
Google redirect virus rootkit.win32.zaccess.e


  • This topic is locked
21 replies to this topic

#1 jw621

jw621

  • Members
  • 10 posts

Posted 19 October 2011 - 09:50 PM

I was having the typical Google redirect issues. I have an HP Mini netbook. I tried running a few antivirus programs to figure out the issue; most wouldn't run the scan at all, or shut down and now cannot be accessed. I then ran TDSSKiller to find out what it is (it shows up in the log as 123.com.exe since I had to rename it to get it to run). It came up as rootkit.win32.zaccess.e as the issue. It cannot cure the issue. I also tried to run the GMER scan; the program unzipped but shut down mid-scan and then will not let me reopen, delete or run it now. I've used both links in the guide from this website. Please help!! Thanks so much.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Joanne at 21:13:22 on 2011-10-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.448 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\4093146853:445187852.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Hewlett-Packard\HP CloudDrive\zumodrive.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Joanne\Desktop\123.com.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [DTRun] c:\program files\arcsoft\totalmedia theatre 3\uDTRun.exe
mRun: [ZumoDrive] "c:\program files\hewlett-packard\hp clouddrive\ZumoLauncher.lnk"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpmedi~1.lnk - c:\program files\hewlett-packard\hp media suite\home\ArcStart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
TCP: Interfaces\{D177DB0E-5623-457D-A111-5702B01A9B03} : DhcpNameServer = 97.64.183.164 97.64.209.37
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B} - c:\program files\hewlett-packard\hp media suite\home\quicklaunch.exe "c:\program files\hewlett-packard\hp media suite\home\HPMediaSuite.lnk" 2
.
============= SERVICES / DRIVERS ===============
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-6-2 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-6-2 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2009-12-28 106096]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-6-3 131584]
R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-6-2 25584]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-6-2 113664]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\saibsvc.exe --> c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [?]
S2 Arcsoft Security Service;Arcsoft Security Service;c:\program files\arcsoft\totalmedia theatre 3\arcsecurity.exe --> c:\program files\arcsoft\totalmedia theatre 3\ArcSecurity.exe [?]
S2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2010-2-4 211440]
S2 DvmMDES;DeviceVM Meta Data Export Service;"c:\swsetup\quickweb\qw.sys\config\dvmexportservice.exe" --> c:\swsetup\quickweb\qw.sys\config\DVMExportService.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;"c:\program files\hewlett-packard\hp wireless assistant\hpwa_service.exe" --> c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 Com4QLBEx;Com4QLBEx;"c:\program files\hewlett-packard\hp quick launch buttons\com4qlbex.exe" --> c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-6-2 186912]
.
=============== Created Last 30 ================
.
2011-10-19 03:11:28 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-19 03:11:02 41184 ------w- c:\windows\avastSS.scr
2011-10-19 03:10:47 -------- d-----w- c:\program files\AVAST Software
2011-10-19 03:10:47 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-10-19 02:55:47 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-19 02:55:37 -------- d-----w- c:\documents and settings\joanne\application data\Malwarebytes
2011-10-19 02:55:23 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-19 02:55:19 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-19 02:55:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-19 02:06:45 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-19 01:59:50 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:20 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 16:41:14 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 21:14:33.21 ===============


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 October 2011 - 07:22 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 jw621

jw621
  • Topic Starter

  • Members
  • 10 posts

Posted 21 October 2011 - 12:43 PM

Ok - replying from work computer - having an issue. ComboFix is on its 2nd time trying to reboot. It has the window up that says: Rebooting your machine...please wait. Let ComboFix reboot your machine, do not manually restart.

It has been like this for going on 2 hours now. Just that exact message up. I'm waiting, but not seeing any changes...

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 October 2011 - 01:26 PM

go ahead and restart


gringo

#5 jw621

jw621
  • Topic Starter

  • Members
  • 10 posts

Posted 21 October 2011 - 01:42 PM

Ok - well it's still redirecting about 1 out of 4 times. Here is the log:

ComboFix 11-10-21.02 - Joanne 10/21/2011 11:13:28.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.690 [GMT -5:00]
Running from: c:\documents and settings\Joanne\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\d3d9caps.dat
.
c:\windows\system32\drivers\archlp.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\msiexec.exe
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe . . . is infected!!
c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe . . . is infected!!
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_e576f8f3
.
.
((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
.
.
2011-10-20 02:26 . 2011-10-20 02:26 -------- d--h--w- c:\windows\PIF
2011-10-19 03:11 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-10-19 03:11 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-10-19 03:11 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-19 03:11 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-10-19 03:11 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-10-19 03:11 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-10-19 03:11 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-10-19 03:11 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-10-19 03:11 . 2011-09-06 20:45 41184 ------w- c:\windows\avastSS.scr
2011-10-19 03:11 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-10-19 03:10 . 2011-10-19 03:10 -------- d-----w- c:\program files\AVAST Software
2011-10-19 03:10 . 2011-10-19 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-10-19 02:55 . 2011-10-19 02:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\documents and settings\Joanne\Application Data\Malwarebytes
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-19 02:55 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-19 02:06 . 2011-10-19 02:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-19 01:59 . 2011-10-19 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-26 16:41 . 2011-09-26 16:41 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2011-09-26 16:41 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2011-09-26 16:41 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 16:41 . 2011-09-26 16:41 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 16:41 . 2011-09-26 16:41 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2011-09-09 09:12 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2011-09-06 13:20 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-01-22 2363392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-18 17360520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-16 1721640]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-30 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-30 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-30 141336]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 323640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-04-05 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-16 196608]
"DTRun"="c:\program files\ArcSoft\TotalMedia Theatre 3\uDTRun.exe" [2009-12-10 518656]
"ZumoDrive"="c:\program files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2010-07-19 1733]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
HP Media Suite.lnk - c:\program files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe [2010-4-1 91648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP CloudDrive\\zumodrive.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{68550918-63B5-4762-85CB-3C160AA4B213}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Macrovision\\FLEXnet Connect\\11\\agent.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
"c:\\Documents and Settings\\Joanne\\Desktop\\123.com.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Java™ Platform SE binary
"8182:TCP"= 8182:TCP:Java™ Platform SE binary
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/2/2010 8:11 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/2/2010 8:11 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [12/28/2009 1:17 AM 106096]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [6/3/2009 4:17 PM 131584]
R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [11/11/2009 3:09 PM 18136]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/2/2010 8:11 PM 25584]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/2/2010 6:53 PM 113664]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe --> c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [?]
S2 Arcsoft Security Service;Arcsoft Security Service;c:\program files\ArcSoft\TotalMedia Theatre 3\ArcSecurity.exe --> c:\program files\ArcSoft\TotalMedia Theatre 3\ArcSecurity.exe [?]
S2 BOTService;BOTService;"c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe" --> c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [?]
S2 DvmMDES;DeviceVM Meta Data Export Service;"c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe" --> c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 10:30 PM 136176]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;"c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe" --> c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 Com4QLBEx;Com4QLBEx;"c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe" --> c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 10:30 PM 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [6/2/2010 6:54 PM 186912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 16:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B}]
2010-03-26 23:27 200769 ----a-w- c:\program files\Hewlett-Packard\HP Media Suite\Home\QuickLaunch.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2010-02-04 19:00]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 03:30]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 03:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-AESTFltr - c:\windows\system32\AESTFltr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-21 13:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB57978$:SummaryInformation 0 bytes hidden from API
c:\windows\4093146853:445187852.exe 816 bytes executable
.
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\4093146853:445187852.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\HP CloudDrive\zumodrive.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
.
**************************************************************************
.
Completion time: 2011-10-21 13:34:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-21 18:34
.
Pre-Run: 132,581,015,552 bytes free
Post-Run: 133,871,194,112 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7D6FAF9C93774D015ACC43D72C443EFC

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:10 PM

Posted 21 October 2011 - 01:49 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\4093146853
c:\windows\4093146853:445187852.exe

Folder::
c:\windows\$NtUninstallKB57978$

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 jw621 (Topic Starter)

  • Members
  • 10 posts
  • Local time:01:10 PM

Posted 21 October 2011 - 03:09 PM

OK, still having the redirect issue. Had the same problem with ComboFix stalling out when trying to reboot the 2nd time, so I did a manual reboot again, this time after 1 hour of sitting. During the second time of it running I got 2 error messages saying PEV.exe had to shut down. Here is the log:

ComboFix 11-10-21.03 - Joanne 10/21/2011 14:06:19.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.694 [GMT -5:00]
Running from: c:\documents and settings\Joanne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joanne\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\4093146853"
"c:\windows\4093146853:445187852.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
.
c:\windows\system32\drivers\archlp.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_e576f8f3
.
.
((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
.
.
2011-10-20 02:26 . 2011-10-20 02:26 -------- d--h--w- c:\windows\PIF
2011-10-19 03:11 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-10-19 03:11 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-10-19 03:11 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-19 03:11 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-10-19 03:11 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-10-19 03:11 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-10-19 03:11 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-10-19 03:11 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-10-19 03:11 . 2011-09-06 20:45 41184 ------w- c:\windows\avastSS.scr
2011-10-19 03:11 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-10-19 03:10 . 2011-10-19 03:10 -------- d-----w- c:\program files\AVAST Software
2011-10-19 03:10 . 2011-10-19 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-10-19 02:55 . 2011-10-19 02:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\documents and settings\Joanne\Application Data\Malwarebytes
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-19 02:55 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-19 02:06 . 2011-10-19 02:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-19 01:59 . 2011-10-19 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-26 16:41 . 2011-09-26 16:41 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2011-09-26 16:41 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2011-09-26 16:41 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 16:41 . 2011-09-26 16:41 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 16:41 . 2011-09-26 16:41 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2011-09-09 09:12 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2011-09-06 13:20 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-01-22 2363392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-18 17360520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-16 1721640]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-30 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-30 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-30 141336]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 323640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-04-05 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-16 196608]
"DTRun"="c:\program files\ArcSoft\TotalMedia Theatre 3\uDTRun.exe" [2009-12-10 518656]
"ZumoDrive"="c:\program files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2010-07-19 1733]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
HP Media Suite.lnk - c:\program files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe [2010-4-1 91648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP CloudDrive\\zumodrive.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{68550918-63B5-4762-85CB-3C160AA4B213}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Macrovision\\FLEXnet Connect\\11\\agent.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
"c:\\Documents and Settings\\Joanne\\Desktop\\123.com.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Java™ Platform SE binary
"8182:TCP"= 8182:TCP:Java™ Platform SE binary
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/2/2010 8:11 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/2/2010 8:11 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [12/28/2009 1:17 AM 106096]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [6/3/2009 4:17 PM 131584]
R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [11/11/2009 3:09 PM 18136]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/2/2010 8:11 PM 25584]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/2/2010 6:53 PM 113664]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe --> c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [?]
S2 Arcsoft Security Service;Arcsoft Security Service;c:\program files\ArcSoft\TotalMedia Theatre 3\ArcSecurity.exe --> c:\program files\ArcSoft\TotalMedia Theatre 3\ArcSecurity.exe [?]
S2 BOTService;BOTService;"c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe" --> c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [?]
S2 DvmMDES;DeviceVM Meta Data Export Service;"c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe" --> c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 10:30 PM 136176]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;"c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe" --> c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 Com4QLBEx;Com4QLBEx;"c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe" --> c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 10:30 PM 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [6/2/2010 6:54 PM 186912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 16:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B}]
2010-03-26 23:27 200769 ----a-w- c:\program files\Hewlett-Packard\HP Media Suite\Home\QuickLaunch.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2010-02-04 19:00]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 03:30]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 03:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-21 14:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB57978$:SummaryInformation 0 bytes hidden from API
c:\windows\4093146853:445187852.exe 816 bytes executable
.
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\4093146853:445187852.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\HP CloudDrive\zumodrive.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ROUTE.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
.
**************************************************************************
.
Completion time: 2011-10-21 14:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-21 19:59
ComboFix2.txt 2011-10-21 18:34
.
Pre-Run: 133,724,528,640 bytes free
Post-Run: 133,619,245,056 bytes free
.
- - End Of File - - 2A4D53B5D7D3D1176378DD7D00EEBC19

Thanks again for all the help!!

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:10 PM

Posted 21 October 2011 - 05:59 PM

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    c:\windows\4093146853
  • Press the Create button and post the content of the Result.txt.

    Important: Restart the computer.




I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

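The catchme section of the ComboFix logs above lists c:\windows\4093146853:445187852.exe, a small executable stored in an NTFS alternate data stream: the second colon after the drive letter separates the stream name from its host file, c:\windows\4093146853, which is also the path the DummyCreator step targets. The TDSSKiller log posted later in the thread flags archlp.sys as "Forged" and prints two different MD5s for the same file, and it reports the same service name, e576f8f3, that ComboFix lists under Drivers/Services. The script below pulls those indicators out of the two log formats. It is an added example written for this page, not code from ComboFix, TDSSKiller or anyone in the thread; the sample lines are copied from the logs in this thread, and the Finding fields and function names are this example's own.

```python
"""Triage helper for the two log formats relied on in this thread (ComboFix with its
catchme section, and TDSSKiller). Added example written for this page; it is not code
from either tool or from the thread. The sample lines are copied from the logs posted
in the thread; the Finding fields and function names are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    source: str   # "combofix", "catchme" or "tdsskiller"
    kind: str     # ads, ads_process, hidden_file, infected, service_removed, forged, detected
    subject: str  # file path or service name the line is about
    detail: str   # size and note, threat name, or the two hashes


WINPATH = r"[A-Za-z]:\\"                               # drive letter plus root backslash
TDSS_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"    # e.g. "18:45:48.0218 2476 "

PATTERNS = [
    # catchme: "<path> <n> bytes <note>"
    ("catchme", "hidden_file",
     re.compile(r"^(?P<path>" + WINPATH + r".+?)\s+(?P<size>\d+) bytes\s*(?P<note>.*)$")),
    # ComboFix: "<path> . . . is infected!! . . . <note>"
    ("combofix", "infected",
     re.compile(r"^(?P<path>" + WINPATH + r".+?) \. \. \. is infected!!(?: \. \. \. (?P<note>.*))?$")),
    # ComboFix Drivers/Services section: "-------\Service_<name>"
    ("combofix", "service_removed", re.compile(r"^-------\\Service_(?P<name>\S+)$")),
    # TDSSKiller: two hashes for one file
    ("tdsskiller", "forged",
     re.compile(TDSS_PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")),
    # TDSSKiller: "<service> - detected <threat> (n)"
    ("tdsskiller", "detected",
     re.compile(TDSS_PREFIX + r"(?P<name>\S+) - detected (?P<threat>\S+)")),
]


def split_ads(path: str) -> Optional[Tuple[str, str]]:
    r"""Return (host_file, stream_name) when `path` names an NTFS alternate data
    stream, else None. The drive colon sits at index 1; any later colon separates
    the host file from the stream name (c:\windows\4093146853:445187852.exe)."""
    idx = path.find(":", 2)
    if idx == -1:
        return None
    return path[:idx], path[idx + 1:]


def _to_finding(source: str, kind: str, g: Dict[str, Optional[str]]) -> Finding:
    if kind == "hidden_file":
        ads = split_ads(g["path"])
        note = f"size={g['size']} {g['note']}".strip()
        if ads:
            return Finding(source, "ads", g["path"], f"host={ads[0]} stream={ads[1]} {note}")
        return Finding(source, kind, g["path"], note)
    if kind == "infected":
        return Finding(source, kind, g["path"], g["note"] or "")
    if kind == "service_removed":
        return Finding(source, kind, g["name"], "")
    if kind == "forged":
        return Finding(source, kind, g["path"], f"real_md5={g['real']} fake_md5={g['fake']}")
    return Finding(source, kind, g["name"], g["threat"])   # "detected"


def triage(log_text: str) -> List[Finding]:
    """Scan pasted log text line by line and return every indicator found."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for source, kind, pat in PATTERNS:
            m = pat.match(line)
            if m:
                findings.append(_to_finding(source, kind, m.groupdict()))
                break
        else:
            # Bare path lines (ComboFix "Other Running Processes"): a process whose
            # image lives in an alternate data stream gets its own finding.
            if re.fullmatch(WINPATH + r".+", line) and split_ads(line):
                findings.append(Finding("combofix", "ads_process", line,
                                        "process image is an alternate data stream"))
    return findings


def ads_hosts(findings: List[Finding]) -> List[str]:
    """Host files carrying the alternate data streams seen in the findings."""
    return sorted({split_ads(f.subject)[0] for f in findings if f.kind in ("ads", "ads_process")})


def correlate_services(findings: List[Finding]) -> List[str]:
    """Service names both removed by ComboFix and detected by TDSSKiller."""
    removed = {f.subject for f in findings if f.kind == "service_removed"}
    detected = {f.subject for f in findings if f.kind == "detected"}
    return sorted(removed & detected)


# Constructed sample: lines copied from the ComboFix and TDSSKiller logs in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\archlp.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\wuauclt.exe . . . is infected!!
-------\Service_e576f8f3
c:\windows\$NtUninstallKB57978$:SummaryInformation 0 bytes hidden from API
c:\windows\4093146853:445187852.exe 816 bytes executable
c:\windows\4093146853:445187852.exe
c:\windows\system32\igfxsrvc.exe
18:45:48.0203 2476 archlp (f62c4729d0462253e80491d119cdf61f) C:\WINDOWS\system32\drivers\archlp.sys
18:45:48.0218 2476 Suspicious file (Forged): C:\WINDOWS\system32\drivers\archlp.sys. Real md5: f62c4729d0462253e80491d119cdf61f, Fake md5: 20da1dc31893e1ad82a9c79011f5b344
18:45:48.0218 2476 archlp ( Rootkit.Win32.ZAccess.e ) - infected
18:45:48.0218 2476 archlp - detected Rootkit.Win32.ZAccess.e (0)
18:45:48.0234 2476 asc - ok
18:45:49.0687 2476 e576f8f3 - detected Rootkit.Win32.PMax.gen (0)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.source:10} {f.kind:16} {f.subject}  {f.detail}")
    print("ADS host files:", ads_hosts(found))
    print("services seen by both tools:", correlate_services(found))
```

Run against the sample, the parser returns nine findings: the two ComboFix "is infected" files, the removed service, the two catchme alternate data streams (including the zero-byte SummaryInformation stream on the $NtUninstall folder), the running process backed by a stream, the forged driver with both hashes, and the two TDSSKiller detections; ads_hosts() gives the two host paths and correlate_services() shows e576f8f3 named by both tools. Paste a full log in place of SAMPLE_LOG to triage a real post; lines the patterns do not recognise are simply ignored.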
#9 jw621 (Topic Starter)

  • Members
  • 10 posts
  • Local time:01:10 PM

Posted 21 October 2011 - 06:55 PM

OK, results of those are here:

dummy log:

DummyCreator by Farbar
Ran by Joanne (administrator) on 21-10-2011 at 18:37:45
**************************************************************

c:\windows\4093146853 [21-10-2011 18:37:45]

== End of log ==

TDSS Killer log:

18:45:42.0906 3068 TDSS rootkit removing tool 2.6.12.0 Oct 21 2011 11:23:48
18:45:43.0296 3068 ============================================================
18:45:43.0296 3068 Current date / time: 2011/10/21 18:45:43.0296
18:45:43.0296 3068 SystemInfo:
18:45:43.0296 3068
18:45:43.0296 3068 OS Version: 5.1.2600 ServicePack: 3.0
18:45:43.0296 3068 Product type: Workstation
18:45:43.0296 3068 ComputerName: WOODWARD
18:45:43.0296 3068 UserName: Joanne
18:45:43.0296 3068 Windows directory: C:\WINDOWS
18:45:43.0296 3068 System windows directory: C:\WINDOWS
18:45:43.0296 3068 Processor architecture: Intel x86
18:45:43.0296 3068 Number of processors: 2
18:45:43.0296 3068 Page size: 0x1000
18:45:43.0296 3068 Boot type: Normal boot
18:45:43.0296 3068 ============================================================
18:45:43.0781 3068 Initialize success
18:45:47.0000 2476 ============================================================
18:45:47.0000 2476 Scan started
18:45:47.0000 2476 Mode: Manual;
18:45:47.0000 2476 ============================================================
18:45:47.0468 2476 Abiosdsk - ok
18:45:47.0562 2476 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
18:45:47.0578 2476 abp480n5 - ok
18:45:47.0625 2476 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:45:47.0625 2476 ACPI - ok
18:45:47.0640 2476 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
18:45:47.0640 2476 ACPIEC - ok
18:45:47.0687 2476 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
18:45:47.0703 2476 adpu160m - ok
18:45:47.0734 2476 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:45:47.0750 2476 aec - ok
18:45:47.0796 2476 AESTAud (822d53766d57c90c437536232ece9023) C:\WINDOWS\system32\drivers\AESTAud.sys
18:45:47.0796 2476 AESTAud - ok
18:45:47.0859 2476 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:45:47.0875 2476 AFD - ok
18:45:47.0906 2476 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
18:45:47.0906 2476 agp440 - ok
18:45:47.0921 2476 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
18:45:47.0937 2476 agpCPQ - ok
18:45:47.0953 2476 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
18:45:47.0953 2476 Aha154x - ok
18:45:47.0984 2476 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
18:45:47.0984 2476 aic78u2 - ok
18:45:48.0031 2476 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
18:45:48.0031 2476 aic78xx - ok
18:45:48.0078 2476 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
18:45:48.0078 2476 AliIde - ok
18:45:48.0093 2476 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
18:45:48.0109 2476 alim1541 - ok
18:45:48.0125 2476 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
18:45:48.0125 2476 amdagp - ok
18:45:48.0140 2476 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
18:45:48.0156 2476 amsint - ok
18:45:48.0203 2476 archlp (f62c4729d0462253e80491d119cdf61f) C:\WINDOWS\system32\drivers\archlp.sys
18:45:48.0218 2476 Suspicious file (Forged): C:\WINDOWS\system32\drivers\archlp.sys. Real md5: f62c4729d0462253e80491d119cdf61f, Fake md5: 20da1dc31893e1ad82a9c79011f5b344
18:45:48.0218 2476 archlp ( Rootkit.Win32.ZAccess.e ) - infected
18:45:48.0218 2476 archlp - detected Rootkit.Win32.ZAccess.e (0)
18:45:48.0234 2476 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
18:45:48.0234 2476 asc - ok
18:45:48.0281 2476 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
18:45:48.0281 2476 asc3350p - ok
18:45:48.0296 2476 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
18:45:48.0296 2476 asc3550 - ok
18:45:48.0343 2476 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:45:48.0343 2476 AsyncMac - ok
18:45:48.0375 2476 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:45:48.0375 2476 atapi - ok
18:45:48.0390 2476 Atdisk - ok
18:45:48.0421 2476 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:45:48.0421 2476 Atmarpc - ok
18:45:48.0453 2476 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:45:48.0453 2476 audstub - ok
18:45:48.0593 2476 BCM43XX (5d4893633b7161fa25500eb7aeabec94) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
18:45:48.0671 2476 BCM43XX - ok
18:45:48.0687 2476 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:45:48.0703 2476 Beep - ok
18:45:48.0750 2476 BRCMDECO (4f4b36b401f03178f805b1fde1b030d4) C:\WINDOWS\system32\DRIVERS\BRCMHD32.sys
18:45:48.0765 2476 BRCMDECO - ok
18:45:48.0875 2476 catchme - ok
18:45:48.0906 2476 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
18:45:48.0906 2476 cbidf - ok
18:45:48.0937 2476 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:45:48.0937 2476 cbidf2k - ok
18:45:49.0000 2476 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:45:49.0000 2476 CCDECODE - ok
18:45:49.0015 2476 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
18:45:49.0031 2476 cd20xrnt - ok
18:45:49.0046 2476 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:45:49.0046 2476 Cdaudio - ok
18:45:49.0078 2476 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:45:49.0078 2476 Cdfs - ok
18:45:49.0109 2476 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:45:49.0125 2476 Cdrom - ok
18:45:49.0125 2476 Changer - ok
18:45:49.0203 2476 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
18:45:49.0218 2476 CmBatt - ok
18:45:49.0218 2476 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
18:45:49.0234 2476 CmdIde - ok
18:45:49.0250 2476 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
18:45:49.0250 2476 Compbatt - ok
18:45:49.0281 2476 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
18:45:49.0281 2476 Cpqarray - ok
18:45:49.0312 2476 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
18:45:49.0312 2476 dac2w2k - ok
18:45:49.0328 2476 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
18:45:49.0328 2476 dac960nt - ok
18:45:49.0359 2476 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:45:49.0359 2476 Disk - ok
18:45:49.0406 2476 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:45:49.0437 2476 dmboot - ok
18:45:49.0453 2476 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:45:49.0453 2476 dmio - ok
18:45:49.0468 2476 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:45:49.0484 2476 dmload - ok
18:45:49.0546 2476 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:45:49.0546 2476 DMusic - ok
18:45:49.0562 2476 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
18:45:49.0562 2476 dpti2o - ok
18:45:49.0593 2476 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:45:49.0593 2476 drmkaud - ok
18:45:49.0640 2476 DVMIO (ff7a7a1e0f9a0ab892a454ffb9d14bbe) C:\WINDOWS\system32\DRIVERS\dvmio.sys
18:45:49.0640 2476 DVMIO - ok
18:45:49.0687 2476 e576f8f3 ( Rootkit.Win32.PMax.gen ) - infected
18:45:49.0687 2476 e576f8f3 - detected Rootkit.Win32.PMax.gen (0)
18:45:49.0734 2476 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:45:49.0734 2476 Fastfat - ok
18:45:49.0765 2476 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:45:49.0781 2476 Fdc - ok
18:45:49.0796 2476 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:45:49.0796 2476 Fips - ok
18:45:49.0812 2476 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:45:49.0812 2476 Flpydisk - ok
18:45:49.0859 2476 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:45:49.0859 2476 FltMgr - ok
18:45:55.0656 2476 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
18:45:55.0671 2476 \Device\Harddisk0\DR0 - ok
18:45:55.0687 2476 Boot (0x1200) (86e2971f15e74a03f066e0429cf57d71) \Device\Harddisk0\DR0\Partition0
18:45:55.0687 2476 \Device\Harddisk0\DR0\Partition0 - ok
18:45:55.0687 2476 ============================================================
18:45:55.0687 2476 Scan finished
18:45:55.0687 2476 ============================================================
18:45:55.0703 2896 Detected object count: 2
18:45:55.0703 2896 Actual detected object count: 2
18:46:00.0421 2896 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\ArcHlp.sys) error 1813
18:46:04.0468 2896 Backup copy not found, trying to cure infected file..
18:46:04.0468 2896 C:\WINDOWS\system32\drivers\archlp.sys - Cure failed (FFFFFFFF)
18:46:04.0468 2896 C:\WINDOWS\system32\drivers\archlp.sys - processing error
18:46:04.0468 2896 archlp ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
18:46:04.0484 2896 HKLM\SYSTEM\ControlSet001\services\e576f8f3 - will be deleted on reboot
18:46:04.0500 2896 HKLM\SYSTEM\ControlSet002\services\e576f8f3 - will be deleted on reboot
18:46:04.0500 2896 HKLM\SYSTEM\ControlSet003\services\e576f8f3 - will be deleted on reboot
18:46:04.0515 2896 C:\WINDOWS\4093146853:445187852.exe - will be deleted on reboot
18:46:04.0515 2896 e576f8f3 ( Rootkit.Win32.PMax.gen ) - User select action: Delete
18:46:17.0718 3056 Deinitialize success

#10 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 October 2011 - 09:27 PM

Rerun ComboFix once more, please.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 jw621

  • Topic Starter

  • Members
  • 10 posts

Posted 21 October 2011 - 10:19 PM

ComboFix went much better this time, didn't take as long and never stalled out. Also, the computer is now, as far as I can tell, not doing the redirect. I do get an error message saying HP Wireless Assistant cannot find information and has to shut down (but this doesn't seem to affect anything and just shuts down, just something that wasn't happening before this virus). Here is the log.

ComboFix 11-10-21.06 - Joanne 10/21/2011 21:52:25.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.691 [GMT -5:00]
Running from: c:\documents and settings\Joanne\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB57978$\2241262803
c:\windows\$NtUninstallKB57978$\3849779443\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB57978$\3849779443\click.tlb
c:\windows\$NtUninstallKB57978$\3849779443\L\yoaqmkmv
c:\windows\$NtUninstallKB57978$\3849779443\loader.tlb
c:\windows\$NtUninstallKB57978$\3849779443\U\@00000001
c:\windows\$NtUninstallKB57978$\3849779443\U\@000000c0
c:\windows\$NtUninstallKB57978$\3849779443\U\@000000cb
c:\windows\$NtUninstallKB57978$\3849779443\U\@000000cf
c:\windows\$NtUninstallKB57978$\3849779443\U\@80000000
c:\windows\$NtUninstallKB57978$\3849779443\U\@800000c0
c:\windows\$NtUninstallKB57978$\3849779443\U\@800000cb
c:\windows\$NtUninstallKB57978$\3849779443\U\@800000cf
c:\windows\4093146853
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\$NtUninstallKB57978$ . . . . Failed to delete
.
c:\windows\system32\drivers\archlp.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-09-22 to 2011-10-22 )))))))))))))))))))))))))))))))
.
.
2011-10-21 23:54 . 2011-10-21 23:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-10-20 02:26 . 2011-10-20 02:26 -------- d--h--w- c:\windows\PIF
2011-10-19 03:11 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-10-19 03:11 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-10-19 03:11 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-19 03:11 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-10-19 03:11 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-10-19 03:11 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-10-19 03:11 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-10-19 03:11 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-10-19 03:11 . 2011-09-06 20:45 41184 ------w- c:\windows\avastSS.scr
2011-10-19 03:11 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-10-19 03:10 . 2011-10-19 03:10 -------- d-----w- c:\program files\AVAST Software
2011-10-19 03:10 . 2011-10-19 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-10-19 02:55 . 2011-10-19 02:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\documents and settings\Joanne\Application Data\Malwarebytes
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-19 02:55 . 2011-10-19 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-19 02:55 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-19 02:06 . 2011-10-19 02:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-19 01:59 . 2011-10-19 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-26 16:41 . 2011-09-26 16:41 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2011-09-26 16:41 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2011-09-26 16:41 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 16:41 . 2011-09-26 16:41 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 16:41 . 2011-09-26 16:41 20480 ------w- c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2011-09-09 09:12 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2011-09-06 13:20 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-03-28 22:22 718848 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-01-22 2363392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-18 17360520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-16 1721640]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-30 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-30 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-30 141336]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 323640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-04-05 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-02-26 495708]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-16 196608]
"DTRun"="c:\program files\ArcSoft\TotalMedia Theatre 3\uDTRun.exe" [2009-12-10 518656]
"ZumoDrive"="c:\program files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2010-07-19 1733]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
HP Media Suite.lnk - c:\program files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe [2010-4-1 91648]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP CloudDrive\\zumodrive.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{68550918-63B5-4762-85CB-3C160AA4B213}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Macrovision\\FLEXnet Connect\\11\\agent.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
"c:\\Documents and Settings\\Joanne\\Desktop\\123.com.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Java™ Platform SE binary
"8182:TCP"= 8182:TCP:Java™ Platform SE binary
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/2/2010 8:11 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/2/2010 8:11 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [12/28/2009 1:17 AM 106096]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [6/3/2009 4:17 PM 131584]
R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [11/11/2009 3:09 PM 18136]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/2/2010 8:11 PM 25584]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/2/2010 6:53 PM 113664]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe --> c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [?]
S2 Arcsoft Security Service;Arcsoft Security Service;c:\program files\ArcSoft\TotalMedia Theatre 3\ArcSecurity.exe --> c:\program files\ArcSoft\TotalMedia Theatre 3\ArcSecurity.exe [?]
S2 BOTService;BOTService;"c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe" --> c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [?]
S2 DvmMDES;DeviceVM Meta Data Export Service;"c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe" --> c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 10:30 PM 136176]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;"c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe" --> c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 Com4QLBEx;Com4QLBEx;"c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe" --> c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 10:30 PM 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [6/2/2010 6:54 PM 186912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 16:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B}]
2010-03-26 23:27 200769 ----a-w- c:\program files\Hewlett-Packard\HP Media Suite\Home\QuickLaunch.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2010-02-04 19:00]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 03:30]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 03:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-41775004.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-21 22:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\HP CloudDrive\zumodrive.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
.
**************************************************************************
.
Completion time: 2011-10-21 22:14:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-22 03:14
ComboFix2.txt 2011-10-21 19:59
ComboFix3.txt 2011-10-21 18:34
.
Pre-Run: 133,321,674,752 bytes free
Post-Run: 133,478,662,144 bytes free
.
- - End Of File - - 8F538A5F03643FFB480F1E377C40F867

Thanks again for all your time!!!

#12 gringo_pr (Bleepin Gringo; Malware Response Team; 136,772 posts; Puerto Rico)

Posted 22 October 2011 - 03:06 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
archlp.sys
wuauclt.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 jw621 (Topic Starter; Members; 10 posts)

Posted 22 October 2011 - 08:03 AM

Ok- here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 07:56 on 22/10/2011 by Joanne
Administrator - Elevation successful

========== filefind ==========

Searching for "archlp.sys"
C:\System Rollback Data\Restore\Archive\00000060\00000001\0\Attrib\WINDOWS\system32\drivers\ArcHlp.sys --a---- 0 bytes [21:17 03/06/2009] [21:17 03/06/2009] D41D8CD98F00B204E9800998ECF8427E
C:\System Rollback Data\Restore\Archive\00000060\00000001\0\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] 20DA1DC31893E1AD82A9C79011F5B344
C:\System Rollback Data\Restore\Archive\00000061\00000060\13\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Archive\00000061\00000060\6\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Archive\00000061\00000060\7\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Archive\00000061\00000060\8\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Archive\00000061\00000060\9\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\10\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\11\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\12\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\13\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\14\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\15\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\16\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\17\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\18\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\19\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\2\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\20\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\21\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\23\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\24\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\25\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\26\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\27\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\28\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\29\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\3\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\30\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\4\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\5\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\6\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\7\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\8\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\9\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F

Searching for "wuauclt.exe"
C:\System Rollback Data\Restore\Archive\00000060\00000001\0\Target\WINDOWS\system32\wuauclt.exe --a---- 111104 bytes [12:00 15/04/2008] [12:00 15/04/2008] ED7262E52C31CF1625B65039102BC16C
C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [00:24 07/08/2009] [00:24 07/08/2009] C1BD669C43A9EF205C1568DC7183FAA8

-= EOF =-
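The log above is what gringo's `:filefind` request produces: every copy of each named file, with size, timestamps and MD5, including the copies Roxio BackOnTrack keeps under `C:\System Rollback Data`. What a responder actually wants from it is the comparison: does the live copy in `system32` hash the same as the archived copies, how many distinct hashes are there, and is any copy empty? The following parser and check are an added example written for this page; they are not part of the thread and not SystemLook's own code. The line format is taken from the log as posted, the sample input is a verbatim excerpt of it (several repeated `ArcHlp.sys` lines dropped), and the assumption that `C:\WINDOWS\system32` is the live location is an assumption of the example.

```python
import hashlib
import re
from collections import defaultdict

# MD5 of zero bytes; any copy reporting this hash has no content at all.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# One SystemLook ":filefind" result line, as seen in the log above:
# C:\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
# i.e. path, 7 attribute flags, size, [created] [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')


def parse_filefind(text):
    """Parse SystemLook filefind output into {searched name: [records]}."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].lower()
            results[current].append(rec)
    return dict(results)


def assess(results, live_prefix=r"c:\windows\system32"):
    """Compare the live copy of each file with the restore-archive copies.

    live_prefix (an assumption of this example) marks which paths count as
    the copy Windows actually loads. For each name: number of copies, number
    of distinct hashes, zero-length copies, the live hash(es), and whether
    the live hash is shared by at least one archived copy.
    """
    report = {}
    for name, recs in results.items():
        live, archived = [], []
        for r in recs:
            (live if r["path"].lower().startswith(live_prefix) else archived).append(r)
        live_hashes = {r["md5"] for r in live}
        archived_hashes = {r["md5"] for r in archived}
        report[name] = {
            "copies": len(recs),
            "distinct_hashes": len({r["md5"] for r in recs}),
            "zero_length": [r["path"] for r in recs
                            if r["size"] == 0 or r["md5"] == EMPTY_MD5],
            "live_hashes": sorted(live_hashes),
            "live_matches_archive": bool(live_hashes & archived_hashes),
        }
    return report


# Verbatim excerpt of the filefind log posted above (repeated ArcHlp.sys
# lines with the same hash omitted).
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "archlp.sys"
C:\System Rollback Data\Restore\Archive\00000060\00000001\0\Attrib\WINDOWS\system32\drivers\ArcHlp.sys --a---- 0 bytes [21:17 03/06/2009] [21:17 03/06/2009] D41D8CD98F00B204E9800998ECF8427E
C:\System Rollback Data\Restore\Archive\00000060\00000001\0\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] 20DA1DC31893E1AD82A9C79011F5B344
C:\System Rollback Data\Restore\Archive\00000061\00000060\13\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\System Rollback Data\Restore\Current\31062\10\Target\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F
C:\WINDOWS\system32\drivers\ArcHlp.sys --a---- 131584 bytes [21:17 03/06/2009] [21:17 03/06/2009] F62C4729D0462253E80491D119CDF61F

Searching for "wuauclt.exe"
C:\System Rollback Data\Restore\Archive\00000060\00000001\0\Target\WINDOWS\system32\wuauclt.exe --a---- 111104 bytes [12:00 15/04/2008] [12:00 15/04/2008] ED7262E52C31CF1625B65039102BC16C
C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [00:24 07/08/2009] [00:24 07/08/2009] C1BD669C43A9EF205C1568DC7183FAA8

-= EOF =-
"""

if __name__ == "__main__":
    for name, info in assess(parse_filefind(SAMPLE_LOG)).items():
        print(name, info)
```

On the excerpt this reports `archlp.sys` with five copies and three distinct hashes, one of them the empty-file hash (the 0-byte copy under `Attrib`), and a live hash that matches the archived copies; `wuauclt.exe` has two copies with two distinct hashes and no archive match. Read the second result with care: the two `wuauclt.exe` copies also differ in size and timestamp, so a different build is one possible explanation, and a hash mismatch against a backup is not by itself evidence of infection. What settles it is comparing the live file against a known-clean copy of the same version from another XP system, which is exactly what the next post asks about.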

#14 gringo_pr (Bleepin Gringo; Malware Response Team; 136,772 posts; Puerto Rico)

Posted 22 October 2011 - 11:31 AM

Hello jw621

I need to know if you have access to another XP computer that we can copy files from


gringo

#15 jw621 (Topic Starter; Members; 10 posts)

Posted 22 October 2011 - 12:19 PM

The only other computer I have at home is my work laptop, and I'm not sure what security settings they have on there - I'm not the "administrator" of the computer, but if that doesn't matter there is that. Otherwise I can go to a friend's house and use theirs. Let me know what you think and I'll figure it out.

Thanks.



