
ZeroAccess


  • This topic is locked
30 replies to this topic

#1 AnaheimDucksFan

AnaheimDucksFan

  • Members
  • 18 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 13 February 2012 - 10:10 AM

Hello,

I started a topic originally here, and boopme instructed me to follow steps 6-9 and post them here.

Step 6
I ran the defogger and here is the log it put on my desktop:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 19:41 on 12/02/2012 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read 1240659334.sys


-=E.O.F=-

Step 7
My DDS.txt log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Administrator at 19:45:05 on 2012-02-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1480 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\LWS\LU\LULnchr.exe
C:\Program Files\Logitech\LWS\LU\LogitechUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\msfeedssync.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.pogo.iplay.com/?o=shp
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Updater For Simppull Toolbar: {c4b8bab4-1667-11df-a242-ba9455d89593} - c:\program files\simppulltoolbar\auxi\simppulltoolbAu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E4E6BF2A-1667-11DF-A01F-1F9655D89593} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {E3A80BA5-D967-4EAB-891F-A49CADD92835} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {DAB35D68-1CDC-4375-8333-D7BBCEE3C0A0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Software Informer] "c:\program files\software informer\softinfo.exe" -autorun
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Akamai NetSession Interface] "c:\documents and settings\administrator\local settings\application data\akamai\netsession_win.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2D3E6A8C-EA10-4639-B3DF-DC16ED6B6A78} : DhcpNameServer = 192.168.1.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\nszcylm3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1320680&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\nszcylm3.default\extensions\{f92a9fe4-2850-4198-b9d5-279880e49b16}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\nszcylm3.default\extensions\{f92a9fe4-2850-4198-b9d5-279880e49b16}\components\RadioWMPCore.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\smileycentral_1vei\installr\1.bin\NP1vEISb.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2009-4-25 16640]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-20 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-20 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-20 19544]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-20 42184]
S3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [2009-4-25 781824]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-2 40776]
.
=============== Created Last 30 ================
.
2012-02-12 21:37:58 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2012-02-12 21:37:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-12 21:37:29 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-02-03 03:25:10 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-03 03:25:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 15:35:10 -------- d-----w- c:\program files\CCleaner
2012-02-02 15:32:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-02 15:20:25 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-02-02 15:15:07 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-01-23 04:00:17 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Akamai
.
==================== Find3M ====================
.
2011-07-20 20:08:48 470 ----a-w- c:\program files\0720201113084840.bat
.
============= FINISH: 19:46:19.90 ===============

I've also attached the attach.txt file.

Step 8
I've attached the Ark.log file.

Thank you in advance for any help.
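The script below is an added example, not something posted in this thread and not code from the DDS, Defogger or TDSSKiller authors. It parses the three log formats that appear in the thread (Defogger's "Unable to read" line above, the "No File" entries in the DDS pseudo-HJT report above, and the "Suspicious" / "detected" lines of the TDSSKiller log posted further down) and correlates them: the driver Defogger could not read is the one TDSSKiller reports as a locked service, and a "Forged" file is one path with two different hashes. The sample lines are constructed from the logs in this thread; the function and pattern names are the example's own.

```python
"""Added triage helper (not from this thread's posts, nor from the DDS, Defogger or
TDSSKiller authors) for the three log formats that appear in this thread."""
import ntpath
import re

# Constructed sample lines, modelled on the logs posted in this thread.
DEFOGGER_LOG = """\
Checking for services/drivers...
Unable to read 1240659334.sys
"""

DDS_LOG = r"""BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {E3A80BA5-D967-4EAB-891F-A49CADD92835} - No File
uURLSearchHooks: H - No File
"""

TDSSKILLER_LOG = r"""22:05:35.0264 4028 Suspicious service (NoAccess): 1240659334
22:05:35.0795 4028 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\1240659334.sys. md5: e6769261babfb6f6af1a2fe45466cf42
22:05:35.0857 4028 Aavmker4 (dfcdd5936cad0138775d5a105d4c7716) C:\WINDOWS\system32\drivers\Aavmker4.sys
22:05:35.0873 4028 Aavmker4 - ok
22:05:39.0232 4028 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: f17808e20259b0c3fc00a965ba9eb10b, Fake md5: 4b0a100eaf5c49ef3cca8c641431eacc
22:05:39.0248 4028 Cdrom - detected Virus.Win32.ZAccess.c (0)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
UNREADABLE_RE = re.compile(r"^Unable to read (\S+)$", re.MULTILINE)
# TDSSKiller prefixes every line with a timestamp and a thread id.
TDSS_PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(.*)$")
TDSS_PATTERNS = {
    "locked_service": re.compile(r"^Suspicious service \(NoAccess\): (\S+)$"),
    "locked_file": re.compile(r"^Suspicious file \(NoAccess\): (.+?)\. md5: ([0-9a-f]{32})$"),
    "forged_file": re.compile(
        r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$"),
    "verdict": re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$"),
}


def unreadable_drivers(defogger_text):
    """Driver files Defogger reported it could not open (a locked driver is a red flag)."""
    return UNREADABLE_RE.findall(defogger_text)


def orphan_entries(dds_text):
    """(entry type, CLSID or None) for DDS entries whose target file no longer exists."""
    out = []
    for line in dds_text.splitlines():
        if line.endswith(" - No File"):
            kind = line.split(":", 1)[0]
            m = CLSID_RE.search(line)
            out.append((kind, m.group(0) if m else None))
    return out


def tdsskiller_findings(tdss_text):
    """Every TDSSKiller line that is more than a plain '- ok', as (kind, captured fields)."""
    findings = []
    for line in tdss_text.splitlines():
        m = TDSS_PREFIX_RE.match(line)
        if not m:
            continue
        for kind, pat in TDSS_PATTERNS.items():
            hit = pat.match(m.group(1))
            if hit:
                findings.append({"kind": kind, "fields": hit.groups()})
                break
    return findings


def forged_files(tdss_text):
    """(path, real md5, fake md5) where one path yields two different hashes;
    TDSSKiller reports such a file as forged."""
    return [f["fields"] for f in tdsskiller_findings(tdss_text)
            if f["kind"] == "forged_file" and f["fields"][1] != f["fields"][2]]


def correlate_locked_driver(defogger_text, tdss_text):
    """Driver names that BOTH Defogger could not read AND TDSSKiller flagged as locked/forged."""
    unreadable = {name.lower() for name in unreadable_drivers(defogger_text)}
    flagged = {ntpath.basename(f["fields"][0]).lower()
               for f in tdsskiller_findings(tdss_text)
               if f["kind"] in ("locked_file", "forged_file")}
    return sorted(unreadable & flagged)


if __name__ == "__main__":
    print("Defogger could not read:", unreadable_drivers(DEFOGGER_LOG))
    print("Orphaned DDS entries:", orphan_entries(DDS_LOG))
    for f in tdsskiller_findings(TDSSKILLER_LOG):
        print("TDSSKiller", f["kind"], f["fields"])
    print("Forged:", forged_files(TDSSKILLER_LOG))
    print("Corroborated by both tools:", correlate_locked_driver(DEFOGGER_LOG, TDSSKILLER_LOG))
```

Run it on the pasted logs instead of the constructed samples by reading each file into the matching variable. Orphaned "No File" entries are leftovers rather than infections by themselves, so the script lists them separately from the TDSSKiller verdicts; the one finding both tools agree on (the unreadable numeric-named driver) is the item worth looking at first.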


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:52 AM

Posted 13 February 2012 - 12:48 PM

Hello AnaheimDucksFan,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply


2.
Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)


3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 AnaheimDucksFan

AnaheimDucksFan
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 14 February 2012 - 10:09 AM

fireman4it,

I have every step but the ComboFix.exe done, but I wanted to run something by you before I did that. Is it a problem that the laptop won't shut down on its own? You said ComboFix is going to want to reset. The laptop will log off and shut down Windows, but doesn't actually kill the power to the laptop on its own. I have to hold down the power button after it's all down to turn it off and then turn it back on myself since reset it. Is this going to be a problem?

Thanks,
ADF

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:52 AM

Posted 14 February 2012 - 10:33 AM

I have every step but the ComboFix.exe done, but I wanted to run something by you before I did that. Is it a problem that the laptop won't shut down on its own? You said ComboFix is going to want to reset. The laptop will log off and shut down Windows, but doesn't actually kill the power to the laptop on its own. I have to hold down the power button after it's all down to turn it off and then turn it back on myself since reset it. Is this going to be a problem?


No, this will not be a problem, as ComboFix will just restart Windows; it won't shut the machine down.


#5 AnaheimDucksFan

AnaheimDucksFan
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 15 February 2012 - 12:10 AM

fireman4it,

Thanks in advance for your help. Here are my results.

1
Went fine!

2
Here are the results of the exehelperlog.txt:

exeHelper by Raktor
Build 20100414
Run at 21:14:38 on 02/13/12
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

3
Ran the program. Skipped the first object as I couldn’t cure it. Was able to cure the second object though. Here are the results of TDSSKiller.2.7.12.0_13.02.2012_21.22.48_log.txt:

21:22:48.0654 4032 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
21:22:49.0217 4032 ============================================================
21:22:49.0217 4032 Current date / time: 2012/02/13 21:22:49.0217
21:22:49.0217 4032 SystemInfo:
21:22:49.0217 4032
21:22:49.0217 4032 OS Version: 5.1.2600 ServicePack: 3.0
21:22:49.0217 4032 Product type: Workstation
21:22:49.0232 4032 ComputerName: SPIERING
21:22:49.0232 4032 UserName: Administrator
21:22:49.0232 4032 Windows directory: C:\WINDOWS
21:22:49.0232 4032 System windows directory: C:\WINDOWS
21:22:49.0232 4032 Processor architecture: Intel x86
21:22:49.0232 4032 Number of processors: 1
21:22:49.0232 4032 Page size: 0x1000
21:22:49.0232 4032 Boot type: Normal boot
21:22:49.0232 4032 ============================================================
21:22:50.0217 4032 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
21:22:50.0217 4032 \Device\Harddisk0\DR0:
21:22:50.0217 4032 MBR used
21:22:50.0217 4032 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
21:22:50.0248 4032 Initialize success
21:22:50.0248 4032 ============================================================
22:05:35.0139 4028 ============================================================
22:05:35.0139 4028 Scan started
22:05:35.0139 4028 Mode: Manual;
22:05:35.0139 4028 ============================================================
22:05:35.0264 4028 Suspicious service (NoAccess): 1240659334
22:05:35.0795 4028 1240659334 (e6769261babfb6f6af1a2fe45466cf42) C:\WINDOWS\system32\drivers\1240659334.sys
22:05:35.0795 4028 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\1240659334.sys. md5: e6769261babfb6f6af1a2fe45466cf42
22:05:35.0795 4028 1240659334 ( LockedService.Multi.Generic ) - warning
22:05:35.0795 4028 1240659334 - detected LockedService.Multi.Generic (1)
22:05:35.0857 4028 Aavmker4 (dfcdd5936cad0138775d5a105d4c7716) C:\WINDOWS\system32\drivers\Aavmker4.sys
22:05:35.0873 4028 Aavmker4 - ok
22:05:35.0904 4028 Abiosdsk - ok
22:05:35.0936 4028 abp480n5 - ok
22:05:36.0014 4028 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:05:36.0029 4028 ACPI - ok
22:05:36.0076 4028 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
22:05:36.0076 4028 ACPIEC - ok
22:05:36.0154 4028 adpu160m - ok
22:05:36.0279 4028 aeaudio (c984de22ed71414abc42c1e03d412e33) C:\WINDOWS\system32\drivers\aeaudio.sys
22:05:36.0279 4028 aeaudio - ok
22:05:36.0357 4028 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:05:36.0357 4028 aec - ok
22:05:36.0436 4028 AFD (8d499b1276012eb907e7a9e0f4d8fda4) C:\WINDOWS\System32\drivers\afd.sys
22:05:36.0436 4028 AFD - ok
22:05:36.0561 4028 AgereSoftModem (b5fe0b3e65890a364969126dcae9f828) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
22:05:36.0623 4028 AgereSoftModem - ok
22:05:36.0732 4028 Aha154x - ok
22:05:36.0764 4028 aic78u2 - ok
22:05:36.0795 4028 aic78xx - ok
22:05:36.0904 4028 Airgo3P (6aebf9a2a0fe89549e37fd65f37274ec) C:\WINDOWS\system32\DRIVERS\TMIMO31P.sys
22:05:36.0951 4028 Airgo3P - ok
22:05:37.0014 4028 AliIde - ok
22:05:37.0045 4028 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
22:05:37.0045 4028 AmdK8 - ok
22:05:37.0092 4028 amsint - ok
22:05:37.0186 4028 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:05:37.0186 4028 Arp1394 - ok
22:05:37.0279 4028 asc - ok
22:05:37.0326 4028 asc3350p - ok
22:05:37.0357 4028 asc3550 - ok
22:05:37.0451 4028 aswFsBlk (861cb512e4e850e87dd2316f88d69330) C:\WINDOWS\system32\drivers\aswFsBlk.sys
22:05:37.0451 4028 aswFsBlk - ok
22:05:37.0498 4028 aswMon2 (7857e0b4c817f69ff463eea2c63e56f9) C:\WINDOWS\system32\drivers\aswMon2.sys
22:05:37.0514 4028 aswMon2 - ok
22:05:37.0576 4028 aswRdr (8db043bf96bb6d334e5b4888e709e1c7) C:\WINDOWS\system32\drivers\aswRdr.sys
22:05:37.0576 4028 aswRdr - ok
22:05:37.0639 4028 aswSnx (17230708a2028cd995656df455f2e303) C:\WINDOWS\system32\drivers\aswSnx.sys
22:05:37.0654 4028 aswSnx - ok
22:05:37.0764 4028 aswSP (dbedd9d43b00630966ef05d2d8d04cee) C:\WINDOWS\system32\drivers\aswSP.sys
22:05:37.0764 4028 aswSP - ok
22:05:37.0811 4028 aswTdi (984cfce2168286c2511695c2f9621475) C:\WINDOWS\system32\drivers\aswTdi.sys
22:05:37.0811 4028 aswTdi - ok
22:05:37.0873 4028 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:05:37.0873 4028 AsyncMac - ok
22:05:37.0936 4028 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
22:05:37.0936 4028 atapi - ok
22:05:37.0982 4028 Atdisk - ok
22:05:38.0029 4028 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:05:38.0029 4028 Atmarpc - ok
22:05:38.0139 4028 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:05:38.0139 4028 audstub - ok
22:05:38.0217 4028 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:05:38.0217 4028 Beep - ok
22:05:38.0264 4028 btaudio - ok
22:05:38.0295 4028 BTDriver - ok
22:05:38.0389 4028 BTKRNL (521330df69f782d8d016ca02f4f2a922) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
22:05:38.0420 4028 BTKRNL - ok
22:05:38.0482 4028 BTSERIAL - ok
22:05:38.0529 4028 BTWDNDIS - ok
22:05:38.0607 4028 btwhid (8252afdc28ea6714452d96868370b1e7) C:\WINDOWS\system32\DRIVERS\btwhid.sys
22:05:38.0607 4028 btwhid - ok
22:05:38.0670 4028 BTWUSB (9803be8f1ae813e8814c8fe1a869cc0f) C:\WINDOWS\system32\Drivers\btwusb.sys
22:05:38.0686 4028 BTWUSB - ok
22:05:38.0795 4028 Cam5603D (273daec27d2aaddc0e7918c35ffa15e3) C:\WINDOWS\system32\Drivers\BisonCam.sys
22:05:38.0826 4028 Cam5603D - ok
22:05:38.0889 4028 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:05:38.0889 4028 cbidf2k - ok
22:05:38.0982 4028 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:05:38.0982 4028 CCDECODE - ok
22:05:39.0061 4028 cd20xrnt - ok
22:05:39.0123 4028 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:05:39.0123 4028 Cdaudio - ok
22:05:39.0186 4028 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:05:39.0201 4028 Cdfs - ok
22:05:39.0232 4028 Cdrom (f17808e20259b0c3fc00a965ba9eb10b) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:05:39.0232 4028 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: f17808e20259b0c3fc00a965ba9eb10b, Fake md5: 4b0a100eaf5c49ef3cca8c641431eacc
22:05:39.0248 4028 Cdrom ( Virus.Win32.ZAccess.c ) - infected
22:05:39.0248 4028 Cdrom - detected Virus.Win32.ZAccess.c (0)
22:05:39.0279 4028 Changer - ok
22:05:39.0357 4028 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:05:39.0357 4028 CmBatt - ok
22:05:39.0404 4028 CmdIde - ok
22:05:39.0467 4028 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:05:39.0467 4028 Compbatt - ok
22:05:39.0561 4028 Cpqarray - ok
22:05:39.0607 4028 dac2w2k - ok
22:05:39.0639 4028 dac960nt - ok
22:05:39.0701 4028 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
22:05:39.0701 4028 Disk - ok
22:05:39.0811 4028 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:05:39.0857 4028 dmboot - ok
22:05:39.0920 4028 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:05:39.0936 4028 dmio - ok
22:05:40.0014 4028 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:05:40.0014 4028 dmload - ok
22:05:40.0123 4028 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:05:40.0123 4028 DMusic - ok
22:05:40.0186 4028 dpti2o - ok
22:05:40.0232 4028 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:05:40.0232 4028 drmkaud - ok
22:05:40.0342 4028 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
22:05:54.0061 4028 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:05:54.0186 4028 \Device\Harddisk0\DR0 - ok
22:05:54.0201 4028 Boot (0x1200) (2a93f598d8b32060aed3d9c39836bf4e) \Device\Harddisk0\DR0\Partition0
22:05:54.0201 4028 \Device\Harddisk0\DR0\Partition0 - ok
22:05:54.0201 4028 ============================================================
22:05:54.0201 4028 Scan finished
22:05:54.0201 4028 ============================================================
22:05:54.0232 1476 Detected object count: 2
22:05:54.0232 1476 Actual detected object count: 2
22:09:45.0154 1476 1240659334 ( LockedService.Multi.Generic ) - skipped by user
22:09:45.0154 1476 1240659334 ( LockedService.Multi.Generic ) - User select action: Skip
22:09:45.0311 1476 C:\WINDOWS\system32\DRIVERS\cdrom.sys - copied to quarantine
22:09:45.0607 1476 Backup copy found, using it..
22:09:45.0623 1476 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
22:09:47.0342 1476 C:\WINDOWS\system32\c_11805.nls - will be deleted on reboot
22:09:51.0592 1476 Cdrom ( Virus.Win32.ZAccess.c ) - User select action: Cure
22:09:59.0779 3152 Deinitialize success

I ran ComboFix and it ran through, but I can't seem to find the log file. It's not in C:\ComboFix.txt.

Do you have any idea where it may have gone? The ComboFix.exe file is located on the desktop, but the txt file isn't there.

Overall, the computer seems pretty good. I haven't gotten any abnow or MediaShift popups since I ran ComboFix.

Thanks,
ADF

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 15 February 2012 - 11:20 AM

Hello,

Go ahead and run Combofix again and see if it produces a log.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 AnaheimDucksFan

AnaheimDucksFan
  • Topic Starter

  • Members
  • 18 posts

Posted 15 February 2012 - 10:04 PM

fireman4it,

Sounds good. Here it is!

ComboFix 12-02-13.01 - Administrator 02/15/2012 18:35:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1532 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP688\A0211294.exe
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP688\A0211294.exe
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP688\A0211294.exe
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP688\A0211294.exe
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe . . . is infected!!
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP688\A0211294.exe
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe . . . is infected!!
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\nvsvc32.exe . . . is infected!!
c:\windows\system32\nvsvc32.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\SUPERAntiSpyware\SASCORE.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP696\A0216988.exe
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{1A01B970-F1CA-4931-A024-9360C8A88C4A}\RP688\A0211294.exe
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe . . . is infected!!
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\nvsvc32.exe . . . is infected!!
c:\windows\system32\nvsvc32.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Analog Devices\SoundMAX\SMAgent.exe . . . is infected!!
c:\program files\Analog Devices\SoundMAX\SMAgent.exe . . . was deleted!! You should re-install the program it pertains to
.
--------
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-14 06:09 . 2012-02-14 06:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-12 21:37 . 2012-02-12 21:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-02-12 21:37 . 2012-02-15 02:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-12 21:37 . 2012-02-12 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-02-03 03:25 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-03 03:25 . 2012-02-12 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 15:35 . 2012-02-02 15:35 -------- d-----w- c:\program files\CCleaner
2012-02-02 15:32 . 2012-02-12 19:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-02 15:20 . 2012-02-02 15:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-02-02 15:15 . 2012-02-02 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-23 04:00 . 2012-02-08 04:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Akamai
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-14 14:58 . 2009-02-13 06:25 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-07-20 20:08 . 2011-07-20 20:08 470 ----a-w- c:\program files\0720201113084840.bat
2011-09-30 05:22 . 2011-07-31 02:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-02-13 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
.
[-] 2011-02-18 . F1CBB65EFAFAFA19B06D902DE9E02DEA . 3609600 . . [7.00.6000.21299] . . c:\windows\system32\mshtml.dll
[-] 2011-02-18 . F1CBB65EFAFAFA19B06D902DE9E02DEA . 3609600 . . [7.00.6000.21299] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2010-12-20 . 1EDCEC5D649DBAC37ED9FFB5A14CEB0C . 5961216 . . [8.00.6001.19019] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3GDR\mshtml.dll
[7] 2010-12-20 . 2A2C070EC691CE410533A1DA7AA3CD86 . 5962240 . . [8.00.6001.23111] . . c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\mshtml.dll
[7] 2010-12-20 . 2A2C070EC691CE410533A1DA7AA3CD86 . 5962240 . . [8.00.6001.23111] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3QFE\mshtml.dll
[7] 2010-11-06 . 864E69F32656A7121444BA0193D7B64B . 5960704 . . [8.00.6001.23091] . . c:\windows\$hf_mig$\KB2416400-IE8\SP3QFE\mshtml.dll
[7] 2010-09-10 . 8A03CC037E6B7D1796192815231B0C3F . 5958656 . . [8.00.6001.23067] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\mshtml.dll
[7] 2010-06-24 . 94DC7E938C57F3C3D1BC4A0F68FC5830 . 5954560 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\mshtml.dll
[7] 2010-05-06 . 9BE28F749A7FE7F8F177C6AA2E9DA609 . 5953024 . . [8.00.6001.23019] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\mshtml.dll
[-] 2010-01-05 . 3B8259EF10C0F1425395981E40ED0EAA . 3599360 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3GDR\mshtml.dll
[-] 2010-01-05 . 1673677DBD70142DB1294F1B6FC3323E . 3602944 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3QFE\mshtml.dll
.
[-] 2011-02-17 . 25FF5FFE129621CD879F9DB3B308D42C . 841216 . . [7.00.6000.21298] . . c:\windows\system32\wininet.dll
[-] 2011-02-17 . 25FF5FFE129621CD879F9DB3B308D42C . 841216 . . [7.00.6000.21298] . . c:\windows\system32\dllcache\wininet.dll
[7] 2010-12-20 . 88014D62B5E3CDB0AC67948D86C926C8 . 916480 . . [8.00.6001.19019] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3GDR\wininet.dll
[7] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\wininet.dll
[7] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3QFE\wininet.dll
[7] 2010-11-06 . 9357C4249F4810FB0E49C13387A8A77C . 919552 . . [8.00.6001.23084] . . c:\windows\$hf_mig$\KB2416400-IE8\SP3QFE\wininet.dll
[7] 2010-09-10 . 0555E190DCD06B8998E6DDCA42DAEB82 . 919552 . . [8.00.6001.23060] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\wininet.dll
[7] 2010-06-24 . 60237E50D575FBA9BEC9BC043F157149 . 919040 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\wininet.dll
[7] 2010-05-06 . C1490F68B44AF8B781F52F12F564625D . 919040 . . [8.00.6001.23014] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\wininet.dll
[-] 2010-01-05 . 21E7890F1EC89BEF0AF7C08D730AE317 . 832512 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3GDR\wininet.dll
[-] 2010-01-05 . E7B99465DE2EDCF29784B7600BF6FAE8 . 841216 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3QFE\wininet.dll
.
[-] 2009-02-13 . 2547D2CF090AC7636898F16957EBCEDC . 502272 . . [1.0626.6002.16497] . . c:\windows\system32\usp10.dll
.
.
[7] 2011-02-14 . E3CC8CCF21BFDC954255BB17083FB9F0 . 634648 . . [7.00.6000.21298] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3GDR\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3QFE\iexplore.exe
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-06-16 6276408]
"Akamai NetSession Interface"="c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7573504]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-05-09 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2006-02-15 88365]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-03 761946]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2011-02-17 124928]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\Engine\\6\\Intel 32\\IKernel.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\msgr11us.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Yahoo!\\YUpdater\\yupdater.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [4/25/2009 3:39 AM 16640]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/20/2011 8:36 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/20/2011 8:36 PM 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2/14/2012 6:02 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 3:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/20/2011 8:36 PM 19544]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [4/25/2009 3:33 AM 781824]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/2/2012 7:32 AM 40776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-02-16 c:\windows\Tasks\User_Feed_Synchronization-{72642D20-2E86-4161-B400-EE58720109ED}.job
- c:\windows\system32\msfeedssync.exe [2009-02-13 06:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.pogo.iplay.com/?o=shp
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nszcylm3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1320680&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
BHO-{C4B8BAB4-1667-11DF-A242-BA9455D89593} - c:\program files\simppulltoolbar\auxi\simppulltoolbAu.dll
BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{DAB35D68-1CDC-4375-8333-D7BBCEE3C0A0} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-Software Informer - c:\program files\Software Informer\softinfo.exe
SafeBoot-66485836.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-15 18:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-688789844-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,d1,4c,aa,3a,16,47,4b,86,24,46,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,d1,4c,aa,3a,16,47,4b,86,24,46,\
.
[HKEY_USERS\S-1-5-21-861567501-688789844-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2012-02-15 19:01:11
ComboFix-quarantined-files.txt 2012-02-16 03:00
.
Pre-Run: 52,942,233,600 bytes free
Post-Run: 53,456,678,912 bytes free
.
- - End Of File - - BAB17854F79990F5B32EE735BCC9AE2C

Thanks,
ADF

#8 fireman4it (Malware Response Team)

Posted 15 February 2012 - 10:36 PM

Hello,


Please go ahead and run Combofix again. I need to see something.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 AnaheimDucksFan (Topic Starter)

Posted 16 February 2012 - 12:13 AM

fireman4it,

You've got it. Here it is.

ComboFix 12-02-13.01 - Administrator 02/15/2012 20:56:28.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1627 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\msiexec.exe . . . is infected!!
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 03:06 . 2012-02-16 03:06 -------- d-----w- c:\windows\system32\xircom
2012-02-16 03:06 . 2012-02-16 03:06 -------- d-----w- c:\windows\system32\wbem\snmp
2012-02-16 03:06 . 2012-02-16 03:06 -------- d-----w- c:\windows\system32\oobe
2012-02-16 03:06 . 2012-02-16 03:06 -------- d-----w- c:\program files\microsoft frontpage
2012-02-14 06:09 . 2012-02-14 06:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-12 21:37 . 2012-02-12 21:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-02-12 21:37 . 2012-02-15 02:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-12 21:37 . 2012-02-12 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-02-03 03:25 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-03 03:25 . 2012-02-12 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 15:35 . 2012-02-02 15:35 -------- d-----w- c:\program files\CCleaner
2012-02-02 15:32 . 2012-02-12 19:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-02 15:20 . 2012-02-02 15:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-02-02 15:15 . 2012-02-02 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-23 04:00 . 2012-02-08 04:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Akamai
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-14 14:58 . 2009-02-13 06:25 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-07-20 20:08 . 2011-07-20 20:08 470 ----a-w- c:\program files\0720201113084840.bat
2011-09-30 05:22 . 2011-07-31 02:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-02-13 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
.
[-] 2011-02-18 . F1CBB65EFAFAFA19B06D902DE9E02DEA . 3609600 . . [7.00.6000.21299] . . c:\windows\system32\mshtml.dll
[-] 2011-02-18 . F1CBB65EFAFAFA19B06D902DE9E02DEA . 3609600 . . [7.00.6000.21299] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2010-12-20 . 1EDCEC5D649DBAC37ED9FFB5A14CEB0C . 5961216 . . [8.00.6001.19019] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3GDR\mshtml.dll
[7] 2010-12-20 . 2A2C070EC691CE410533A1DA7AA3CD86 . 5962240 . . [8.00.6001.23111] . . c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\mshtml.dll
[7] 2010-12-20 . 2A2C070EC691CE410533A1DA7AA3CD86 . 5962240 . . [8.00.6001.23111] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3QFE\mshtml.dll
[7] 2010-11-06 . 864E69F32656A7121444BA0193D7B64B . 5960704 . . [8.00.6001.23091] . . c:\windows\$hf_mig$\KB2416400-IE8\SP3QFE\mshtml.dll
[7] 2010-09-10 . 8A03CC037E6B7D1796192815231B0C3F . 5958656 . . [8.00.6001.23067] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\mshtml.dll
[7] 2010-06-24 . 94DC7E938C57F3C3D1BC4A0F68FC5830 . 5954560 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\mshtml.dll
[7] 2010-05-06 . 9BE28F749A7FE7F8F177C6AA2E9DA609 . 5953024 . . [8.00.6001.23019] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\mshtml.dll
[-] 2010-01-05 . 3B8259EF10C0F1425395981E40ED0EAA . 3599360 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3GDR\mshtml.dll
[-] 2010-01-05 . 1673677DBD70142DB1294F1B6FC3323E . 3602944 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3QFE\mshtml.dll
.
[-] 2011-02-17 . 25FF5FFE129621CD879F9DB3B308D42C . 841216 . . [7.00.6000.21298] . . c:\windows\system32\wininet.dll
[-] 2011-02-17 . 25FF5FFE129621CD879F9DB3B308D42C . 841216 . . [7.00.6000.21298] . . c:\windows\system32\dllcache\wininet.dll
[7] 2010-12-20 . 88014D62B5E3CDB0AC67948D86C926C8 . 916480 . . [8.00.6001.19019] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3GDR\wininet.dll
[7] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\wininet.dll
[7] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3QFE\wininet.dll
[7] 2010-11-06 . 9357C4249F4810FB0E49C13387A8A77C . 919552 . . [8.00.6001.23084] . . c:\windows\$hf_mig$\KB2416400-IE8\SP3QFE\wininet.dll
[7] 2010-09-10 . 0555E190DCD06B8998E6DDCA42DAEB82 . 919552 . . [8.00.6001.23060] . . c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\wininet.dll
[7] 2010-06-24 . 60237E50D575FBA9BEC9BC043F157149 . 919040 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\wininet.dll
[7] 2010-05-06 . C1490F68B44AF8B781F52F12F564625D . 919040 . . [8.00.6001.23014] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\wininet.dll
[-] 2010-01-05 . 21E7890F1EC89BEF0AF7C08D730AE317 . 832512 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3GDR\wininet.dll
[-] 2010-01-05 . E7B99465DE2EDCF29784B7600BF6FAE8 . 841216 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3QFE\wininet.dll
.
[-] 2009-02-13 . 2547D2CF090AC7636898F16957EBCEDC . 502272 . . [1.0626.6002.16497] . . c:\windows\system32\usp10.dll
.
[7] 2011-02-14 . E3CC8CCF21BFDC954255BB17083FB9F0 . 634648 . . [7.00.6000.21298] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3GDR\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\SP3QFE\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-02-16_02.55.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-16 03:06 . 2012-02-16 03:06 16384 c:\windows\Temp\Perflib_Perfdata_2c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-06-16 6276408]
"Akamai NetSession Interface"="c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7573504]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-05-09 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2006-02-15 88365]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-03 761946]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2011-02-17 124928]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\Engine\\6\\Intel 32\\IKernel.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\msgr11us.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Yahoo!\\YUpdater\\yupdater.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1164:TCP"= 1164:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [4/25/2009 3:39 AM 16640]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/20/2011 8:36 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/20/2011 8:36 PM 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2/14/2012 6:02 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 3:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/20/2011 8:36 PM 19544]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [4/25/2009 3:33 AM 781824]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/2/2012 7:32 AM 40776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-02-16 c:\windows\Tasks\User_Feed_Synchronization-{72642D20-2E86-4161-B400-EE58720109ED}.job
- c:\windows\system32\msfeedssync.exe [2009-02-13 06:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.pogo.iplay.com/?o=shp
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nszcylm3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1320680&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-15 21:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-861567501-688789844-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,d1,4c,aa,3a,16,47,4b,86,24,46,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,d1,4c,aa,3a,16,47,4b,86,24,46,\
.
[HKEY_USERS\S-1-5-21-861567501-688789844-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\AlienGUIse\fastload.dll
.
- - - - - - - > 'explorer.exe'(2376)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-15 21:12:23
ComboFix-quarantined-files.txt 2012-02-16 05:12
ComboFix2.txt 2012-02-16 03:01
.
Pre-Run: 53,489,045,504 bytes free
Post-Run: 53,481,406,464 bytes free
.
- - End Of File - - 178B62415ACC82E6788C31477BDCD2E4

- ADF

#10 fireman4it (Malware Response Team)

Posted 16 February 2012 - 09:25 AM

Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook and copy/paste the following into the box
    :filefind
    msiexec.exe 
    wuauclt.exe
  • Hit the Look button and let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.



#11 AnaheimDucksFan (Topic Starter)

Posted 16 February 2012 - 10:09 AM

fireman4it,

I'm having a problem downloading SystemLook. When I click on both those download links, it takes me to the geekstogo forum, but I can't find where to download the file.

Thanks,
ADF

#12 fireman4it (Malware Response Team)

Posted 16 February 2012 - 10:59 AM

Hello,

Try this:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    msiexec.exe 
    wuauclt.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#13 AnaheimDucksFan

AnaheimDucksFan
  • Topic Starter

  • Members
  • 18 posts
  • Local time:11:52 PM

Posted 16 February 2012 - 04:16 PM

Here it is!

SystemLook 30.07.11 by jpshortstuff
Log created at 13:03 on 16/02/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "msiexec.exe "
C:\WINDOWS\system32\msiexec.exe --a---- 97792 bytes [06:26 13/02/2009] [06:26 13/02/2009] D7C6DBD5CA9CA62C56087D97974EC796

Searching for "wuauclt.exe"
C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [09:47 25/04/2009] [02:24 07/08/2009] C1BD669C43A9EF205C1568DC7183FAA8

-= EOF =-

- ADF

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:52 AM

Posted 16 February 2012 - 05:28 PM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



#15 AnaheimDucksFan

AnaheimDucksFan
  • Topic Starter

  • Members
  • 18 posts
  • Local time:11:52 PM

Posted 16 February 2012 - 09:36 PM

Filename: msiexec.exe.vir
Status:
Scan finished. 19 out of 20 scanners reported malware.
Scan taken on: Fri 13 Jan 2012 23:13:16 (CET)
File size: 97792 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: d7c6dbd5ca9ca62c56087d97974ec796
SHA1: dd9ae4d69eec3575479bb40a9848f7f45e6ba9c9

[ArcaVir]
2012-01-13 W32.patched.mf
[Frisk F-Prot Antivirus]
2012-01-12 W32/Patched.G
[Avast! antivirus]
2012-01-13 Win32:Patched-WQ
[F-Secure Anti-Virus]
2012-01-13 Trojan.Generic.6190595
[Grisoft AVG Anti-Virus]
2012-01-13 Win32/Katusha.A
[G DATA]
2012-01-13 Trojan.Generic.6190595
[Avira AntiVir]
2012-01-13 W32/PatchLoad.A
[Ikarus]
2012-01-13 Trojan.Win32.Patched
[Softwin BitDefender]
2012-01-13 Trojan.Generic.6190595
[Kaspersky Anti-Virus]
2012-01-13 Trojan.Win32.Patched.mf
[ClamAV]
2012-01-13 Trojan.Patched-167
[Panda Antivirus]
2012-01-13 W32/Katusha.BN
[CPsecure]
2012-01-13 Found nothing
[Quick Heal]
2012-01-13 W32.Patchload.O
[Dr.Web]
2012-01-13 Trojan.Starter.1695
[Sophos]
2012-01-13 W32/Patched-AL
[Emsisoft Anti-Malware]
2012-01-13 Trojan.Win32.Patched!IK
[VirusBlokAda VBA32]
2012-01-13 Trojan-Spy.Zbot.gen
[ESET]
2012-01-13 Win32/Patched.HN
[VirusBuster]
2012-01-13 Win32.Katusha.Gen
Filename: wuauclt.exe.tmp.infected
Status:
Scan finished. 19 out of 20 scanners reported malware.
Scan taken on: Sat 19 Nov 2011 05:01:24 (CET)
File size: 53472 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: c1bd669c43a9ef205c1568dc7183faa8
SHA1: 4854d50a51ba35c046b52cff3d9017206c441eca

[ArcaVir]
2011-11-19 W32.patched.mf
[Frisk F-Prot Antivirus]
2011-11-18 W32/Patched.G
[Avast! antivirus]
2011-11-18 Win32:Patched-WQ
[F-Secure Anti-Virus]
2011-11-19 Trojan.Patched.HE
[Grisoft AVG Anti-Virus]
2011-11-18 Win32/Katusha.A
[G DATA]
2011-11-19 Trojan.Patched.HE
[Avira AntiVir]
2011-11-18 TR/Spy.53472.4
[Ikarus]
2011-11-19 Trojan-Spy.Win32.Zbot
[Softwin BitDefender]
2011-11-18 Trojan.Patched.HE
[Kaspersky Anti-Virus]
2011-11-19 Trojan.Win32.Patched.mf
[ClamAV]
2011-11-19 Trojan.Patched-167
[Panda Antivirus]
2011-11-18 W32/Katusha.BN
[CPsecure]
2011-11-19 Found nothing
[Quick Heal]
2011-11-18 W32.Patchload.O
[Dr.Web]
2011-11-19 Trojan.Starter.1695
[Sophos]
2011-11-19 W32/Patched-AL
[Emsisoft Anti-Malware]
2011-11-19 Trojan-Spy.Win32.Zbot!IK
[VirusBlokAda VBA32]
2011-11-18 Trojan-Spy.Zbot.gen
[ESET]
2011-11-18 Win32/Patched.HN
[VirusBuster]
2011-11-18 Win32.Katusha.Gen

-ADF
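The two SystemLook result lines above and the two MD5s the Jotti reports flagged are the kind of data a responder cross-checks by hand; the following is an added example (not code from this thread or from the SystemLook tool) that parses the filefind log format shown in post #13 and flags any entry whose MD5 already appears in a list of reported-malicious hashes, using the two hashes from post #15. The sample log is copied from the thread; the line layout it assumes (path, attribute flags, size, two bracketed timestamps, MD5) is what the posted log shows.

```python
import re
from dataclasses import dataclass

# Sample input: the SystemLook ":filefind" result lines posted in this thread.
SAMPLE_LOG = r"""
Searching for "msiexec.exe "
C:\WINDOWS\system32\msiexec.exe --a---- 97792 bytes [06:26 13/02/2009] [06:26 13/02/2009] D7C6DBD5CA9CA62C56087D97974EC796

Searching for "wuauclt.exe"
C:\WINDOWS\system32\wuauclt.exe --a---- 53472 bytes [09:47 25/04/2009] [02:24 07/08/2009] C1BD669C43A9EF205C1568DC7183FAA8

-= EOF =-
"""

# MD5s the Jotti reports in this thread identified as patched system files.
KNOWN_BAD_MD5 = {
    "d7c6dbd5ca9ca62c56087d97974ec796",  # msiexec.exe
    "c1bd669c43a9ef205c1568dc7183faa8",  # wuauclt.exe
}

# One result line: path, attribute flags, size, modified/created stamps, MD5.
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]+)\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    mtime: str
    ctime: str
    md5: str  # lowercased so it compares directly with scanner reports

def parse_filefind(log_text):
    """Return a FileHit for every result line in a SystemLook filefind log."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:  # headers, "Searching for" lines and the EOF marker do not match
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["mtime"], m["ctime"], m["md5"].lower()))
    return hits

def flag_known_bad(hits, bad_md5s=KNOWN_BAD_MD5):
    """Paths whose MD5 matches a hash already reported as malicious."""
    return [h.path for h in hits if h.md5 in bad_md5s]
```

On a live machine the same check is done by hashing the files SystemLook lists and comparing against hashes from a reputable scanner report, as the thread does with Jotti.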
