
Zero Access Rootkit Infection


  • This topic is locked
40 replies to this topic

#1 tonto58

tonto58

  • Members
  • 27 posts

Posted 06 February 2012 - 09:30 AM

Hi All, re-directed here from "Am I Infected". http://www.bleepingcomputer.com/forums/topic441240.html


My Computer seems to be getting worse by the day. It is now constantly crashing & rebooting itself after some of the suggested scans and taking forever to reboot.

Running Windows XP on an older machine: AMD Athlon XP 1800+ 1.5 GHz with 1.5 GB of RAM



Here is my DDS log:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Litho Art at 9:24:03 on 2012-02-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1131 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
E:\Program Files\SASCORE.EXE
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Tweak-XP Pro\AdBlocker.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ca.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://ca.yahoo.com/?fr=fp-yie8
mWinlogon: SFCDisable=-99 (0xffffff9d)
uWinlogon: SHELL=c:\documents and settings\litho art\local settings\application data\d80131ed\X
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3049c3e9-b461-4bc5-8870-4c09146192ca} - RealPlayer Download and Record Plugin for Internet Explorer
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BlockAds] "e:\program files\tweak-xp pro\AdBlocker.exe"
uRun: [Google Update] "c:\documents and settings\litho art\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoUpdateCheck = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: &Search - ?p=ZCfox000
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1312733277125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{C9780DEB-7D73-4B0A-9AA6-E04014D7832F} : NameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: !SASWinLogon - e:\program files\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\litho art\application data\mozilla\firefox\profiles\p46iqx5a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\litho art\application data\mozilla\firefox\profiles\p46iqx5a.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\litho art\application data\mozilla\firefox\profiles\p46iqx5a.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\litho art\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\litho art\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\litho art\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: e:\program files\netscape6\nppl3260.dll
FF - plugin: e:\program files\netscape6\nprjplug.dll
FF - plugin: e:\program files\netscape6\nprpjplug.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;e:\program files\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;e:\program files\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;e:\program files\SASCORE.EXE [2011-7-18 116608]
R2 EFI ES1000;EFI ES1000;c:\program files\common files\efi\efi es-1000 service\ES1000Service.exe [2009-11-25 9216]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-5-17 10384]
R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [2005-6-27 35107]
S0 06172837;06172837;c:\windows\system32\drivers\01792130.sys --> c:\windows\system32\drivers\01792130.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-8 136176]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\system32\drivers\CtUsbMs.sys [2006-12-27 14720]
S3 FILEMON;FILEMON;\??\c:\program files\winternals\filemon ee\filesys.sys --> c:\program files\winternals\filemon ee\FILESYS.SYS [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-8 136176]
S3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\navap.sys --> c:\progra~1\symant~1\symant~1\NAVAP.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2101-04-27 13:39:37 607744 -c--a-w- c:\windows\system32\Decslib.dll
2101-04-27 13:37:18 112688 -c--a-w- c:\windows\system32\shw32.dll
2101-04-27 13:37:13 211456 -c--a-w- c:\windows\system32\qd3d_ir2.q3x
2101-04-27 13:37:12 70656 -c--a-w- c:\windows\system32\3dviewer.dll
2101-04-27 13:37:11 909312 -c--a-w- c:\windows\system32\qd3d.dll
2101-04-27 13:37:11 553984 -c--a-w- c:\windows\system32\rave.dll
2101-04-27 13:36:57 168448 -c--a-w- c:\windows\system32\Awrtl30.dll
2101-04-27 13:36:56 100864 -c--a-w- c:\windows\system32\awpe.dll
2101-04-27 13:36:41 245760 -c--a-w- c:\windows\system32\Sccomp91.dll
2101-04-27 13:36:41 110592 -c--a-w- c:\windows\system32\Sccres91.dll
2101-04-27 13:36:40 225280 -c--a-w- c:\windows\system32\Scint91.dll
2101-04-27 13:36:30 -------- d-----w- c:\windows\Profiles
2101-04-27 13:31:48 -------- d-----w- c:\windows\Corel
2012-02-05 20:25:42 -------- d-----w- c:\windows\Internet Logs
2012-02-05 00:51:20 -------- dc----w- C:\TDSSKiller_Quarantine
2012-01-27 23:58:41 -------- dcs---w- c:\documents and settings\all users\application data\Memeo
2012-01-27 23:58:41 -------- d-s---w- c:\documents and settings\litho art\local settings\application data\Memeo
2012-01-27 23:49:02 -------- d-----w- c:\documents and settings\litho art\local settings\application data\Safe mirror
2012-01-27 23:48:07 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 19:49:00 -------- dcsh--w- c:\documents and settings\litho art\PrivacIE
2012-01-26 22:08:00 -------- d-----w- c:\documents and settings\litho art\local settings\application data\Yahoo
2012-01-26 21:52:56 -------- dcsh--w- c:\documents and settings\litho art\IETldCache
2012-01-26 21:39:04 -------- d-----w- c:\windows\ie8updates
2012-01-26 21:36:40 -------- d-----w- c:\documents and settings\litho art\local settings\application data\PCHealth
2012-01-26 21:34:41 -------- dc-h--w- c:\windows\ie8
2012-01-26 21:34:28 -------- d--h--w- c:\windows\msdownld.tmp
2012-01-26 21:27:51 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-26 21:27:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-01-26 21:27:44 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-26 21:27:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-26 15:22:50 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-25 14:50:56 1409 ----a-w- c:\windows\QTFont.for
2012-01-24 13:28:32 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-19 13:59:20 -------- d-----w- c:\program files\MSECache
.
==================== Find3M ====================
.
2012-02-05 01:44:40 206464 ----a-w- c:\windows\system32\drivers\UdfReadr_xp.sys
2012-01-30 19:46:59 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-12-19 20:12:03 434884 ----a-w- c:\windows\system32\FontInfo.bin
2011-12-19 20:12:03 142820 ----a-w- c:\windows\system32\GlyphInfo.bin
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 14:25:01 2071 -c--a-w- c:\windows\panose.bin
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 9:26:07.28 ===============
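The DDS log above (and the ComboFix log later in the thread) shows the classic ZeroAccess pattern of the time: a Winlogon Shell value pointing at an `X` file inside a random 8-hex-digit folder under Application Data, `U\` and `L\` subfolders with `@`-named modules under a fake `$NtUninstallKB...$` directory, an 8-digit service name whose driver file is missing on disk, plus weakened security settings (AntiVirusOverride set, firewall disabled). As an added triage example that is not part of this thread and not code from the DDS or ComboFix tools, the Python script below runs those heuristics over a few lines copied from the logs; the rule names, severities and regexes are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS and ComboFix logs posted
# in this thread, so the rules can be exercised offline.
SAMPLE_LOG = r"""
uWinlogon: SHELL=c:\documents and settings\litho art\local settings\application data\d80131ed\X
mWinlogon: SFCDisable=-99 (0xffffff9d)
S0 06172837;06172837;c:\windows\system32\drivers\01792130.sys --> c:\windows\system32\drivers\01792130.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
c:\windows\$NtUninstallKB5651$\3623956973\U\@80000000
c:\windows\$NtUninstallKB5651$\3623956973\L\akygdmgo
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\00000001.@
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass
class Finding:
    rule: str       # short rule identifier (constructed names)
    severity: str   # "high" = strong rootkit indicator, "medium" = weakened posture, "low" = review
    line: str       # the log line that triggered the rule


# Heuristic patterns (constructed for this example, not part of DDS or ComboFix output rules).
WINLOGON_SHELL = re.compile(r"^[um]Winlogon:\s*SHELL=(?P<value>.+?)\s*$", re.IGNORECASE)
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
FAKE_KB_DIR = re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\(?:[UL]\\|@)", re.IGNORECASE)
APPDATA_STORE = re.compile(r"\\[0-9a-f]{8}\\(?:U\\[0-9a-f]{8}\.@|L\\|X$)", re.IGNORECASE)
AV_OVERRIDE = re.compile(r'^"AntiVirusOverride"=dword:0*1$', re.IGNORECASE)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.IGNORECASE)
HOSTS_LINE = re.compile(r"^Hosts:\s+127\.0\.0\.1\s+(?P<host>\S+)", re.IGNORECASE)


def check_line(line: str) -> list[Finding]:
    """Apply every rule to one log line and return the findings it produces."""
    found: list[Finding] = []
    m = WINLOGON_SHELL.match(line)
    if m and m.group("value").lower() != "explorer.exe":
        # The Winlogon Shell value should be explorer.exe; ZeroAccess pointed it at its own "X" file.
        found.append(Finding("winlogon_shell_hijack", "high", line))
    m = SERVICE_LINE.match(line)
    if m:
        name, rest = m.group("name"), m.group("rest")
        if re.fullmatch(r"\d{8}", name) and rest.rstrip().endswith("[?]"):
            # Eight-digit random service name whose driver file DDS could not find on disk.
            found.append(Finding("numeric_ghost_driver", "high", line))
    if FAKE_KB_DIR.search(line) or APPDATA_STORE.search(line):
        # ZeroAccess kept its modules in a fake $NtUninstallKB...$ folder or in an 8-hex-digit
        # folder under Application Data, using U\ and L\ subfolders and "@"-style file names.
        found.append(Finding("zeroaccess_storage_path", "high", line))
    if AV_OVERRIDE.match(line):
        found.append(Finding("security_center_av_override", "medium", line))
    if FIREWALL_OFF.match(line):
        found.append(Finding("windows_firewall_disabled", "medium", line))
    m = HOSTS_LINE.match(line)
    if m and m.group("host").lower() != "localhost":
        # 127.0.0.1 hosts entries can be a legitimate blocklist (Spybot immunization) or malware
        # blocking security sites, so this is flagged for review rather than as an indicator.
        found.append(Finding("hosts_redirect_review", "low", line))
    return found


def scan(text: str) -> list[Finding]:
    """Scan a whole DDS/ComboFix-style log and return all findings in line order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_line(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule so an analyst sees the shape of the infection at a glance."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(summarize(results))
```

Note that the Winlogon Shell line trips two rules at once (the hijack itself and the `\X` storage path), which is the expected overlap for this family.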



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 06 February 2012 - 09:43 AM

Hello tonto58 and welcome to BC.

Please give me enough time to review your logs; I will advise you on what to do next ASAP.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 06 February 2012 - 10:43 AM

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#4 tonto58

tonto58
  • Topic Starter

  • Members
  • 27 posts

Posted 06 February 2012 - 11:43 AM

As instructed, I launched ComboFix and it updated the Windows Recovery Console. Rootkit found, and ComboFix required a restart.

Computer sat at "Windows is Shutting Down" for about 30 minutes. It is now at a black screen for the last 15 minutes.

#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 06 February 2012 - 12:04 PM

Please do a hard restart; ComboFix will continue once the computer has restarted.

~Semp



#6 tonto58

tonto58
  • Topic Starter

  • Members
  • 27 posts

Posted 06 February 2012 - 01:05 PM

ComboFix log:


ComboFix 12-02-06.01 - Litho Art 02/06/2012 12:20:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1178 [GMT -5:00]
Running from: c:\documents and settings\Litho Art\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Litho Art\Application Data\Desktopicon
c:\documents and settings\Litho Art\Application Data\Desktopicon\config.ini
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\00000001.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000c0.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000cb.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000cf.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\80000000.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000c0.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000cb.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000cf.@
c:\documents and settings\Litho Art\Local Settings\Application Data\d80131ed\X
c:\documents and settings\Litho Art\System
c:\documents and settings\Litho Art\System\win_qs8.jqx
c:\documents and settings\Litho Art\WINDOWS
c:\windows\$NtUninstallKB5651$
c:\windows\$NtUninstallKB5651$\175298907
c:\windows\$NtUninstallKB5651$\3623956973\@
c:\windows\$NtUninstallKB5651$\3623956973\L\akygdmgo
c:\windows\$NtUninstallKB5651$\3623956973\loader.tlb
c:\windows\$NtUninstallKB5651$\3623956973\U\@00000001
c:\windows\$NtUninstallKB5651$\3623956973\U\@000000c0
c:\windows\$NtUninstallKB5651$\3623956973\U\@000000cb
c:\windows\$NtUninstallKB5651$\3623956973\U\@000000cf
c:\windows\$NtUninstallKB5651$\3623956973\U\@80000000
c:\windows\$NtUninstallKB5651$\3623956973\U\@800000c0
c:\windows\$NtUninstallKB5651$\3623956973\U\@800000cb
c:\windows\$NtUninstallKB5651$\3623956973\U\@800000cf
c:\windows\system32\AAD.DLL
c:\windows\system32\AAK.dll
c:\windows\system32\AFGMp50.dll
c:\windows\system32\alertservice.dll
c:\windows\system32\AppnBase.dll
c:\windows\system32\BRGSp50.dll
c:\windows\system32\compbatt.dll
c:\windows\system32\dimension4.dll
c:\windows\system32\eventclientmultiplexer.dll
c:\windows\system32\inspect.dll
c:\windows\system32\ipnat.dll
c:\windows\system32\licensemanagersocket.dll
c:\windows\system32\ltck000c.dll
c:\windows\system32\mldserv.dll
c:\windows\system32\ncupdatesvc.dll
c:\windows\system32\NWDNS.dll
c:\windows\system32\pdlnatcm.dll
c:\windows\system32\pid_0928.dll
c:\windows\system32\purgeieservice.dll
c:\windows\system32\QWAVE.dll
c:\windows\system32\Rawwan.dll
c:\windows\system32\razerusb.dll
c:\windows\system32\richvideo.dll
c:\windows\system32\RR2Mjpeg.dll
c:\windows\system32\SE26obex.dll
c:\windows\system32\shellhwdetection.dll
c:\windows\system32\sndsrvc.dll
c:\windows\system32\sscdbus.dll
c:\windows\system32\symwsc.dll
c:\windows\system32\tfsnopio.dll
c:\windows\system32\tsircsrv.dll
c:\windows\system32\tzontservice.dll
c:\windows\system32\U81xbus.dll
c:\windows\system32\USB_RNDIS.dll
c:\windows\system32\vxsvc.dll
c:\windows\system32\websenseclientdeployservice.dll
c:\windows\system32\wg111nd5.dll
E:\setup.exe
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FILEMON
-------\Service_FILEMON
-------\Legacy_dvpapi
-------\Legacy_Nsynas32
-------\Service_dvpapi
-------\Service_Nsynas32
.
.
((((((((((((((((((((((((( Files Created from 2012-01-06 to 2012-02-06 )))))))))))))))))))))))))))))))
.
.
2101-04-27 13:39 . 1998-09-25 16:18 607744 -c--a-w- c:\windows\system32\Decslib.dll
2101-04-27 13:37 . 1998-11-03 15:10 112688 -c--a-w- c:\windows\system32\shw32.dll
2101-04-27 13:37 . 1997-07-30 19:43 211456 -c--a-w- c:\windows\system32\qd3d_ir2.q3x
2101-04-27 13:37 . 1997-07-30 19:58 70656 -c--a-w- c:\windows\system32\3dviewer.dll
2101-04-27 13:37 . 1997-07-30 19:21 553984 -c--a-w- c:\windows\system32\rave.dll
2101-04-27 13:37 . 1997-07-30 16:59 909312 -c--a-w- c:\windows\system32\qd3d.dll
2101-04-27 13:36 . 1998-12-10 12:42 168448 -c--a-w- c:\windows\system32\Awrtl30.dll
2101-04-27 13:36 . 1999-03-21 13:49 100864 -c--a-w- c:\windows\system32\awpe.dll
2101-04-27 13:36 . 1999-07-22 00:15 110592 -c--a-w- c:\windows\system32\Sccres91.dll
2101-04-27 13:36 . 1999-07-22 00:14 245760 -c--a-w- c:\windows\system32\Sccomp91.dll
2101-04-27 13:36 . 1999-07-22 00:14 225280 -c--a-w- c:\windows\system32\Scint91.dll
2101-04-27 13:36 . 2101-04-27 13:36 -------- d-----w- c:\windows\Profiles
2101-04-27 13:31 . 2010-11-09 00:41 -------- d-----w- c:\windows\Corel
2012-02-06 15:55 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-05 20:25 . 2012-02-05 20:25 -------- d-----w- c:\windows\Internet Logs
2012-02-05 00:51 . 2012-02-05 00:51 -------- dc----w- C:\TDSSKiller_Quarantine
2012-01-29 01:13 . 2012-01-29 01:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-27 23:58 . 2012-01-28 00:10 -------- dcs---w- c:\documents and settings\All Users\Application Data\Memeo
2012-01-27 23:58 . 2012-01-28 00:10 -------- d-s---w- c:\documents and settings\Litho Art\Local Settings\Application Data\Memeo
2012-01-27 23:49 . 2012-01-27 23:49 -------- d-----w- c:\documents and settings\Litho Art\Local Settings\Application Data\Safe mirror
2012-01-27 23:48 . 2012-01-28 00:09 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 19:49 . 2012-01-27 19:49 -------- dcsh--w- c:\documents and settings\Litho Art\PrivacIE
2012-01-27 07:33 . 2012-01-27 07:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-27 07:33 . 2012-01-27 07:33 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2012-01-27 07:32 . 2012-01-27 07:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-26 22:08 . 2012-01-26 22:08 -------- d-----w- c:\documents and settings\Litho Art\Local Settings\Application Data\Yahoo
2012-01-26 21:55 . 2012-01-26 21:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-26 21:52 . 2012-01-26 21:52 -------- dcsh--w- c:\documents and settings\Litho Art\IETldCache
2012-01-26 21:36 . 2012-01-26 21:36 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-01-26 21:36 . 2012-01-26 21:36 -------- dc----w- c:\documents and settings\Litho Art\Application Data\Yahoo!
2012-01-26 21:36 . 2012-01-26 21:36 -------- d-----w- c:\documents and settings\Litho Art\Local Settings\Application Data\PCHealth
2012-01-26 21:34 . 2012-01-26 21:35 -------- dc-h--w- c:\windows\ie8
2012-01-26 21:34 . 2012-01-26 21:40 -------- d--h--w- c:\windows\msdownld.tmp
2012-01-26 21:27 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-26 21:27 . 2011-11-04 19:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-01-26 21:27 . 2011-11-04 19:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-26 21:27 . 2011-11-04 19:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-26 15:22 . 2011-03-11 14:10 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-25 14:50 . 2012-01-25 14:50 1409 ----a-w- c:\windows\QTFont.for
2012-01-24 13:28 . 2012-02-05 21:18 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-19 13:59 . 2012-01-19 13:59 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-05 01:44 . 2003-01-13 14:19 206464 ----a-w- c:\windows\system32\drivers\UdfReadr_xp.sys
2012-01-30 19:46 . 2007-07-26 01:49 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-12-10 20:24 . 2011-08-04 15:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2001-08-23 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-04-23 20:52 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-07 13:25 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2001-08-23 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockAds"="e:\program files\Tweak-XP Pro\AdBlocker.exe" [2002-09-13 45056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)
"NoUpdateCheck"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- e:\program files\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc c 1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockAds]
2002-09-13 05:00 45056 ----a-w- e:\program files\Tweak-XP Pro\AdBlocker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
2011-07-25 17:59 2585408 ----a-w- c:\program files\CCleaner\ccleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 -c--a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-06-02 20:03 1957888 -c----w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 14:54 282624 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-02-04 00:25 4617600 ----a-w- e:\program files\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Norton AntiVirus Server"=2 (0x2)
"DefWatch"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Tweak-XP Pro\\AdBlocker.exe"=
"e:\\Program Files\\GlobalSCAPE\\CuteFTP Pro\\TE\\ftpte.exe"=
"c:\\Program Files\\Dantz\\Retrospect 7.0\\Retrospect.exe"=
"e:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"e:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"e:\\Program Files\\WBC_Ply.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Documents and Settings\\Litho Art\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"e:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\Litho Art\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"e:\\Mozilla\\firefox.exe"=
"e:\\Program Files\\SSUPDATE.EXE"=
"e:\\Program Files\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"e:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Documents and Settings\\Litho Art\\Desktop\\aswMBR.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:Namespro
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
.
R1 SASDIFSV;SASDIFSV;e:\program files\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;e:\program files\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;e:\program files\SASCORE.EXE [7/18/2011 7:02 PM 116608]
R2 EFI ES1000;EFI ES1000;c:\program files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe [11/25/2009 9:42 PM 9216]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [5/17/2011 10:07 AM 10384]
S0 06172837;06172837;c:\windows\system32\drivers\01792130.sys --> c:\windows\system32\drivers\01792130.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2011 8:40 PM 136176]
S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\system32\drivers\CtUsbMs.sys [12/27/2006 2:57 PM 14720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2011 8:40 PM 136176]
S3 vdiskbus;Virtual Disk Bus;c:\windows\system32\DRIVERS\vdiskbus.sys --> c:\windows\system32\DRIVERS\vdiskbus.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Nsynas32
PEVSystemStart
AYDrvNT_ALYAC
dirms_defragmentation
camdrl
lvckap
qmofiltr
PNDIS5
belmonitorservice
db2licd
hidgame
spcstb
smcservice
amdagp
TNaviSrv
CdaD10BA
IPSECSHM
vds
pmem
U81xmdfl
abnetmon
sony_ssm.sys
viagfx
avinitnt
scramby
hdaudbus
vmsprog
w200mdfl
wacomvhid
U81xobex
REVO
vpcusb
prepdrvr
dvpapi
{95808DC4-FA4A-4c74-92FE-5B863F82066B}
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\Auslogics Disk Defrag Sheduled Defragmentation.job
- e:\auslogics disk defrag\DiskDefrag.exe [2011-08-08 14:07]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 01:39]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 01:39]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-220523388-725345543-1003Core.job
- c:\documents and settings\Litho Art\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 01:50]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-220523388-725345543-1003UA.job
- c:\documents and settings\Litho Art\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 01:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: Interfaces\{C9780DEB-7D73-4B0A-9AA6-E04014D7832F}: NameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Litho Art\Application Data\Mozilla\Firefox\Profiles\p46iqx5a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Tpwrtray - TPWRTRAY.EXE
SafeBoot-06172837.sys
MSConfigStartUp-Ad-aware - e:\program files\Lavasoft\Ad-aware 6\Ad-aware.exe
MSConfigStartUp-TMESRV - (no file)
AddRemove-XANT Utilities - e:\program files\xante\Uninst.isu
AddRemove-{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1 - e:\auslogics disk defrag\Auslogics BoostSpeed\unins001.exe
AddRemove-{D61C8B8D-F2B0-42F1-ABA5-CB63D7AD43E1}_is1 - e:\auslogics disk defrag\AusLogics BoostSpeed\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-06 12:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UdfReadr_xp]
"ImagePath"="system32\drivers\tskAE3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-583907252-220523388-725345543-1003\Software\Corel\WritingTools\9.1\User Word Lists\*& ]
"Selected UWL"=hex:02,00
.
[HKEY_USERS\S-1-5-21-583907252-220523388-725345543-1003\Software\Corel\WritingTools\9.1\User Word Lists\*& \Word List 0]
"Name"="c:\\Documents and Settings\\Litho Art\\My Documents\\Corel User Files\\WT9_1.UWL"
"Enabled"=hex:01,00,00,00
.
[HKEY_USERS\S-1-5-21-583907252-220523388-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1680)
e:\program files\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(2796)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-06 13:02:43 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-06 18:02
.
Pre-Run: 3,766,345,728 bytes free
Post-Run: 4,569,493,504 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30
.
- - End Of File - - 0A66A7066F72E3D4696E2F8BF46CE141

#7 sempai (Malware Response Team)

Posted 06 February 2012 - 09:07 PM

What is your antivirus product? Are you using any?


:step1: Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook and copy-paste the following into the box
    :dir
    c:\documents and settings\litho art\local settings\application data\d80131ed\X
    c:\documents and settings\litho art\local settings\application data\d80131ed
    
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply


:step2: ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 tonto58 (Topic Starter)

Posted 06 February 2012 - 10:23 PM

Not currently running antivirus.

Was surviving on ZoneAlarm, which I have uninstalled because it was not responding when I got infected. In the past I also scanned with Search & Destroy and SuperAntiSpyware.

SystemLook Log:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:18 on 06/02/2012 by Litho Art
Administrator - Elevation successful

========== dir ==========

c:\documents and settings\litho art\local settings\application data\d80131ed\X - Unable to find folder.

c:\documents and settings\litho art\local settings\application data\d80131ed - Parameters: "(none)"

---Files---
@ --ahs-- 2048 bytes [20:26 14/11/2011] [20:26 14/11/2011]
loader.tlb --ahs-- 2632 bytes [02:01 05/02/2012] [17:17 06/02/2012]

---Folders---
U d-ahs-- [20:26 14/11/2011]

-= EOF =-

Running Eset now.

#9 tonto58 (Topic Starter)

Posted 07 February 2012 - 08:25 AM

Eset Log:

C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\X.vir a variant of Win32/Sirefef.DD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\00000001.@.vir a variant of Win32/Sirefef.CR trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000c0.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000cb.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000cf.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\80000000.@.vir Win32/Sirefef.DV trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000c0.@.vir Win32/Sirefef.EN trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000cb.@.vir a variant of Win32/Agent.TEO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000cf.@.vir probably a variant of Win32/Sirefef.DV trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.EF trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Sirefef.DA trojan
C:\TDSSKiller_Quarantine\03.02.2012_20.07.42\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DM trojan
F:\Downloads\cnet_disk-defrag-setup_exe.exe a variant of Win32/InstallCore.D application
F:\Downloads\cnet_fences_public_exe.exe a variant of Win32/InstallCore.D application
F:\Virginia'sComputer\Temp\tony\kazaalite_202_b1.zip multiple threats
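
A quick way to triage a list like the one above is to separate what is already sitting in a quarantine folder from what is still live, and to tag the paths that belong to the ZeroAccess/Sirefef layout. The script below is an added example and not part of this thread, nor an ESET or BleepingComputer tool; the sample input is the fifteen lines from the log above, copied verbatim, and the tag names, quarantine prefixes and line regex are my own assumptions about the format as it appears in the post. Twelve of the fifteen hits are under C:\Qoobox\Quarantine (ComboFix) or C:\TDSSKiller_Quarantine, so they had already been neutralised when ESET scanned them; only the three F:\ files were live, and those are bundled installers and a P2P archive rather than ZeroAccess.

```python
import re

# Constructed sample input: the fifteen detection lines from the ESET Online
# Scanner log posted above, copied as posted (path, then ESET's verdict).
ESET_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\X.vir a variant of Win32/Sirefef.DD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\00000001.@.vir a variant of Win32/Sirefef.CR trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000c0.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000cb.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\000000cf.@.vir Win32/Redirector.A trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\80000000.@.vir Win32/Sirefef.DV trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000c0.@.vir Win32/Sirefef.EN trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000cb.@.vir a variant of Win32/Agent.TEO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Litho Art\Local Settings\Application Data\d80131ed\U\800000cf.@.vir probably a variant of Win32/Sirefef.DV trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.EF trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Sirefef.DA trojan
C:\TDSSKiller_Quarantine\03.02.2012_20.07.42\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DM trojan
F:\Downloads\cnet_disk-defrag-setup_exe.exe a variant of Win32/InstallCore.D application
F:\Downloads\cnet_fences_public_exe.exe a variant of Win32/InstallCore.D application
F:\Virginia'sComputer\Temp\tony\kazaalite_202_b1.zip multiple threats
"""

# One log line as posted: a drive-letter path, whitespace, then the verdict
# running to the end of the line (paths themselves contain spaces).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>(?:probably a variant of |a variant of )?"
    r"(?:Win32/\S+ (?:trojan|application)|multiple threats))$"
)

# Hits under these prefixes were already moved by ComboFix (Qoobox) or
# TDSSKiller; they are evidence of what was removed, not live infections.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\tdsskiller_quarantine\\")

# Path patterns of the ZeroAccess/Sirefef layout visible in this log.
# The tag names are my own labels, not ESET's.
INDICATORS = (
    ("zeroaccess-profile-dir", re.compile(r"\\application data\\[0-9a-f]{8}\\")),
    ("zeroaccess-module", re.compile(r"\\[0-9a-f]{8}\.@(\.vir)?$")),
    ("gac-desktop-ini", re.compile(r"\\assembly\\gac(_msil)?\\desktop\.ini")),
    ("patched-system-driver", re.compile(r"\\system32\\drivers\\[a-z0-9_]+\.sys")),
)


def analyze(log_text):
    """Parse ESET log lines into dicts: path, verdict, quarantined flag, tags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised ESET log line: %r" % line)
        path, verdict = m.group("path"), m.group("verdict")
        low = path.lower()
        tags = set()
        if "sirefef" in verdict.lower():
            tags.add("sirefef-family")
        for tag, rx in INDICATORS:
            if rx.search(low):
                tags.add(tag)
        # A hit on a driver in system32\drivers only means "patched stock
        # driver" when the verdict itself is Sirefef; otherwise drop the tag.
        if "sirefef-family" not in tags:
            tags.discard("patched-system-driver")
        findings.append({
            "path": path,
            "verdict": verdict,
            "quarantined": low.startswith(QUARANTINE_PREFIXES),
            "tags": sorted(tags),
        })
    return findings


def summarize(findings):
    """Counts plus the list of hits that are still live on disk."""
    live = [f["path"] for f in findings if not f["quarantined"]]
    return {
        "total": len(findings),
        "quarantined": len(findings) - len(live),
        "live": len(live),
        "sirefef": sum("sirefef-family" in f["tags"] for f in findings),
        "live_paths": live,
    }


if __name__ == "__main__":
    results = analyze(ESET_LOG)
    for f in results:
        state = "quarantined" if f["quarantined"] else "LIVE"
        print("%-11s %-42s %s" % (state, f["verdict"], ", ".join(f["tags"]) or "-"))
    print(summarize(results))
```

The `.vir` suffix on the quarantined paths is ComboFix's rename, so the regex for the `nnnnnnnn.@` module files tolerates it. The eight-hex-character folder under Local Settings\Application Data (d80131ed here, whose `@`, `U` and `loader.tlb` entries show up with hidden+system attributes in the SystemLook output above), the GAC_MSIL\desktop.ini component, and a Sirefef verdict on a stock driver such as cdrom.sys are the traits worth checking for on any other machine showing the same symptoms.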

#10 sempai (Malware Response Team)

Posted 07 February 2012 - 09:14 AM

Hi,

Please try to reinstall your AV, update it and let me know if you encounter any problems.


:step1: We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".

    :Files
    F:\Downloads\cnet_disk-defrag-setup_exe.exe 
    F:\Downloads\cnet_fences_public_exe.exe 
    F:\Virginia'sComputer\Temp\tony\kazaalite_202_b1.zip 
    
    :Commands
    [emptytemp]
    
  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste its contents back here in your next post.


:step2: Please run DDS once again and post the new report for my review.

~Semp



#11 tonto58 (Topic Starter)

Posted 07 February 2012 - 09:18 AM

Thank you for your tremendous help so far. Is there an AV you recommend (freeware for now)? Also, can I run OTM before installing AV?

#12 sempai (Malware Response Team)

Posted 07 February 2012 - 09:31 AM

You're welcome. It is better to run OTM first (to make sure it will run smoothly) before installing an AV.

I always like Avast for freeware: http://www.avast.com/free-antivirus-download

~Semp



#13 tonto58 (Topic Starter)

Posted 07 February 2012 - 10:08 AM

Here are the requested logs. Computer still slow shutting down and rebooting but definitely better than before.

All processes killed
========== FILES ==========
F:\Downloads\cnet_disk-defrag-setup_exe.exe moved successfully.
F:\Downloads\cnet_fences_public_exe.exe moved successfully.
F:\Virginia'sComputer\Temp\tony\kazaalite_202_b1.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Litho Art
->Temp folder emptied: 327723 bytes
->Temporary Internet Files folder emptied: 50775 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 50293961 bytes
->Flash cache emptied: 12678360 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8814659 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 348 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 348 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 13790941 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8408131 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 2612703 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 93.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 02072012_094339

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...



DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Litho Art at 10:05:45 on 2012-02-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.992 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\SASCORE.EXE
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Tweak-XP Pro\AdBlocker.exe
E:\Mozilla\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ca.yahoo.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3049c3e9-b461-4bc5-8870-4c09146192ca} - RealPlayer Download and Record Plugin for Internet Explorer
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BlockAds] "e:\program files\tweak-xp pro\AdBlocker.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoUpdateCheck = 0 (0x0)
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1312733277125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{C9780DEB-7D73-4B0A-9AA6-E04014D7832F} : NameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: !SASWinLogon - e:\program files\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\litho art\application data\mozilla\firefox\profiles\p46iqx5a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\litho art\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\litho art\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\litho art\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: e:\program files\netscape6\nppl3260.dll
FF - plugin: e:\program files\netscape6\nprjplug.dll
FF - plugin: e:\program files\netscape6\nprpjplug.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;e:\program files\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;e:\program files\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;e:\program files\SASCORE.EXE [2011-7-18 116608]
R2 EFI ES1000;EFI ES1000;c:\program files\common files\efi\efi es-1000 service\ES1000Service.exe [2009-11-25 9216]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-5-17 10384]
S0 06172837;06172837;c:\windows\system32\drivers\01792130.sys --> c:\windows\system32\drivers\01792130.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-8 136176]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\system32\drivers\CtUsbMs.sys [2006-12-27 14720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-8 136176]
S3 NAVAP;NAVAP;\??\c:\progra~1\symant~1\symant~1\navap.sys --> c:\progra~1\symant~1\symant~1\NAVAP.sys [?]
S3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\vdiskbus.sys --> c:\windows\system32\drivers\vdiskbus.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2101-04-27 13:39:37 607744 -c--a-w- c:\windows\system32\Decslib.dll
2101-04-27 13:37:18 112688 -c--a-w- c:\windows\system32\shw32.dll
2101-04-27 13:37:13 211456 -c--a-w- c:\windows\system32\qd3d_ir2.q3x
2101-04-27 13:37:12 70656 -c--a-w- c:\windows\system32\3dviewer.dll
2101-04-27 13:37:11 909312 -c--a-w- c:\windows\system32\qd3d.dll
2101-04-27 13:37:11 553984 -c--a-w- c:\windows\system32\rave.dll
2101-04-27 13:36:57 168448 -c--a-w- c:\windows\system32\Awrtl30.dll
2101-04-27 13:36:56 100864 -c--a-w- c:\windows\system32\awpe.dll
2101-04-27 13:36:41 245760 -c--a-w- c:\windows\system32\Sccomp91.dll
2101-04-27 13:36:41 110592 -c--a-w- c:\windows\system32\Sccres91.dll
2101-04-27 13:36:40 225280 -c--a-w- c:\windows\system32\Scint91.dll
2101-04-27 13:36:30 -------- d-----w- c:\windows\Profiles
2101-04-27 13:31:48 -------- d-----w- c:\windows\Corel
2012-02-07 14:43:39 -------- dc----w- C:\_OTM
2012-02-06 15:55:44 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-06 15:51:59 -------- dcsha-r- C:\cmdcons
2012-02-06 15:47:52 98816 ----a-w- c:\windows\sed.exe
2012-02-06 15:47:52 518144 ----a-w- c:\windows\SWREG.exe
2012-02-06 15:47:52 256000 ----a-w- c:\windows\PEV.exe
2012-02-06 15:47:52 208896 ----a-w- c:\windows\MBR.exe
2012-02-05 20:25:42 -------- d-----w- c:\windows\Internet Logs
2012-02-05 00:51:20 -------- dc----w- C:\TDSSKiller_Quarantine
2012-01-27 23:58:41 -------- dcs---w- c:\documents and settings\all users\application data\Memeo
2012-01-27 23:58:41 -------- d-s---w- c:\documents and settings\litho art\local settings\application data\Memeo
2012-01-27 23:49:02 -------- d-----w- c:\documents and settings\litho art\local settings\application data\Safe mirror
2012-01-27 23:48:07 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 19:49:00 -------- dcsh--w- c:\documents and settings\litho art\PrivacIE
2012-01-26 22:08:00 -------- d-----w- c:\documents and settings\litho art\local settings\application data\Yahoo
2012-01-26 21:52:56 -------- dcsh--w- c:\documents and settings\litho art\IETldCache
2012-01-26 21:39:04 -------- d-----w- c:\windows\ie8updates
2012-01-26 21:36:40 -------- d-----w- c:\documents and settings\litho art\local settings\application data\PCHealth
2012-01-26 21:34:41 -------- dc-h--w- c:\windows\ie8
2012-01-26 21:27:51 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-26 21:27:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-01-26 21:27:44 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-26 21:27:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-26 15:22:50 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-25 14:50:56 1409 ----a-w- c:\windows\QTFont.for
2012-01-24 13:28:32 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-19 13:59:20 -------- d-----w- c:\program files\MSECache
.
==================== Find3M ====================
.
2012-02-05 01:44:40 206464 ----a-w- c:\windows\system32\drivers\UdfReadr_xp.sys
2012-01-30 19:46:59 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-12-19 20:12:03 434884 ----a-w- c:\windows\system32\FontInfo.bin
2011-12-19 20:12:03 142820 ----a-w- c:\windows\system32\GlyphInfo.bin
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 14:25:01 2071 -c--a-w- c:\windows\panose.bin
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 10:07:22.90 ===============

Edited by tonto58, 07 February 2012 - 02:12 PM.


#14 sempai (Malware Response Team)

Posted 08 February 2012 - 08:42 AM

Computer still slow shutting down and rebooting but definitely better than before.

The log looks clean; let's remove software/application leftovers that can affect system performance.


:step1: We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

File::
c:\windows\system32\drivers\01792130.sys 
c:\program files\symantec_client_security\symantec antivirus\navapel.sys 
c:\progra~1\symant~1\symant~1\navap.sys 
c:\windows\system32\drivers\vdiskbus.sys 

Folder::
c:\program files\symantec_client_security

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Driver::
06172837
NAVAPEL
NAVAP
vdiskbus

ClearJavaCache::


4. Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

5. Referring to the picture above, drag CFScript.txt onto ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



:step2: Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "Java SE 7u2".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".

    • Select "Windows x86 Offline" and click on jre-7u2-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double-clicking the downloaded file (run as Administrator on Windows Vista/7).



:step3: Click HERE to download HijackThis.
  • Save it to your Desktop.
  • Double click on the HiJackThis.msi icon to install the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis
  • Launch HijackThis.
  • Click on the scan button.
  • Save the log, and post it in your next reply.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 tonto58

  • Topic Starter
  • Members
  • 27 posts

Posted 08 February 2012 - 10:26 AM

CF Log as requested:

ComboFix 12-02-06.01 - Litho Art 02/08/2012 9:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1103 [GMT -5:00]
Running from: c:\documents and settings\Litho Art\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Litho Art\Desktop\CFScript.txt
.
FILE ::
"c:\progra~1\symant~1\symant~1\navap.sys"
"c:\program files\symantec_client_security\symantec antivirus\navapel.sys"
"c:\windows\system32\drivers\01792130.sys"
"c:\windows\system32\drivers\vdiskbus.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NAVAP
-------\Legacy_NAVAPEL
-------\Service_06172837
-------\Service_NAVAP
-------\Service_NAVAPEL
-------\Service_vdiskbus
.
.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2101-04-27 13:39 . 1998-09-25 16:18 607744 -c--a-w- c:\windows\system32\Decslib.dll
2101-04-27 13:37 . 1998-11-03 15:10 112688 -c--a-w- c:\windows\system32\shw32.dll
2101-04-27 13:37 . 1997-07-30 19:43 211456 -c--a-w- c:\windows\system32\qd3d_ir2.q3x
2101-04-27 13:37 . 1997-07-30 19:58 70656 -c--a-w- c:\windows\system32\3dviewer.dll
2101-04-27 13:37 . 1997-07-30 19:21 553984 -c--a-w- c:\windows\system32\rave.dll
2101-04-27 13:37 . 1997-07-30 16:59 909312 -c--a-w- c:\windows\system32\qd3d.dll
2101-04-27 13:36 . 1998-12-10 12:42 168448 -c--a-w- c:\windows\system32\Awrtl30.dll
2101-04-27 13:36 . 1999-03-21 13:49 100864 -c--a-w- c:\windows\system32\awpe.dll
2101-04-27 13:36 . 1999-07-22 00:15 110592 -c--a-w- c:\windows\system32\Sccres91.dll
2101-04-27 13:36 . 1999-07-22 00:14 245760 -c--a-w- c:\windows\system32\Sccomp91.dll
2101-04-27 13:36 . 1999-07-22 00:14 225280 -c--a-w- c:\windows\system32\Scint91.dll
2101-04-27 13:36 . 2101-04-27 13:36 -------- d-----w- c:\windows\Profiles
2101-04-27 13:31 . 2010-11-09 00:41 -------- d-----w- c:\windows\Corel
2012-02-07 14:43 . 2012-02-07 14:43 -------- dc----w- C:\_OTM
2012-02-06 15:55 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-05 20:25 . 2012-02-05 20:25 -------- d-----w- c:\windows\Internet Logs
2012-02-05 00:51 . 2012-02-05 00:51 -------- dc----w- C:\TDSSKiller_Quarantine
2012-01-29 01:13 . 2012-01-29 01:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-27 23:58 . 2012-01-28 00:10 -------- dcs---w- c:\documents and settings\All Users\Application Data\Memeo
2012-01-27 23:58 . 2012-01-28 00:10 -------- d-s---w- c:\documents and settings\Litho Art\Local Settings\Application Data\Memeo
2012-01-27 23:49 . 2012-01-27 23:49 -------- d-----w- c:\documents and settings\Litho Art\Local Settings\Application Data\Safe mirror
2012-01-27 23:48 . 2012-01-28 00:09 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-27 19:49 . 2012-01-27 19:49 -------- dcsh--w- c:\documents and settings\Litho Art\PrivacIE
2012-01-27 07:33 . 2012-01-27 07:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-27 07:33 . 2012-01-27 07:33 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2012-01-27 07:32 . 2012-01-27 07:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-26 22:08 . 2012-01-26 22:08 -------- d-----w- c:\documents and settings\Litho Art\Local Settings\Application Data\Yahoo
2012-01-26 21:55 . 2012-01-26 21:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-26 21:52 . 2012-01-26 21:52 -------- dcsh--w- c:\documents and settings\Litho Art\IETldCache
2012-01-26 21:36 . 2012-01-26 21:36 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-01-26 21:36 . 2012-01-26 21:36 -------- dc----w- c:\documents and settings\Litho Art\Application Data\Yahoo!
2012-01-26 21:36 . 2012-01-26 21:36 -------- d-----w- c:\documents and settings\Litho Art\Local Settings\Application Data\PCHealth
2012-01-26 21:34 . 2012-01-26 21:35 -------- dc-h--w- c:\windows\ie8
2012-01-26 21:27 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-26 21:27 . 2011-11-04 19:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-01-26 21:27 . 2011-11-04 19:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-26 21:27 . 2011-11-04 19:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-26 15:22 . 2011-03-11 14:10 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-25 14:50 . 2012-01-25 14:50 1409 ----a-w- c:\windows\QTFont.for
2012-01-24 13:28 . 2012-02-05 21:18 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-19 13:59 . 2012-01-19 13:59 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-05 01:44 . 2003-01-13 14:19 206464 ----a-w- c:\windows\system32\drivers\UdfReadr_xp.sys
2012-01-30 19:46 . 2007-07-26 01:49 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-12-10 20:24 . 2011-08-04 15:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2001-08-23 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-04-23 20:52 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-07 13:25 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2001-08-23 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockAds"="e:\program files\Tweak-XP Pro\AdBlocker.exe" [2002-09-13 45056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)
"NoUpdateCheck"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- e:\program files\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc c 1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockAds]
2002-09-13 05:00 45056 ----a-w- e:\program files\Tweak-XP Pro\AdBlocker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
2011-07-25 17:59 2585408 ----a-w- c:\program files\CCleaner\ccleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 -c--a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-06-02 20:03 1957888 -c----w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 14:54 282624 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-02-04 00:25 4617600 ----a-w- e:\program files\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Norton AntiVirus Server"=2 (0x2)
"DefWatch"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Tweak-XP Pro\\AdBlocker.exe"=
"e:\\Program Files\\GlobalSCAPE\\CuteFTP Pro\\TE\\ftpte.exe"=
"c:\\Program Files\\Dantz\\Retrospect 7.0\\Retrospect.exe"=
"e:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"e:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"e:\\Program Files\\WBC_Ply.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Documents and Settings\\Litho Art\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"e:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\Litho Art\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"e:\\Mozilla\\firefox.exe"=
"e:\\Program Files\\SSUPDATE.EXE"=
"e:\\Program Files\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"e:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Documents and Settings\\Litho Art\\Desktop\\aswMBR.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:Namespro
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
.
R1 SASDIFSV;SASDIFSV;e:\program files\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;e:\program files\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;e:\program files\SASCORE.EXE [7/18/2011 7:02 PM 116608]
R2 EFI ES1000;EFI ES1000;c:\program files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe [11/25/2009 9:42 PM 9216]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [5/17/2011 10:07 AM 10384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2011 8:40 PM 136176]
S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\system32\drivers\CtUsbMs.sys [12/27/2006 2:57 PM 14720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2011 8:40 PM 136176]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Nsynas32
PEVSystemStart
AYDrvNT_ALYAC
dirms_defragmentation
camdrl
lvckap
qmofiltr
PNDIS5
belmonitorservice
db2licd
hidgame
spcstb
smcservice
amdagp
TNaviSrv
CdaD10BA
IPSECSHM
vds
pmem
U81xmdfl
abnetmon
sony_ssm.sys
viagfx
avinitnt
scramby
hdaudbus
vmsprog
w200mdfl
wacomvhid
U81xobex
REVO
vpcusb
prepdrvr
dvpapi
{95808DC4-FA4A-4c74-92FE-5B863F82066B}
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\Auslogics Disk Defrag Sheduled Defragmentation.job
- e:\auslogics disk defrag\DiskDefrag.exe [2011-08-08 14:07]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 01:39]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 01:39]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-220523388-725345543-1003Core.job
- c:\documents and settings\Litho Art\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 01:50]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-220523388-725345543-1003UA.job
- c:\documents and settings\Litho Art\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 01:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com/
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: Interfaces\{C9780DEB-7D73-4B0A-9AA6-E04014D7832F}: NameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Litho Art\Application Data\Mozilla\Firefox\Profiles\p46iqx5a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-08 09:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UdfReadr_xp]
"ImagePath"="system32\drivers\tskAE3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-583907252-220523388-725345543-1003\Software\Corel\WritingTools\9.1\User Word Lists\*& ]
"Selected UWL"=hex:02,00
.
[HKEY_USERS\S-1-5-21-583907252-220523388-725345543-1003\Software\Corel\WritingTools\9.1\User Word Lists\*& \Word List 0]
"Name"="c:\\Documents and Settings\\Litho Art\\My Documents\\Corel User Files\\WT9_1.UWL"
"Enabled"=hex:01,00,00,00
.
[HKEY_USERS\S-1-5-21-583907252-220523388-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1012)
e:\program files\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(2084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
c:\windows\system32\hasplms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2012-02-08 09:44:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-08 14:44
ComboFix2.txt 2012-02-06 18:02
.
Pre-Run: 4,607,836,160 bytes free
Post-Run: 4,623,515,648 bytes free
.
- - End Of File - - 9E42A896628A375B68CD17B13A7225BA

_________________________________________________________________

HJT Log as requested:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:21:35 AM, on 2/8/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\SASCORE.EXE
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [BlockAds] "E:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1312733277125
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9780DEB-7D73-4B0A-9AA6-E04014D7832F}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - E:\Program Files\SASCORE.EXE
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EFI ES1000 - Electronics for Imaging, Inc. - c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5585 bytes



