Recycler Virus or just leftovers Logs Redirected


  • This topic is locked
9 replies to this topic

#1 wmcot

  • Members
  • 34 posts
  • Gender:Male
  • Location:Salt Lake City, Utah

Posted 29 January 2012 - 12:04 AM

OK. Here are my logs as requested after running DDS and GMER:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.2.0
Run by wmcot at 21:14:55 on 2012-01-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.283 [GMT -7:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846CF6AC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {823B85C4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8488B474-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842F889C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8444931C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {839B8B94-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8495E844-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84670DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84676A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84587D3C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8430DA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843EC72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846B1B64-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846ABDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8496D9E4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8445F354-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8491264C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {848D663C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {BADB0D00-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {844FFDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8495756C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846429A4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84319DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8445F2DC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8486CDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84815644-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84615DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842C0054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84298B5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83E22A1C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {847847DC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84333DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842E6C1C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846C93AC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8494AA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843B05BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84258A5C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84676C1C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846A9A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8431EC34-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8429BDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {848865C4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842ADA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84901624-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84683CAC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8436CA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8443BBCC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {849142BC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8483799C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {841F789C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8415B9FC-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {844DE424-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84720B64-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84960DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84331A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {848FDB2C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84948A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84238DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8462EC3C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8488E624-FFA4-0111-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {844CDBEC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843C5DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8489E62C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842B7DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846CBB64-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84498A5C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {849FDDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8482C914-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84909CD4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8478EA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84474DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842E2DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8497E9A4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83BEA464-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {841E3A5C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842A1DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843B1A0C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846A2A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84237C1C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84292A84-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846F27D4-FFA4-00CC-0D24-347CA8A3377C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
E:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\dllhost.exe
e:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Antivirus System Tray Tool] c:\program files\avira\antivir desktop\avgnt.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Launch PC Probe II] "e:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{713B05C3-06AB-4BE1-B3FB-3E622D37D171} : NameServer = 192.168.0.1,192.168.0.16
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtuvuuV
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: AcroRd32.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: excel.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: lightscribecontrolpanel.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: lslauncher.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: lws.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
.
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wmcot\application data\mozilla\firefox\profiles\xnr317et.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/1.html
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: e:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: e:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: e:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: e:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: e:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: e:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: e:\program files\quicktime\plugins\npqtplugin7.dll
FF - plugin: e:\program files\videolan\vlc\npvlc.dll
FF - plugin: f:\program files\itunes\mozilla plugins\npitunes.dll
.
---- FIREFOX POLICIES ----

FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
.
============= SERVICES / DRIVERS ===============
.
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2008-12-8 210304]
R0 UliPnp;ULi PnP Driver;c:\windows\system32\drivers\ULiPnp.sys [2008-12-8 8064]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-3 36000]
R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [2008-12-8 84471]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-3 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-3 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-3 74640]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-13 652872]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2011-12-8 1514304]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-7-27 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-7-27 36352]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [2008-12-8 5304]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-10-18 20464]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-9-11 119656]
R3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2011-12-2 10064]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-7-27 77056]
S3 aligp;USB Composite Device;c:\windows\system32\drivers\AliGP.sys [2008-12-8 9658]
S3 cpuz132;cpuz132;\??\c:\docume~1\wmcot\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\wmcot\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2001-8-23 14336]
S3 SliceDisk5;SliceDisk5;\??\e:\program files\a-ff find and mount\slicedisk.sys --> e:\program files\a-ff find and mount\slicedisk.sys [?]
S4 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-4-27 206120]
S4 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-4-27 185640]
.
=============== Created Last 30 ================
.
2012-01-28 08:44:43 -------- d-----w- c:\documents and settings\all users\application data\Nero
2012-01-28 08:27:02 -------- d-----w- c:\documents and settings\wmcot\local settings\application data\Sun
2012-01-28 08:14:52 -------- d-----w- c:\program files\AMD APP
2012-01-28 08:14:30 -------- d-----w- c:\program files\ATI Technologies
2012-01-28 08:14:26 -------- d-----w- c:\program files\ATI
2012-01-28 08:13:20 -------- d-----w- C:\AMD
2012-01-28 08:06:18 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-28 07:35:03 876136 ----a-w- c:\windows\system32\nvhdagenco3220102.dll
2012-01-27 02:50:54 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2012-01-27 02:50:09 -------- d-----w- c:\program files\TuneUp Utilities 2012
2012-01-25 07:33:11 -------- d-----w- c:\documents and settings\wmcot\application data\TrojanHunter
2012-01-25 03:49:51 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-01-24 04:54:45 -------- d-----w- c:\documents and settings\wmcot\local settings\application data\eSupport.com
2012-01-23 00:37:11 -------- d-----w- c:\program files\UPHClean
2012-01-17 05:33:12 -------- d-----w- c:\windows\system32\CatRoot2
2012-01-15 05:56:49 768848 ----a-w- c:\windows\system32msvcr100.dll
2012-01-08 06:35:01 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-08 06:35:01 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-08 06:35:01 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-08 06:35:01 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-01-03 00:28:24 5685 ----a-r- c:\windows\system32\drivers\AsIO.sys
2012-01-03 00:28:24 24576 ----a-r- c:\windows\system32\AsIO.dll
2012-01-03 00:28:20 5120 ----a-w- c:\windows\system32\drivers\AsInsHelp64.sys
2012-01-03 00:28:20 3328 ----a-w- c:\windows\system32\drivers\AsInsHelp32.sys
.
==================== Find3M ====================
.
2012-01-28 08:05:54 567184 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-28 08:05:54 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-28 07:36:28 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-01-28 07:36:28 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-01-28 07:36:22 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-01-24 04:47:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-14 01:03:59 33280 ----a-w- c:\windows\system32\rundll32.exe
2011-12-10 22:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 05:04:00 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-06 05:03:52 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-06 05:03:04 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-12-06 05:02:16 44032 ----a-w- c:\windows\system32\OpenCL.dll
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-16 00:57:06 2463744 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
2011-11-16 00:57:02 122880 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
.
============= FINISH: 21:16:23.37 ===============


GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-28 22:00:18
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 HDS728040PLAT20 rev.PF1OA21B
Running: uex1rtlk.exe; Driver: C:\DOCUME~1\wmcot\LOCALS~1\Temp\fxliqkow.sys


---- System - GMER 1.0.15 ----

SSDT F7C26E06 ZwCreateKey
SSDT F7C26DFC ZwCreateThread
SSDT F7C26E0B ZwDeleteKey
SSDT F7C26E15 ZwDeleteValueKey
SSDT F7C26E1A ZwLoadKey
SSDT F7C26DE8 ZwOpenProcess
SSDT F7C26DED ZwOpenThread
SSDT F7C26E24 ZwReplaceKey
SSDT F7C26E1F ZwRestoreKey
SSDT F7C26E10 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 25E 804E4AB8 4 Bytes [E8, 6D, C2, F7]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5CB1380, 0x8D6CD5, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xEF2F8A00]
? C:\WINDOWS\system32\Drivers\PROCEXP151.SYS The system cannot find the file specified. !
? C:\DOCUME~1\wmcot\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[4068] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0126B750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ubohci \Device\C1394 UB1394.SYS (FireAPIŽ 1394 Class Driver (XP)/Unibrain S.A.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#2 wmcot

  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Location:Salt Lake City, Utah

Posted 29 January 2012 - 12:05 AM

To my untrained eyes, nothing jumps out at me, but I'm still wondering about those S-1-5-21-2052111302-602162358-839522115-1003 folders appearing in Recycler.

I hope this helps shed some light on it.


Thanks.

#3 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 February 2012 - 01:41 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what issues you are having with this computer.

#4 wmcot

  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Location:Salt Lake City, Utah

Posted 02 February 2012 - 12:20 AM

OK. Here are the logs. I had to run ComboFix twice, because it restarted the computer on the first run and that re-enabled Avira and MalwareBytes. MBAM threw up an error which froze the computer. You can see the results of the first run in the log:

ComboFix 12-02-01.01 - wmcot 02/01/2012 21:50:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.343 [GMT -7:00]
Running from: c:\documents and settings\wmcot\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8415B9FC-FFA4-0100-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8462EC3C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {823B85C4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {839B8B94-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83BEA464-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83E22A1C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {841E3A5C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {841F789C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84237C1C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84238DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84258A5C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84292A84-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84298B5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8429BDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842A1DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842ADA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842B7DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842C0054-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842E2DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842E6C1C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {842F889C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8430DA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84319DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8431EC34-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84331A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84333DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8436CA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843B05BC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843B1A0C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843C5DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {843EC72C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8443BBCC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8444931C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8445F2DC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8445F354-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84474DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84498A5C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {844CDBEC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {844DE424-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {844FFDDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84587D3C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84615DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846429A4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84670DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84676A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84676C1C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84683CAC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846A2A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846A9A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846ABDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846B1B64-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846C93AC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846CBB64-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846CF6AC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {846F27D4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84720B64-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {847847DC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8478EA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84815644-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8482C914-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8483799C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8486CDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {848865C4-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8488B474-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8488E624-FFA4-0111-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8489E62C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {848D663C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {848FDB2C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84901624-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84909CD4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8491264C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {849142BC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84948A5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8494AA5C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8495756C-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8495E844-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84960DDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8496D9E4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8497E9A4-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {849FDDDC-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {BADB0D00-FFA4-00CC-0D24-347CA8A3377C}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\wmcot\Application Data\inst.exe
c:\documents and settings\wmcot\Application Data\vso_ts_preview.xml
c:\windows\AutoRun.ini
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\default_user_class.dat.LOG
c:\windows\system32\msnphoto.scr
c:\windows\system32\tmp.reg
.
-- Previous Run --
.
Infected copy of c:\windows\system32\Version.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\version.dll
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-02-01 05:52 . 2008-10-30 08:57 974848 ----a-w- c:\windows\system32\hpost_p02b.dll
2012-02-01 05:52 . 2008-10-30 08:57 737280 ----a-w- c:\windows\system32\hposwia_p02b.dll
2012-02-01 05:52 . 2008-10-30 08:57 307200 ----a-w- c:\windows\system32\hposc_p02a.dll
2012-02-01 05:52 . 2008-10-29 00:31 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2012-02-01 05:52 . 2008-10-29 00:31 309760 ----a-w- c:\windows\system32\difxapi.dll
2012-02-01 05:52 . 2012-02-01 06:08 -------- d-----w- c:\program files\HP
2012-01-28 08:44 . 2012-01-28 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2012-01-28 08:38 . 2012-01-28 09:10 -------- d-----w- c:\program files\Microsoft Silverlight
2012-01-28 08:27 . 2012-01-28 08:27 -------- d-----w- c:\documents and settings\wmcot\Local Settings\Application Data\Sun
2012-01-28 08:14 . 2012-01-28 08:14 -------- d-----w- c:\program files\AMD APP
2012-01-28 08:14 . 2012-01-28 08:14 -------- d-----w- c:\program files\ATI Technologies
2012-01-28 08:14 . 2012-01-28 08:14 -------- d-----w- c:\program files\ATI
2012-01-28 08:13 . 2012-01-28 08:13 -------- d-----w- C:\AMD
2012-01-28 08:06 . 2012-01-28 08:06 -------- d-----w- c:\program files\Common Files\Java
2012-01-28 08:06 . 2012-01-28 08:05 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-28 07:35 . 2011-07-07 23:21 876136 ----a-w- c:\windows\system32\nvhdagenco3220102.dll
2012-01-27 02:50 . 2011-12-09 01:11 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2012-01-27 02:50 . 2012-01-27 02:50 -------- d-----w- c:\program files\TuneUp Utilities 2012
2012-01-25 07:33 . 2012-01-25 07:33 -------- d-----w- c:\documents and settings\wmcot\Application Data\TrojanHunter
2012-01-25 03:49 . 2012-01-25 03:49 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-01-24 04:54 . 2012-01-24 04:54 -------- d-----w- c:\documents and settings\wmcot\Local Settings\Application Data\eSupport.com
2012-01-24 00:39 . 2012-01-24 00:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes
2012-01-23 00:37 . 2012-01-23 00:37 -------- d-----w- c:\program files\UPHClean
2012-01-17 05:33 . 2012-02-02 04:49 -------- d-----w- c:\windows\system32\CatRoot2
2012-01-15 05:56 . 2011-01-07 21:39 768848 ----a-w- c:\windows\system32\msvcr100.dll
2012-01-13 07:54 . 2012-01-13 07:55 -------- d-----w- c:\documents and settings\Administrator
2012-01-08 06:35 . 2012-02-01 06:16 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-08 06:35 . 2012-01-08 06:35 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-08 06:35 . 2012-01-08 06:35 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-08 06:35 . 2012-01-08 06:35 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-28 08:05 . 2010-06-23 07:27 567184 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-28 08:05 . 2009-10-24 07:05 141312 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-24 04:47 . 2011-05-14 05:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-14 01:03 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\rundll32.exe
2011-12-10 22:24 . 2008-10-18 23:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 06:08 . 2011-12-03 21:41 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-06 05:04 . 2011-12-06 05:04 59904 ----a-w- c:\windows\system32\OpenVideo.dll
2011-12-06 05:03 . 2011-12-06 05:03 54784 ----a-w- c:\windows\system32\OVDecode.dll
2011-12-06 05:03 . 2011-12-06 05:03 14499328 ----a-w- c:\windows\system32\amdocl.dll
2011-12-06 05:02 . 2011-12-06 05:02 44032 ----a-w- c:\windows\system32\OpenCL.dll
2011-11-25 21:57 . 2002-08-29 03:41 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2002-08-29 02:14 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2002-08-29 03:41 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2002-08-29 03:41 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2002-08-29 03:41 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-16 00:57 . 2011-11-16 00:57 2463744 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
2011-11-16 00:57 . 2011-11-16 00:57 122880 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
2011-11-04 19:20 . 2002-08-29 03:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2002-08-29 03:41 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2002-08-29 03:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2006-11-19 07:43 385024 ----a-w- c:\windows\system32\html.iec
2012-02-01 06:16 . 2011-05-06 05:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus System Tray Tool]
2011-09-23 18:38 258512 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2011-09-23 18:38 258512 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-12-25 00:50 460872 ----a-w- e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-03-17 11:29 1040384 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-09-30 19:19 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechQuickCamRibbon"="e:\program files\Logitech\Logitech WebCam Software\LWS.exe" /hide
"SoundMax"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" /tray
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=c:\program files\NVIDIA Corporation\nview\nwiz.exe /installquiet
"Launch PC Probe II"="e:\program files\ASUS\PC Probe II\Probe2.exe" 1
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
.
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [12/8/2008 01:41 AM 210304]
R0 UliPnp;ULi PnP Driver;c:\windows\system32\drivers\ULiPnp.sys [12/8/2008 01:41 AM 8064]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/3/2011 02:41 PM 36000]
R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [12/8/2008 02:02 AM 84471]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/3/2011 02:41 PM 86224]
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/13/2012 12:10 AM 652872]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [12/8/2011 06:11 PM 1514304]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 05:25 PM 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 05:25 PM 36352]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [12/8/2008 02:02 AM 5304]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/18/2008 04:58 PM 20464]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [9/11/2011 01:07 AM 119656]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [12/2/2011 12:33 AM 10064]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 05:25 PM 77056]
S3 aligp;USB Composite Device;c:\windows\system32\drivers\AliGP.sys [12/8/2008 02:02 AM 9658]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/23/2001 05:00 AM 14336]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/19/2008 11:37 AM 47360]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 SliceDisk5;SliceDisk5;\??\e:\program files\A-FF Find and Mount\slicedisk.sys --> e:\program files\A-FF Find and Mount\slicedisk.sys [?]
S4 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [4/27/2010 10:07 PM 206120]
S4 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [4/27/2010 10:07 PM 185640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-09-16 20:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{713B05C3-06AB-4BE1-B3FB-3E622D37D171}: NameServer = 192.168.0.1,192.168.0.16
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\wmcot\Application Data\Mozilla\Firefox\Profiles\xnr317et.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/1.html
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-01 21:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1880)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-01 22:02:54
ComboFix-quarantined-files.txt 2012-02-02 05:02
.
Pre-Run: 2,920,984,576 bytes free
Post-Run: 2,865,795,072 bytes free
.
- - End Of File - - 1CAA532081643C176C1BF791919B41F5



Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira Free Antivirus
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

TuneUp Utilities 2012
TuneUp Utilities Language Pack (en-US)
TuneUp Utilities 2012
TuneUp Utilities Language Pack (en-US)
CCleaner
Java™ 6 Update 30
Java™ 7 Update 2
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.2)
Mozilla Firefox 10.0. Firefox out of Date!
Mozilla Thunderbird 3.1.17 Thunderbird out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

Avira is out of date because I haven't let it run tonight - I didn't want it to interfere with ComboFix.

I am still getting the folder S-1-5-21-2052111302-602162358-839522115-1003 appearing in each Recycler. I believe this is part of the Recycler virus. Each drive has one and each contains a Desktop.ini and a file called INFO2. These will come back even after making the files visible and deleting them through the CMD window (with Restore off).

#5 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 PM

Posted 02 February 2012 - 11:29 AM

Let's see what we can find out about this.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :regfind
    S-1-5-21-2052111302-602162358-839522115-1003

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#6 wmcot
  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Location:Salt Lake City, Utah
  • Local time:06:19 PM

Posted 02 February 2012 - 11:13 PM

Here are the results from SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:11 on 02/02/2012 by wmcot
Administrator - Elevation successful

========== regfind ==========

Searching for "S-1-5-21-2052111302-602162358-839522115-1003"
[HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Preferences\HME\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_LOCAL_MACHINE\SOFTWARE\Support.com\users]
"LastUser"="S-1-5-21-2052111302-602162358-839522115-1003"
[HKEY_LOCAL_MACHINE\SOFTWARE\TuneUp\Utilities\RegistryDefrag\OCM\|REGISTRY|USER|S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_LOCAL_MACHINE\SOFTWARE\TuneUp\Utilities\RegistryDefrag\OCM\|REGISTRY|USER|S-1-5-21-2052111302-602162358-839522115-1003_CLASSES]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\hivelist]
"\REGISTRY\USER\S-1-5-21-2052111302-602162358-839522115-1003"="\Device\HarddiskVolume1\Documents and Settings\wmcot\ntuser.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\hivelist]
"\REGISTRY\USER\S-1-5-21-2052111302-602162358-839522115-1003_Classes"="\Device\HarddiskVolume1\Documents and Settings\wmcot\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist]
"\REGISTRY\USER\S-1-5-21-2052111302-602162358-839522115-1003"="\Device\HarddiskVolume1\Documents and Settings\wmcot\ntuser.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist]
"\REGISTRY\USER\S-1-5-21-2052111302-602162358-839522115-1003_Classes"="\Device\HarddiskVolume1\Documents and Settings\wmcot\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat"
[HKEY_USERS\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_USERS\S-1-5-21-2052111302-602162358-839522115-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-2052111302-602162358-839522115-1003]
[HKEY_USERS\S-1-5-21-2052111302-602162358-839522115-1003_Classes]

-= EOF =-

#7 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 PM

Posted 03 February 2012 - 09:40 AM

I checked further on this and found this article.

http://www.raymond.cc/blog/what-is-info2-file-hidden-in-recycled-or-recycler-folder/

This is not from an infection. I would leave it alone.
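
The INFO2 file asked about in this thread is the Recycle Bin index that Windows 2000/XP keeps in RECYCLER\<SID>\ on every NTFS drive, one subfolder per user SID (the SystemLook output above ties that -1003 SID to the wmcot profile via ProfileList). Windows recreates the folder, its Desktop.ini and INFO2 the next time the bin is used, which is why deleting them does not stick. The parser below is an added example for this thread, not code from the original post or from any of the tools used in it. It decodes each 800-byte record (original path, deletion FILETIME, size, drive) and reconstructs the D<drive><index>.<ext> name the deleted file was given on disk beside INFO2. It assumes the version-5 (2000/XP) layout described in its comments, treats the last header DWORD as an assumed total-size field it does not use, and the INFO2 bytes it parses are constructed inline rather than taken from any real system.

```python
"""Parse a Windows 2000/XP Recycle Bin index file (RECYCLER\\<SID>\\INFO2).

Added example for this thread, not code from the original post or from any of
the tools used in it. The layout assumed here is the Win2k/XP "version 5" INFO2
format: a 20-byte header followed by fixed 800-byte records. The sample INFO2
bytes at the bottom are constructed for demonstration.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20
RECORD_SIZE = 800          # 0x320 on Win2k/XP; the header repeats it at offset 12
ANSI_PATH_LEN = 260        # MAX_PATH, null-terminated ANSI original path
UNICODE_PATH_LEN = 520     # MAX_PATH * 2, UTF-16LE original path
META_FMT = "<iiQi"         # index, drive number, FILETIME deleted, size in bytes
META_LEN = struct.calcsize(META_FMT)   # 20 bytes

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, computed with integers to avoid float loss."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return one dict per record in the raw bytes of an INFO2 file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    version, _unk1, _unk2, record_size, _total = struct.unpack("<5I", data[:HEADER_SIZE])
    if version != 5:
        raise ValueError("INFO2 version %d not supported (expected 5 for 2000/XP)" % version)
    if record_size != RECORD_SIZE:
        raise ValueError("unexpected record size %d" % record_size)

    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        ansi_raw = rec[:ANSI_PATH_LEN]
        index, drive, ft, size = struct.unpack(META_FMT, rec[ANSI_PATH_LEN:ANSI_PATH_LEN + META_LEN])
        uni_raw = rec[ANSI_PATH_LEN + META_LEN:ANSI_PATH_LEN + META_LEN + UNICODE_PATH_LEN]
        original = uni_raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        # When an entry is emptied or restored, XP zeroes the first byte of the ANSI
        # path but leaves the rest of the record intact, so it is still recoverable.
        emptied = ansi_raw[0] == 0
        letter = chr(ord("A") + drive) if 0 <= drive < 26 else "?"
        fname = original.rsplit("\\", 1)[-1]
        ext = fname.rsplit(".", 1)[1] if "." in fname else ""
        # On disk the deleted file sits beside INFO2 as D<drive><index>[.<ext>], e.g. Dc1.txt
        bin_name = "D%s%d%s" % (letter.lower(), index, "." + ext if ext else "")
        records.append({
            "index": index,
            "drive": letter,
            "original_path": original,
            "bin_name": bin_name,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "emptied": emptied,
        })
    return records


def build_record(path, index, drive, deleted_at, size, emptied=False):
    """Construct one 800-byte record (fixture for the sample below, not real evidence)."""
    ansi = path.encode("latin-1")[:ANSI_PATH_LEN - 1].ljust(ANSI_PATH_LEN, b"\x00")
    if emptied:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le")[:UNICODE_PATH_LEN - 2].ljust(UNICODE_PATH_LEN, b"\x00")
    return ansi + struct.pack(META_FMT, index, drive, datetime_to_filetime(deleted_at), size) + uni


# Constructed sample: header (version 5, two unknown DWORDs, record size, and a final
# DWORD assumed to be the total logical size) followed by two records.
SAMPLE_INFO2 = (
    struct.pack("<5I", 5, 0, 0, RECORD_SIZE, HEADER_SIZE + 2 * RECORD_SIZE)
    + build_record("C:\\Documents and Settings\\user\\My Documents\\notes.txt", 1, 2,
                   datetime(2012, 2, 1, 21, 57, tzinfo=timezone.utc), 4096)
    + build_record("E:\\Downloads\\setup.exe", 2, 4,
                   datetime(2012, 2, 2, 3, 15, 30, tzinfo=timezone.utc), 1_048_576, emptied=True)
)


if __name__ == "__main__":
    # Usage: python info2_parse.py [path\to\RECYCLER\<SID>\INFO2]; defaults to the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INFO2
    for r in parse_info2(raw):
        flag = " (emptied)" if r["emptied"] else ""
        print("%-10s %s  %9d bytes  %s%s" % (r["bin_name"], r["deleted_at"].isoformat(),
                                             r["size"], r["original_path"], flag))
```

Run against a real INFO2 copied off an XP drive it lists what was deleted, when, and from where, which is the reason the folder is worth keeping rather than fighting: it is a forensic artifact, not a dropper. Records whose first ANSI byte is zero are entries Windows has already released but not overwritten, so the same parser recovers them.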

#8 wmcot
  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Location:Salt Lake City, Utah
  • Local time:06:19 PM

Posted 03 February 2012 - 01:19 PM

Great to hear that. I read the article and it explains a lot.

Thanks for all your help in checking out my system. At least I found a few "bugs" along the way and with your help I was able to clean them.

#9 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 PM

Posted 03 February 2012 - 02:06 PM

Glad we could help.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#10 nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:19 PM

Posted 10 February 2012 - 10:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
