IE Hijacked


  • This topic is locked
70 replies to this topic

#1 redbullpower


  • Members
  • 48 posts

Posted 08 December 2011 - 06:15 AM

After doing a number of scans with Malwarebytes and SUPERAntiSpyware, no malware is detected; however, IE is still being hijacked.
When clicking on the search results from Google, a random webpage is displayed. This does not happen every time, but every 3-4 instances.
This behaviour is not apparent in Firefox.


Here is a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:12:06 AM, on 12/8/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxeccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AirPrint\airprint.exe
C:\xampp\apache\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windy31_Manager\Common\Windy31 GW.exe
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll (filesize 372736 bytes, MD5 17BD4BA2058C38AE1A512AE81F244F38)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75200 bytes, MD5 203A74767EB81F96A5166B1933DB46D0)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (filesize 386264 bytes, MD5 C2591E7BCACBDE2EB6D15CFF5D7432BE)
O2 - BHO: Adobe PDF Link Helper - {44D17824-2A0E-19CE-65BD-247C45EB0A63} - C:\WINDOWS\system32\oledllg.dll (filesize 98304 bytes, MD5 EB4B6A7ECBD0CE61E0F5879074193FB2)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL (filesize 4221328 bytes, MD5 FB8C6A46EAF7585D2CA8583C4C9A8EDF)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 408448 bytes, MD5 B7899C3E21B299D7A3C0DA96CAE340BD)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 342192 bytes, MD5 B2BBF2C1F9A146D80862B4B5488DE0D8)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (filesize 1003576 bytes, MD5 BBD2D60B8F0F0DC68D6211C81B755B6D)
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (filesize 561552 bytes, MD5 A5D08B86E8A437AA6DEAF7A187BF6CA5)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 79648 bytes, MD5 2C003D049CD5E45BB88B6F8583561035)
O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\15.0.874.121\npchrome_frame.dll (filesize 1952824 bytes, MD5 ECFDFAD1F7F7961B8E95811460FCDCC7)
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (filesize 206152 bytes, MD5 6D7C6A0A885B54B18AE2009CF21CBBAB)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll (filesize 372736 bytes, MD5 17BD4BA2058C38AE1A512AE81F244F38)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 342192 bytes, MD5 B2BBF2C1F9A146D80862B4B5488DE0D8)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (filesize 33280 bytes, MD5 037B1E7798960E0420003D05BB577EE6)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe" /background (filesize 754288 bytes, MD5 DBA324211E0CE772AF8CFF2D99A0BB8C)
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices (filesize 91520 bytes, MD5 901AA7A38CE13F14B6BBEC38C0595698)
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" (filesize 17408 bytes, MD5 255E405D801CF01247390F38F92D8042)
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey (filesize 997920 bytes, MD5 D0EBE8F93C70FCA792E241CE268BC837)
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exeC:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [Windy31Install] C:\WINDOWS\RaLaunch.exe "H:\Windy31Install.exe" (filesize 24576 bytes, MD5 0E0284CF90666D1577401D2F0DF8A883)
O4 - HKLM\..\Run: [lxecmon.exe] "C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe" (filesize 770728 bytes, MD5 343D804954F1879B9F1D54D4DF22D36E)
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe" (filesize 148280 bytes, MD5 6A4F2FC608DDA404DF2E5775876630A6)
O4 - HKLM\..\Run: [Lexmark Pro800-Pro900 Series Fax Server] "C:\Program Files\Lexmark Pro800-Pro900 Series\fm3032.exe" /s (filesize 316072 bytes, MD5 6B7E08A53CA89A7E10C6E285457998E4)
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" (filesize 59240 bytes, MD5 F7DD2D785280DB73DC9060F80361BEFB)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 421888 bytes, MD5 0AEE5668EB59912F32FF245BFA72465F)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe (filesize 24183152 bytes, MD5 05A72E267523163ACDB753A6EC36CE2F)
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe (filesize 542264 bytes, MD5 C5B5552E5C1A0079C1F7313E7CC7707E)
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (filesize 123904 bytes, MD5 B5C9F63C01FCFEC3F64EC6A0940A1825)
O4 - Global Startup: Windy31 Manager.lnk = C:\Program Files\Windy31_Manager\Common\Windy31 GW.exe (filesize 548864 bytes, MD5 D184263912DFE16C59E3F59484217032)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (filesize 644496 bytes, MD5 1EE17A713AC4A99763E9A3DC210F9AD0)
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (filesize 644496 bytes, MD5 1EE17A713AC4A99763E9A3DC210F9AD0)
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (filesize 497040 bytes, MD5 1631B83DB38541CAE9F7E206CB91E441)
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (filesize 497040 bytes, MD5 1631B83DB38541CAE9F7E206CB91E441)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1658592 bytes, MD5 F125C0A696480F3D132B1BC736D871BF)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1658592 bytes, MD5 F125C0A696480F3D132B1BC736D871BF)
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwoc.ops.placeware.com/etc/place/OSCAR/SCOpws-c2/5.1.6.246/lib/quicksilver.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://piranha/ProjectServer/objects/pjclient.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://rigs.precisiondrilling.com/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201703285771
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\15.0.874.121\npchrome_frame.dll (filesize 1952824 bytes, MD5 ECFDFAD1F7F7961B8E95811460FCDCC7)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (filesize 49024 bytes, MD5 81E7E920312D372CF57A817049AC7C76)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLLC:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll (filesize 1025024 bytes, MD5 E392E172687BE172F8600C5F41AB03D9)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll (filesize 1025024 bytes, MD5 E392E172687BE172F8600C5F41AB03D9)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXEC:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: AirPrint - Apple Inc. - C:\Program Files\AirPrint\airprint.exeC:\Program Files\AirPrint\airprint.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\httpd.exeC:\xampp\apache\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exec:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GenericMount Helper Service - Unknown owner - E:\Shared\Drivers\GenericMountHelper.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeC:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeC:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeC:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxecCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxecserv.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxecserv.exe
O23 - Service: lxec_device - - C:\WINDOWS\system32\lxeccoms.exeC:\WINDOWS\system32\lxeccoms.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld.exeC:\xampp\mysql\bin\mysqld.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeC:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exeC:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exeC:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exeC:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exeC:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server197\MediaServer.exeC:\Program Files\TVersity\Media Server197\MediaServer.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\xampp\service.exeC:\xampp\service.exe

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 11:35:40 on 2011-12-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2807.1400 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxeccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AirPrint\airprint.exe
C:\xampp\apache\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windy31_Manager\Common\Windy31 GW.exe
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar =
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Adobe PDF Link Helper: {44d17824-2a0e-19ce-65bd-247c45eb0a63} - c:\windows\system32\oledllg.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\15.0.874.121\npchrome_frame.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Orb] "c:\program files\orb networks\orb\bin\OrbLauncher.exe" /background
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Windy31Install] c:\windows\ralaunch.exe "h:\Windy31Install.exe"
mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"
mRun: [Lexmark Pro800-Pro900 Series Fax Server] "c:\program files\lexmark pro800-pro900 series\fm3032.exe" /s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\VPNCLI~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windy3~1.lnk - c:\program files\windy31_manager\common\Windy31 GW.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwoc.ops.placeware.com/etc/place/OSCAR/SCOpws-c2/5.1.6.246/lib/quicksilver.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://piranha/ProjectServer/objects/pjclient.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://rigs.precisiondrilling.com/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201703285771
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38124.2318287037
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.36.1
TCP: Interfaces\{77D8AB80-46BB-4BF3-95F8-18174D886F59} : DhcpNameServer = 192.168.36.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\15.0.874.121\npchrome_frame.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ntb2awb2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2548838&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - TVersitybar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49273
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsla7d32bc2;MpKsla7d32bc2;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7ae0c38-28d1-4066-95ae-f4da4b467f6c}\MpKsla7d32bc2.sys [2011-12-8 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AirPrint;AirPrint;c:\program files\airprint\airprint.exe -s --> c:\program files\airprint\airprint.exe -s [?]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-10-18 19632]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-5-16 20968]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-1-20 21992]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2011-11-2 1473712]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2010-2-16 28672]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-10 4640000]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2010-5-19 127496]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2011-10-13 10064]
S1 MpKsl48cea076;MpKsl48cea076;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{44f850b5-de19-4de2-a872-d4dfa684cccb}\mpksl48cea076.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{44f850b5-de19-4de2-a872-d4dfa684cccb}\MpKsl48cea076.sys [?]
S1 MpKsl7f4fc8ae;MpKsl7f4fc8ae;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d8808f6-26e2-44c6-a0ec-7e6eabc28da6}\mpksl7f4fc8ae.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d8808f6-26e2-44c6-a0ec-7e6eabc28da6}\MpKsl7f4fc8ae.sys [?]
S1 MpKsl9b54010b;MpKsl9b54010b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{75ec1f2d-912c-4b80-9a8e-0d7fe9d0d223}\mpksl9b54010b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{75ec1f2d-912c-4b80-9a8e-0d7fe9d0d223}\MpKsl9b54010b.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-2 130248]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2011-7-8 193192]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe [2007-12-21 62464]
S3 GenericMount Helper Service;GenericMount Helper Service;"e:\shared\drivers\genericmounthelper.exe" --> e:\shared\drivers\GenericMountHelper.exe [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\genericmount.sys --> c:\windows\system32\drivers\GenericMount.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-2 130248]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-2-4 19056]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WebTool;WebTool;c:\progra~1\mi4f93~1\webtool.exe [2007-7-19 705024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-11-4 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-11-4 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-11-4 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-11-4 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-11-4 25704]
S4 SymSnapService;SymSnapService;"e:\shared\drivers\symsnapservice.exe" --> e:\shared\drivers\SymSnapService.exe [?]
.
=============== Created Last 30 ================
.
2011-12-08 09:56:30 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7ae0c38-28d1-4066-95ae-f4da4b467f6c}\MpKsla7d32bc2.sys
2011-12-08 09:56:07 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7ae0c38-28d1-4066-95ae-f4da4b467f6c}\offreg.dll
2011-12-07 14:05:38 6823496 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7ae0c38-28d1-4066-95ae-f4da4b467f6c}\mpengine.dll
2011-12-06 13:13:27 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-12-06 13:12:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-06 13:12:39 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-05 14:03:18 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-05 14:03:16 -------- d-----w- c:\program files\Trend Micro
2011-12-04 13:42:35 -------- d-----w- c:\windows\system32\2060
2011-11-29 11:40:02 -------- d-----w- c:\program files\common files\Common Apps
2011-11-29 11:38:24 -------- d-----w- c:\documents and settings\administrator\application data\B4949
2011-11-29 11:38:04 -------- d-----w- c:\program files\SysTools OST Recovery
2011-11-25 16:10:49 -------- d-----w- c:\program files\Xiph.Org
2011-11-25 16:10:20 -------- d-----w- c:\program files\Conduit
2011-11-25 16:10:10 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Conduit
2011-11-23 13:29:28 -------- d-----w- c:\program files\Stellar Phoenix Password Recovery
2011-11-23 12:47:07 -------- d-----w- c:\program files\NirSoft
2011-11-21 21:39:46 189 ----a-w- c:\program files\0LE7DVQJ.bat
2011-11-21 21:34:48 -------- d-----w- c:\documents and settings\administrator\application data\FlashFXP
2011-11-21 21:28:14 -------- d-----w- c:\program files\FlashFXP 4
2011-11-21 21:28:14 -------- d-----w- c:\documents and settings\all users\application data\FlashFXP
.
==================== Find3M ====================
.
2011-11-29 16:14:07 57600 ----a-w- c:\windows\system32\drivers\redbook.sys.org
2011-11-02 19:29:26 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-11-02 19:29:08 28992 ----a-w- c:\windows\system32\uxtuneup.dll
2011-10-19 08:36:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 13:45:59 5816 ----a-w- c:\windows\system32\casigmgr32s.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2004-03-11 17:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00GVA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A7A4AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000073[0x8A848F18]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> \Device\Ide\IdeDeviceP0T0L0-4[0x8A7ABD98]
kernel: MBR read successfully
_asm { CLD ; XOR AX, AX; MOV ES, AX; MOV DS, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c1a; MOV DI, 0x61a; MOV CX, 0x1e6; REP MOVSB ; JMP 0x8a1a; }
user != kernel MBR !!!
.
============= FINISH: 11:37:56.07 ===============





Thanks for any assistance
Redbullpower

Edited by redbullpower, 09 December 2011 - 05:30 AM.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:51 PM

Posted 10 December 2011 - 03:12 PM

Hi,

Please do the following:


Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 redbullpower

redbullpower
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 12 December 2011 - 05:23 AM

CatByte, thanks for helping me out.
I have tried to run aswMBR twice now and have received the same error both times.

avast! Antirootkit has encountered a problem and needs to close. We are sorry for the inconvenience.

This happens about 15 minutes into the scan.

#4 redbullpower

redbullpower
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 12 December 2011 - 06:26 AM

I attempted a third scan which finished successfully.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-12 10:24:58
-----------------------------
10:24:58.950 OS Version: Windows 5.1.2600 Service Pack 3
10:24:58.950 Number of processors: 1 586 0x209
10:24:58.950 ComputerName: GUYDOWN UserName:
10:25:05.668 Initialize success
10:25:37.684 AVAST engine defs: 11121102
10:26:43.591 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
10:26:43.591 Disk 0 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.607 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
10:26:43.622 Disk 1 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.638 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T1L0-20
10:26:43.638 Disk 2 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.685 Disk 0 MBR read successfully
10:26:43.716 Disk 0 MBR scan
10:26:43.794 Disk 0 unknown MBR code
10:26:43.841 Disk 0 scanning sectors +488392065
10:26:44.013 Disk 0 scanning C:\WINDOWS\system32\drivers
10:27:15.357 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
10:27:15.357 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-12 10:24:58
-----------------------------
10:24:58.950 OS Version: Windows 5.1.2600 Service Pack 3
10:24:58.950 Number of processors: 1 586 0x209
10:24:58.950 ComputerName: GUYDOWN UserName:
10:25:05.668 Initialize success
10:25:37.684 AVAST engine defs: 11121102
10:26:43.591 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
10:26:43.591 Disk 0 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.607 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
10:26:43.622 Disk 1 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.638 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T1L0-20
10:26:43.638 Disk 2 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.685 Disk 0 MBR read successfully
10:26:43.716 Disk 0 MBR scan
10:26:43.794 Disk 0 unknown MBR code
10:26:43.841 Disk 0 scanning sectors +488392065
10:26:44.013 Disk 0 scanning C:\WINDOWS\system32\drivers
10:27:15.357 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
10:27:15.357 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
10:27:55.185 Service scanning
10:27:59.826 Modules scanning
10:28:32.592 Disk 0 trace - called modules:
10:28:32.654 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
10:28:32.670 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7ebab8]
10:28:32.701 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a7a9f18]
10:28:32.732 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a7ee940]
10:28:38.014 AVAST engine scan C:\WINDOWS
10:30:12.889 AVAST engine scan C:\WINDOWS\system32
10:41:00.206 AVAST engine scan C:\WINDOWS\system32\drivers
10:42:22.504 AVAST engine scan C:\Documents and Settings\Administrator
10:46:16.696 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
10:46:16.728 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-12 10:24:58
-----------------------------
10:24:58.950 OS Version: Windows 5.1.2600 Service Pack 3
10:24:58.950 Number of processors: 1 586 0x209
10:24:58.950 ComputerName: GUYDOWN UserName:
10:25:05.668 Initialize success
10:25:37.684 AVAST engine defs: 11121102
10:26:43.591 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
10:26:43.591 Disk 0 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.607 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
10:26:43.622 Disk 1 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.638 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T1L0-20
10:26:43.638 Disk 2 Vendor: WDC_WD2500JB-00GVA0 08.02D08 Size: 238475MB BusType: 3
10:26:43.685 Disk 0 MBR read successfully
10:26:43.716 Disk 0 MBR scan
10:26:43.794 Disk 0 unknown MBR code
10:26:43.841 Disk 0 scanning sectors +488392065
10:26:44.013 Disk 0 scanning C:\WINDOWS\system32\drivers
10:27:15.357 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
10:27:15.357 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
10:27:55.185 Service scanning
10:27:59.826 Modules scanning
10:28:32.592 Disk 0 trace - called modules:
10:28:32.654 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
10:28:32.670 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7ebab8]
10:28:32.701 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a7a9f18]
10:28:32.732 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a7ee940]
10:28:38.014 AVAST engine scan C:\WINDOWS
10:30:12.889 AVAST engine scan C:\WINDOWS\system32
10:41:00.206 AVAST engine scan C:\WINDOWS\system32\drivers
10:42:22.504 AVAST engine scan C:\Documents and Settings\Administrator
10:46:16.696 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
10:46:16.728 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
11:08:58.707 AVAST engine scan C:\Documents and Settings\All Users
11:17:50.498 Scan finished successfully
11:23:35.989 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
11:23:36.036 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
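The two verdict lines worth pulling out of the logs in this thread are GMER's "user != kernel MBR !!!" (post #1) and aswMBR's "Disk 0 unknown MBR code" (post #4). GMER reads sector 0 twice, once through the ordinary user-mode path and once directly through the kernel disk stack; a bootkit that hooks the disk driver serves user-mode readers a clean copy, so the two reads differ. aswMBR compares the boot code it read against loaders it recognises and reports "unknown MBR code" when it matches none. The script below is an added example, not code from this thread, from GMER or from AVAST: it parses both tools' output and returns a triage verdict. The infected-case samples are excerpted from the logs posted above; the clean-case samples are constructed, and the wording of their "OK" lines is an assumption about the tools' output.

```python
"""Pull the MBR verdicts out of GMER mbr.exe and aswMBR logs (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MbrFindings:
    tool: str
    mbr_read_ok: bool = False           # the tool managed to read sector 0
    user_kernel_mismatch: bool = False  # GMER: user-mode read != kernel-mode read
    unknown_mbr_code: bool = False      # aswMBR: boot code matches no known loader
    boot_stub: Optional[str] = None     # GMER: disassembly of the kernel-read MBR
    notes: List[str] = field(default_factory=list)

    def suspicious(self) -> bool:
        return self.user_kernel_mismatch or self.unknown_mbr_code


def parse_gmer_mbr(log: str) -> MbrFindings:
    """Parse the MBR section of a GMER log (the 'Stealth MBR rootkit' detector)."""
    f = MbrFindings(tool="gmer-mbr")
    for raw in log.splitlines():
        line = raw.strip()
        if line == "kernel: MBR read successfully":
            f.mbr_read_ok = True
        elif line.startswith("_asm {"):
            f.boot_stub = line          # keep the disassembly for the analyst
        elif line.startswith("user != kernel MBR"):
            f.user_kernel_mismatch = True
            f.notes.append("sector 0 as seen from user mode differs from the "
                           "kernel-mode read: something in the disk stack is "
                           "filtering MBR reads")
    return f


# aswMBR lines look like "10:26:43.794 Disk 0 unknown MBR code"
ASW_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+Disk (\d+)\s+(.*)$")


def parse_aswmbr(log: str, disk: int = 0) -> MbrFindings:
    """Parse the per-disk lines of an aswMBR log for the given disk number."""
    f = MbrFindings(tool="aswMBR")
    for raw in log.splitlines():
        m = ASW_LINE.match(raw.strip())
        if not m or int(m.group(1)) != disk:
            continue
        msg = m.group(2)
        if msg == "MBR read successfully":
            f.mbr_read_ok = True
        elif msg == "unknown MBR code":
            f.unknown_mbr_code = True
            f.notes.append("boot code in sector 0 is not a recognised loader; "
                           "keep the saved MBR.dat for analysis")
    return f


def assess(findings: List[MbrFindings]) -> str:
    """One-line triage verdict over the results of several tools."""
    flagged = [x.tool for x in findings if x.suspicious()]
    unread = [x.tool for x in findings if not x.mbr_read_ok]
    if flagged:
        return "SUSPICIOUS MBR (" + ", ".join(flagged) + "): treat as a likely bootkit"
    if unread:
        return "INCONCLUSIVE: " + ", ".join(unread) + " could not read the MBR"
    return "MBR OK"


# Excerpt of the GMER MBR section posted above (infected case).
GMER_INFECTED = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
_asm { CLD ; XOR AX, AX; MOV ES, AX; MOV DS, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c1a; MOV DI, 0x61a; MOV CX, 0x1e6; REP MOVSB ; JMP 0x8a1a; }
user != kernel MBR !!!
"""

# Constructed clean GMER output; the wording of the last line is an assumption.
GMER_CLEAN = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Excerpt of the aswMBR log posted above (infected case).
ASWMBR_INFECTED = """\
10:26:43.685 Disk 0 MBR read successfully
10:26:43.716 Disk 0 MBR scan
10:26:43.794 Disk 0 unknown MBR code
10:26:43.841 Disk 0 scanning sectors +488392065
"""

# Constructed clean aswMBR output; the wording of the third line is an assumption.
ASWMBR_CLEAN = """\
10:26:43.685 Disk 0 MBR read successfully
10:26:43.716 Disk 0 MBR scan
10:26:43.794 Disk 0 Windows XP default MBR code
"""

if __name__ == "__main__":
    print(assess([parse_gmer_mbr(GMER_INFECTED), parse_aswmbr(ASWMBR_INFECTED)]))
    print(assess([parse_gmer_mbr(GMER_CLEAN), parse_aswmbr(ASWMBR_CLEAN)]))
```

The point of keeping the two tools separate is that they answer different questions: GMER's mismatch says the disk stack is lying to user-mode readers, while aswMBR's verdict says the boot code itself is not a stock loader. Either one alone is enough to stop trusting the usual file-system scanners, which is why the helper in this thread asks for the saved MBR.dat before going further.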

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:51 PM

Posted 12 December 2011 - 09:25 AM

Hi,

Please attach the MBR.dat file (zip it up first). It was created by aswMBR and should be on your desktop. Thanks; now run the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 redbullpower

redbullpower
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 12 December 2011 - 04:25 PM

Here is the ComboFix log... I was posting just when this site went down, so sorry for the delay.

ComboFix 11-12-12.02 - Administrator 12/12/2011 16:08:50.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2807.1737 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\help\wmplayer.bak
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\msssc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))
.
.
2011-12-12 07:12 . 2011-12-12 07:12 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48E74C1D-142E-425F-8E26-61AE7CCD76E5}\offreg.dll
2011-12-12 07:11 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{48E74C1D-142E-425F-8E26-61AE7CCD76E5}\mpengine.dll
2011-12-06 13:13 . 2011-12-06 13:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-12-06 13:12 . 2011-12-06 13:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-06 13:12 . 2011-12-06 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-05 14:03 . 2011-12-05 14:03 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-05 14:03 . 2011-12-05 14:03 -------- d-----w- c:\program files\Trend Micro
2011-12-04 13:42 . 2011-12-04 13:42 -------- d-----w- c:\windows\system32\2060
2011-11-29 11:40 . 2011-11-29 11:40 -------- d-----w- c:\program files\Common Files\Common Apps
2011-11-29 11:38 . 2011-11-29 14:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\B4949
2011-11-29 11:38 . 2011-11-29 12:54 -------- d-----w- c:\program files\SysTools OST Recovery
2011-11-25 16:10 . 2011-11-25 16:10 -------- d-----w- c:\program files\Xiph.Org
2011-11-25 16:10 . 2011-12-06 11:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2011-11-23 13:29 . 2011-11-23 13:29 -------- d-----w- c:\program files\Stellar Phoenix Password Recovery
2011-11-23 12:47 . 2011-11-23 12:47 -------- d-----w- c:\program files\NirSoft
2011-11-21 21:39 . 2011-11-21 21:39 189 ----a-w- c:\program files\0LE7DVQJ.bat
2011-11-21 21:34 . 2011-11-21 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\FlashFXP
2011-11-21 21:28 . 2011-11-21 22:20 -------- d-----w- c:\program files\FlashFXP 4
2011-11-21 21:28 . 2011-11-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FlashFXP
2011-11-14 08:21 . 2011-11-14 08:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 16:14 . 2011-11-29 16:14 57600 ----a-w- c:\windows\system32\drivers\redbook.sys.org
2011-11-21 10:47 . 2009-11-22 07:26 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-02 19:29 . 2011-11-07 08:19 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-11-02 19:29 . 2011-11-07 08:31 28992 ----a-w- c:\windows\system32\uxtuneup.dll
2011-10-19 08:36 . 2011-06-19 20:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2004-03-02 20:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-09-23 22:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 1980-01-01 07:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 1980-01-01 07:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2004-03-11 17:27 . 2007-04-04 16:46 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-11-09 18:32 . 2011-11-07 08:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-04_14.42.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-10 07:01 . 2011-12-10 07:01 16384 c:\windows\Temp\Perflib_Perfdata_588.dat
+ 1980-01-01 07:00 . 2011-12-06 09:31 96690 c:\windows\system32\perfc009.dat
- 2010-10-01 12:17 . 2011-11-29 12:10 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-01-12 18:59 . 2011-01-12 18:59 43352 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLRPC.DLL
+ 2010-10-22 15:05 . 2010-10-22 15:05 28000 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLACCT.DLL
+ 2011-12-04 13:42 . 2011-12-12 11:28 7061 c:\windows\system32\2060\inf2060.dat
+ 1980-01-01 07:00 . 2011-12-06 09:31 527342 c:\windows\system32\perfh009.dat
+ 2010-10-01 12:17 . 2011-12-06 11:44 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2010-10-22 15:05 . 2010-10-22 15:05 423280 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\RTFHTML.DLL
+ 2011-03-18 23:08 . 2011-03-18 23:08 329616 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLPH.DLL
+ 2011-12-05 14:03 . 2011-12-05 14:03 1094656 c:\windows\Installer\7c54ce.msi
+ 2010-10-01 12:17 . 2011-12-06 11:44 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2010-12-21 01:15 . 2010-12-21 01:15 1041248 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\UMOUTLOOKADDIN.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44D17824-2A0E-19CE-65BD-247C45EB0A63}]
2008-04-14 00:12 98304 ----a-w- c:\windows\system32\oledllg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-08-03 4493312]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe" [2010-04-02 754288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Windy31Install"="c:\windows\RaLaunch.exe" [2007-03-26 24576]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2011-01-23 148280]
"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2011-9-2 24183152]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
VPN Client.lnk - [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Windy31 Manager.lnk - c:\program files\Windy31_Manager\Common\Windy31 GW.exe [2011-3-8 548864]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1108\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1115\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1120\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1125\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1142\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1144\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1149\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1152\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1773\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1343024091-839522115-1257\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\SysVol\mapfusion.com\scripts\logon.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1343024091-839522115-1257\Scripts\Logon\1\0]
"Script"=\\mapfusion.com\SysVol\mapfusion.com\scripts\logon.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-05-11 19:42 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 380416 ----a-w- c:\windows\system32\irprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2003-09-30 16:05 536576 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 17:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-08-03 00:03 4493312 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2004-08-03 00:03 917504 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2003-03-17 22:27 32768 ----a-w- c:\ibmtools\Updater\ucstartup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apache2"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbLauncher.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbSetupWizard.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbControlPanel.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\lxeccoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Outlook Email Address Extractor\\Oee.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\TVersity\\Media Server197\\MediaServer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30333:TCP"= 30333:TCP:skype
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 MpKsl8cafe5a4;MpKsl8cafe5a4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsl8cafe5a4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsl8cafe5a4.sys [?]
R1 MpKslb7d10417;MpKslb7d10417;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKslb7d10417.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKslb7d10417.sys [?]
R1 MpKsld534f85e;MpKsld534f85e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsld534f85e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsld534f85e.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 4:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 9:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 11:38 PM 116608]
R2 AirPrint;AirPrint;c:\program files\AirPrint\airprint.exe -s --> c:\program files\AirPrint\airprint.exe -s [?]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/18/2010 12:32 AM 19632]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [5/16/2010 12:47 PM 20968]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [1/20/2011 11:14 AM 21992]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2/16/2010 6:42 PM 28672]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [5/19/2010 6:29 PM 127496]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [10/13/2011 5:33 PM 10064]
S1 MpKsl48cea076;MpKsl48cea076;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{44F850B5-DE19-4DE2-A872-D4DFA684CCCB}\MpKsl48cea076.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{44F850B5-DE19-4DE2-A872-D4DFA684CCCB}\MpKsl48cea076.sys [?]
S1 MpKsl7f4fc8ae;MpKsl7f4fc8ae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D8808F6-26E2-44C6-A0EC-7E6EABC28DA6}\MpKsl7f4fc8ae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D8808F6-26E2-44C6-A0EC-7E6EABC28DA6}\MpKsl7f4fc8ae.sys [?]
S1 MpKsl9b54010b;MpKsl9b54010b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{75EC1F2D-912C-4B80-9A8E-0D7FE9D0D223}\MpKsl9b54010b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{75EC1F2D-912C-4B80-9A8E-0D7FE9D0D223}\MpKsl9b54010b.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2010 7:44 PM 130248]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [7/8/2011 2:17 PM 193192]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [11/2/2011 7:29 PM 1473712]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe [12/21/2007 2:01 AM 62464]
S3 GenericMount Helper Service;GenericMount Helper Service;"e:\shared\Drivers\GenericMountHelper.exe" --> e:\shared\Drivers\GenericMountHelper.exe [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2010 7:44 PM 130248]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 6:19 PM 50704]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/10/2010 1:37 AM 4640000]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/4/2010 12:47 AM 19056]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WebTool;WebTool;c:\progra~1\MI4F93~1\webtool.exe [7/19/2007 3:31 PM 705024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [11/4/2011 4:02 PM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [11/4/2011 4:25 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [11/4/2011 4:26 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [11/4/2011 4:27 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [11/4/2011 4:28 PM 25704]
S4 SymSnapService;SymSnapService;"e:\shared\Drivers\SymSnapService.exe" --> e:\shared\Drivers\SymSnapService.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
*Deregistered* - uwldqpob
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-12 c:\windows\Tasks\AdobeAAMUpdater-1.0-GUYDOWN-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-18 03:44]
.
2011-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:57]
.
2011-12-12 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [1980-01-01 00:12]
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 19:44]
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 19:44]
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4035870869-1440049310-3935256124-500Core1cc8f0a73e00168.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-06 14:46]
.
2011-12-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2011-12-12 c:\windows\Tasks\Orb Index when idle.job
- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe [2010-04-02 23:48]
.
2011-12-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4035870869-1440049310-3935256124-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2011-12-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4035870869-1440049310-3935256124-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2011-12-12 c:\windows\Tasks\User_Feed_Synchronization-{7264ADE4-5841-43F6-99F0-C4EBCFFE1515}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.36.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwoc.ops.placeware.com/etc/place/OSCAR/SCOpws-c2/5.1.6.246/lib/quicksilver.cab
DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://piranha/ProjectServer/objects/pjclient.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ntb2awb2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2548838&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - TVersitybar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49273
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-EPA_EZ_GPO_Tool - c:\windows\System32\EZ_GPO_Tool.exe
AddRemove-CPUID CPU-Z_is1 - c:\program files\CPUID\CPU-Z\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-12 16:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00GVA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4035870869-1440049310-3935256124-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,27,68,34,e2,13,70,79,44,b1,5e,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,6a,39,ae,5a,55,dd,43,bb,a1,a7,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,27,68,34,e2,13,70,79,44,b1,5e,fe,\
.
[HKEY_USERS\S-1-5-21-4035870869-1440049310-3935256124-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BB1CF7F0-F92E-1947-2AFE-E5C59C35E1FF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"falgabjfaoaa"=hex:61,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}\{38286259-1A12-EDE0-84E2CD6A1D76E8F7}\{2C2658AF-F73E-73C6-89D45D0D6FCCCFF2}*]
"63AUOURV1X6YIYB2ELIFO4LTRC1"=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-12-12 17:09:05
ComboFix-quarantined-files.txt 2011-12-12 17:08
ComboFix2.txt 2011-12-05 13:10
ComboFix3.txt 2011-12-04 15:01
ComboFix4.txt 2010-10-04 20:24
.
Pre-Run: 38,058,020,864 bytes free
Post-Run: 38,175,813,632 bytes free
.
- - End Of File - - DE1B5782BFFBA2ED38178E6AD01581E7
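A small triage pass over the kind of indicators that stand out in the ComboFix log above (the user/kernel MBR mismatch, the loopback Firefox proxy on port 49273, the deregistered driver with a random-looking name, the third-party default search URL). This is an added example, not part of the thread and not ComboFix's own code; the sample log is a constructed excerpt of lines from the posted log, and the local-proxy port allowlist and the random-name heuristic are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt built from lines that appear in the ComboFix log above.
SAMPLE_LOG = """\
*Deregistered* - aswMBR
*Deregistered* - uwldqpob
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2548838&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49273
FF - prefs.js: network.proxy.type - 0
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
"""


@dataclass
class Finding:
    severity: str    # "high", "medium" or "info"
    indicator: str   # short machine-readable tag
    detail: str      # human-readable explanation


# Hosts a user would plausibly have chosen as a search engine themselves.
KNOWN_SEARCH_HOSTS = ("google.", "bing.com", "search.live.com", "yahoo.com")
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")
# Ports used by deliberately installed local filtering proxies (assumption);
# any other loopback proxy port is treated as suspicious.
COMMON_LOCAL_PROXY_PORTS = {3128, 8080, 8118, 8888}

DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s+(\S+)\s+-\s+(.*)$")
MBR_MISMATCH_RE = re.compile(r"user\s*!=\s*kernel\s+MBR")
URL_HOST_RE = re.compile(r"^(?:hxxps?|https?)://([^/?#]+)", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated driver names such as 'uwldqpob':
    eight or more lowercase letters with a low vowel ratio (assumption)."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.35


def triage(log_text: str) -> List[Finding]:
    """Scan ComboFix-style output and return the indicators to look at first."""
    findings: List[Finding] = []
    prefs = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if MBR_MISMATCH_RE.search(line):
            findings.append(Finding("high", "mbr-mismatch",
                "user-mode and kernel-mode reads of the MBR differ, which is what a "
                "disk-hooking MBR rootkit produces"))
            continue
        m = DEREG_RE.match(line)
        if m and looks_random(m.group(1)):
            findings.append(Finding("medium", "random-driver-name",
                f"deregistered driver '{m.group(1)}' has a random-looking name"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()

    # A loopback proxy on an unusual port means something on the host sits
    # between the browser and the network; type 0 means Firefox is not using it.
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port", "")
    if host in LOOPBACK_HOSTS and port.isdigit() and int(port) not in COMMON_LOCAL_PROXY_PORTS:
        active = prefs.get("network.proxy.type", "0") != "0"
        findings.append(Finding("high" if active else "medium", "loopback-proxy",
            f"Firefox HTTP proxy is {host}:{port} "
            + ("and is enabled" if active else "but network.proxy.type is 0, so it is not in use")))

    # A default search URL on a third-party host is the usual search-redirect leftover.
    m = URL_HOST_RE.match(prefs.get("browser.search.defaulturl", ""))
    if m and not any(k in m.group(1).lower() for k in KNOWN_SEARCH_HOSTS):
        findings.append(Finding("medium", "search-redirect",
            f"browser.search.defaulturl sends queries to {m.group(1)}"))
    return findings


def indicators(log_text: str) -> List[str]:
    """Just the indicator tags, in the order they were found."""
    return [f.indicator for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}: {f.detail}")
```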

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:51 PM

Posted 12 December 2011 - 05:57 PM

Hi

Please do the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\windows\system32\2060
c:\documents and settings\Administrator\Application Data\B4949

File::
c:\program files\0LE7DVQJ.bat

FireFox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ntb2awb2.default\
FF - prefs.js: network.proxy.http_port - 49273
ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 redbullpower

redbullpower
  • Topic Starter

  • Members
  • 48 posts
  • Local time:12:51 AM

Posted 13 December 2011 - 04:59 AM

Here are the 2 logs you requested. TDSSKiller found a suspicious file but not a malicious file.
Not sure if it is a coincidence, but this site went down again right after I pushed the "Add Reply" button, the same as what happened yesterday.

07:31:22.0862 5428 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
07:31:23.0096 5428 ============================================================
07:31:23.0096 5428 Current date / time: 2011/12/13 07:31:23.0096
07:31:23.0096 5428 SystemInfo:
07:31:23.0096 5428
07:31:23.0096 5428 OS Version: 5.1.2600 ServicePack: 3.0
07:31:23.0096 5428 Product type: Workstation
07:31:23.0096 5428 ComputerName: GUYDOWN
07:31:23.0096 5428 UserName: Administrator
07:31:23.0096 5428 Windows directory: C:\WINDOWS
07:31:23.0096 5428 System windows directory: C:\WINDOWS
07:31:23.0096 5428 Processor architecture: Intel x86
07:31:23.0096 5428 Number of processors: 1
07:31:23.0096 5428 Page size: 0x1000
07:31:23.0096 5428 Boot type: Normal boot
07:31:23.0096 5428 ============================================================
07:31:24.0862 5428 Initialize success
07:31:31.0002 0932 ============================================================
07:31:31.0002 0932 Scan started
07:31:31.0002 0932 Mode: Manual;
07:31:31.0002 0932 ============================================================
07:31:32.0706 0932 Abiosdsk - ok
07:31:33.0081 0932 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
07:31:33.0096 0932 abp480n5 - ok
07:31:33.0487 0932 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
07:31:33.0518 0932 ac97intc - ok
07:31:33.0956 0932 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:31:34.0018 0932 ACPI - ok
07:31:34.0377 0932 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
07:31:34.0393 0932 ACPIEC - ok
07:31:34.0784 0932 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
07:31:34.0815 0932 adpu160m - ok
07:31:35.0221 0932 aeaudio (b2886807ac2543da273765cef4d82d68) C:\WINDOWS\system32\drivers\aeaudio.sys
07:31:35.0268 0932 aeaudio - ok
07:31:35.0674 0932 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
07:31:35.0721 0932 aec - ok
07:31:36.0143 0932 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
07:31:36.0206 0932 AFD - ok
07:31:36.0565 0932 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
07:31:36.0581 0932 agp440 - ok
07:31:36.0940 0932 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
07:31:36.0956 0932 agpCPQ - ok
07:31:37.0315 0932 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
07:31:37.0331 0932 Aha154x - ok
07:31:37.0706 0932 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
07:31:37.0721 0932 aic78u2 - ok
07:31:38.0096 0932 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
07:31:38.0112 0932 aic78xx - ok
07:31:38.0487 0932 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
07:31:38.0487 0932 AliIde - ok
07:31:38.0862 0932 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
07:31:38.0877 0932 alim1541 - ok
07:31:39.0252 0932 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
07:31:39.0268 0932 amdagp - ok
07:31:39.0674 0932 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
07:31:39.0690 0932 amsint - ok
07:31:40.0065 0932 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
07:31:40.0112 0932 asc - ok
07:31:40.0471 0932 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
07:31:40.0659 0932 asc3350p - ok
07:31:43.0049 0932 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
07:31:43.0096 0932 asc3550 - ok
07:31:43.0674 0932 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
07:31:43.0690 0932 AsyncMac - ok
07:31:44.0081 0932 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
07:31:44.0112 0932 atapi - ok
07:31:44.0456 0932 Atdisk - ok
07:31:44.0831 0932 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
07:31:44.0846 0932 Atmarpc - ok
07:31:45.0206 0932 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
07:31:45.0206 0932 audstub - ok
07:31:45.0581 0932 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
07:31:45.0596 0932 Beep - ok
07:31:45.0690 0932 catchme - ok
07:31:46.0065 0932 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
07:31:46.0081 0932 cbidf - ok
07:31:46.0424 0932 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
07:31:46.0424 0932 cbidf2k - ok
07:31:46.0815 0932 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
07:31:46.0831 0932 cd20xrnt - ok
07:31:47.0190 0932 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
07:31:47.0190 0932 Cdaudio - ok
07:31:47.0581 0932 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
07:31:47.0612 0932 Cdfs - ok
07:31:48.0018 0932 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
07:31:48.0049 0932 Cdrom - ok
07:31:48.0393 0932 Changer - ok
07:31:48.0815 0932 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
07:31:48.0831 0932 CmdIde - ok
07:31:49.0174 0932 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
07:31:49.0206 0932 Compbatt - ok
07:31:49.0628 0932 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
07:31:49.0643 0932 Cpqarray - ok
07:31:50.0112 0932 cpuz133 (13a0d3f9d5f39adaca0a8d3bb327eb31) C:\WINDOWS\system32\drivers\cpuz133_x32.sys
07:31:50.0112 0932 cpuz133 - ok
07:31:50.0487 0932 cpuz135 (c2eb4539a4f6ab6edd01bdc191619975) C:\WINDOWS\system32\drivers\cpuz135_x32.sys
07:31:50.0503 0932 cpuz135 - ok
07:31:50.0643 0932 CrystalSysInfo (f054744f67576a01139885173392502b) C:\Program Files\MediaCoder\SysInfo.sys
07:31:50.0643 0932 CrystalSysInfo - ok
07:31:51.0018 0932 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
07:31:51.0018 0932 CVirtA - ok
07:31:51.0503 0932 CVPNDRVA (8a15d7bd4cf1a8ccd7c65f7349f22e35) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
07:31:51.0612 0932 CVPNDRVA - ok
07:31:53.0143 0932 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
07:31:53.0409 0932 dac2w2k - ok
07:31:54.0534 0932 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
07:31:54.0550 0932 dac960nt - ok
07:31:55.0112 0932 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
07:31:55.0128 0932 Disk - ok
07:31:55.0971 0932 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
07:31:56.0315 0932 dmboot - ok
07:31:56.0768 0932 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
07:31:56.0831 0932 dmio - ok
07:31:57.0175 0932 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
07:31:57.0175 0932 dmload - ok
07:31:57.0565 0932 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
07:31:57.0581 0932 DMusic - ok
07:31:58.0003 0932 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
07:31:58.0050 0932 DNE - ok
07:31:58.0503 0932 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
07:31:58.0581 0932 Dot4 - ok
07:31:58.0971 0932 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
07:31:58.0971 0932 Dot4Print - ok
07:31:59.0346 0932 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
07:31:59.0346 0932 dot4usb - ok
07:32:00.0034 0932 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
07:32:00.0112 0932 dpti2o - ok
07:32:01.0018 0932 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
07:32:01.0050 0932 drmkaud - ok
07:32:01.0675 0932 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
07:32:01.0737 0932 E100B - ok
07:32:02.0268 0932 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
07:32:02.0331 0932 Fastfat - ok
07:32:02.0722 0932 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
07:32:02.0768 0932 Fdc - ok
07:32:03.0159 0932 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
07:32:03.0190 0932 Fips - ok
07:32:03.0612 0932 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
07:32:03.0628 0932 Flpydisk - ok
07:32:04.0034 0932 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
07:32:04.0081 0932 FltMgr - ok
07:32:04.0440 0932 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
07:32:04.0440 0932 Fs_Rec - ok
07:32:04.0831 0932 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
07:32:04.0878 0932 Ftdisk - ok
07:32:05.0253 0932 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
07:32:05.0253 0932 GEARAspiWDM - ok
07:32:05.0581 0932 GenericMount - ok
07:32:06.0003 0932 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
07:32:06.0018 0932 Gpc - ok
07:32:06.0409 0932 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
07:32:06.0425 0932 grmnusb - ok
07:32:06.0831 0932 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
07:32:06.0831 0932 HidBatt - ok
07:32:07.0206 0932 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
07:32:07.0206 0932 HidUsb - ok
07:32:07.0581 0932 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
07:32:07.0597 0932 hpn - ok
07:32:08.0050 0932 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
07:32:08.0159 0932 HTTP - ok
07:32:08.0550 0932 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
07:32:08.0565 0932 i2omgmt - ok
07:32:08.0940 0932 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
07:32:08.0972 0932 i2omp - ok
07:32:10.0628 0932 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
07:32:10.0753 0932 i8042prt - ok
07:32:11.0222 0932 ialm (8afbda54d93d3c14fd8686bc2f2e2e18) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
07:32:11.0269 0932 ialm - ok
07:32:11.0675 0932 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
07:32:11.0706 0932 Imapi - ok
07:32:12.0065 0932 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
07:32:12.0065 0932 ini910u - ok
07:32:12.0472 0932 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
07:32:12.0503 0932 IntelIde - ok
07:32:12.0894 0932 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
07:32:12.0909 0932 intelppm - ok
07:32:13.0269 0932 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
07:32:13.0331 0932 Ip6Fw - ok
07:32:13.0925 0932 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
07:32:13.0972 0932 IpFilterDriver - ok
07:32:14.0503 0932 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
07:32:14.0550 0932 IpInIp - ok
07:32:15.0112 0932 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
07:32:15.0222 0932 IpNat - ok
07:32:15.0753 0932 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
07:32:15.0784 0932 IPSec - ok
07:32:16.0456 0932 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
07:32:16.0456 0932 IRENUM - ok
07:32:16.0894 0932 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
07:32:16.0909 0932 isapnp - ok
07:32:17.0097 0932 ISODrive (2f03ceb28307983f3b36216d35ffa5aa) C:\Program Files\UltraISO\drivers\ISODrive.sys
07:32:17.0159 0932 ISODrive - ok
07:32:17.0628 0932 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
07:32:17.0644 0932 Kbdclass - ok
07:32:17.0987 0932 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
07:32:18.0003 0932 kbdhid - ok
07:32:18.0409 0932 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
07:32:18.0472 0932 kmixer - ok
07:32:18.0878 0932 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
07:32:18.0909 0932 KSecDD - ok
07:32:19.0269 0932 lbrtfdc - ok
07:32:19.0644 0932 libusb0 (34d6730e198a5b0fce0790a6b4769ef2) C:\WINDOWS\system32\drivers\libusb0.sys
07:32:19.0659 0932 libusb0 - ok
07:32:20.0066 0932 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
07:32:20.0066 0932 mnmdd - ok
07:32:20.0503 0932 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
07:32:20.0550 0932 Modem - ok
07:32:20.0925 0932 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
07:32:20.0956 0932 Mouclass - ok
07:32:24.0472 0932 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
07:32:24.0487 0932 mouhid - ok
07:32:25.0847 0932 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
07:32:25.0878 0932 MountMgr - ok
07:32:26.0362 0932 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
07:32:26.0425 0932 MpFilter - ok
07:32:26.0487 0932 MpKsl48cea076 - ok
07:32:26.0519 0932 MpKsl7f4fc8ae - ok
07:32:26.0550 0932 MpKsl8cafe5a4 - ok
07:32:26.0581 0932 MpKsl9b54010b - ok
07:32:26.0628 0932 MpKslb7d10417 - ok
07:32:26.0659 0932 MpKsld534f85e - ok
07:32:27.0034 0932 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
07:32:27.0034 0932 mraid35x - ok
07:32:27.0487 0932 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
07:32:27.0550 0932 MRxDAV - ok
07:32:28.0097 0932 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
07:32:28.0269 0932 MRxSmb - ok
07:32:28.0675 0932 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
07:32:28.0675 0932 Msfs - ok
07:32:29.0034 0932 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
07:32:29.0050 0932 MSKSSRV - ok
07:32:29.0409 0932 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
07:32:29.0409 0932 MSPCLOCK - ok
07:32:29.0753 0932 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
07:32:29.0753 0932 MSPQM - ok
07:32:30.0128 0932 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
07:32:30.0128 0932 mssmbios - ok
07:32:30.0519 0932 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
07:32:30.0550 0932 Mup - ok
07:32:31.0456 0932 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
07:32:31.0644 0932 NDIS - ok
07:32:32.0066 0932 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
07:32:32.0066 0932 NdisTapi - ok
07:32:32.0456 0932 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
07:32:32.0472 0932 Ndisuio - ok
07:32:32.0863 0932 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
07:32:32.0894 0932 NdisWan - ok
07:32:33.0284 0932 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
07:32:33.0300 0932 NDProxy - ok
07:32:33.0675 0932 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
07:32:33.0691 0932 NetBIOS - ok
07:32:34.0097 0932 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
07:32:34.0175 0932 NetBT - ok
07:32:34.0613 0932 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
07:32:34.0644 0932 NPF - ok
07:32:34.0988 0932 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
07:32:35.0003 0932 Npfs - ok
07:32:35.0566 0932 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
07:32:35.0784 0932 Ntfs - ok
07:32:36.0128 0932 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
07:32:36.0144 0932 Null - ok
07:32:36.0503 0932 nv (e3197cab208ea4cf1ab525a850551f55) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
07:32:39.0066 0932 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: e3197cab208ea4cf1ab525a850551f55, Fake md5: 933a02052aed2da698811a14b7848faf
07:32:39.0081 0932 nv ( ForgedFile.Multi.Generic ) - warning
07:32:39.0081 0932 nv - detected ForgedFile.Multi.Generic (1)
07:32:39.0660 0932 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
07:32:39.0660 0932 NwlnkFlt - ok
07:32:40.0035 0932 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
07:32:40.0035 0932 NwlnkFwd - ok
07:32:40.0472 0932 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
07:32:40.0503 0932 Parport - ok
07:32:40.0878 0932 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
07:32:40.0878 0932 PartMgr - ok
07:32:41.0238 0932 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
07:32:41.0238 0932 ParVdm - ok
07:32:41.0363 0932 pbfilter (61a5701e3f543861b21bbe0932c4cc03) C:\Program Files\PeerBlock\pbfilter.sys
07:32:41.0378 0932 pbfilter - ok
07:32:41.0753 0932 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
07:32:41.0785 0932 PCI - ok
07:32:42.0113 0932 PCIDump - ok
07:32:42.0472 0932 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
07:32:42.0472 0932 PCIIde - ok
07:32:42.0878 0932 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
07:32:42.0925 0932 Pcmcia - ok
07:32:43.0253 0932 PDCOMP - ok
07:32:43.0597 0932 PDFRAME - ok
07:32:43.0941 0932 PDRELI - ok
07:32:44.0285 0932 PDRFRAME - ok
07:32:45.0066 0932 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
07:32:45.0081 0932 perc2 - ok
07:32:45.0519 0932 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
07:32:45.0535 0932 perc2hib - ok
07:32:45.0956 0932 pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
07:32:45.0956 0932 pfc - ok
07:32:46.0331 0932 PMEM (fa292805788528c083f416e151b60ab6) C:\WINDOWS\system32\DRIVERS\pmemnt.sys
07:32:46.0347 0932 PMEM - ok
07:32:46.0769 0932 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
07:32:46.0800 0932 PptpMiniport - ok
07:32:47.0206 0932 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
07:32:47.0222 0932 Processor - ok
07:32:47.0613 0932 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
07:32:47.0660 0932 PSched - ok
07:32:48.0081 0932 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
07:32:48.0081 0932 Ptilink - ok
07:32:48.0519 0932 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
07:32:48.0566 0932 PxHelp20 - ok
07:32:48.0988 0932 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
07:32:49.0019 0932 ql1080 - ok
07:32:49.0378 0932 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
07:32:49.0394 0932 Ql10wnt - ok
07:32:49.0769 0932 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
07:32:49.0785 0932 ql12160 - ok
07:32:50.0144 0932 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
07:32:50.0160 0932 ql1240 - ok
07:32:50.0535 0932 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
07:32:50.0566 0932 ql1280 - ok
07:32:50.0925 0932 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
07:32:50.0925 0932 RasAcd - ok
07:32:51.0332 0932 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
07:32:51.0347 0932 Rasl2tp - ok
07:32:51.0707 0932 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
07:32:51.0722 0932 RasPppoe - ok
07:32:52.0066 0932 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
07:32:52.0082 0932 Raspti - ok
07:32:52.0519 0932 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
07:32:52.0582 0932 Rdbss - ok
07:32:52.0925 0932 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
07:32:52.0925 0932 RDPCDD - ok
07:32:53.0410 0932 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
07:32:53.0472 0932 rdpdr - ok
07:32:54.0113 0932 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
07:32:54.0628 0932 RDPWD - ok
07:32:55.0894 0932 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
07:32:55.0925 0932 redbook - ok
07:32:56.0285 0932 RimUsb - ok
07:32:56.0675 0932 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
07:32:56.0691 0932 RimVSerPort - ok
07:32:57.0035 0932 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
07:32:57.0035 0932 ROOTMODEM - ok
07:32:57.0597 0932 RT73 (4f153709d0691c6de8c9a4c5e813907c) C:\WINDOWS\system32\DRIVERS\MWP54XP.sys
07:32:57.0769 0932 RT73 - ok
07:32:57.0878 0932 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
07:32:57.0894 0932 SASDIFSV - ok
07:32:57.0957 0932 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
07:32:57.0988 0932 SASKUTIL - ok
07:32:58.0394 0932 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
07:32:58.0410 0932 Secdrv - ok
07:32:58.0769 0932 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
07:32:58.0785 0932 serenum - ok
07:32:59.0144 0932 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
07:32:59.0175 0932 Serial - ok
07:32:59.0582 0932 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
07:32:59.0582 0932 Sfloppy - ok
07:32:59.0925 0932 Simbad - ok
07:33:00.0300 0932 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
07:33:00.0316 0932 sisagp - ok
07:33:00.0910 0932 smwdm (a817845e68342d7d1c97937ea707412b) C:\WINDOWS\system32\drivers\smwdm.sys
07:33:01.0113 0932 smwdm - ok
07:33:01.0472 0932 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
07:33:01.0488 0932 Sparrow - ok
07:33:01.0847 0932 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
07:33:01.0847 0932 splitter - ok
07:33:02.0238 0932 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
07:33:02.0269 0932 sr - ok
07:33:02.0785 0932 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
07:33:02.0925 0932 Srv - ok
07:33:03.0316 0932 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
07:33:03.0332 0932 StillCam - ok
07:33:03.0738 0932 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
07:33:03.0754 0932 swenum - ok
07:33:04.0129 0932 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
07:33:04.0160 0932 swmidi - ok
07:33:04.0566 0932 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
07:33:04.0597 0932 symc810 - ok
07:33:06.0097 0932 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
07:33:06.0129 0932 symc8xx - ok
07:33:07.0597 0932 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
07:33:07.0629 0932 sym_hi - ok
07:33:07.0988 0932 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
07:33:08.0004 0932 sym_u3 - ok
07:33:08.0394 0932 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
07:33:08.0441 0932 sysaudio - ok
07:33:08.0863 0932 tap0901 (34f1bcb847a924a161422f106a79b9ff) C:\WINDOWS\system32\DRIVERS\tap0901.sys
07:33:09.0035 0932 tap0901 - ok
07:33:09.0941 0932 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
07:33:10.0082 0932 Tcpip - ok
07:33:10.0457 0932 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
07:33:10.0457 0932 TDPIPE - ok
07:33:10.0847 0932 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
07:33:10.0863 0932 TDTCP - ok
07:33:11.0238 0932 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
07:33:11.0254 0932 TermDD - ok
07:33:11.0629 0932 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
07:33:11.0644 0932 TosIde - ok
07:33:12.0051 0932 TotRec7 (e9c2642ec635b01f19f343df5eb488d3) C:\WINDOWS\system32\drivers\TotRec7.sys
07:33:12.0097 0932 TotRec7 - ok
07:33:12.0254 0932 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys
07:33:12.0269 0932 TuneUpUtilitiesDrv - ok
07:33:12.0691 0932 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
07:33:12.0707 0932 Udfs - ok
07:33:13.0097 0932 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
07:33:13.0113 0932 ultra - ok
07:33:13.0644 0932 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
07:33:13.0785 0932 Update - ok
07:33:14.0191 0932 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
07:33:14.0207 0932 USBAAPL - ok
07:33:14.0613 0932 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
07:33:14.0629 0932 usbaudio - ok
07:33:15.0394 0932 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
07:33:15.0441 0932 usbccgp - ok
07:33:16.0160 0932 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
07:33:16.0176 0932 usbehci - ok
07:33:16.0863 0932 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
07:33:16.0926 0932 usbhub - ok
07:33:18.0613 0932 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
07:33:18.0801 0932 usbprint - ok
07:33:19.0738 0932 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
07:33:19.0738 0932 usbscan - ok
07:33:20.0332 0932 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
07:33:20.0348 0932 USBSTOR - ok
07:33:20.0769 0932 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
07:33:20.0769 0932 usbuhci - ok
07:33:21.0160 0932 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
07:33:21.0160 0932 VgaSave - ok
07:33:21.0551 0932 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
07:33:21.0566 0932 viaagp - ok
07:33:21.0926 0932 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
07:33:21.0926 0932 ViaIde - ok
07:33:22.0269 0932 VMnetAdapter - ok
07:33:22.0660 0932 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
07:33:22.0676 0932 VolSnap - ok
07:33:23.0129 0932 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
07:33:23.0238 0932 vsdatant - ok
07:33:23.0644 0932 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
07:33:23.0660 0932 Wanarp - ok
07:33:24.0223 0932 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
07:33:24.0379 0932 Wdf01000 - ok
07:33:24.0738 0932 WDICA - ok
07:33:25.0129 0932 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
07:33:25.0160 0932 wdmaud - ok
07:33:26.0238 0932 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
07:33:26.0285 0932 WS2IFSL - ok
07:33:26.0894 0932 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys
07:33:26.0910 0932 WsAudio_DeviceS(1) - ok
07:33:27.0285 0932 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys
07:33:27.0301 0932 WsAudio_DeviceS(2) - ok
07:33:27.0676 0932 WsAudio_DeviceS(3) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys
07:33:27.0691 0932 WsAudio_DeviceS(3) - ok
07:33:28.0051 0932 WsAudio_DeviceS(4) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys
07:33:28.0066 0932 WsAudio_DeviceS(4) - ok
07:33:28.0441 0932 WsAudio_DeviceS(5) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys
07:33:28.0457 0932 WsAudio_DeviceS(5) - ok
07:33:28.0863 0932 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
07:33:28.0895 0932 WudfPf - ok
07:33:29.0285 0932 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
07:33:29.0316 0932 WudfRd - ok
07:33:29.0754 0932 {6080A529-897E-4629-A488-ABA0C29B635E} (9cc9bf9961726eeabb9ee70b80a7741f) C:\WINDOWS\system32\drivers\ialmsbw.sys
07:33:29.0801 0932 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
07:33:30.0207 0932 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (9e23f50a94da9d2958465853c0b9cde6) C:\WINDOWS\system32\drivers\ialmkchw.sys
07:33:30.0238 0932 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
07:33:30.0270 0932 MBR (0x1B8) (ab67d479e4ee1ccad757294b60ddb98f) \Device\Harddisk0\DR0
07:33:30.0488 0932 \Device\Harddisk0\DR0 - ok
07:33:30.0535 0932 MBR (0x1B8) (b0d724d471a83dff762f19470bf0f9a8) \Device\Harddisk1\DR1
07:33:30.0551 0932 \Device\Harddisk1\DR1 - ok
07:33:30.0566 0932 MBR (0x1B8) (b0d724d471a83dff762f19470bf0f9a8) \Device\Harddisk2\DR2
07:33:30.0566 0932 \Device\Harddisk2\DR2 - ok
07:33:30.0566 0932 Boot (0x1200) (17a4f311dc86316deb94fc3bffd5d970) \Device\Harddisk0\DR0\Partition0
07:33:30.0582 0932 \Device\Harddisk0\DR0\Partition0 - ok
07:33:30.0582 0932 Boot (0x1200) (8626512d7553be7151bd5958b9b36858) \Device\Harddisk1\DR1\Partition0
07:33:30.0598 0932 \Device\Harddisk1\DR1\Partition0 - ok
07:33:30.0598 0932 Boot (0x1200) (6be5bfd04cfa211020125a9caa6c0028) \Device\Harddisk2\DR2\Partition0
07:33:30.0598 0932 \Device\Harddisk2\DR2\Partition0 - ok
07:33:30.0613 0932 ============================================================
07:33:30.0613 0932 Scan finished
07:33:30.0613 0932 ============================================================
07:33:30.0676 3220 Detected object count: 1
07:33:30.0676 3220 Actual detected object count: 1
07:35:10.0818 3220 nv ( ForgedFile.Multi.Generic ) - skipped by user
07:35:10.0818 3220 nv ( ForgedFile.Multi.Generic ) - User select action: Skip
07:37:12.0585 4812 Deinitialize success



ComboFix 11-12-12.02 - Administrator 12/13/2011 7:50.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2807.1679 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\program files\0LE7DVQJ.bat"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\B4949
c:\documents and settings\Administrator\Application Data\B4949\98E7.494
c:\program files\0LE7DVQJ.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-11-13 to 2011-12-13 )))))))))))))))))))))))))))))))
.
.
2011-12-13 07:14 . 2011-12-13 07:14 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43925150-0216-4D23-A0D9-B1544E643682}\offreg.dll
2011-12-13 07:12 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43925150-0216-4D23-A0D9-B1544E643682}\mpengine.dll
2011-12-06 13:13 . 2011-12-06 13:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-12-06 13:12 . 2011-12-06 13:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-06 13:12 . 2011-12-06 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-05 14:03 . 2011-12-05 14:03 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-05 14:03 . 2011-12-05 14:03 -------- d-----w- c:\program files\Trend Micro
2011-12-04 13:42 . 2011-12-04 13:42 -------- d-----w- c:\windows\system32\2060
2011-11-29 11:40 . 2011-11-29 11:40 -------- d-----w- c:\program files\Common Files\Common Apps
2011-11-29 11:38 . 2011-11-29 12:54 -------- d-----w- c:\program files\SysTools OST Recovery
2011-11-25 16:10 . 2011-11-25 16:10 -------- d-----w- c:\program files\Xiph.Org
2011-11-25 16:10 . 2011-12-06 11:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2011-11-23 13:29 . 2011-11-23 13:29 -------- d-----w- c:\program files\Stellar Phoenix Password Recovery
2011-11-23 12:47 . 2011-11-23 12:47 -------- d-----w- c:\program files\NirSoft
2011-11-21 21:34 . 2011-11-21 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\FlashFXP
2011-11-21 21:28 . 2011-11-21 22:20 -------- d-----w- c:\program files\FlashFXP 4
2011-11-21 21:28 . 2011-11-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FlashFXP
2011-11-14 08:21 . 2011-11-14 08:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 16:14 . 2011-11-29 16:14 57600 ----a-w- c:\windows\system32\drivers\redbook.sys.org
2011-11-21 10:47 . 2009-11-22 07:26 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-02 19:29 . 2011-11-07 08:19 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-11-02 19:29 . 2011-11-07 08:31 28992 ----a-w- c:\windows\system32\uxtuneup.dll
2011-10-19 08:36 . 2011-06-19 20:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2004-03-02 20:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-09-23 22:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 1980-01-01 07:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 1980-01-01 07:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2004-03-11 17:27 . 2007-04-04 16:46 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-11-09 18:32 . 2011-11-07 08:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-04_14.42.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-10 07:01 . 2011-12-10 07:01 16384 c:\windows\Temp\Perflib_Perfdata_588.dat
+ 1980-01-01 07:00 . 2011-12-06 09:31 96690 c:\windows\system32\perfc009.dat
- 2010-10-01 12:17 . 2011-11-29 12:10 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-01-12 18:59 . 2011-01-12 18:59 43352 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLRPC.DLL
+ 2010-10-22 15:05 . 2010-10-22 15:05 28000 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLACCT.DLL
+ 2011-12-04 13:42 . 2011-12-12 11:28 7061 c:\windows\system32\2060\inf2060.dat
+ 1980-01-01 07:00 . 2011-12-06 09:31 527342 c:\windows\system32\perfh009.dat
+ 2010-10-01 12:17 . 2011-12-06 11:44 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2010-10-22 15:05 . 2010-10-22 15:05 423280 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\RTFHTML.DLL
+ 2011-03-18 23:08 . 2011-03-18 23:08 329616 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLPH.DLL
+ 2011-12-05 14:03 . 2011-12-05 14:03 1094656 c:\windows\Installer\7c54ce.msi
+ 2010-10-01 12:17 . 2011-12-06 11:44 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2010-12-21 01:15 . 2010-12-21 01:15 1041248 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\UMOUTLOOKADDIN.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44D17824-2A0E-19CE-65BD-247C45EB0A63}]
2008-04-14 00:12 98304 ----a-w- c:\windows\system32\oledllg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-08-03 4493312]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe" [2010-04-02 754288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Windy31Install"="c:\windows\RaLaunch.exe" [2007-03-26 24576]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2011-01-23 148280]
"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2011-9-2 24183152]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
VPN Client.lnk - [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Windy31 Manager.lnk - c:\program files\Windy31_Manager\Common\Windy31 GW.exe [2011-3-8 548864]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1108\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1115\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1120\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1125\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1142\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1144\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1149\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1152\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1773\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1343024091-839522115-1257\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\SysVol\mapfusion.com\scripts\logon.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1343024091-839522115-1257\Scripts\Logon\1\0]
"Script"=\\mapfusion.com\SysVol\mapfusion.com\scripts\logon.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-05-11 19:42 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 380416 ----a-w- c:\windows\system32\irprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2003-09-30 16:05 536576 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 17:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-08-03 00:03 4493312 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2004-08-03 00:03 917504 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2003-03-17 22:27 32768 ----a-w- c:\ibmtools\Updater\ucstartup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apache2"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbLauncher.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbSetupWizard.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbControlPanel.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\lxeccoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Outlook Email Address Extractor\\Oee.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\TVersity\\Media Server197\\MediaServer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30333:TCP"= 30333:TCP:skype
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 MpKsl8cafe5a4;MpKsl8cafe5a4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsl8cafe5a4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsl8cafe5a4.sys [?]
R1 MpKslb7d10417;MpKslb7d10417;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKslb7d10417.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKslb7d10417.sys [?]
R1 MpKsld534f85e;MpKsld534f85e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsld534f85e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsld534f85e.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 4:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 9:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 11:38 PM 116608]
R2 AirPrint;AirPrint;c:\program files\AirPrint\airprint.exe -s --> c:\program files\AirPrint\airprint.exe -s [?]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/18/2010 12:32 AM 19632]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [5/16/2010 12:47 PM 20968]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [1/20/2011 11:14 AM 21992]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2/16/2010 6:42 PM 28672]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/10/2010 1:37 AM 4640000]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [5/19/2010 6:29 PM 127496]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [10/13/2011 5:33 PM 10064]
S1 MpKsl48cea076;MpKsl48cea076;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{44F850B5-DE19-4DE2-A872-D4DFA684CCCB}\MpKsl48cea076.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{44F850B5-DE19-4DE2-A872-D4DFA684CCCB}\MpKsl48cea076.sys [?]
S1 MpKsl7f4fc8ae;MpKsl7f4fc8ae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D8808F6-26E2-44C6-A0EC-7E6EABC28DA6}\MpKsl7f4fc8ae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D8808F6-26E2-44C6-A0EC-7E6EABC28DA6}\MpKsl7f4fc8ae.sys [?]
S1 MpKsl9b54010b;MpKsl9b54010b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{75EC1F2D-912C-4B80-9A8E-0D7FE9D0D223}\MpKsl9b54010b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{75EC1F2D-912C-4B80-9A8E-0D7FE9D0D223}\MpKsl9b54010b.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2010 7:44 PM 130248]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [7/8/2011 2:17 PM 193192]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [11/2/2011 7:29 PM 1473712]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe [12/21/2007 2:01 AM 62464]
S3 GenericMount Helper Service;GenericMount Helper Service;"e:\shared\Drivers\GenericMountHelper.exe" --> e:\shared\Drivers\GenericMountHelper.exe [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2010 7:44 PM 130248]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 6:19 PM 50704]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/4/2010 12:47 AM 19056]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WebTool;WebTool;c:\progra~1\MI4F93~1\webtool.exe [7/19/2007 3:31 PM 705024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [11/4/2011 4:02 PM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [11/4/2011 4:25 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [11/4/2011 4:26 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [11/4/2011 4:27 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [11/4/2011 4:28 PM 25704]
S4 SymSnapService;SymSnapService;"e:\shared\Drivers\SymSnapService.exe" --> e:\shared\Drivers\SymSnapService.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 33648084
*Deregistered* - 33648084
*Deregistered* - aswMBR
*Deregistered* - uwldqpob
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-13 c:\windows\Tasks\AdobeAAMUpdater-1.0-GUYDOWN-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-18 03:44]
.
2011-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:57]
.
2011-12-13 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [1980-01-01 00:12]
.
2011-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 19:44]
.
2011-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 19:44]
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4035870869-1440049310-3935256124-500Core1cc8f0a73e00168.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-06 14:46]
.
2011-12-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2011-12-13 c:\windows\Tasks\Orb Index when idle.job
- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe [2010-04-02 23:48]
.
2011-12-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4035870869-1440049310-3935256124-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2011-12-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4035870869-1440049310-3935256124-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2011-12-13 c:\windows\Tasks\User_Feed_Synchronization-{7264ADE4-5841-43F6-99F0-C4EBCFFE1515}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.36.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwoc.ops.placeware.com/etc/place/OSCAR/SCOpws-c2/5.1.6.246/lib/quicksilver.cab
DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://piranha/ProjectServer/objects/pjclient.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ntb2awb2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2548838&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - TVersitybar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-13 08:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00GVA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4035870869-1440049310-3935256124-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,27,68,34,e2,13,70,79,44,b1,5e,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,6a,39,ae,5a,55,dd,43,bb,a1,a7,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,27,68,34,e2,13,70,79,44,b1,5e,fe,\
.
[HKEY_USERS\S-1-5-21-4035870869-1440049310-3935256124-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BB1CF7F0-F92E-1947-2AFE-E5C59C35E1FF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"falgabjfaoaa"=hex:61,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}\{38286259-1A12-EDE0-84E2CD6A1D76E8F7}\{2C2658AF-F73E-73C6-89D45D0D6FCCCFF2}*]
"63AUOURV1X6YIYB2ELIFO4LTRC1"=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-12-13 09:07:13
ComboFix-quarantined-files.txt 2011-12-13 09:06
ComboFix2.txt 2011-12-12 17:09
ComboFix3.txt 2011-12-05 13:10
ComboFix4.txt 2011-12-04 15:01
ComboFix5.txt 2011-12-13 07:42
.
Pre-Run: 38,083,973,120 bytes free
Post-Run: 38,090,149,888 bytes free
.
- - End Of File - - E43979D692835F6AACF0580912A49868

#9 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 December 2011 - 09:40 AM

The suspicious file is likely patched, as one of the folders regenerated in ComboFix also; let's confirm what we are dealing with.

Please do the following:

Submit a file to VirusTotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel, click on the file C:\WINDOWS\system32\DRIVERS\nv4_mini.sys, then click the Open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Please do the same for the following file:
c:\windows\system32\drivers\redbook.sys.org


NEXT



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DirLook::
c:\windows\system32\2060

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 redbullpower
  • Topic Starter
  • Members
  • 48 posts

Posted 13 December 2011 - 11:04 AM

CatByte:

VirusTotal appears to be down at the moment, but I will continue trying.

I will proceed with the ComboFix + script in the meantime.

#11 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 December 2011 - 11:22 AM

OK

There are others we can try.

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


    C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Do the same for this file too:

c:\windows\system32\drivers\redbook.sys.org



#12 redbullpower
  • Topic Starter
  • Members
  • 48 posts

Posted 13 December 2011 - 12:29 PM

CatByte:

I tried both files, but the box that pops up (to show the progress) says there is an error: 403 Forbidden.
No progress is shown scanning the files.

Here is the ComboFix log:

ComboFix 11-12-12.02 - Administrator 12/13/2011 16:15:01.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2807.1642 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-13 to 2011-12-13 )))))))))))))))))))))))))))))))
.
.
2011-12-13 07:14 . 2011-12-13 07:14 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43925150-0216-4D23-A0D9-B1544E643682}\offreg.dll
2011-12-13 07:12 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43925150-0216-4D23-A0D9-B1544E643682}\mpengine.dll
2011-12-06 13:13 . 2011-12-06 13:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-12-06 13:12 . 2011-12-06 13:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-06 13:12 . 2011-12-06 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-05 14:03 . 2011-12-05 14:03 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-05 14:03 . 2011-12-05 14:03 -------- d-----w- c:\program files\Trend Micro
2011-12-04 13:42 . 2011-12-04 13:42 -------- d-----w- c:\windows\system32\2060
2011-11-29 11:40 . 2011-11-29 11:40 -------- d-----w- c:\program files\Common Files\Common Apps
2011-11-29 11:38 . 2011-11-29 12:54 -------- d-----w- c:\program files\SysTools OST Recovery
2011-11-25 16:10 . 2011-11-25 16:10 -------- d-----w- c:\program files\Xiph.Org
2011-11-25 16:10 . 2011-12-06 11:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2011-11-23 13:29 . 2011-11-23 13:29 -------- d-----w- c:\program files\Stellar Phoenix Password Recovery
2011-11-23 12:47 . 2011-11-23 12:47 -------- d-----w- c:\program files\NirSoft
2011-11-21 21:34 . 2011-11-21 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\FlashFXP
2011-11-21 21:28 . 2011-11-21 22:20 -------- d-----w- c:\program files\FlashFXP 4
2011-11-21 21:28 . 2011-11-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FlashFXP
2011-11-14 08:21 . 2011-11-14 08:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 16:14 . 2011-11-29 16:14 57600 ----a-w- c:\windows\system32\drivers\redbook.sys.org
2011-11-21 10:47 . 2009-11-22 07:26 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-02 19:29 . 2011-11-07 08:19 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-11-02 19:29 . 2011-11-07 08:31 28992 ----a-w- c:\windows\system32\uxtuneup.dll
2011-10-19 08:36 . 2011-06-19 20:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2004-03-02 20:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-09-23 22:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 1980-01-01 07:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 1980-01-01 07:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2004-03-11 17:27 . 2007-04-04 16:46 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-11-09 18:32 . 2011-11-07 08:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\2060 ----
.
2011-12-04 13:42 . 2011-12-12 11:28 7061 ----a-w- c:\windows\system32\2060\inf2060.dat
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-04_14.42.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-10 07:01 . 2011-12-10 07:01 16384 c:\windows\Temp\Perflib_Perfdata_588.dat
+ 1980-01-01 07:00 . 2011-12-06 09:31 96690 c:\windows\system32\perfc009.dat
+ 2010-10-01 12:17 . 2011-12-06 11:44 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 42848 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-01-12 18:59 . 2011-01-12 18:59 43352 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLRPC.DLL
+ 2010-10-22 15:05 . 2010-10-22 15:05 28000 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLACCT.DLL
+ 1980-01-01 07:00 . 2011-12-06 09:31 527342 c:\windows\system32\perfh009.dat
+ 2010-10-01 12:17 . 2011-12-06 11:44 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 469856 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2010-10-22 15:05 . 2010-10-22 15:05 423280 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\RTFHTML.DLL
+ 2011-03-18 23:08 . 2011-03-18 23:08 329616 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\OUTLPH.DLL
+ 2011-12-05 14:03 . 2011-12-05 14:03 1094656 c:\windows\Installer\7c54ce.msi
+ 2010-10-01 12:17 . 2011-12-06 11:44 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-10-01 12:17 . 2011-12-06 11:44 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2010-10-01 12:17 . 2011-11-29 12:10 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2010-12-21 01:15 . 2010-12-21 01:15 1041248 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\UMOUTLOOKADDIN.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44D17824-2A0E-19CE-65BD-247C45EB0A63}]
2008-04-14 00:12 98304 ----a-w- c:\windows\system32\oledllg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-08-03 4493312]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe" [2010-04-02 754288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Windy31Install"="c:\windows\RaLaunch.exe" [2007-03-26 24576]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2011-01-23 148280]
"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2011-9-2 24183152]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
VPN Client.lnk - [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Windy31 Manager.lnk - c:\program files\Windy31_Manager\Common\Windy31 GW.exe [2011-3-8 548864]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1108\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1115\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1120\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1125\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1142\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1144\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1149\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1152\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4112942072-571041465-3807212853-1773\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\sysvol\mapfusion.com\scripts\login.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1343024091-839522115-1257\Scripts\Logon\0\0]
"Script"=\\mapfusion.com\SysVol\mapfusion.com\scripts\logon.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1343024091-839522115-1257\Scripts\Logon\1\0]
"Script"=\\mapfusion.com\SysVol\mapfusion.com\scripts\logon.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-05-11 19:42 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 380416 ----a-w- c:\windows\system32\irprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2003-09-30 16:05 536576 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 17:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-08-03 00:03 4493312 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2004-08-03 00:03 917504 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2003-03-17 22:27 32768 ----a-w- c:\ibmtools\Updater\ucstartup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apache2"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbLauncher.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbSetupWizard.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbControlPanel.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\lxeccoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Outlook Email Address Extractor\\Oee.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\TVersity\\Media Server197\\MediaServer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30333:TCP"= 30333:TCP:skype
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 MpKsl8cafe5a4;MpKsl8cafe5a4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsl8cafe5a4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsl8cafe5a4.sys [?]
R1 MpKslb7d10417;MpKslb7d10417;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKslb7d10417.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKslb7d10417.sys [?]
R1 MpKsld534f85e;MpKsld534f85e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsld534f85e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{044A5CC4-5DA9-413B-9A67-0462523D3BD1}\MpKsld534f85e.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 4:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 9:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 11:38 PM 116608]
R2 AirPrint;AirPrint;c:\program files\AirPrint\airprint.exe -s --> c:\program files\AirPrint\airprint.exe -s [?]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/18/2010 12:32 AM 19632]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [5/16/2010 12:47 PM 20968]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [1/20/2011 11:14 AM 21992]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2/16/2010 6:42 PM 28672]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/10/2010 1:37 AM 4640000]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [5/19/2010 6:29 PM 127496]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [10/13/2011 5:33 PM 10064]
S1 MpKsl48cea076;MpKsl48cea076;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{44F850B5-DE19-4DE2-A872-D4DFA684CCCB}\MpKsl48cea076.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{44F850B5-DE19-4DE2-A872-D4DFA684CCCB}\MpKsl48cea076.sys [?]
S1 MpKsl7f4fc8ae;MpKsl7f4fc8ae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D8808F6-26E2-44C6-A0EC-7E6EABC28DA6}\MpKsl7f4fc8ae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D8808F6-26E2-44C6-A0EC-7E6EABC28DA6}\MpKsl7f4fc8ae.sys [?]
S1 MpKsl9b54010b;MpKsl9b54010b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{75EC1F2D-912C-4B80-9A8E-0D7FE9D0D223}\MpKsl9b54010b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{75EC1F2D-912C-4B80-9A8E-0D7FE9D0D223}\MpKsl9b54010b.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2010 7:44 PM 130248]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [7/8/2011 2:17 PM 193192]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [11/2/2011 7:29 PM 1473712]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe [12/21/2007 2:01 AM 62464]
S3 GenericMount Helper Service;GenericMount Helper Service;"e:\shared\Drivers\GenericMountHelper.exe" --> e:\shared\Drivers\GenericMountHelper.exe [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2010 7:44 PM 130248]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 6:19 PM 50704]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/4/2010 12:47 AM 19056]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WebTool;WebTool;c:\progra~1\MI4F93~1\webtool.exe [7/19/2007 3:31 PM 705024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [11/4/2011 4:02 PM 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [11/4/2011 4:25 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [11/4/2011 4:26 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [11/4/2011 4:27 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [11/4/2011 4:28 PM 25704]
S4 SymSnapService;SymSnapService;"e:\shared\Drivers\SymSnapService.exe" --> e:\shared\Drivers\SymSnapService.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 33648084
*Deregistered* - 33648084
*Deregistered* - aswMBR
*Deregistered* - uwldqpob
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-13 c:\windows\Tasks\AdobeAAMUpdater-1.0-GUYDOWN-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-18 03:44]
.
2011-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:57]
.
2011-12-13 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [1980-01-01 00:12]
.
2011-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 19:44]
.
2011-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-02 19:44]
.
2011-12-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4035870869-1440049310-3935256124-500Core1cc8f0a73e00168.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-06 14:46]
.
2011-12-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2011-12-13 c:\windows\Tasks\Orb Index when idle.job
- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe [2010-04-02 23:48]
.
2011-12-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4035870869-1440049310-3935256124-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2011-12-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4035870869-1440049310-3935256124-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2011-12-13 c:\windows\Tasks\User_Feed_Synchronization-{7264ADE4-5841-43F6-99F0-C4EBCFFE1515}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.36.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwoc.ops.placeware.com/etc/place/OSCAR/SCOpws-c2/5.1.6.246/lib/quicksilver.cab
DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://piranha/ProjectServer/objects/pjclient.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ntb2awb2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2548838&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - TVersitybar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-13 16:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-00GVA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4035870869-1440049310-3935256124-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,27,68,34,e2,13,70,79,44,b1,5e,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,6a,39,ae,5a,55,dd,43,bb,a1,a7,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,27,68,34,e2,13,70,79,44,b1,5e,fe,\
.
[HKEY_USERS\S-1-5-21-4035870869-1440049310-3935256124-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BB1CF7F0-F92E-1947-2AFE-E5C59C35E1FF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"falgabjfaoaa"=hex:61,61,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}\{38286259-1A12-EDE0-84E2CD6A1D76E8F7}\{2C2658AF-F73E-73C6-89D45D0D6FCCCFF2}*]
"63AUOURV1X6YIYB2ELIFO4LTRC1"=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(5408)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\dfshim.dll
.
Completion time: 2011-12-13 17:13:54
ComboFix-quarantined-files.txt 2011-12-13 17:13
ComboFix2.txt 2011-12-13 09:07
ComboFix3.txt 2011-12-12 17:09
ComboFix4.txt 2011-12-05 13:10
ComboFix5.txt 2011-12-13 16:08
.
Pre-Run: 38,102,011,904 bytes free
Post-Run: 38,083,100,672 bytes free
.
- - End Of File - - AD8716B0420955EEB524F3C9E51535F4

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:51 PM

Posted 13 December 2011 - 12:35 PM

Hi

Please run the following:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\WINDOWS).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste, or attach, the content of it in your next reply.



NEXT



Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "c:\windows\system32\2060\inf2060.dat"


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 redbullpower

redbullpower
  • Topic Starter

  • Members
  • 48 posts
  • Local time:12:51 AM

Posted 13 December 2011 - 02:04 PM

Please see log below.


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Access is denied.

...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

...
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB833987$\sxs.dll: Access is denied.

...
..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...
.\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

.\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5

...

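The junction scan CatByte asked for in #13 and the log posted in #14 are easier to triage with a small parser than by eye. The following is an added example, not part of this thread and not code from the Sysinternals tool: it reads Junction's text output (a constructed sample modelled on the posted log, with one hypothetical extra entry, EXAMPLE_dir pointing at EXAMPLE_target, to show the "unexpected target" case), separates access-denied paths (the ones later handed to GrantPerms) from files merely in use, and flags any junction whose source is not a .NET GAC folder or whose target is not under C:\WINDOWS\WinSxS. The expected-source and expected-target prefixes are assumptions based on the entries in the posted log, not a rule from the tool.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the Junction v1.06 output posted in the thread.
# The final JUNCTION entry (EXAMPLE_dir -> EXAMPLE_target) is hypothetical and
# exists only to exercise the "unexpected target" branch.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...
..
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB833987$\sxs.dll: Access is denied.
..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5

.\\?\c:\\WINDOWS\system32\EXAMPLE_dir: JUNCTION
Print Name : C:\Documents and Settings\All Users\Application Data\EXAMPLE_target
Substitute Name: C:\Documents and Settings\All Users\Application Data\EXAMPLE_target
"""

# Assumed baseline: on this XP box the only junctions seen were .NET GAC folders
# under c:\windows\assembly or c:\windows\microsoft.net\assembly, each pointing
# into c:\windows\winsxs. Anything else is flagged for manual review.
EXPECTED_SOURCES = ("c:\\windows\\assembly\\", "c:\\windows\\microsoft.net\\assembly\\")
EXPECTED_TARGET = "c:\\windows\\winsxs\\"

# Progress dots are fused onto the start of JUNCTION lines in the real output.
JUNCTION_RE = re.compile(r"^\.*(\\\\\?\\.+?): JUNCTION$")
FAIL_RE = re.compile(r"^Failed to open (.+?): (.+)$")
NAME_RE = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(.+)$")


@dataclass
class Junction:
    path: str
    print_name: str = ""
    substitute_name: str = ""

    def is_expected(self) -> bool:
        """True only for a GAC folder that points into WinSxS with matching names."""
        src, tgt = self.path.lower(), self.print_name.lower()
        return (src.startswith(EXPECTED_SOURCES)
                and tgt.startswith(EXPECTED_TARGET)
                and self.print_name == self.substitute_name)


@dataclass
class Failure:
    path: str
    reason: str


def normalize_path(raw: str) -> str:
    """Strip progress dots, the \\?\ prefix and the doubled backslash after the drive."""
    p = raw.lstrip(".")
    prefix = "\\\\?\\"
    if p.startswith(prefix):
        p = p[len(prefix):]
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p


def parse_junction_log(text: str):
    """Return (junctions, failures) parsed from Junction's text output."""
    junctions, failures = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = FAIL_RE.match(line)
        if m:
            failures.append(Failure(normalize_path(m.group(1)), m.group(2).rstrip(".")))
            continue
        m = JUNCTION_RE.match(line)
        if m:
            current = Junction(normalize_path(m.group(1)))
            junctions.append(current)
            continue
        m = NAME_RE.match(line)
        if m and current is not None:
            if m.group(1) == "Print Name":
                current.print_name = m.group(2)
            else:
                current.substitute_name = m.group(2)
        # banner lines and bare progress dots are ignored
    return junctions, failures


def triage(junctions, failures) -> dict:
    """Summarise what a responder needs to look at next."""
    return {
        "junctions": len(junctions),
        "unexpected": [j.path for j in junctions if not j.is_expected()],
        "access_denied": [f.path for f in failures if f.reason == "Access is denied"],
        "in_use": [f.path for f in failures if f.reason != "Access is denied"],
    }


if __name__ == "__main__":
    js, fs = parse_junction_log(SAMPLE_LOG)
    for key, value in triage(js, fs).items():
        print(f"{key}: {value}")
```

Access-denied entries are the ones to hand to a permission-reset tool such as the GrantPerms step that follows; "in use" entries (pagefile.sys, scan caches) are normal and need no action. A junction outside the .NET GAC folders, or one whose Print Name and Substitute Name disagree, is worth a second look regardless of where it points.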
#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:51 PM

Posted 13 December 2011 - 02:32 PM

Hi,

Please do the following:

  • Please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:


c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin
c:\\WINDOWS\$NtUninstallKB833987$\sxs.dll
c:\windows\system32\drivers\redbook.sys.org
C:\WINDOWS\system32\DRIVERS\nv4_mini.sys



  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.


NEXT


Please see if you can now upload those files to one of the on-line scanners; if not, please repeat the exact message you are getting.

thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




