\program files\Auslogics
2011-09-15 04:45:58 -------- d-----w- C:\GWARCH
2011-09-12 07:12:28 -------- d-sha-r- C:\cmdcons
2011-09-12 06:23:17 158720 ----a-w- c:\program files\internet explorer\mui\0409\mscorier.dll
2011-09-10 07:56:36 -------- d-----w- c:\documents and settings\026465\application data\Auslogics
2011-09-05 21:56:34 -------- d-----w- c:\documents and settings\026465\.java
2011-09-02 23:46:44 93184 ----a-w- c:\program files\internet explorer\iexplore.exe
2011-09-02 23:46:44 38912 ----a-w- c:\program files\internet explorer\hmmapi.dll
2011-09-02 23:46:44 18432 ----a-w- c:\program files\internet explorer\iedw.exe
2011-09-02 23:41:17 86016 ----a-w- c:\program files\internet explorer\connection wizard\icwconn2.exe
2011-09-02 23:41:17 73728 ----a-w- c:\program files\internet explorer\connection wizard\icwtutor.exe
2011-09-02 23:41:17 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwres.dll
2011-09-02 23:41:17 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwconn.dll
2011-09-02 23:41:17 49152 ----a-w- c:\program files\internet explorer\connection wizard\icwutil.dll
2011-09-02 23:41:17 40960 ----a-w- c:\program files\internet explorer\connection wizard\trialoc.dll
2011-09-02 23:41:17 32768 ----a-w- c:\program files\internet explorer\connection wizard\icwdl.dll
2011-09-02 23:41:17 24576 ----a-w- c:\program files\internet explorer\connection wizard\icwrmind.exe
2011-09-02 23:41:17 214528 ----a-w- c:\program files\internet explorer\connection wizard\icwconn1.exe
2011-09-02 23:41:17 20480 ----a-w- c:\program files\internet explorer\connection wizard\inetwiz.exe
2011-09-02 23:41:17 172032 ----a-w- c:\program files\internet explorer\connection wizard\icwhelp.dll
2011-09-02 23:41:17 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-09-01 05:23:42 32866 -c--a-w- c:\windows\system32\dllcache\slrundll.exe
2011-09-01 05:23:42 32866 ----a-w- c:\windows\slrundll.exe
2011-08-27 22:59:44 -------- d-----w- c:\documents and settings\026465\application data\Malwarebytes
2011-08-27 22:59:36 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-27 06:24:17 -------- d-----w- c:\windows\system32\AppLogs
2011-08-25 21:19:22 -------- d--h--w- c:\windows\PIF
.
==================== Find3M ====================
.
2011-08-12 07:20:08 0 ----a-w- c:\documents and settings\all users\application data\qdlv.exe
2011-08-12 07:20:08 0 ----a-w- c:\documents and settings\all users\application data\pvfr.exe
2011-08-12 07:20:08 0 ----a-w- c:\documents and settings\all users\application data\jocs.exe
2011-08-12 07:20:08 0 ----a-w- c:\documents and settings\all users\application data\jlsg.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHZ2120BH_G2 rev.8909 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8AB376D0]<<
c:\windows\system32\drivers\hpdskflt.sys Hewlett-Packard Corporation Hewlett-Packard Corporation Mobile Data Protection System
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ab3d9d0]; MOV EAX, [0x8ab3da4c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8ABC5AB8]
3 CLASSPNP[0xBA16905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8AB89D58]
5 hpdskflt[0xBA3994E6] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\000000d4[0x8AB769E8]
7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8AB87D98]
\Driver\atapi[0x8AB883B8] -> IRP_MJ_CREATE -> 0x8AB376D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { CLI ; XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; PUSH AX; POP ES; PUSH AX; POP DS; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REPNZ MOVSW ; JMP FAR 0x0:0x61d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AB3751B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 7:59:32.18 ===============
Attached file: ark.txt (4.63KB, 1 download)
Attached file: attach.txt (15.54KB, 0 downloads)
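The DDS log above carries two things a responder would pull out first: the Find3M section lists four zero-byte executables with four-letter names dropped straight into All Users\Application Data, and the GMER section reports an unknown module in the disk I/O stack, a DriverStartIo hook on \Driver\atapi and a "possible TDL3 rootkit infection" warning. The script below is an added example for triaging a saved DDS.txt, not code from DDS, GMER, ComboFix or anyone in this thread; the sample input is an excerpt of the log posted above, and the flagging rules (zero-byte executables, executables loose in the shared profile directory, GMER's unknown-module/hook/warning lines) are heuristics chosen for this illustration.

```python
# Added example for triaging a DDS log: not code from DDS, GMER, ComboFix or
# the thread above. The flagging rules below are my own heuristics.
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the DDS log posted above, used as constructed sample input.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2011-09-17 07:31:42 208896 ----a-w- c:\windows\MBR.exe
2011-09-16 22:40:15 -------- d-----w- c:\program files\Auslogics
2011-09-01 05:23:42 32866 ----a-w- c:\windows\slrundll.exe
==================== Find3M ====================
2011-08-12 07:20:08 0 ----a-w- c:\documents and settings\all users\application data\qdlv.exe
2011-08-12 07:20:08 0 ----a-w- c:\documents and settings\all users\application data\pvfr.exe
=================== ROOTKIT ====================
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8AB376D0]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AB3751B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# File-list lines are "date time size attrs path"; size is "--------" for directories.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")

EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
# Shared XP profile directory where a loose executable is unusual (heuristic).
SHARED_DATA_DIR = r"\all users\application data"


@dataclass
class FileEntry:
    date: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    def is_executable(self) -> bool:
        return ntpath.splitext(self.path.lower())[1] in EXEC_EXTS


def parse_file_entries(log_text: str) -> List[FileEntry]:
    """Collect every file-list line, whichever section it appears in."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(FileEntry(m["date"], size, m["attrs"], m["path"]))
    return entries


def flag_files(entries: List[FileEntry]) -> List[str]:
    """Zero-byte executables and executables loose in the shared profile dir."""
    findings = []
    for e in entries:
        if e.is_dir() or not e.is_executable():
            continue
        if e.size == 0:
            findings.append(f"zero-byte executable: {e.path}")
        if ntpath.dirname(e.path.lower()).endswith(SHARED_DATA_DIR):
            findings.append(f"executable loose in shared profile dir: {e.path}")
    return findings


def flag_rootkit_section(log_text: str) -> List[str]:
    """GMER's unknown-module marker, the lines under 'detected hooks:', and warnings."""
    findings, in_hooks = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        for addr in UNKNOWN_MODULE_RE.findall(line):
            findings.append(f"unknown module in disk stack at {addr}")
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks and (m := HOOK_RE.match(line)):
            findings.append(f"hook: {m[1]} {m[2]} -> {m[3]}")
            continue
        in_hooks = False  # first non-hook line ends the hook block
        if line.startswith("Warning:"):
            findings.append(line)
    return findings


def triage(log_text: str) -> List[str]:
    return flag_files(parse_file_entries(log_text)) + flag_rootkit_section(log_text)


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

To use it on a real log, read DDS.txt into a string and pass it to triage(). On the excerpt it returns seven findings: each zero-byte dropper is reported twice (once per rule), followed by the unknown-module address, the atapi DriverStartIo hook and the TDL3 warning line. The rules are deliberately narrow; a wider triage would also compare the driver paths and hashes in the services section against a known-good baseline.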

#3 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 21 September 2011 - 08:54 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Just click on Cancel, then Accept.

information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 tryhard (Topic Starter, Members, 58 posts, Brisbane Qld Oz)

Posted 21 September 2011 - 07:05 PM

Hello Gringo

Thank you very much for replying to my request for help. I have run the 3 progs as requested and did not encounter any problems; the only thing is that SuperAntiSpyware appears to have been disabled by the virus and I was unable to uninstall it.

Reports are attached for your info.

Cheers

Dave

Attached Files



#5 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 21 September 2011 - 07:21 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#6 tryhard (Topic Starter, Members, 58 posts, Brisbane Qld Oz)

Posted 21 September 2011 - 10:02 PM

Hey Gringo

Have now run the ComboFix and log is attached.

Just a couple of issues prior to running ComboFix: could not disable Symantec due to Windows Installer box popping up at every attempt to work on prog, so I figured that maybe virus had interfered with it and disabled it. Still can't get SAS to open or delete, no doubt affected by virus and also disabled.

After running DDS scans I left machine in hibernation and was unable to regain screen, had to do hard re-boot to get working again.

Seems to be working better now, even got a couple of items back in the tray that I thought I had lost for good.

Thank you again for all your help

Cheers

Dave

Attached Files

  • Attached file: log.txt (22.9KB, 3 downloads)


#7 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 21 September 2011 - 10:08 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#8 tryhard (Topic Starter, Members, 58 posts, Brisbane Qld Oz)

Posted 21 September 2011 - 11:02 PM

Hello Gringo

TDSSKiller log file is attached

Cheers

Dave

2011/09/22 13:47:37.0796 2588 TDSS rootkit removing tool 2.5.23.0 Sep 20 2011 08:53:10
2011/09/22 13:47:38.0906 2588 ================================================================================
2011/09/22 13:47:38.0906 2588 SystemInfo:
2011/09/22 13:47:38.0906 2588
2011/09/22 13:47:38.0906 2588 OS Version: 5.1.2600 ServicePack: 2.0
2011/09/22 13:47:38.0906 2588 Product type: Workstation
2011/09/22 13:47:38.0906 2588 ComputerName: N108345
2011/09/22 13:47:38.0906 2588 UserName: 026465
2011/09/22 13:47:38.0906 2588 Windows directory: C:\WINDOWS
2011/09/22 13:47:38.0906 2588 System windows directory: C:\WINDOWS
2011/09/22 13:47:38.0906 2588 Processor architecture: Intel x86
2011/09/22 13:47:38.0906 2588 Number of processors: 2
2011/09/22 13:47:38.0906 2588 Page size: 0x1000
2011/09/22 13:47:38.0906 2588 Boot type: Normal boot
2011/09/22 13:47:38.0906 2588 ================================================================================
2011/09/22 13:47:40.0781 2588 Initialize success
2011/09/22 13:48:10.0765 3616 ================================================================================
2011/09/22 13:48:10.0765 3616 Scan started
2011/09/22 13:48:10.0765 3616 Mode: Manual;
2011/09/22 13:48:10.0765 3616 ================================================================================
2011/09/22 13:48:11.0171 3616 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/09/22 13:48:11.0218 3616 Accelerometer (a0baabb7d3549460e3f8c5ad6f778683) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2011/09/22 13:48:11.0250 3616 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/22 13:48:11.0250 3616 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/09/22 13:48:11.0296 3616 ADIHdAudAddService (52cc84e612c283f774f9cb196ccef6fb) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/09/22 13:48:11.0312 3616 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/09/22 13:48:11.0328 3616 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/09/22 13:48:11.0359 3616 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/09/22 13:48:11.0406 3616 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/09/22 13:48:11.0546 3616 AgereSoftModem (38325c6aa8eae011897d61ce48ec6435) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/09/22 13:48:11.0671 3616 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/09/22 13:48:11.0687 3616 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/09/22 13:48:11.0718 3616 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/09/22 13:48:11.0734 3616 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/09/22 13:48:11.0765 3616 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/09/22 13:48:11.0796 3616 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/09/22 13:48:11.0812 3616 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/09/22 13:48:11.0828 3616 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/09/22 13:48:11.0859 3616 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/09/22 13:48:11.0875 3616 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/22 13:48:11.0906 3616 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/09/22 13:48:11.0921 3616 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/09/22 13:48:11.0937 3616 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/09/22 13:48:11.0984 3616 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/22 13:48:12.0000 3616 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/22 13:48:12.0125 3616 ati2mtag (7e57c60cc3e819c5031020ded9cd92e0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/09/22 13:48:12.0187 3616 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/22 13:48:12.0312 3616 ATSwpWDF (c74e3d37625166c8a81fc07f796bc1ac) C:\WINDOWS\system32\Drivers\ATSwpWDF.sys
2011/09/22 13:48:12.0359 3616 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/22 13:48:12.0390 3616 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/22 13:48:12.0406 3616 BlankScr (0d266f08aed52d9b17b3c61be01dd576) C:\WINDOWS\system32\drivers\BlankScr.sys
2011/09/22 13:48:12.0437 3616 BTWUSB (053dc5be74621b63bb48c2b86bafc7b0) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/09/22 13:48:25.0140 3616 MBR (0x1B8) (035ce1c0bf49cb716bd6db7a4cf480b7) \Device\Harddisk0\DR0
2011/09/22 13:48:25.0140 3616 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/22 13:48:25.0140 3616 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR5
2011/09/22 13:48:39.0046 3616 Boot (0x1200) (fc8066d8d608fa85a235261b56c2d9fc) \Device\Harddisk0\DR0\Partition0
2011/09/22 13:48:39.0109 3616 Boot (0x1200) (794e6740dd23b79a00b9b04ed505b5cf) \Device\Harddisk0\DR0\Partition1
2011/09/22 13:48:39.0125 3616 Boot (0x1200) (7203a719aec2ed1aa7c2d08a32f8f12d) \Device\Harddisk1\DR5\Partition0
2011/09/22 13:48:39.0125 3616 ================================================================================
2011/09/22 13:48:39.0125 3616 Scan finished
2011/09/22 13:48:39.0125 3616 ================================================================================
2011/09/22 13:48:39.0156 3584 Detected object count: 1
2011/09/22 13:48:39.0156 3584 Actual detected object count: 1
2011/09/22 13:49:19.0531 3584 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/22 13:49:19.0531 3584 \Device\Harddisk0\DR0 - ok
2011/09/22 13:49:19.0531 3584 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/22 13:50:02.0046 3856 Deinitialize success

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 September 2011 - 07:43 AM

Greetings

Good, that cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\documents and settings\All Users\Application Data\qdlv.exe
c:\documents and settings\All Users\Application Data\pvfr.exe
c:\documents and settings\All Users\Application Data\jocs.exe
c:\documents and settings\All Users\Application Data\jlsg.exe

RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\Novell\ZENworks\NalView .exe
c:\program files\Symantec AntiVirus\VPTray .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Windows Defender\MSASCui .exe
c:\windows\system32\NWTRAY .exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 tryhard

  • Topic Starter
  • Members
  • 58 posts
  • Gender:Male
  • Location:Brisbane Qld Oz

Posted 22 September 2011 - 04:51 PM

Hello Gringo

Report attached
No apparent problems
Those annoying pop-ups are all gone; the only problem that I seem to have is that I have lost the scroll function on the touch pad. Any suggestions?

Cheers

Dave

ComboFix 11-09-22.03 - 026465 23/09/2011 7:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2027.1295 [GMT 10:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\026465\Desktop\CFscript.txt
.
FILE ::
"c:\documents and settings\All Users\Application Data\jlsg.exe"
"c:\documents and settings\All Users\Application Data\jocs.exe"
"c:\documents and settings\All Users\Application Data\pvfr.exe"
"c:\documents and settings\All Users\Application Data\qdlv.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\jlsg.exe
c:\documents and settings\All Users\Application Data\jocs.exe
c:\documents and settings\All Users\Application Data\pvfr.exe
c:\documents and settings\All Users\Application Data\qdlv.exe
C:\RECYCLER(2)
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-08-22 to 2011-09-22 )))))))))))))))))))))))))))))))
.
.
2011-09-20 13:32 . 2011-09-20 13:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-20 13:32 . 2011-09-20 13:32 -------- d-----w- c:\program files\Auslogics
2011-09-20 13:31 . 2011-09-20 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-20 13:31 . 2011-09-20 13:31 -------- d-----w- c:\documents and settings\026465\Application Data\SUPERAntiSpyware.com
2011-09-20 13:31 . 2011-09-22 01:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-20 13:31 . 2011-09-22 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-15 04:45 . 2011-09-15 04:45 -------- d-----w- C:\GWARCH
2011-09-12 06:23 . 2008-07-25 01:16 158720 ----a-w- c:\program files\Internet Explorer\MUI\0409\mscorier.dll
2011-09-10 07:56 . 2011-09-10 07:56 -------- d-----w- c:\documents and settings\026465\Application Data\Auslogics
2011-09-05 21:56 . 2011-09-05 21:56 -------- d-----w- c:\documents and settings\026465\.java
2011-09-02 23:46 . 2008-04-13 19:42 93184 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-09-02 23:46 . 2008-04-13 19:42 18432 ----a-w- c:\program files\Internet Explorer\iedw.exe
2011-09-02 23:46 . 2008-04-13 19:41 38912 ----a-w- c:\program files\Internet Explorer\hmmapi.dll
2011-09-02 23:41 . 2008-04-13 19:42 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2011-09-02 23:41 . 2008-04-13 19:42 24576 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwrmind.exe
2011-09-02 23:41 . 2008-04-13 19:42 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
2011-09-02 23:41 . 2008-04-13 19:42 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe
2011-09-02 23:41 . 2008-04-13 19:41 61440 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn.dll
2011-09-02 23:41 . 2008-04-13 19:41 49152 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwutil.dll
2011-09-02 23:41 . 2008-04-13 19:41 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll
2011-09-02 23:41 . 2008-04-13 19:41 172032 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwhelp.dll
2011-09-02 23:41 . 2004-08-05 05:00 73728 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwtutor.exe
2011-09-02 23:41 . 2004-08-05 05:00 61440 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwres.dll
2011-09-02 23:41 . 2004-08-05 05:00 40960 ----a-w- c:\program files\Internet Explorer\Connection Wizard\trialoc.dll
2011-09-02 23:41 . 2004-08-05 05:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-09-02 21:58 . 2011-09-02 21:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-01 05:23 . 2004-08-03 14:56 32866 -c--a-w- c:\windows\system32\dllcache\slrundll.exe
2011-09-01 05:23 . 2004-08-03 14:56 32866 ----a-w- c:\windows\slrundll.exe
2011-08-31 06:11 . 2011-08-31 06:11 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-08-27 22:59 . 2011-08-27 22:59 -------- d-----w- c:\documents and settings\026465\Application Data\Malwarebytes
2011-08-27 22:59 . 2011-08-27 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-27 06:24 . 2011-08-27 06:24 -------- d-----w- c:\windows\system32\AppLogs
2011-08-25 23:23 . 2011-08-25 23:23 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-08-25 21:19 . 2011-08-25 21:19 -------- d--h--w- c:\windows\PIF
2011-08-25 08:02 . 2011-08-25 23:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2011-08-05 21:18 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{8EB2335F-84C4-4670-8927-F30924D041BB}\mpengine.dll
2011-07-13 03:39 . 2009-03-12 23:29 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-22_02.33.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-24 16:05 . 2011-09-22 03:58 71912 c:\windows\system32\perfc009.dat
- 2007-05-24 16:05 . 2011-09-22 02:17 71912 c:\windows\system32\perfc009.dat
+ 2007-05-24 16:07 . 2002-03-12 16:37 28672 c:\windows\system32\NWTRAY.exe
+ 2007-05-24 16:05 . 2011-09-22 03:58 442334 c:\windows\system32\perfh009.dat
- 2007-05-24 16:05 . 2011-09-22 02:17 442334 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-21 0]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2006-10-18 45056]
"DesktopInfo"="c:\windows\options\bginfo.exe" [2005-09-06 741421]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-18 82224]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-05 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableChangePassword"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-03-01 09:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-18663\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-18663\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-18663\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-52154\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-52154\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-52154\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-59701\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-59701\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-59701\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-66300\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-66300\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-66300\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72873\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72873\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72873\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72912\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72912\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72912\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-7728\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-7728\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-7728\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [31/10/2008 10:03 AM 24064]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [24/05/2007 10:12 AM 34671]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 2:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 7:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 9:38 AM 116608]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [12/06/2008 12:21 PM 1164536]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [23/05/2005 2:47 PM 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [9/05/2006 10:59 AM 167936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [14/10/2006 6:02 AM 122056]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2/07/2009 3:51 PM 17456]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [12/03/2009 1:07 PM 49152]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2/07/2009 3:51 PM 670128]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [12/03/2009 1:07 PM 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [1/09/2011 5:01 PM 61440]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [12/06/2008 2:40 PM 477696]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [23/05/2005 2:11 PM 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [31/10/2008 10:00 AM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/09/2009 11:56 AM 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2/07/2009 3:51 PM 2041904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [31/10/2008 10:04 AM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [31/10/2008 9:59 AM 47616]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 6:19 PM 13592]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [21/10/2009 3:57 PM 113664]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2/07/2009 3:51 PM 14924]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [13/02/2010 7:32 AM 194304]
S3 SWNC8U52;Sierra Wireless MUX NDIS Driver (UMTS52);c:\windows\system32\drivers\swnc8u52.sys [21/09/2007 3:47 PM 164480]
S3 SWUMX52;Sierra Wireless USB MUX Driver (UMTS52);c:\windows\system32\drivers\swumx52.sys [21/09/2007 3:48 PM 140672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2004-08-05 05:00 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 08:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com.au/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_ActiveSetup-{5bd419c2-b827-4f2d-96d6-9e1b836602d2} - reg add
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 07:29
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\MSGinaExtension.dll
c:\windows\system32\RestrictedBrowserDLL.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-09-23 07:30:36
ComboFix-quarantined-files.txt 2011-09-22 21:30
ComboFix2.txt 2011-09-22 02:36
ComboFix3.txt 2011-09-17 07:40
ComboFix4.txt 2011-09-16 22:54
ComboFix5.txt 2011-09-22 21:23
.
Pre-Run: 16,895,258,624 bytes free
Post-Run: 17,017,860,096 bytes free
.
- - End Of File - - CFDE07DA249D3D0C92F7AD25DD247E49

#11 tryhard

  • Topic Starter

  • Members
  • 58 posts
  • Gender:Male
  • Location:Brisbane Qld Oz

Posted 23 September 2011 - 02:41 AM

Hi Gringo

I just want to say thanks, mate, for all the help and assistance you have given me to solve this problem; truly, this is the first time in weeks that I am finally on top of this problem. Every time I thought I had it on the run it would just come back and haunt me, and just get a bit more nasty along the way.

Sorted that problem with the touch pad: went to HP and downloaded the drivers, and presto, all fixed.

I am humbled by all the effort and work you guys put in to help solve these problems. You know, when the machine is on the blink it's very easy to slip into panic mode and try just about anything, and of course everyone on the net is an expert. Anyway, enough of that, thanks again, and if that last scan was clear I will bid you farewell, 'cause there probably will be a next time.

Dave

#12 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 September 2011 - 02:59 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 tryhard

  • Topic Starter

  • Members
  • 58 posts
  • Gender:Male
  • Location:Brisbane Qld Oz

Posted 23 September 2011 - 06:12 AM

Hi Gringo

Log attached

No problems running scan

Machine seems to be running OK


ComboFix 11-09-23.03 - 026465 23/09/2011 21:00:03.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.2027.1315 [GMT 10:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\026465\Desktop\CFscript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))
.
.
2011-09-23 05:47 . 2008-11-07 08:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-09-23 05:46 . 2011-09-23 05:46 -------- d-----w- c:\program files\Synaptics
2011-09-23 05:46 . 2010-06-03 09:18 1303728 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-09-23 05:46 . 2010-06-03 09:17 165160 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-09-23 05:46 . 2010-06-03 09:17 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
2011-09-23 05:46 . 2010-06-03 09:17 214312 ----a-w- c:\windows\system32\SynCtrl.dll
2011-09-23 05:46 . 2010-06-03 09:17 173352 ----a-w- c:\windows\system32\SynCOM.dll
2011-09-23 05:46 . 2009-08-06 23:49 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2011-09-20 13:32 . 2011-09-20 13:32 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-20 13:32 . 2011-09-20 13:32 -------- d-----w- c:\program files\Auslogics
2011-09-20 13:31 . 2011-09-20 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-20 13:31 . 2011-09-20 13:31 -------- d-----w- c:\documents and settings\026465\Application Data\SUPERAntiSpyware.com
2011-09-20 13:31 . 2011-09-22 01:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-20 13:31 . 2011-09-22 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-15 04:45 . 2011-09-15 04:45 -------- d-----w- C:\GWARCH
2011-09-12 06:23 . 2008-07-25 01:16 158720 ----a-w- c:\program files\Internet Explorer\MUI\0409\mscorier.dll
2011-09-10 07:56 . 2011-09-10 07:56 -------- d-----w- c:\documents and settings\026465\Application Data\Auslogics
2011-09-05 21:56 . 2011-09-05 21:56 -------- d-----w- c:\documents and settings\026465\.java
2011-09-02 23:46 . 2008-04-13 19:42 93184 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-09-02 23:46 . 2008-04-13 19:42 18432 ----a-w- c:\program files\Internet Explorer\iedw.exe
2011-09-02 23:46 . 2008-04-13 19:41 38912 ----a-w- c:\program files\Internet Explorer\hmmapi.dll
2011-09-02 23:41 . 2008-04-13 19:42 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2011-09-02 23:41 . 2008-04-13 19:42 24576 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwrmind.exe
2011-09-02 23:41 . 2008-04-13 19:42 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
2011-09-02 23:41 . 2008-04-13 19:42 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe
2011-09-02 23:41 . 2008-04-13 19:41 61440 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn.dll
2011-09-02 23:41 . 2008-04-13 19:41 49152 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwutil.dll
2011-09-02 23:41 . 2008-04-13 19:41 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll
2011-09-02 23:41 . 2008-04-13 19:41 172032 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwhelp.dll
2011-09-02 23:41 . 2004-08-05 05:00 73728 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwtutor.exe
2011-09-02 23:41 . 2004-08-05 05:00 61440 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwres.dll
2011-09-02 23:41 . 2004-08-05 05:00 40960 ----a-w- c:\program files\Internet Explorer\Connection Wizard\trialoc.dll
2011-09-02 23:41 . 2004-08-05 05:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-09-02 21:58 . 2011-09-02 21:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-01 05:23 . 2004-08-03 14:56 32866 -c--a-w- c:\windows\system32\dllcache\slrundll.exe
2011-09-01 05:23 . 2004-08-03 14:56 32866 ----a-w- c:\windows\slrundll.exe
2011-08-31 06:11 . 2011-08-31 06:11 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-08-27 22:59 . 2011-08-27 22:59 -------- d-----w- c:\documents and settings\026465\Application Data\Malwarebytes
2011-08-27 22:59 . 2011-08-27 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-27 06:24 . 2011-08-27 06:24 -------- d-----w- c:\windows\system32\AppLogs
2011-08-25 23:23 . 2011-08-25 23:23 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-08-25 21:19 . 2011-08-25 21:19 -------- d--h--w- c:\windows\PIF
2011-08-25 08:02 . 2011-08-25 23:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2011-08-05 21:18 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{8EB2335F-84C4-4670-8927-F30924D041BB}\mpengine.dll
2011-07-13 03:39 . 2009-03-12 23:29 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-22_02.33.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-09-01 06:38 . 2009-05-12 05:12 26144 c:\windows\system32\spupdsvc.exe
+ 2011-09-01 06:38 . 2008-11-07 08:55 26144 c:\windows\system32\spupdsvc.exe
+ 2011-09-23 05:46 . 2004-08-03 12:58 23040 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\mouclass.sys
+ 2011-09-23 05:46 . 2004-08-05 05:00 52736 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\i8042prt.sys
+ 2007-05-24 16:05 . 2011-09-23 10:49 71912 c:\windows\system32\perfc009.dat
- 2007-05-24 16:05 . 2011-09-22 02:17 71912 c:\windows\system32\perfc009.dat
+ 2007-05-24 16:07 . 2002-03-12 16:37 28672 c:\windows\system32\NWTRAY.exe
+ 2006-11-01 21:22 . 2009-07-14 00:35 37608 c:\windows\system32\drivers\wdfldr.sys
- 2004-08-03 23:14 . 2004-08-05 05:00 52736 c:\windows\system32\drivers\i8042prt.sys
+ 2004-08-03 23:14 . 2004-08-03 13:14 52736 c:\windows\system32\drivers\i8042prt.sys
+ 2004-08-03 23:14 . 2004-08-03 13:14 52736 c:\windows\system32\dllcache\i8042prt.sys
- 2007-05-23 23:40 . 2011-07-15 07:29 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2011-09-23 05:39 . 2011-09-23 05:39 4372 c:\windows\SoftwareDistribution\EventCache\{4FFAFDBF-EB9A-4D86-B8B6-F963F99ACF8B}.bin
- 2007-05-23 23:40 . 2011-07-15 07:29 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-05-24 16:05 . 2011-09-22 02:17 442334 c:\windows\system32\perfh009.dat
+ 2007-05-24 16:05 . 2011-09-23 10:49 442334 c:\windows\system32\perfh009.dat
+ 2011-09-23 05:46 . 2010-06-03 09:17 337192 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\Tutorial.exe
+ 2011-09-23 05:46 . 2010-06-03 09:17 247080 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynZMetr.exe
+ 2011-09-23 05:46 . 2010-06-03 09:17 103720 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTPHelper.exe
+ 2011-09-23 05:46 . 2010-06-03 09:17 107816 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTPCOM.dll
+ 2011-09-23 05:46 . 2010-06-03 09:17 120104 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTPCo4.dll
+ 2011-09-23 05:46 . 2010-06-03 09:17 165160 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTPAPI.dll
+ 2011-09-23 05:46 . 2010-06-03 09:17 238888 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynMood.exe
+ 2011-09-23 05:46 . 2010-06-03 09:17 218408 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynISDLL.dll
+ 2011-09-23 05:46 . 2010-06-03 09:17 214312 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynCtrl.dll
+ 2011-09-23 05:46 . 2010-06-03 09:17 173352 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynCOM.dll
+ 2011-09-23 05:46 . 2010-06-03 09:17 124200 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\InstNT.exe
+ 2006-11-01 21:22 . 2009-07-14 00:35 444136 c:\windows\system32\drivers\wdf01000.sys
- 2007-05-23 23:40 . 2011-07-15 07:29 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-05-23 23:40 . 2011-07-15 07:29 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-05-23 23:40 . 2011-09-23 05:39 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2011-09-23 05:46 . 2009-08-06 23:49 1461992 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\WdfCoInstaller01009.dll
+ 2011-09-23 05:46 . 2010-06-03 09:17 1791272 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTPEnh.exe
+ 2011-09-23 05:46 . 2010-06-03 09:17 1213736 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTPCpl.dll
+ 2011-09-23 05:46 . 2010-06-03 09:18 1303728 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTP.sys
+ 2011-08-16 02:35 . 2011-08-16 02:35 5519872 c:\windows\Installer\c2424.msp
+ 2011-09-23 05:46 . 2010-06-03 09:17 10233128 c:\windows\system32\DRVSTORE\synpd_925BCF877E08868EF0F35498F73AC5F6ABD81CEE\SynTPRes.dll
+ 2008-08-13 04:49 . 2008-08-13 04:49 11816960 c:\windows\Installer\c240d.msp
+ 2007-07-26 23:03 . 2007-07-26 23:03 119977472 c:\windows\Installer\c2408.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-09-21 0]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2006-10-18 45056]
"DesktopInfo"="c:\windows\options\bginfo.exe" [2005-09-06 741421]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-18 82224]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-05 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableChangePassword"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-03-01 09:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-18663\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-18663\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-18663\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-52154\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-52154\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-52154\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-59701\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-59701\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-59701\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-66300\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-66300\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-66300\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72873\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72873\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72873\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72912\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72912\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-72912\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-7728\Scripts\Logoff\0\0]
"Script"=c:\windows\Options\SOEUpdates\System\SOEUpdate.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-7728\Scripts\Logoff\0\1]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-185431370-872621613-1041720472-7728\Scripts\Logon\0\0]
"Script"=c:\windows\Options\Profile\Profile.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [31/10/2008 10:03 AM 24064]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [24/05/2007 10:12 AM 34671]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/07/2011 2:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [13/07/2011 7:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 9:38 AM 116608]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [12/06/2008 12:21 PM 1164536]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [23/05/2005 2:47 PM 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [9/05/2006 10:59 AM 167936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [14/10/2006 6:02 AM 122056]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2/07/2009 3:51 PM 17456]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [12/03/2009 1:07 PM 49152]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2/07/2009 3:51 PM 670128]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [12/03/2009 1:07 PM 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [1/09/2011 5:01 PM 61440]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [12/06/2008 2:40 PM 477696]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [23/05/2005 2:11 PM 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [31/10/2008 10:00 AM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/09/2009 11:56 AM 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2/07/2009 3:51 PM 2041904]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [31/10/2008 10:04 AM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [31/10/2008 9:59 AM 47616]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 6:19 PM 13592]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [21/10/2009 3:57 PM 113664]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2/07/2009 3:51 PM 14924]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [13/02/2010 7:32 AM 194304]
S3 SWNC8U52;Sierra Wireless MUX NDIS Driver (UMTS52);c:\windows\system32\drivers\swnc8u52.sys [21/09/2007 3:47 PM 164480]
S3 SWUMX52;Sierra Wireless USB MUX Driver (UMTS52);c:\windows\system32\drivers\swumx52.sys [21/09/2007 3:48 PM 140672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2004-08-05 05:00 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 08:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com.au/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 21:04
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\MSGinaExtension.dll
c:\windows\system32\RestrictedBrowserDLL.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3752)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-23 21:05:43
ComboFix-quarantined-files.txt 2011-09-23 11:05
ComboFix2.txt 2011-09-22 21:30
ComboFix3.txt 2011-09-22 02:36
ComboFix4.txt 2011-09-17 07:40
ComboFix5.txt 2011-09-23 10:59
.
Pre-Run: 16,479,670,272 bytes free
Post-Run: 16,600,350,720 bytes free
.
- - End Of File - - 3EE0EDF1473F4747E98D1C53B86FAEB5
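
As an added example (not code from this thread, from ComboFix or from its author): a small Python parser for the REGEDIT4-style "Reg Loading Points" section that ComboFix prints in the log above, which pulls out the autostart entries and flags the Security Center and firewall values that weaken a host (on a domain-joined, policy-managed machine such values may be set deliberately, so they are items to verify, not verdicts). The sample section is constructed in the same format; the value notations handled (`dword:00000001`, `1 (0x1)`, `"path" [date size]`) are the ones the log uses.

```python
import re

# Constructed sample in the shape of a ComboFix "Reg Loading Points" section
# (REGEDIT4 style). Same format as the log in this thread, not its data.
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                    # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "Name"=value
DWORD_RE = re.compile(r'^dword:([0-9a-fA-F]{8})$')    # dword:00000001
INT_RE = re.compile(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$')  # 1 (0x1)
PATH_RE = re.compile(r'^"([^"]+)"\s*\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$')  # "path" [date size]

def parse_value(raw):
    """Turn ComboFix's value notation into an int where it is numeric."""
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = INT_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw  # string values (paths, names) are kept verbatim

def parse_reg_section(text):
    """Return {key (lower-cased): {value_name: value}} for a REGEDIT4-style section."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line in ('', '.', 'REGEDIT4'):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith('@='):  # default value of the key
            entries[current]['@'] = line[2:].strip('"')
            continue
        vm = VALUE_RE.match(line)
        if vm:
            entries[current][vm.group(1)] = parse_value(vm.group(2))
    return entries

# Settings that weaken the host when set this way: (key suffix, value, expected, note).
# Domain policy sets some of these on managed machines, so treat them as review items.
CHECKS = [
    ('security center', 'AntiVirusOverride', 0, 'Security Center AV state overridden'),
    ('security center', 'FirewallOverride', 0, 'Security Center firewall state overridden'),
    (r'firewallpolicy\standardprofile', 'EnableFirewall', 1,
     'Windows Firewall disabled in the standard profile'),
    (r'firewallpolicy\standardprofile', 'DisableNotifications', 0,
     'firewall notifications disabled'),
]

def audit(entries):
    """Return (value_name, value, note) for every check that fails."""
    findings = []
    for key, values in entries.items():
        for suffix, name, expected, note in CHECKS:
            if key.endswith(suffix) and name in values and values[name] != expected:
                findings.append((name, values[name], note))
        # Any product key under "security center\Monitoring" with monitoring switched off
        if '\\security center\\monitoring\\' in key and values.get('DisableMonitoring') == 1:
            product = key.rsplit('\\', 1)[1]
            findings.append(('DisableMonitoring', 1,
                             f'Security Center monitoring disabled for {product}'))
    return findings

def autostarts(entries):
    """(key, name, path, size) for every entry under a CurrentVersion\\Run key."""
    out = []
    for key, values in entries.items():
        if not key.endswith('\\currentversion\\run'):
            continue
        for name, raw in values.items():
            m = PATH_RE.match(raw) if isinstance(raw, str) else None
            if m:
                out.append((key, name, m.group(1), int(m.group(3))))
    return out

if __name__ == '__main__':
    parsed = parse_reg_section(SAMPLE_LOG)
    for name, value, note in audit(parsed):
        print(f'REVIEW  {name}={value}: {note}')
    for _key, name, path, size in autostarts(parsed):
        print(f'AUTORUN {name} -> {path} ({size} bytes)')
```
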

#14 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:30 PM

Posted 23 September 2011 - 07:34 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8
Adobe Reader 8.1.2
Java 2 Runtime Environment, SE v1.4.2_05
Java Access Bridge


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 tryhard

  • Topic Starter

  • Members
  • 58 posts
  • Gender:Male
  • Location:Brisbane Qld Oz
  • Local time:09:30 AM

Posted 23 September 2011 - 04:46 PM

Hi Gringo

1. Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7784

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

24/09/2011 7:27:21 AM
mbam-log-2011-09-24 (07-27-21).txt

Scan type: Quick scan
Objects scanned: 260821
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:34:07 AM, on 24/09/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [DesktopInfo] C:\WINDOWS\options\bginfo.exe C:\WINDOWS\options\desktop.bgi /timer:0
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.Exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://cityweb.bcc.qld.gov.au
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.bcc.qld.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = ad.bcc.qld.gov.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Unknown owner - C:\Program Files\UPHClean\uphclean.exe (file missing)
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7328 bytes


3. Java Bridge did not want to give up without a fight. Have lost the scroll function on the laptop touchpad again.

4. Machine seems to be running just fine, probably a bit better than it has for a while.



Cheers

Dave



