
system iexplore.exe virus


  • This topic is locked
16 replies to this topic

#1 jimmydiego

  • Members
  • 60 posts

Posted 15 April 2012 - 12:43 PM

iexplore.exe ( user='SYSTEM' ) won't stop running x3

it's playing audio on my machine for "Geico" and "Verizon" commercials,
it's also using 30-70% CPU

no window opens, no browser, just audio.

it takes 5-6 attempts to shut it down in the task manager, it also shuffles the task manager so sometimes it (iexplore.exe) is at the top, sometimes it's at the bottom. it restarts 1-2 minutes after I end the process.

plagued suddenly with redirects.

I'll get this continually:
"Malwarebytes successfully blocked access to a potentially malicious website 206.161.121.4 type: outgoing"

then the audio commercials start again.


I ran FULL scans with Malwarebytes and SUPERAntiSpyware.

I also ran TDSSKiller.

looked up the IP, seems to be bothering quite a few people, annoying as all hell.
I saw some stuff about "svchost.exe"; I've got x10 of those running also.
interesting marketing technique, I now passionately hate both these companies.


edit: my homepage has changed from blank to 'msn.com'


would love some help with this,

Jimmy



HIJACK LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:35:19 AM, on 4/15/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\WLTRYSVC.EXE
F:\WINDOWS\System32\bcmwltry.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\SUPERAntiSpyware\SASCORE.EXE
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\WLTRAY.exe
F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
F:\Program Files\Battery Meter\BTMeter.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\system32\igfxpers.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\DivX\DivX Update\DivXUpdate.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
F:\WINDOWS\system32\igfxsrvc.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Documents and Settings\jimmy\Desktop\HijackThis.exe
F:\Program Files\Opera\Opera.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] F:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BTMeter] F:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] F:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DivXUpdate] "F:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - F:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - F:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - F:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4725 bytes

Edited by hamluis, 15 April 2012 - 02:01 PM.
Moved from Win XP to Malware Removal Logs.
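As an added example (not part of the thread, and not a feature of HijackThis itself), the Python script below parses HijackThis entry lines like the ones in the log above and flags those a reviewer would check first: entries that point at files which no longer exist, Run values that rely on a bare file name, startup shortcuts whose target could not be resolved, and services with an unknown publisher. The heuristics and the `Entry`/`Finding` names are my own; the sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass, field

# Added triage helper for HijackThis logs (not a HijackThis feature; the
# heuristics and names below are my own). It pulls out the entry lines
# (R0/R3/O2/O4/O23...) and flags the ones a reviewer should look at first.

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# A target starting with a drive letter or an environment variable is fully
# qualified; anything else is resolved through the search path at run time.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%)")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
F:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - F:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - F:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - F:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. "O4" or "O23"
    body: str   # everything after "<code> - "


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Return the HijackThis entry lines in `text`; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def _run_target(body):
    """For O4 Run entries return the command after '[ValueName] ', otherwise None."""
    if "Run: [" not in body or "] " not in body:
        return None
    cmd = body.split("] ", 1)[1].strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]   # keep only the quoted executable path
    return cmd


def triage(entries):
    """Apply the heuristics; return one Finding (with all its reasons) per flagged entry."""
    findings = []
    for e in entries:
        reasons = []
        if "(no file)" in e.body or "(file missing)" in e.body:
            reasons.append("points at a file that no longer exists (orphaned entry)")
        if e.code == "R3" and "is missing" in e.body:
            reasons.append("default URLSearchHook removed or replaced")
        if e.code == "O23" and "Unknown owner" in e.body:
            reasons.append("service binary has no recognised publisher; verify it")
        if e.code == "O4":
            target = _run_target(e.body)
            if target and not QUALIFIED_RE.match(target):
                reasons.append("Run value uses a bare file name resolved via the search path")
            if e.body.startswith("Global Startup:") and e.body.rstrip().endswith("= ?"):
                reasons.append("startup shortcut target could not be resolved")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def summarize(findings):
    """Count flagged entries per section code, e.g. {'O4': 3, 'O23': 2}."""
    counts = {}
    for f in findings:
        counts[f.entry.code] = counts.get(f.entry.code, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    found = triage(parse_entries(SAMPLE_LOG))
    for f in found:
        print(f"{f.entry.code}: {f.entry.body}")
        for r in f.reasons:
            print(f"    -> {r}")
    print(summarize(found))
```

A flag here means "look at this first", not "malicious": the two bare-name Realtek Run values and the Dell tray service in the sample are ordinary OEM software, and the flagged list is what a helper would verify by hand before suggesting any fix.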



#2 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 15 April 2012 - 03:35 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System" (if found, select Delete)
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 jimmydiego
  • Topic Starter

  • Members
  • 60 posts

Posted 16 April 2012 - 12:03 AM

thanks for the reply,

I now have a non-stop "lysol cleaner" and "dishtv" commercial playing....

I will never be a customer of either company again...



but really, thanks, I ran the stuff,

Jimmy






tdsskiller log:

21:29:18.0109 2336 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
21:29:18.0968 2336 ============================================================
21:29:18.0968 2336 Current date / time: 2012/04/15 21:29:18.0968
21:29:18.0968 2336 SystemInfo:
21:29:18.0968 2336
21:29:18.0968 2336 OS Version: 5.1.2600 ServicePack: 2.0
21:29:18.0968 2336 Product type: Workstation
21:29:18.0968 2336 ComputerName: MOBILE
21:29:18.0968 2336 UserName: jimmy
21:29:18.0968 2336 Windows directory: F:\WINDOWS
21:29:18.0968 2336 System windows directory: F:\WINDOWS
21:29:18.0968 2336 Processor architecture: Intel x86
21:29:18.0968 2336 Number of processors: 2
21:29:18.0968 2336 Page size: 0x1000
21:29:18.0968 2336 Boot type: Normal boot
21:29:18.0968 2336 ============================================================
21:29:21.0390 2336 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:29:21.0390 2336 \Device\Harddisk0\DR0:
21:29:21.0390 2336 MBR used
21:29:21.0390 2336 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1167D6B0
21:29:21.0437 2336 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x11693E86, BlocksNum 0x1380D7A
21:29:21.0531 2336 Initialize success
21:29:21.0531 2336 ============================================================
21:29:30.0640 2732 ============================================================
21:29:30.0640 2732 Scan started
21:29:30.0656 2732 Mode: Manual; TDLFS;
21:29:30.0656 2732 ============================================================
21:29:31.0578 2732 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) F:\Program Files\SUPERAntiSpyware\SASCORE.EXE
21:29:31.0593 2732 !SASCORE - ok
21:29:31.0656 2732 Abiosdsk - ok
21:29:31.0671 2732 abp480n5 - ok
21:29:31.0718 2732 ACPI (a10c7534f7223f4a73a948967d00e69b) F:\WINDOWS\system32\DRIVERS\ACPI.sys
21:29:31.0718 2732 ACPI - ok
21:29:31.0765 2732 ACPIEC (9859c0f6936e723e4892d7141b1327d5) F:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:29:31.0765 2732 ACPIEC - ok
21:29:31.0781 2732 adpu160m - ok
21:29:31.0828 2732 aec (841f385c6cfaf66b58fbd898722bb4f0) F:\WINDOWS\system32\drivers\aec.sys
21:29:31.0828 2732 aec - ok
21:29:31.0875 2732 AFD (55e6e1c51b6d30e54335750955453702) F:\WINDOWS\System32\drivers\afd.sys
21:29:31.0875 2732 AFD - ok
21:29:31.0890 2732 Aha154x - ok
21:29:31.0906 2732 aic78u2 - ok
21:29:31.0921 2732 aic78xx - ok
21:29:31.0953 2732 Alerter (c7ae0fd3867db0d42b03b73c18f3d671) F:\WINDOWS\system32\alrsvc.dll
21:29:31.0953 2732 Alerter - ok
21:29:31.0984 2732 ALG (f1958fbf86d5c004cf19a5951a9514b7) F:\WINDOWS\System32\alg.exe
21:29:31.0984 2732 ALG - ok
21:29:32.0000 2732 AliIde - ok
21:29:32.0125 2732 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) F:\WINDOWS\system32\drivers\Ambfilt.sys
21:29:32.0156 2732 Ambfilt - ok
21:29:32.0171 2732 amsint - ok
21:29:32.0187 2732 AppMgmt - ok
21:29:32.0203 2732 asc - ok
21:29:32.0218 2732 asc3350p - ok
21:29:32.0234 2732 asc3550 - ok
21:29:32.0281 2732 AsyncMac (02000abf34af4c218c35d257024807d6) F:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:29:32.0281 2732 AsyncMac - ok
21:29:32.0312 2732 atapi (cdfe4411a69c224bd1d11b2da92dac51) F:\WINDOWS\system32\DRIVERS\atapi.sys
21:29:32.0312 2732 atapi - ok
21:29:32.0328 2732 Atdisk - ok
21:29:32.0359 2732 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) F:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:29:32.0359 2732 Atmarpc - ok
21:29:32.0390 2732 AudioSrv (db66db626e4882ebef55f136f12c1829) F:\WINDOWS\System32\audiosrv.dll
21:29:32.0390 2732 AudioSrv - ok
21:29:32.0421 2732 audstub (d9f724aa26c010a217c97606b160ed68) F:\WINDOWS\system32\DRIVERS\audstub.sys
21:29:32.0437 2732 audstub - ok
21:29:32.0531 2732 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) F:\WINDOWS\system32\DRIVERS\bcmwl5.sys
21:29:32.0562 2732 BCM43XX - ok
21:29:32.0593 2732 Beep (da1f27d85e0d1525f6621372e7b685e9) F:\WINDOWS\system32\drivers\Beep.sys
21:29:32.0593 2732 Beep - ok
21:29:32.0656 2732 BITS (2c69ec7e5a311334d10dd95f338fccea) F:\WINDOWS\system32\qmgr.dll
21:29:32.0671 2732 BITS - ok
21:29:32.0687 2732 Browser (e3cfccdda4edd1d0dc9168b2e18f27b8) F:\WINDOWS\System32\browser.dll
21:29:32.0703 2732 Browser - ok
21:29:32.0718 2732 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) F:\WINDOWS\system32\drivers\cbidf2k.sys
21:29:32.0718 2732 cbidf2k - ok
21:29:32.0781 2732 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) F:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:29:32.0781 2732 CCDECODE - ok
21:29:32.0796 2732 cd20xrnt - ok
21:29:32.0828 2732 Cdaudio (c1b486a7658353d33a10cc15211a873b) F:\WINDOWS\system32\drivers\Cdaudio.sys
21:29:32.0828 2732 Cdaudio - ok
21:29:32.0859 2732 Cdfs (cd7d5152df32b47f4e36f710b35aae02) F:\WINDOWS\system32\drivers\Cdfs.sys
21:29:32.0875 2732 Cdfs - ok
21:29:32.0890 2732 Cdrom (af9c19b3100fe010496b1a27181fbf72) F:\WINDOWS\system32\DRIVERS\cdrom.sys
21:29:32.0906 2732 Cdrom - ok
21:29:32.0921 2732 cercsr6 (84853b3fd012251690570e9e7e43343f) F:\WINDOWS\system32\drivers\cercsr6.sys
21:29:32.0921 2732 cercsr6 - ok
21:29:32.0937 2732 Changer - ok
21:29:32.0968 2732 CiSvc (3192bd04d032a9c4a85a3278c268a13a) F:\WINDOWS\system32\cisvc.exe
21:29:32.0968 2732 CiSvc - ok
21:29:32.0984 2732 ClipSrv (c8dec22c4137d7a90f8bdf41ca4b82ae) F:\WINDOWS\system32\clipsrv.exe
21:29:32.0984 2732 ClipSrv - ok
21:29:33.0031 2732 CmBatt (4266be808f85826aedf3c64c1e240203) F:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:29:33.0031 2732 CmBatt - ok
21:29:33.0046 2732 CmdIde - ok
21:29:33.0078 2732 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) F:\WINDOWS\system32\DRIVERS\compbatt.sys
21:29:33.0078 2732 Compbatt - ok
21:29:33.0093 2732 COMSysApp - ok
21:29:33.0125 2732 Cpqarray - ok
21:29:33.0140 2732 CryptSvc (10654f9ddcea9c46cfb77554231be73b) F:\WINDOWS\System32\cryptsvc.dll
21:29:33.0156 2732 CryptSvc - ok
21:29:33.0203 2732 CtClsFlt (b27d15c551a6678137c6b751b160756d) F:\WINDOWS\system32\DRIVERS\CtClsFlt.sys
21:29:33.0203 2732 CtClsFlt - ok
21:29:33.0218 2732 dac2w2k - ok
21:29:33.0250 2732 dac960nt - ok
21:29:33.0343 2732 DcomLaunch (24b5d53b9accc1e2edcf0a878d6659d4) F:\WINDOWS\system32\rpcss.dll
21:29:33.0359 2732 DcomLaunch - ok
21:29:33.0375 2732 Dhcp (cb6ca3e5261d65f6f809eed23bf167aa) F:\WINDOWS\System32\dhcpcsvc.dll
21:29:33.0375 2732 Dhcp - ok
21:29:33.0406 2732 Disk (00ca44e4534865f8a3b64f7c0984bff0) F:\WINDOWS\system32\DRIVERS\disk.sys
21:29:33.0406 2732 Disk - ok
21:29:33.0437 2732 dmadmin - ok
21:29:33.0484 2732 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) F:\WINDOWS\system32\drivers\dmboot.sys
21:29:33.0500 2732 dmboot - ok
21:29:33.0531 2732 dmio (f5e7b358a732d09f4bcf2824b88b9e28) F:\WINDOWS\system32\drivers\dmio.sys
21:29:33.0531 2732 dmio - ok
21:29:33.0578 2732 dmload (e9317282a63ca4d188c0df5e09c6ac5f) F:\WINDOWS\system32\drivers\dmload.sys
21:29:33.0578 2732 dmload - ok
21:29:33.0593 2732 dmserver (1639d9964c9e1b2ecca95c8217d3e70d) F:\WINDOWS\System32\dmserver.dll
21:29:33.0593 2732 dmserver - ok
21:29:33.0640 2732 DMusic (a6f881284ac1150e37d9ae47ff601267) F:\WINDOWS\system32\drivers\DMusic.sys
21:29:33.0640 2732 DMusic - ok
21:29:33.0656 2732 Dnscache (7379de06fd196e396a00aa97b990c00d) F:\WINDOWS\System32\dnsrslvr.dll
21:29:33.0656 2732 Dnscache - ok
21:29:33.0671 2732 dpti2o - ok
21:29:33.0703 2732 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) F:\WINDOWS\system32\drivers\drmkaud.sys
21:29:33.0703 2732 drmkaud - ok
21:29:33.0734 2732 EMSC (a6da3468ffafbdce403ef2973ff03865) F:\WINDOWS\system32\DRIVERS\EMSC.SYS
21:29:33.0734 2732 EMSC - ok
21:29:33.0765 2732 ERSvc (67dff7bbbd0e80aab7b3cf061448db8a) F:\WINDOWS\System32\ersvc.dll
21:29:33.0765 2732 ERSvc - ok
21:29:33.0812 2732 Eventlog (4712531ab7a01b7ee059853ca17d39bd) F:\WINDOWS\system32\services.exe
21:29:33.0812 2732 Eventlog - ok
21:29:33.0859 2732 EventSystem (60d1a6342238378bfb7545c81ee3606c) F:\WINDOWS\system32\es.dll
21:29:33.0859 2732 EventSystem - ok
21:29:33.0890 2732 Fastfat (3117f595e9615e04f05a54fc15a03b20) F:\WINDOWS\system32\drivers\Fastfat.sys
21:29:33.0906 2732 Fastfat - ok
21:29:33.0937 2732 FastUserSwitchingCompatibility (e7518dc542d3ebdcb80edd98462c7821) F:\WINDOWS\System32\shsvcs.dll
21:29:33.0937 2732 FastUserSwitchingCompatibility - ok
21:29:33.0953 2732 Fdc (ced2e8396a8838e59d8fd529c680e02c) F:\WINDOWS\system32\drivers\Fdc.sys
21:29:33.0953 2732 Fdc - ok
21:29:34.0000 2732 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) F:\WINDOWS\system32\drivers\Fips.sys
21:29:34.0000 2732 Fips - ok
21:29:34.0031 2732 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) F:\WINDOWS\system32\drivers\Flpydisk.sys
21:29:34.0031 2732 Flpydisk - ok
21:29:34.0078 2732 FltMgr (157754f0df355a9e0a6f54721914f9c6) F:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:29:34.0078 2732 FltMgr - ok
21:29:34.0093 2732 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) F:\WINDOWS\system32\drivers\Fs_Rec.sys
21:29:34.0093 2732 Fs_Rec - ok
21:29:34.0125 2732 Ftdisk (6ac26732762483366c3969c9e4d2259d) F:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:29:34.0125 2732 Ftdisk - ok
21:29:34.0140 2732 Gpc (c0f1d4a21de5a415df8170616703debf) F:\WINDOWS\system32\DRIVERS\msgpc.sys
21:29:34.0140 2732 Gpc - ok
21:29:34.0203 2732 gupdate (8f0de4fef8201e306f9938b0905ac96a) F:\Program Files\Google\Update\GoogleUpdate.exe
21:29:34.0218 2732 gupdate - ok
21:29:34.0234 2732 gupdatem (8f0de4fef8201e306f9938b0905ac96a) F:\Program Files\Google\Update\GoogleUpdate.exe
21:29:34.0234 2732 gupdatem - ok
21:29:34.0265 2732 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) F:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:29:34.0265 2732 HDAudBus - ok
21:29:34.0296 2732 helpsvc (8827911a8c37e40c027cbfc88e69d967) F:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
21:29:34.0296 2732 helpsvc - ok
21:29:34.0343 2732 HidServ (9376e6893e52b368abc6255bf54f0b28) F:\WINDOWS\System32\hidserv.dll
21:29:34.0343 2732 HidServ - ok
21:29:34.0375 2732 hidusb (1de6783b918f540149aa69943bdfeba8) F:\WINDOWS\system32\DRIVERS\hidusb.sys
21:29:34.0375 2732 hidusb - ok
21:29:34.0375 2732 hpn - ok
21:29:34.0468 2732 HPSLPSVC (9d23402d305869844bc6004a05cc74ba) F:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
21:29:34.0484 2732 HPSLPSVC - ok
21:29:34.0531 2732 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) F:\WINDOWS\system32\DRIVERS\HPZid412.sys
21:29:34.0531 2732 HPZid412 - ok
21:29:34.0546 2732 HPZipr12 (89f41658929393487b6b7d13c8528ce3) F:\WINDOWS\system32\DRIVERS\HPZipr12.sys
21:29:34.0546 2732 HPZipr12 - ok
21:29:34.0578 2732 HPZius12 (abcb05ccdbf03000354b9553820e39f8) F:\WINDOWS\system32\DRIVERS\HPZius12.sys
21:29:34.0593 2732 HPZius12 - ok
21:29:34.0640 2732 HTTP (c19b522a9ae0bbc3293397f3055e80a1) F:\WINDOWS\system32\Drivers\HTTP.sys
21:29:34.0656 2732 HTTP - ok
21:29:34.0687 2732 HTTPFilter (064d8581adf77c25133e7d751d917d83) F:\WINDOWS\System32\w3ssl.dll
21:29:34.0703 2732 HTTPFilter - ok
21:29:34.0718 2732 i2omgmt - ok
21:29:34.0734 2732 i2omp - ok
21:29:34.0765 2732 i8042prt (5502b58eef7486ee6f93f3f164dcb808) F:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:29:34.0765 2732 i8042prt - ok
21:29:35.0078 2732 ialm (48846b31be5a4fa662ccfde7a1ba86b9) F:\WINDOWS\system32\DRIVERS\igxpmp32.sys
21:29:35.0187 2732 ialm - ok
21:29:35.0265 2732 IDriverT (6f95324909b502e2651442c1548ab12f) F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
21:29:35.0265 2732 IDriverT - ok
21:29:35.0296 2732 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) F:\WINDOWS\system32\DRIVERS\imapi.sys
21:29:35.0296 2732 Imapi - ok
21:29:35.0343 2732 ImapiService (fa788520bcac0f5d9d5cde5615c0d931) F:\WINDOWS\system32\imapi.exe
21:29:35.0343 2732 ImapiService - ok
21:29:35.0359 2732 ini910u - ok
21:29:35.0656 2732 IntcAzAudAddService (cb1113029fae50c685198eabd9885161) F:\WINDOWS\system32\drivers\RtkHDAud.sys
21:29:35.0750 2732 IntcAzAudAddService - ok
21:29:35.0765 2732 IntelIde - ok
21:29:35.0812 2732 intelppm (279fb78702454dff2bb445f238c048d2) F:\WINDOWS\system32\DRIVERS\intelppm.sys
21:29:35.0812 2732 intelppm - ok
21:29:35.0843 2732 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) F:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:29:35.0843 2732 Ip6Fw - ok
21:29:35.0875 2732 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) F:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:29:35.0875 2732 IpFilterDriver - ok
21:29:35.0890 2732 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) F:\WINDOWS\system32\DRIVERS\ipinip.sys
21:29:35.0906 2732 IpInIp - ok
21:29:35.0937 2732 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) F:\WINDOWS\system32\DRIVERS\ipnat.sys
21:29:35.0937 2732 IpNat - ok
21:29:35.0984 2732 IPSec (64537aa5c003a6afeee1df819062d0d1) F:\WINDOWS\system32\DRIVERS\ipsec.sys
21:29:35.0984 2732 IPSec - ok
21:29:36.0015 2732 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) F:\WINDOWS\system32\DRIVERS\irenum.sys
21:29:36.0015 2732 IRENUM - ok
21:29:36.0062 2732 isapnp (e504f706ccb699c2596e9a3da1596e87) F:\WINDOWS\system32\DRIVERS\isapnp.sys
21:29:36.0062 2732 isapnp - ok
21:29:36.0156 2732 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) F:\Program Files\Java\jre6\bin\jqs.exe
21:29:36.0156 2732 JavaQuickStarterService - ok
21:29:36.0187 2732 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) F:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:29:36.0203 2732 Kbdclass - ok
21:29:36.0265 2732 kmixer (d93cad07c5683db066b0b2d2d3790ead) F:\WINDOWS\system32\drivers\kmixer.sys
21:29:36.0265 2732 kmixer - ok
21:29:36.0312 2732 KSecDD (1be7cc2535d760ae4d481576eb789f24) F:\WINDOWS\system32\drivers\KSecDD.sys
21:29:36.0312 2732 KSecDD - ok
21:29:36.0343 2732 lanmanserver (93d32468d34e000cb3407947d1d6e22a) F:\WINDOWS\System32\srvsvc.dll
21:29:36.0359 2732 lanmanserver - ok
21:29:36.0406 2732 lanmanworkstation (e1f27cfcd114ec9f1e1f44674b2ff9f0) F:\WINDOWS\System32\wkssvc.dll
21:29:36.0421 2732 lanmanworkstation - ok
21:29:36.0437 2732 lbrtfdc - ok
21:29:36.0468 2732 LmHosts (b3eff6d938c572e90a07b3d87a3c7657) F:\WINDOWS\System32\lmhsvc.dll
21:29:36.0468 2732 LmHosts - ok
21:29:36.0500 2732 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) F:\WINDOWS\system32\drivers\mbam.sys
21:29:36.0500 2732 MBAMProtector - ok
21:29:36.0593 2732 MBAMService (ba400ed640bca1eae5c727ae17c10207) F:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
21:29:36.0609 2732 MBAMService - ok
21:29:36.0609 2732 McComponentHostService - ok
21:29:36.0640 2732 Messenger (95fd808e4ac22aba025a7b3eac0375d2) F:\WINDOWS\System32\msgsvc.dll
21:29:36.0656 2732 Messenger - ok
21:29:36.0687 2732 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) F:\WINDOWS\system32\drivers\mnmdd.sys
21:29:36.0687 2732 mnmdd - ok
21:29:36.0718 2732 mnmsrvc (f6415361201915b9fe3896b0e4e724ff) F:\WINDOWS\system32\mnmsrvc.exe
21:29:36.0718 2732 mnmsrvc - ok
21:29:36.0765 2732 Modem (6fc6f9d7acc36dca9b914565a3aeda05) F:\WINDOWS\system32\drivers\Modem.sys
21:29:36.0765 2732 Modem - ok
21:29:36.0859 2732 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) F:\WINDOWS\system32\drivers\Monfilt.sys
21:29:36.0890 2732 Monfilt - ok
21:29:36.0921 2732 Mouclass (34e1f0031153e491910e12551400192c) F:\WINDOWS\system32\DRIVERS\mouclass.sys
21:29:36.0921 2732 Mouclass - ok
21:29:36.0953 2732 mouhid (b1c303e17fb9d46e87a98e4ba6769685) F:\WINDOWS\system32\DRIVERS\mouhid.sys
21:29:36.0953 2732 mouhid - ok
21:29:36.0968 2732 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) F:\WINDOWS\system32\drivers\MountMgr.sys
21:29:36.0984 2732 MountMgr - ok
21:29:37.0000 2732 mraid35x - ok
21:29:37.0031 2732 MRxDAV (46edcc8f2db2f322c24f48785cb46366) F:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:29:37.0031 2732 MRxDAV - ok
21:29:37.0078 2732 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) F:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:29:37.0078 2732 MRxSmb - ok
21:29:37.0125 2732 MSDTC (c7c3d89eb0a6f3dba622ea737fa335b1) F:\WINDOWS\system32\msdtc.exe
21:29:37.0140 2732 MSDTC - ok
21:29:37.0156 2732 Msfs (561b3a4333ca2dbdba28b5b956822519) F:\WINDOWS\system32\drivers\Msfs.sys
21:29:37.0156 2732 Msfs - ok
21:29:37.0171 2732 MSIServer - ok
21:29:37.0218 2732 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) F:\WINDOWS\system32\drivers\MSKSSRV.sys
21:29:37.0218 2732 MSKSSRV - ok
21:29:37.0265 2732 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) F:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:29:37.0265 2732 MSPCLOCK - ok
21:29:37.0296 2732 MSPQM (1988a33ff19242576c3d0ef9ce785da7) F:\WINDOWS\system32\drivers\MSPQM.sys
21:29:37.0296 2732 MSPQM - ok
21:29:37.0328 2732 mssmbios (469541f8bfd2b32659d5d463a6714bce) F:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:29:37.0328 2732 mssmbios - ok
21:29:37.0343 2732 MSTEE (bf13612142995096ab084f2db7f40f77) F:\WINDOWS\system32\drivers\MSTEE.sys
21:29:37.0343 2732 MSTEE - ok
21:29:37.0375 2732 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) F:\WINDOWS\system32\drivers\Mup.sys
21:29:37.0390 2732 Mup - ok
21:29:37.0421 2732 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) F:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:29:37.0421 2732 NABTSFEC - ok
21:29:37.0453 2732 NDIS (558635d3af1c7546d26067d5d9b6959e) F:\WINDOWS\system32\drivers\NDIS.sys
21:29:37.0453 2732 NDIS - ok
21:29:37.0484 2732 NdisIP (520ce427a8b298f54112857bcf6bde15) F:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:29:37.0484 2732 NdisIP - ok
21:29:37.0515 2732 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) F:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:29:37.0531 2732 NdisTapi - ok
21:29:37.0562 2732 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) F:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:29:37.0562 2732 Ndisuio - ok
21:29:37.0609 2732 NdisWan (0b90e255a9490166ab368cd55a529893) F:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:29:37.0609 2732 NdisWan - ok
21:29:37.0625 2732 NDProxy (59fc3fb44d2669bc144fd87826bb571f) F:\WINDOWS\system32\drivers\NDProxy.sys
21:29:37.0625 2732 NDProxy - ok
21:29:37.0671 2732 Net Driver HPZ12 (69c503c004f49aee8b8e3067cc047ba7) F:\WINDOWS\system32\HPZinw12.dll
21:29:37.0671 2732 Net Driver HPZ12 - ok
21:29:37.0703 2732 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) F:\WINDOWS\system32\DRIVERS\netbios.sys
21:29:37.0718 2732 NetBIOS - ok
21:29:37.0750 2732 NetBT (0c80e410cd2f47134407ee7dd19cc86b) F:\WINDOWS\system32\DRIVERS\netbt.sys
21:29:37.0750 2732 NetBT - ok
21:29:37.0781 2732 NetDDE (05afb5ad06462257bea7495283c86d50) F:\WINDOWS\system32\netdde.exe
21:29:37.0796 2732 NetDDE - ok
21:29:37.0796 2732 NetDDEdsdm (05afb5ad06462257bea7495283c86d50) F:\WINDOWS\system32\netdde.exe
21:29:37.0812 2732 NetDDEdsdm - ok
21:29:37.0828 2732 Netlogon (84885f9b82f4d55c6146ebf6065d75d2) F:\WINDOWS\system32\lsass.exe
21:29:37.0828 2732 Netlogon - ok
21:29:37.0875 2732 Netman (dab9e6c7105d2ef49876fe92c524f565) F:\WINDOWS\System32\netman.dll
21:29:37.0875 2732 Netman - ok
21:29:37.0921 2732 Nla (097722f235a1fb698bf9234e01b52637) F:\WINDOWS\System32\mswsock.dll
21:29:37.0921 2732 Nla - ok
21:29:37.0937 2732 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) F:\WINDOWS\system32\drivers\Npfs.sys
21:29:37.0937 2732 Npfs - ok
21:29:38.0000 2732 Ntfs (b78be402c3f63dd55521f73876951cdd) F:\WINDOWS\system32\drivers\Ntfs.sys
21:29:38.0015 2732 Ntfs - ok
21:29:38.0015 2732 NtLmSsp (84885f9b82f4d55c6146ebf6065d75d2) F:\WINDOWS\system32\lsass.exe
21:29:38.0031 2732 NtLmSsp - ok
21:29:38.0078 2732 NtmsSvc (b62f29c00ac55a761b2e45877d85ea0f) F:\WINDOWS\system32\ntmssvc.dll
21:29:38.0093 2732 NtmsSvc - ok
21:29:38.0125 2732 Null (73c1e1f395918bc2c6dd67af7591a3ad) F:\WINDOWS\system32\drivers\Null.sys
21:29:38.0140 2732 Null - ok
21:29:38.0171 2732 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) F:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:29:38.0171 2732 NwlnkFlt - ok
21:29:38.0187 2732 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) F:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:29:38.0187 2732 NwlnkFwd - ok
21:29:38.0218 2732 Parport (29744eb4ce659dfe3b4122deb45bc478) F:\WINDOWS\system32\drivers\Parport.sys
21:29:38.0218 2732 Parport - ok
21:29:38.0234 2732 PartMgr (3334430c29dc338092f79c38ef7b4cd0) F:\WINDOWS\system32\drivers\PartMgr.sys
21:29:38.0234 2732 PartMgr - ok
21:29:38.0281 2732 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) F:\WINDOWS\system32\drivers\ParVdm.sys
21:29:38.0281 2732 ParVdm - ok
21:29:38.0312 2732 PCI (8086d9979234b603ad5bc2f5d890b234) F:\WINDOWS\system32\DRIVERS\pci.sys
21:29:38.0312 2732 PCI - ok
21:29:38.0328 2732 PCIDump - ok
21:29:38.0359 2732 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) F:\WINDOWS\system32\DRIVERS\pciide.sys
21:29:38.0359 2732 PCIIde - ok
21:29:38.0406 2732 Pcmcia (82a087207decec8456fbe8537947d579) F:\WINDOWS\system32\drivers\Pcmcia.sys
21:29:38.0406 2732 Pcmcia - ok
21:29:38.0421 2732 PDCOMP - ok
21:29:38.0437 2732 PDFRAME - ok
21:29:38.0453 2732 PDRELI - ok
21:29:38.0468 2732 PDRFRAME - ok
21:29:38.0500 2732 perc2 - ok
21:29:38.0515 2732 perc2hib - ok
21:29:38.0578 2732 PlugPlay (4712531ab7a01b7ee059853ca17d39bd) F:\WINDOWS\system32\services.exe
21:29:38.0578 2732 PlugPlay - ok
21:29:38.0625 2732 Pml Driver HPZ12 (12b4549d515cb26bb8d375038017ca65) F:\WINDOWS\system32\HPZipm12.dll
21:29:38.0625 2732 Pml Driver HPZ12 - ok
21:29:38.0671 2732 PolicyAgent (84885f9b82f4d55c6146ebf6065d75d2) F:\WINDOWS\system32\lsass.exe
21:29:38.0671 2732 PolicyAgent - ok
21:29:38.0687 2732 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) F:\WINDOWS\system32\DRIVERS\raspptp.sys
21:29:38.0703 2732 PptpMiniport - ok
21:29:38.0718 2732 ProtectedStorage (84885f9b82f4d55c6146ebf6065d75d2) F:\WINDOWS\system32\lsass.exe
21:29:38.0718 2732 ProtectedStorage - ok
21:29:38.0734 2732 PSched (48671f327553dcf1d27f6197f622a668) F:\WINDOWS\system32\DRIVERS\psched.sys
21:29:38.0734 2732 PSched - ok
21:29:38.0765 2732 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) F:\WINDOWS\system32\DRIVERS\ptilink.sys
21:29:38.0765 2732 Ptilink - ok
21:29:38.0796 2732 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) F:\WINDOWS\system32\Drivers\PxHelp20.sys
21:29:38.0796 2732 PxHelp20 - ok
21:29:38.0812 2732 ql1080 - ok
21:29:38.0828 2732 Ql10wnt - ok
21:29:38.0843 2732 ql12160 - ok
21:29:38.0859 2732 ql1240 - ok
21:29:38.0875 2732 ql1280 - ok
21:29:38.0906 2732 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) F:\WINDOWS\system32\DRIVERS\rasacd.sys
21:29:38.0906 2732 RasAcd - ok
21:29:38.0937 2732 RasAuto (44db7a9bdd2fb58747d123fbf1d35adb) F:\WINDOWS\System32\rasauto.dll
21:29:38.0953 2732 RasAuto - ok
21:29:38.0984 2732 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) F:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:29:38.0984 2732 Rasl2tp - ok
21:29:39.0031 2732 RasMan (41a3c11e3517c962c9b44893bcec3b34) F:\WINDOWS\System32\rasmans.dll
21:29:39.0031 2732 RasMan - ok
21:29:39.0062 2732 RasPppoe (7306eeed8895454cbed4669be9f79faa) F:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:29:39.0062 2732 RasPppoe - ok
21:29:39.0078 2732 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) F:\WINDOWS\system32\DRIVERS\raspti.sys
21:29:39.0078 2732 Raspti - ok
21:29:39.0109 2732 Rdbss (29d66245adba878fff574cd66abd2884) F:\WINDOWS\system32\DRIVERS\rdbss.sys
21:29:39.0109 2732 Rdbss - ok
21:29:39.0140 2732 RDPCDD (4912d5b403614ce99c28420f75353332) F:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:29:39.0140 2732 RDPCDD - ok
21:29:39.0187 2732 RDPWD (d4f5643d7714ef499ae9527fdcd50894) F:\WINDOWS\system32\drivers\RDPWD.sys
21:29:39.0203 2732 RDPWD - ok
21:29:39.0234 2732 RDSessMgr (729798e0933076b8fcfcd9934698f164) F:\WINDOWS\system32\sessmgr.exe
21:29:39.0234 2732 RDSessMgr - ok
21:29:39.0265 2732 redbook (b31b4588e4086d8d84adbf9845c2402b) F:\WINDOWS\system32\DRIVERS\redbook.sys
21:29:39.0265 2732 redbook - ok
21:29:39.0312 2732 RemoteAccess (3046db917e3cfa040632799dd9b14865) F:\WINDOWS\System32\mprdim.dll
21:29:39.0312 2732 RemoteAccess - ok
21:29:39.0343 2732 RpcLocator (793f04a09b15e7c6c11dbdffaf06c0ab) F:\WINDOWS\system32\locator.exe
21:29:39.0343 2732 RpcLocator - ok
21:29:39.0390 2732 RpcSs (24b5d53b9accc1e2edcf0a878d6659d4) F:\WINDOWS\system32\rpcss.dll
21:29:39.0406 2732 RpcSs - ok
21:29:39.0453 2732 RSUSBSTOR (83f7a29b659771e60cd71999ef57aa0c) F:\WINDOWS\system32\Drivers\RtsUStor.sys
21:29:39.0453 2732 RSUSBSTOR - ok
21:29:39.0500 2732 RSVP (471b3f9741d762abe75e9deea4787e47) F:\WINDOWS\system32\rsvp.exe
21:29:39.0500 2732 RSVP - ok
21:29:39.0546 2732 RTLE8023xp (cb9310a5a910648d359c99a857e22a54) F:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
21:29:39.0546 2732 RTLE8023xp - ok
21:29:39.0593 2732 SamSs (84885f9b82f4d55c6146ebf6065d75d2) F:\WINDOWS\system32\lsass.exe
21:29:39.0593 2732 SamSs - ok
21:29:39.0656 2732 SASDIFSV (39763504067962108505bff25f024345) F:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
21:29:39.0656 2732 SASDIFSV - ok
21:29:39.0671 2732 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) F:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
21:29:39.0671 2732 SASKUTIL - ok
21:29:39.0734 2732 SCardSvr (25d8de134df108e3dbc8d7d23b1aa58e) F:\WINDOWS\System32\SCardSvr.exe
21:29:39.0750 2732 SCardSvr - ok
21:29:39.0781 2732 Schedule (92360854316611f6cc471612213c3d92) F:\WINDOWS\system32\schedsvc.dll
21:29:39.0796 2732 Schedule - ok
21:29:39.0828 2732 Secdrv (d26e26ea516450af9d072635c60387f4) F:\WINDOWS\system32\DRIVERS\secdrv.sys
21:29:39.0828 2732 Secdrv - ok
21:29:39.0859 2732 seclogon (b1e0ce09895376871746f36dc5773b4f) F:\WINDOWS\System32\seclogon.dll
21:29:39.0859 2732 seclogon - ok
21:29:39.0890 2732 SENS (dfd9870cf39c791d86c4c209da9fa919) F:\WINDOWS\system32\sens.dll
21:29:39.0890 2732 SENS - ok
21:29:39.0937 2732 Serial (cd9404d115a00d249f70a371b46d5a26) F:\WINDOWS\system32\drivers\Serial.sys
21:29:39.0937 2732 Serial - ok
21:29:39.0953 2732 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) F:\WINDOWS\system32\drivers\Sfloppy.sys
21:29:39.0953 2732 Sfloppy - ok
21:29:40.0015 2732 SharedAccess (36cc8c01b5e50163037bef56cb96deff) F:\WINDOWS\System32\ipnathlp.dll
21:29:40.0031 2732 SharedAccess - ok
21:29:40.0062 2732 ShellHWDetection (e7518dc542d3ebdcb80edd98462c7821) F:\WINDOWS\System32\shsvcs.dll
21:29:40.0062 2732 ShellHWDetection - ok
21:29:40.0078 2732 Simbad - ok
21:29:40.0125 2732 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) F:\WINDOWS\system32\DRIVERS\SLIP.sys
21:29:40.0125 2732 SLIP - ok
21:29:40.0140 2732 Sparrow - ok
21:29:40.0203 2732 splitter (8e186b8f23295d1e42c573b82b80d548) F:\WINDOWS\system32\drivers\splitter.sys
21:29:40.0203 2732 splitter - ok
21:29:40.0234 2732 Spooler (7435b108b935e42ea92ca94f59c8e717) F:\WINDOWS\system32\spoolsv.exe
21:29:40.0234 2732 Spooler - ok
21:29:40.0281 2732 sr (e41b6d037d6cd08461470af04500dc24) F:\WINDOWS\system32\DRIVERS\sr.sys
21:29:40.0281 2732 sr - ok
21:29:40.0312 2732 srservice (92bdf74f12d6cbec43c94d4b7f804838) F:\WINDOWS\system32\srsvc.dll
21:29:40.0328 2732 srservice - ok
21:29:40.0375 2732 Srv (7a4f147cc6b133f905f6e65e2f8669fb) F:\WINDOWS\system32\DRIVERS\srv.sys
21:29:40.0375 2732 Srv - ok
21:29:40.0421 2732 SSDPSRV (4b8d61792f7175bed48859cc18ce4e38) F:\WINDOWS\System32\ssdpsrv.dll
21:29:40.0421 2732 SSDPSRV - ok
21:29:40.0468 2732 stisvc (d9f6c4f6b1e188adafc42b561d9bc2e6) F:\WINDOWS\system32\wiaservc.dll
21:29:40.0484 2732 stisvc - ok
21:29:40.0531 2732 streamip (284c57df5dc7abca656bc2b96a667afb) F:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:29:40.0531 2732 streamip - ok
21:29:40.0562 2732 swenum (03c1bae4766e2450219d20b993d6e046) F:\WINDOWS\system32\DRIVERS\swenum.sys
21:29:40.0562 2732 swenum - ok
21:29:40.0593 2732 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) F:\WINDOWS\system32\drivers\swmidi.sys
21:29:40.0593 2732 swmidi - ok
21:29:40.0609 2732 SwPrv - ok
21:29:40.0625 2732 symc810 - ok
21:29:40.0640 2732 symc8xx - ok
21:29:40.0656 2732 sym_hi - ok
21:29:40.0671 2732 sym_u3 - ok
21:29:40.0734 2732 SynTP (5cdd124913e91c7f79b4d5cae1c7c4de) F:\WINDOWS\system32\DRIVERS\SynTP.sys
21:29:40.0734 2732 SynTP - ok
21:29:40.0765 2732 sysaudio (650ad082d46bac0e64c9c0e0928492fd) F:\WINDOWS\system32\drivers\sysaudio.sys
21:29:40.0781 2732 sysaudio - ok
21:29:40.0812 2732 SysmonLog (8b54aa346d1b1b113ffaa75501b8b1b2) F:\WINDOWS\system32\smlogsvc.exe
21:29:40.0812 2732 SysmonLog - ok
21:29:40.0859 2732 TapiSrv (eb4a4187d74a8efdcbea3ea2cb1bdfbd) F:\WINDOWS\System32\tapisrv.dll
21:29:40.0859 2732 TapiSrv - ok
21:29:40.0921 2732 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) F:\WINDOWS\system32\DRIVERS\tcpip.sys
21:29:40.0921 2732 Tcpip - ok
21:29:40.0968 2732 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) F:\WINDOWS\system32\drivers\TDPIPE.sys
21:29:40.0968 2732 TDPIPE - ok
21:29:40.0984 2732 TDTCP (ed0580af02502d00ad8c4c066b156be9) F:\WINDOWS\system32\drivers\TDTCP.sys
21:29:40.0984 2732 TDTCP - ok
21:29:41.0015 2732 TermDD (a540a99c281d933f3d69d55e48727f47) F:\WINDOWS\system32\DRIVERS\termdd.sys
21:29:41.0015 2732 TermDD - ok
21:29:41.0046 2732 TermService (b60c877d16d9c880b952fda04adf16e6) F:\WINDOWS\System32\termsrv.dll
21:29:41.0062 2732 TermService - ok
21:29:41.0093 2732 Themes (e7518dc542d3ebdcb80edd98462c7821) F:\WINDOWS\System32\shsvcs.dll
21:29:41.0109 2732 Themes - ok
21:29:41.0125 2732 TosIde - ok
21:29:41.0171 2732 TrkWks (6d9ac544b30f96c57f8206566c1fb6a1) F:\WINDOWS\system32\trkwks.dll
21:29:41.0171 2732 TrkWks - ok
21:29:41.0218 2732 Udfs (12f70256f140cd7d52c58c7048fde657) F:\WINDOWS\system32\drivers\Udfs.sys
21:29:41.0234 2732 Udfs - ok
21:29:41.0250 2732 ultra - ok
21:29:41.0281 2732 Update (aff2e5045961bbc0a602bb6f95eb1345) F:\WINDOWS\system32\DRIVERS\update.sys
21:29:41.0281 2732 Update - ok
21:29:41.0343 2732 upnphost (0546477bde979e33294fe97f6b3de84a) F:\WINDOWS\System32\upnphost.dll
21:29:41.0343 2732 upnphost - ok
21:29:41.0359 2732 UPS (3f5df65b0758675f95a2d43918a740a3) F:\WINDOWS\System32\ups.exe
21:29:41.0375 2732 UPS - ok
21:29:41.0406 2732 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) F:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:29:41.0406 2732 usbccgp - ok
21:29:41.0453 2732 usbehci (15e993ba2f6946b2bfbbfcd30398621e) F:\WINDOWS\system32\DRIVERS\usbehci.sys
21:29:41.0453 2732 usbehci - ok
21:29:41.0468 2732 usbhub (c72f40947f92cea56a8fb532edf025f1) F:\WINDOWS\system32\DRIVERS\usbhub.sys
21:29:41.0468 2732 usbhub - ok
21:29:41.0500 2732 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) F:\WINDOWS\system32\DRIVERS\usbprint.sys
21:29:41.0500 2732 usbprint - ok
21:29:41.0531 2732 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) F:\WINDOWS\system32\DRIVERS\usbscan.sys
21:29:41.0531 2732 usbscan - ok
21:29:41.0562 2732 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:29:41.0562 2732 usbstor - ok
21:29:41.0593 2732 usbuhci (f8fd1400092e23c8f2f31406ef06167b) F:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:29:41.0593 2732 usbuhci - ok
21:29:41.0640 2732 usbvideo (8968ff3973a883c49e8b564200f565b9) F:\WINDOWS\system32\Drivers\usbvideo.sys
21:29:41.0640 2732 usbvideo - ok
21:29:41.0671 2732 VgaSave (8a60edd72b4ea5aea8202daf0e427925) F:\WINDOWS\System32\drivers\vga.sys
21:29:41.0671 2732 VgaSave - ok
21:29:41.0687 2732 ViaIde - ok
21:29:41.0718 2732 VolSnap (ee4660083deba849ff6c485d944b379b) F:\WINDOWS\system32\drivers\VolSnap.sys
21:29:41.0718 2732 VolSnap - ok
21:29:41.0765 2732 VSS (3ee00364ae0fd8d604f46cbaf512838a) F:\WINDOWS\System32\vssvc.exe
21:29:41.0765 2732 VSS - ok
21:29:41.0812 2732 W32Time (2b281958f5d0cf99ed626e3ef39d5c8d) F:\WINDOWS\system32\w32time.dll
21:29:41.0812 2732 W32Time - ok
21:29:41.0843 2732 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) F:\WINDOWS\system32\DRIVERS\wanarp.sys
21:29:41.0843 2732 Wanarp - ok
21:29:41.0906 2732 Wdf01000 (d918617b46457b9ac28027722e30f647) F:\WINDOWS\system32\Drivers\wdf01000.sys
21:29:41.0906 2732 Wdf01000 - ok
21:29:41.0921 2732 WDICA - ok
21:29:41.0968 2732 wdmaud (2797f33ebf50466020c430ee4f037933) F:\WINDOWS\system32\drivers\wdmaud.sys
21:29:41.0968 2732 wdmaud - ok
21:29:42.0000 2732 WebClient (5d0a442864bfbf3b19dcca4cd29f6e99) F:\WINDOWS\System32\webclnt.dll
21:29:42.0015 2732 WebClient - ok
21:29:42.0078 2732 winmgmt (f399242a80c4066fd155efa4cf96658e) F:\WINDOWS\system32\wbem\WMIsvc.dll
21:29:42.0078 2732 winmgmt - ok
21:29:42.0109 2732 wltrysvc - ok
21:29:42.0171 2732 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) F:\WINDOWS\system32\MsPMSNSv.dll
21:29:42.0171 2732 WmdmPmSN - ok
21:29:42.0203 2732 WmiApSrv (ba8cecc3e813e1f7c441b20393d4f86c) F:\WINDOWS\system32\wbem\wmiapsrv.exe
21:29:42.0218 2732 WmiApSrv - ok
21:29:42.0312 2732 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) F:\Program Files\Windows Media Player\WMPNetwk.exe
21:29:42.0328 2732 WMPNetworkSvc - ok
21:29:42.0375 2732 wscsvc (4d59daa66c60858cdf4f67a900f42d4a) F:\WINDOWS\system32\wscsvc.dll
21:29:42.0375 2732 wscsvc - ok
21:29:42.0406 2732 WSTCODEC (d5842484f05e12121c511aa93f6439ec) F:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:29:42.0406 2732 WSTCODEC - ok
21:29:42.0453 2732 wuauserv (13d72740963cba12d9ff76a7f218bcd8) F:\WINDOWS\system32\wuauserv.dll
21:29:42.0453 2732 wuauserv - ok
21:29:42.0484 2732 WudfPf (f15feafffbb3644ccc80c5da584e6311) F:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:29:42.0500 2732 WudfPf - ok
21:29:42.0515 2732 WudfRd (28b524262bce6de1f7ef9f510ba3985b) F:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:29:42.0531 2732 WudfRd - ok
21:29:42.0562 2732 WudfSvc (05231c04253c5bc30b26cbaae680ed89) F:\WINDOWS\System32\WUDFSvc.dll
21:29:42.0578 2732 WudfSvc - ok
21:29:42.0609 2732 WZCSVC (5a91e6feab9f901302fa7ff768c0120f) F:\WINDOWS\System32\wzcsvc.dll
21:29:42.0625 2732 WZCSVC - ok
21:29:42.0656 2732 xmlprov (eef46dab68229a14da3d8e73c99e2959) F:\WINDOWS\System32\xmlprov.dll
21:29:42.0656 2732 xmlprov - ok
21:29:42.0718 2732 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:29:43.0015 2732 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
21:29:43.0015 2732 \Device\Harddisk0\DR0 - detected TDSS File System (1)
21:29:43.0015 2732 Boot (0x1200) (2b5328674833811ab92acf4e4ecb7890) \Device\Harddisk0\DR0\Partition0
21:29:43.0015 2732 \Device\Harddisk0\DR0\Partition0 - ok
21:29:43.0046 2732 Boot (0x1200) (6e8318fd847099136b39f1161f8369e6) \Device\Harddisk0\DR0\Partition1
21:29:43.0046 2732 \Device\Harddisk0\DR0\Partition1 - ok
21:29:43.0062 2732 ============================================================
21:29:43.0062 2732 Scan finished
21:29:43.0062 2732 ============================================================
21:29:43.0093 3808 Detected object count: 1
21:29:43.0093 3808 Actual detected object count: 1
21:29:48.0812 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
21:29:48.0812 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
21:31:20.0093 2872 Deinitialize success






combofix log:

ComboFix 12-04-15.02 - jimmy 04/15/2012 21:37:20.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.268 [GMT -7:00]
Running from: f:\documents and settings\jimmy\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\documents and settings\All Users\Application Data\TEMP
f:\documents and settings\jimmy\Application Data\Toolbar4
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\009ad7c78fa16405f84086fbb252845c
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\0404edbd589ae6af09ac9759b8ba03aa
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\0f274b8992fdb64d5e4f1f83668eeee7
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\1aad34453450f3be3dcf8f495ba7c0f2
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\27c746d432b7a753a0af8d7c033b46fe
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\3191c436badf4725efbdf2814434db76
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\3ffc06c172fab9b6200871c096f05d95
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\44567846e0387d6a62062ab4dbf9ae96
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\52b66d6979ef2abcea9a736d1b4dbc82
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\6646a9dcb7f9a07a91c1501fcb30fab3
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\6a56174a168dc8fca375dc7cd61c18f5
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\757a20d7a75ae93435ac64a6095eab39
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\89c35566d3dfdce78572ff8c2a627ad2
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\8ab3fdb54b7b6f11d0c790c70f095874
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\8d7129d91fe9f4f63cdc5db9c5b4ccd4
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9840cd5f73490a37d4f3e47107ced675
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9956734e872eec3ea3e17f52e84dc6cc
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9d810aab3f7bcbacb07c241f8d726714
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9e43b23ad10de3e0eceb370efafb39ef
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\acfc834035dccfb94e7f9067f5d48a83
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\b801583e8861fc45946de3f28fe5bb04
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\bbd70e0c6a27130f40bc8806e5252b76
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\bdcf0ed363b85538f740c9b718bf611c
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c0b9e89d52d9e1ff85c2db9f694af77d
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c2a0aae22a7f344f04bdffc005fa544d
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c48c9e27c16419ab995d48b077a802ff
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c4febd1a585c3ce70660e8fe92979428
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c594d37e13c887da6ddc9975fa9aae82
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c81d0870792eee856f1fa6c4f43ceeee
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\cb6e63c98e12bf07d58131fbb0acdae6
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\db97ecdde59727f50132d25b008ece4e
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files\74a63c3c5a2486e81c036be3713f690b
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files\83ea6a13f78e077873046748f65782ff
f:\documents and settings\jimmy\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files\8d679ed9e4143c44e3b5c26f2d2cded1
f:\windows\system32\SET184.tmp
f:\windows\system32\SET186.tmp
f:\windows\system32\SET195.tmp
.
f:\windows\system32\winlogon.exe . . . is infected!!
.
f:\windows\system32\svchost.exe . . . is infected!!
.
f:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-04-15 02:27 . 2012-04-15 02:27 -------- d-----w- f:\documents and settings\jimmy\Application Data\SUPERAntiSpyware.com
2012-04-15 02:26 . 2012-04-15 02:27 -------- d-----w- f:\program files\SUPERAntiSpyware
2012-04-15 02:26 . 2012-04-15 02:26 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-15 02:11 . 2012-04-15 02:11 -------- d-----w- F:\TDSSKiller_Quarantine
2012-04-14 14:24 . 2012-04-14 14:24 -------- d-sh--w- f:\windows\system32\config\systemprofile\PrivacIE
2012-04-14 14:23 . 2012-04-14 14:23 -------- d-sh--w- f:\windows\system32\config\systemprofile\IETldCache
2012-03-18 00:29 . 2012-03-18 00:29 592824 ----a-w- f:\program files\Mozilla Firefox\gkmedias.dll
2012-03-18 00:29 . 2012-03-18 00:29 44472 ----a-w- f:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2011-03-11 17:35 22344 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-01-31 14:46 . 2011-06-18 16:10 414368 -c--a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 00:29 . 2012-01-23 16:17 97208 ----a-w- f:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2004-08-04 . B3FAA89C3E30F3D6586A654F1E163530 . 539136 . . [5.1.2600.2180] . . f:\windows\system32\winlogon.exe
.
[-] 2004-08-04 . FBAED7A1F40E8B8C1BBF46E4F17B6ECD . 39424 . . [5.1.2600.2180] . . f:\windows\system32\svchost.exe
.
[-] 2004-08-04 . AD0EBAC4D924C9121584784CE3FD6E18 . 1057280 . . [6.00.2900.2180] . . f:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="f:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SynTPEnh"="f:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-05 1692968]
"BTMeter"="f:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
"IgfxTray"="f:\windows\system32\igfxtray.exe" [2009-01-08 141848]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2009-01-08 166424]
"Persistence"="f:\windows\system32\igfxpers.exe" [2009-01-08 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="f:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
f:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - f:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"f:\\Program Files\\Opera\\opera.exe"=
.
R0 EMSC;COMPAL Embedded System Control;f:\windows\system32\drivers\EMSC.sys [7/29/2010 8:32 PM 14248]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;f:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 MBAMService;MBAMService;f:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2011 10:35 AM 654408]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;f:\windows\system32\drivers\CtClsFlt.sys [7/29/2010 9:00 PM 143840]
R3 MBAMProtector;MBAMProtector;f:\windows\system32\drivers\mbam.sys [3/11/2011 10:35 AM 22344]
S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
S3 Ambfilt;Ambfilt;f:\windows\system32\drivers\Ambfilt.sys [8/16/2010 3:22 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;f:\windows\system32\drivers\RtsUStor.sys [7/29/2010 8:28 PM 174592]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-16 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-15 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-14 f:\windows\Tasks\ParetoLogic Registration3.job
- f:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-01-28 21:19]
.
2012-04-07 f:\windows\Tasks\ParetoLogic Update Version3.job
- f:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-01-28 21:19]
.
2012-04-16 f:\windows\Tasks\User_Feed_Synchronization-{47A3CF85-1F40-48B9-B8C7-E5252904F0C6}.job
- f:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - f:\documents and settings\jimmy\Application Data\Mozilla\Firefox\Profiles\53svrur2.default\
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.smartwebsearch.net/index.php?form=5&q=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-McAfee Security Scan - f:\program files\McAfee Security Scan\uninstall.exe
AddRemove-Real GIF Optimizer_is1 - f:\program files\Real GIF Optimizer v3.05\unins000.exe
AddRemove-VidGIF_is1 - f:\program files\GeoVid\VidGIF\unins000.exe
AddRemove-{C1C441C4-57FA-4950-BDBA-BABFBAA2AA39} - f:\program files\ParetoLogic\FileCure\uninstall.exe
AddRemove-QUICKMEDIACONVERTER - c:\program files\QuickMediaConverter\WDUNINST.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-15 21:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
f:\program files\SUPERAntiSpyware\SASWINLO.DLL
f:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3172)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\System32\WLTRYSVC.EXE
f:\windows\System32\bcmwltry.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\system32\wscntfy.exe
f:\windows\RTHDCPL.EXE
f:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2012-04-15 21:53:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-16 04:53
.
Pre-Run: 1,050,865,664 bytes free
Post-Run: 1,701,761,024 bytes free
.
- - End Of File - - FBE1B33DE2E7CB15A622474E65A3CED0

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 16 April 2012 - 07:43 AM

Hi

Please re-run TDSSKiller again, with the same parameters, when it finds the following again:

21:29:48.0812 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
21:29:48.0812 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

please choose to Delete them

NEXT

Combofix is reporting core files are infected

f:\windows\system32\winlogon.exe . . . is infected!!
f:\windows\system32\svchost.exe . . . is infected!!
f:\windows\explorer.exe . . . is infected!!

Once you have re-run TDSSKiller and deleted those files, then please re-run ComboFix and see if it is able to replace those files.

If not (you will see in the log), then please do the following:

Manually navigate to each of those files: your system32 folder for winlogon.exe and svchost.exe, and your Windows folder for explorer.exe.

Right-click each of them and choose "rename"; rename them to winlogon.exe.bad, svchost.exe.bad and explorer.exe.bad. After each rename, wait five seconds, then press F5 to refresh; hopefully Windows File Protection will kick in and replace those files with a good one (you will see a file winlogon.exe appear in the system32 folder). If WFP does not work (if no new file appears), then you will have to go back to the infected file that you renamed with the .bad extension and rename it back to .exe, or you won't be able to boot.

If that happens, then we will need to look for those files elsewhere.

Let me know how that goes.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
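The two things CatByte pulls out of the logs above, the TDSSKiller object that was skipped and the core files ComboFix marks infected, are lines a helper normally reads by hand. As an added example, not part of this thread and not code from TDSSKiller or ComboFix, here is a small Python triage parser for those line formats. The regular expressions are inferred from the log lines posted above, and the sample input is constructed from them (paths and hashes copied from the posted logs); the `[-]` Sigcheck entries are treated simply as entries ComboFix flags, with the log's own caveat that unsigned files aren't necessarily malware.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines in the formats the TDSSKiller and ComboFix
# logs in this thread use (paths and hashes copied from the posted logs).
SAMPLE_LOG = r"""
21:29:42.0718 2732 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:29:43.0015 2732 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
21:29:43.0015 2732 \Device\Harddisk0\DR0 - detected TDSS File System (1)
21:29:43.0015 2732 \Device\Harddisk0\DR0\Partition0 - ok
21:29:48.0812 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
21:29:48.0812 3808 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
f:\windows\system32\winlogon.exe . . . is infected!!
f:\windows\system32\svchost.exe . . . is infected!!
[-] 2004-08-04 . B3FAA89C3E30F3D6586A654F1E163530 . 539136 . . [5.1.2600.2180] . . f:\windows\system32\winlogon.exe
[-] 2004-08-04 . FBAED7A1F40E8B8C1BBF46E4F17B6ECD . 39424 . . [5.1.2600.2180] . . f:\windows\system32\svchost.exe
"""

# TDSSKiller object line: "<time> <pid> <object> - <status>" (format inferred from the posted log)
TDSS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<obj>.+?)\s+-\s+(?P<status>.+)$")
# ComboFix "Other Deletions" section: "<path> . . . is infected!!"
INFECTED_RE = re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$")
# ComboFix Sigcheck section: "[flag] <date> . <md5> . <size> . . [version] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    source: str  # "tdsskiller", "combofix" or "sigcheck"
    item: str    # device object or file path
    detail: str  # status text, or hash/size/version summary


def parse_triage(text: str) -> List[Finding]:
    """Pull the lines a helper actually acts on out of pasted log text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TDSS_RE.match(line)
        if m:
            if m.group("status") != "ok":  # objects reported "ok" are noise here
                findings.append(Finding("tdsskiller", m.group("obj"), m.group("status")))
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding("combofix", m.group("path"), "is infected"))
            continue
        m = SIGCHECK_RE.match(line)
        if m and m.group("flag") == "-":
            detail = "md5=%s size=%s version=%s" % (m.group("md5"), m.group("size"), m.group("ver"))
            findings.append(Finding("sigcheck", m.group("path"), detail))
    return findings


def _device(item: str) -> str:
    # "\Device\Harddisk0\DR0 ( TDSS File System )" -> "\Device\Harddisk0\DR0"
    return item.split(" ( ")[0]


def unresolved_detections(findings: List[Finding]) -> List[str]:
    """Objects TDSSKiller detected but the user chose to skip: these need a re-run."""
    detected = {_device(f.item) for f in findings
                if f.source == "tdsskiller" and f.detail.startswith("detected")}
    skipped = {_device(f.item) for f in findings
               if f.source == "tdsskiller" and "skip" in f.detail.lower()}
    return sorted(detected & skipped)


def infected_core_files(findings: List[Finding]) -> List[str]:
    """Files ComboFix reports infected that also carry a [-] Sigcheck entry."""
    infected = {f.item.lower() for f in findings if f.source == "combofix"}
    flagged = {f.item.lower() for f in findings if f.source == "sigcheck"}
    return sorted(infected & flagged)


if __name__ == "__main__":
    found = parse_triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.source:10} {f.item}  [{f.detail}]")
    print("re-run TDSSKiller on:", unresolved_detections(found))
    print("core files to replace:", infected_core_files(found))
```

Run it on a whole pasted log (both tools' output concatenated is fine, since the three patterns do not overlap) and the two summary functions give the same two action items CatByte lists: the skipped `\Device\Harddisk0\DR0` detection to re-run, and the core files whose replacement has to be checked.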


#5 jimmydiego
  • Topic Starter

  • Members
  • 60 posts

Posted 16 April 2012 - 11:07 AM

I followed your instructions; the files "winlogon", "svchost", and "explorer" didn't change after I renamed them *.bad and refreshed, so I changed them back.

here's the new combo log ( let me know if you need the whole thing ):

ComboFix 12-04-15.02 - jimmy 04/16/2012 8:13.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.447 [GMT -7:00]
Running from: f:\documents and settings\jimmy\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\documents and settings\All Users\Application Data\chwoaaa.tmp
.
f:\windows\system32\winlogon.exe . . . is infected!!
.
f:\windows\system32\svchost.exe . . . is infected!!
.
f:\windows\explorer.exe . . . is infected!!
.

`````````````````````````````````````````````````````````````````````````````````

iexplore.exe is still trying to access websites, malwarebytes is trying to block at a rate of one every two minutes.

I'll watch the task manager;
iexplore will start,
take 60% cpu,
malwarebytes will block, and iexplore will drop off the task manager and reappear lower on the list of processes,
remain at 0% cpu for a minute or two and repeat, reshuffle task manager and try again,
when Malwarebytes doesn't succeed in blocking, the audio ads begin (iexplore goes to 75% cpu)

impossible to end the iexplore.exe process, it just shuffles.

is it possible to kill iexplore (user system) to stop this?
should I stop using this machine? disable internet? I'm keeping a log of the websites iexplore is contacting, is there anything I should do with those IPAs?

edit: "ctrl-alt-delete" no longer works, no matter how many times I press that combo.... nothing...

thanks for the help so far, I'll stick with trying to fix it for now.

~jimmy~

Edited by jimmydiego, 16 April 2012 - 11:13 AM.


#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 16 April 2012 - 05:19 PM

OK

I just realized that you only have SP2. Download and install SP3; that's where we will get our clean files from.

Download it from the following link (it says for IT Pros, but it's what you need).

Once you have installed SP3, then re-run ComboFix and post the resulting log:

http://www.microsoft.com/downloads/details...08-1E1555D4F3D4

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 jimmydiego
  • Topic Starter

  • Members
  • 60 posts

Posted 16 April 2012 - 09:42 PM

I had to delete 4G of files to get the service pack to run, and it took 3 hours.

But I got it to work; I have no free memory space left...

you wanted the log file, here it is :

or not...CONTENT_TOO_LONG

I deleted a couple thousand lines of the log, if you need to see more let me know.

ComboFix 12-04-15.02 - jimmy 04/16/2012 22:03:32.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.314 [GMT -7:00]
Running from: f:\documents and settings\jimmy\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-04-17 03:53 . 2008-04-14 12:41 4255 ------w- f:\windows\system32\drivers\adv01nt5.dll
2012-04-17 03:51 . 2006-12-29 07:31 19569 ----a-w- f:\windows\002570_.tmp
2012-04-17 02:19 . 2006-12-29 07:31 19569 ----a-w- f:\windows\002566_.tmp
2012-04-17 02:12 . 2009-02-09 12:10 617472 ----a-w- f:\windows\system32\advapi32.dll
2012-04-17 02:00 . 2012-04-17 03:48 -------- d-----w- f:\windows\EHome
2012-04-16 14:54 . 2004-08-04 10:00 221184 ----a-w- f:\windows\system32\wmpns.dll
2012-04-15 02:27 . 2012-04-15 02:27 -------- d-----w- f:\documents and settings\jimmy\Application Data\SUPERAntiSpyware.com
2012-04-15 02:26 . 2012-04-15 02:27 -------- d-----w- f:\program files\SUPERAntiSpyware
2012-04-15 02:26 . 2012-04-15 02:26 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-15 02:11 . 2012-04-16 15:08 -------- d-----w- F:\TDSSKiller_Quarantine
2012-04-14 14:24 . 2012-04-14 14:24 -------- d-sh--w- f:\windows\system32\config\systemprofile\PrivacIE
2012-04-14 14:23 . 2012-04-14 14:23 -------- d-sh--w- f:\windows\system32\config\systemprofile\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2011-03-11 17:35 22344 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-01-31 14:46 . 2011-06-18 16:10 414368 -c--a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 00:29 . 2012-01-23 16:17 97208 ----a-w- f:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-04-17_03.21.31 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="f:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SynTPEnh"="f:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-05 1692968]
"BTMeter"="f:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
"IgfxTray"="f:\windows\system32\igfxtray.exe" [2009-01-08 141848]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2009-01-08 166424]
"Persistence"="f:\windows\system32\igfxpers.exe" [2009-01-08 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"Malwarebytes' Anti-Malware"="f:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
f:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - f:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"f:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 EMSC;COMPAL Embedded System Control;f:\windows\system32\drivers\EMSC.sys [7/29/2010 8:32 PM 14248]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;f:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
R2 MBAMService;MBAMService;f:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2011 10:35 AM 654408]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;f:\windows\system32\drivers\CtClsFlt.sys [7/29/2010 9:00 PM 143840]
R3 MBAMProtector;MBAMProtector;f:\windows\system32\drivers\mbam.sys [3/11/2011 10:35 AM 22344]
S3 Ambfilt;Ambfilt;f:\windows\system32\drivers\Ambfilt.sys [8/16/2010 3:22 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;f:\windows\system32\drivers\RtsUStor.sys [7/29/2010 8:28 PM 174592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-17 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-17 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-17 f:\windows\Tasks\ParetoLogic Registration3.job
- f:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-01-28 21:19]
.
2012-04-07 f:\windows\Tasks\ParetoLogic Update Version3.job
- f:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-01-28 21:19]
.
2012-04-17 f:\windows\Tasks\User_Feed_Synchronization-{47A3CF85-1F40-48B9-B8C7-E5252904F0C6}.job
- f:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - f:\documents and settings\jimmy\Application Data\Mozilla\Firefox\Profiles\53svrur2.default\
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.smartwebsearch.net/index.php?form=5&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-16 22:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
f:\program files\SUPERAntiSpyware\SASWINLO.DLL
f:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(408)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-16 22:15:10
ComboFix-quarantined-files.txt 2012-04-17 05:15
ComboFix2.txt 2012-04-17 03:25
ComboFix3.txt 2012-04-16 15:22
ComboFix4.txt 2012-04-16 04:53
.
Pre-Run: 235,675,648 bytes free
Post-Run: 212,721,664 bytes free
.
- - End Of File - - 5665F22F69B40E2907B39C099A94F268

Edited by jimmydiego, 17 April 2012 - 12:37 AM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 17 April 2012 - 03:29 AM

That looks better now; those infected files have been replaced. I hope you had an external hard drive that you could move those extra files to?

Please do the following:
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

NEXT

Please advise if there are any outstanding issues



#9 jimmydiego

jimmydiego
  • Topic Starter

  • Members
  • 60 posts

Posted 17 April 2012 - 05:32 PM

I got jumpy and got a thumb drive to save my music and photos to (should have done that already).

somehow a lot of files got switched around from C: to F: and filled up F:.

but oh well, I can deal with that. the good news is: NO MORE COMMERCIALS!

it looks like I still have some fixes to do but THANKS for the help so far.


MBAM shows all clear,

ESET found a few though:

C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\19\623d3213-2e795355 multiple threats
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\34\11da5462-22a9f440 multiple threats
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\4\40591084-376d825d Java/TrojanDownloader.Agent.NBL trojan
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\40\72b4468-147fe2ce Java/TrojanDownloader.Agent.NBE trojan
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\8\3f5641c8-6c8d84b9 Java/TrojanDownloader.Agent.NBK trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache2956560481558940486.tmp a variant of Java/Exploit.Agent.NAL trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache3721383364803802950.tmp a variant of OSX/Exploit.Smid.D trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache9112198723726528969.tmp multiple threats
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf a variant of PDF/CVE-2010-0188 trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-18\plugin-gimmegirl.pdf PDF/Exploit.Gen trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-2bd4ae23 Java/TrojanDownloader.Agent.NBK trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\21\210921d5-7ba168f8 Java/TrojanDownloader.Agent.NBJ trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\46\67920a2e-3d709f98 Java/TrojanDownloader.Agent.NBM trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-741fc27f Java/TrojanDownloader.Agent.NBL trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\575401da-2899ccaf Java/TrojanDownloader.Agent.NBJ trojan
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9KVLL1SI\www1_realysafe10_co_cc[1].htm HTML/TrojanDownloader.FraudLoad.NAC trojan
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J3D4LZFI\107a700b035e24472458a42c2de52111c1653011511[1].js JS/Fraud.NAB trojan
C:\WINDOWS\system32\drivers\EMSC.sys Win32/Olmarik.ZC trojan
C:\WINDOWS\Temp\jar_cache3275688649501215964.tmp a variant of OSX/Exploit.Smid.D trojan
C:\WINDOWS\Temp\jar_cache440402850636279991.tmp multiple threats
F:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\37\3b2dbbe5-3de24ffb multiple threats
F:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\37\fad8065-6498c8bf Java/TrojanDownloader.Agent.NDR trojan
F:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\7\1c470587-7ca4cd17 Java/Exploit.Agent.NAW trojan
F:\TDSSKiller_Quarantine\14.04.2012_19.09.50\tdlfs0000\tsk0004.dta a variant of Win32/Olmarik.ADZ trojan
F:\TDSSKiller_Quarantine\16.04.2012_08.08.05\tdlfs0000\tsk0004.dta a variant of Win32/Olmarik.ADZ trojan



I think I'm getting close....

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 17 April 2012 - 06:18 PM

Hi,

Please do the following:

Note: Allow ComboFix to update if it asks to do so:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\19\623d3213-2e795355 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\34\11da5462-22a9f440 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\4\40591084-376d825d 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\40\72b4468-147fe2ce 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\8\3f5641c8-6c8d84b9 
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache2956560481558940486.tmp 
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache3721383364803802950.tmp
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache9112198723726528969.tmp
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf 
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-18\plugin-gimmegirl.pdf 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-2bd4ae23 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\21\210921d5-7ba168f8 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\46\67920a2e-3d709f98 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-741fc27f 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\575401da-2899ccaf 
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9KVLL1SI\www1_realysafe10_co_cc[1].htm 
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J3D4LZFI\107a700b035e24472458a42c2de52111c1653011511[1].js 
C:\WINDOWS\system32\drivers\EMSC.sys 
C:\WINDOWS\Temp\jar_cache3275688649501215964.tmp 
C:\WINDOWS\Temp\jar_cache440402850636279991.tmp 
F:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\37\3b2dbbe5-3de24ffb 
F:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\37\fad8065-6498c8bf 
F:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\7\1c470587-7ca4cd17 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT

What version of Java are you running? If it's anything less than version 6 update 31, then you will need to update it:

Your Java is out of date.
Java™ 6 Update 30 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.

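The File:: section above was assembled by hand from the ESET export in #9. The following script automates that step: it parses the export, skips files already sitting in a quarantine folder (as the hand-written script did for the TDSSKiller_Quarantine hits), emits the File:: and ClearJavaCache:: directives, and summarises detections by ESET platform prefix. This is an added example, not code from this thread, from ComboFix or from ESET; the input line format, the QUARANTINE_DIRS list and the sample lines are assumptions modelled on the lines posted in #9.

```python
"""Turn an ESET Online Scanner text export into a ComboFix CFScript.

Added example; not code from this thread, from ComboFix or from ESET.
Assumed input format (modelled on the lines posted in #9):
    <path> <detection name>
where the detection name is "multiple threats" or
"[a variant of ]<Platform/Name> trojan".
"""
import re

# Constructed sample export in that format (values taken from the thread).
SAMPLE_EXPORT = r"""
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\19\623d3213-2e795355 multiple threats
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache2956560481558940486.tmp a variant of Java/Exploit.Agent.NAL trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf a variant of PDF/CVE-2010-0188 trojan
C:\WINDOWS\system32\drivers\EMSC.sys Win32/Olmarik.ZC trojan
F:\TDSSKiller_Quarantine\14.04.2012_19.09.50\tdlfs0000\tsk0004.dta a variant of Win32/Olmarik.ADZ trojan
"""

# Paths contain spaces, so the path is matched lazily and the detection
# name is anchored at the end of the line.
_DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:a variant of\s+)?\S+\s+trojan|multiple threats)\s*$"
)

# Folders that already hold quarantined copies. The hand-written script in
# #10 left the TDSSKiller_Quarantine hits out, since re-submitting contained
# files gains nothing. This list is an assumption; extend it for other tools.
QUARANTINE_DIRS = ("\\TDSSKiller_Quarantine\\",)


def parse_eset_export(lines):
    """Return one dict per non-empty line: {"path": ..., "threat": ...}.

    Lines that do not fit the expected format are kept with threat=None so
    they stay visible for manual review instead of being silently dropped.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _DETECTION_RE.match(line)
        if m is None:
            findings.append({"path": line, "threat": None})
        else:
            findings.append({"path": m.group("path"), "threat": m.group("threat")})
    return findings


def is_quarantined(path):
    """True if the file already sits in a known quarantine folder."""
    lowered = path.lower()
    return any(q.lower() in lowered for q in QUARANTINE_DIRS)


def build_cfscript(findings, clear_java_cache=True):
    """Emit the File:: section (plus ClearJavaCache::) in the form used in #10."""
    paths = []
    for f in findings:
        if f["threat"] is None or is_quarantined(f["path"]):
            continue
        if f["path"] not in paths:  # an export can list the same file twice
            paths.append(f["path"])
    out = ["File::"] + paths
    if clear_java_cache:
        out += ["", "ClearJavaCache::"]
    return "\n".join(out) + "\n"


def threat_families(findings):
    """Count detections by ESET platform prefix (Java, PDF, Win32, ...).

    This separates browser-cache leftovers (Java, PDF, HTML, JS) from hits in
    system locations such as drivers, which deserve a closer look.
    """
    counts = {}
    for f in findings:
        threat = f["threat"]
        if threat is None:
            key = "unparsed"
        elif threat == "multiple threats":
            key = threat
        else:
            key = threat.replace("a variant of ", "").split("/", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_eset_export(SAMPLE_EXPORT.strip().splitlines())
    print(threat_families(found))
    print(build_cfscript(found), end="")
```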


#11 jimmydiego

jimmydiego
  • Topic Starter

  • Members
  • 60 posts

Posted 17 April 2012 - 09:04 PM

updated java.


combofix log:

ComboFix 12-04-15.02 - jimmy 04/17/2012 18:41:02.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.464 [GMT -7:00]
Running from: f:\documents and settings\jimmy\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\jimmy\Desktop\CFScript.txt
* Created a new restore point
.
FILE ::
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\19\623d3213-2e795355"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\34\11da5462-22a9f440"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\4\40591084-376d825d"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\40\72b4468-147fe2ce"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\8\3f5641c8-6c8d84b9"
"c:\documents and settings\jimmy\Local Settings\Temp\jar_cache2956560481558940486.tmp"
"c:\documents and settings\jimmy\Local Settings\Temp\jar_cache3721383364803802950.tmp"
"c:\documents and settings\jimmy\Local Settings\Temp\jar_cache9112198723726528969.tmp"
"c:\documents and settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf"
"c:\documents and settings\jimmy\Local Settings\Temp\plugtmp-18\plugin-gimmegirl.pdf"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-2bd4ae23"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\21\210921d5-7ba168f8"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\46\67920a2e-3d709f98"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-741fc27f"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\575401da-2899ccaf"
"c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9KVLL1SI\www1_realysafe10_co_cc[1].htm"
"c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J3D4LZFI\107a700b035e24472458a42c2de52111c1653011511[1].js"
"c:\windows\system32\drivers\EMSC.sys"
"c:\windows\Temp\jar_cache3275688649501215964.tmp"
"c:\windows\Temp\jar_cache440402850636279991.tmp"
"f:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\37\3b2dbbe5-3de24ffb"
"f:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\37\fad8065-6498c8bf"
"f:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\7\1c470587-7ca4cd17"
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-17 20:28 . 2012-04-17 20:28 -------- d-----w- f:\program files\ESET
2012-04-17 19:17 . 2012-04-17 19:17 -------- d-----w- f:\windows\LastGood
2012-04-17 19:15 . 2012-04-17 19:15 -------- d-----w- f:\program files\MSXML 4.0
2012-04-17 03:53 . 2008-04-14 12:41 4255 ------w- f:\windows\system32\drivers\adv01nt5.dll
2012-04-17 03:51 . 2006-12-29 07:31 19569 ----a-w- f:\windows\002570_.tmp
2012-04-17 02:19 . 2006-12-29 07:31 19569 ----a-w- f:\windows\002566_.tmp
2012-04-17 02:12 . 2009-02-09 12:10 617472 ----a-w- f:\windows\system32\advapi32.dll
2012-04-17 02:00 . 2012-04-17 03:48 -------- d-----w- f:\windows\EHome
2012-04-16 14:54 . 2004-08-04 10:00 221184 ----a-w- f:\windows\system32\wmpns.dll
2012-04-15 02:27 . 2012-04-15 02:27 -------- d-----w- f:\documents and settings\jimmy\Application Data\SUPERAntiSpyware.com
2012-04-15 02:26 . 2012-04-15 02:27 -------- d-----w- f:\program files\SUPERAntiSpyware
2012-04-15 02:26 . 2012-04-15 02:26 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-15 02:11 . 2012-04-16 15:08 -------- d-----w- F:\TDSSKiller_Quarantine
2012-04-14 14:24 . 2012-04-14 14:24 -------- d-sh--w- f:\windows\system32\config\systemprofile\PrivacIE
2012-04-14 14:23 . 2012-04-14 14:23 -------- d-sh--w- f:\windows\system32\config\systemprofile\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2011-03-11 17:35 22344 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-01-31 14:46 . 2011-06-18 16:10 414368 -c--a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 00:29 . 2012-01-23 16:17 97208 ----a-w- f:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-04-17_05.12.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-17 19:14 . 2012-04-17 19:14 16384 f:\windows\Temp\Perflib_Perfdata_700.dat
- 2004-08-04 10:00 . 2012-04-17 05:03 40394 f:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2012-04-17 19:18 40394 f:\windows\system32\perfc009.dat
+ 2012-04-17 19:15 . 2012-04-17 19:15 32768 f:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2004-08-04 10:00 . 2012-04-17 05:03 312172 f:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2012-04-17 19:18 312172 f:\windows\system32\perfh009.dat
+ 2012-04-17 19:15 . 2012-04-17 19:15 429568 f:\windows\Installer\1fdcc.msi
+ 2009-07-21 07:03 . 2009-07-21 07:03 1348432 f:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2009-07-21 07:05 . 2009-07-21 07:05 1348432 f:\windows\system32\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="f:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SynTPEnh"="f:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-05 1692968]
"BTMeter"="f:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
"IgfxTray"="f:\windows\system32\igfxtray.exe" [2009-01-08 141848]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2009-01-08 166424]
"Persistence"="f:\windows\system32\igfxpers.exe" [2009-01-08 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"Malwarebytes' Anti-Malware"="f:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
f:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - f:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"f:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 EMSC;COMPAL Embedded System Control;f:\windows\system32\drivers\EMSC.sys [7/29/2010 8:32 PM 14248]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;f:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 MBAMService;MBAMService;f:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2011 10:35 AM 654408]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;f:\windows\system32\drivers\CtClsFlt.sys [7/29/2010 9:00 PM 143840]
R3 MBAMProtector;MBAMProtector;f:\windows\system32\drivers\mbam.sys [3/11/2011 10:35 AM 22344]
S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
S3 Ambfilt;Ambfilt;f:\windows\system32\drivers\Ambfilt.sys [8/16/2010 3:22 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;f:\windows\system32\drivers\RtsUStor.sys [7/29/2010 8:28 PM 174592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-17 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-18 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-18 f:\windows\Tasks\ParetoLogic Registration3.job
- f:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-01-28 21:19]
.
2012-04-07 f:\windows\Tasks\ParetoLogic Update Version3.job
- f:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-01-28 21:19]
.
2012-04-18 f:\windows\Tasks\User_Feed_Synchronization-{47A3CF85-1F40-48B9-B8C7-E5252904F0C6}.job
- f:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - f:\documents and settings\jimmy\Application Data\Mozilla\Firefox\Profiles\53svrur2.default\
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.smartwebsearch.net/index.php?form=5&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-17 18:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
f:\program files\SUPERAntiSpyware\SASWINLO.DLL
f:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3256)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-17 18:51:49
ComboFix-quarantined-files.txt 2012-04-18 01:51
ComboFix2.txt 2012-04-17 05:15
ComboFix3.txt 2012-04-17 03:25
ComboFix4.txt 2012-04-16 15:22
ComboFix5.txt 2012-04-18 01:39
.
Pre-Run: 2,092,834,816 bytes free
Post-Run: 2,114,510,848 bytes free
.
- - End Of File - - B91B9CEBF061AC8BD1E752C5EA4F62F4




thanks for the clear instructions.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 April 2012 - 06:36 AM

Hi, can you please re-run that ESET online scan again.

If you have moved your files to an external hard drive, you may want to have that plugged in and include it in the scan in case any of them are infected.

(Make sure you "uncheck" to quarantine what it finds, as it does find false positives.)



#13 jimmydiego

jimmydiego
  • Topic Starter

  • Members
  • 60 posts

Posted 18 April 2012 - 07:41 PM

eset 4-18

C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\19\623d3213-2e795355 multiple threats
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\34\11da5462-22a9f440 multiple threats
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\4\40591084-376d825d Java/TrojanDownloader.Agent.NBL trojan
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\40\72b4468-147fe2ce Java/TrojanDownloader.Agent.NBE trojan
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\8\3f5641c8-6c8d84b9 Java/TrojanDownloader.Agent.NBK trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache2956560481558940486.tmp a variant of Java/Exploit.Agent.NAL trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache3721383364803802950.tmp a variant of OSX/Exploit.Smid.D trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache9112198723726528969.tmp multiple threats
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf a variant of PDF/CVE-2010-0188 trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-18\plugin-gimmegirl.pdf PDF/Exploit.Gen trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-2bd4ae23 Java/TrojanDownloader.Agent.NBK trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\21\210921d5-7ba168f8 Java/TrojanDownloader.Agent.NBJ trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\46\67920a2e-3d709f98 Java/TrojanDownloader.Agent.NBM trojan
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-741fc27f Java/TrojanDownloader.Agent.NBL trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\575401da-2899ccaf Java/TrojanDownloader.Agent.NBJ trojan
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9KVLL1SI\www1_realysafe10_co_cc[1].htm HTML/TrojanDownloader.FraudLoad.NAC trojan
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J3D4LZFI\107a700b035e24472458a42c2de52111c1653011511[1].js JS/Fraud.NAB trojan
C:\WINDOWS\system32\drivers\EMSC.sys Win32/Olmarik.ZC trojan
C:\WINDOWS\Temp\jar_cache3275688649501215964.tmp a variant of OSX/Exploit.Smid.D trojan
C:\WINDOWS\Temp\jar_cache440402850636279991.tmp multiple threats
F:\TDSSKiller_Quarantine\14.04.2012_19.09.50\tdlfs0000\tsk0004.dta a variant of Win32/Olmarik.ADZ trojan
F:\TDSSKiller_Quarantine\16.04.2012_08.08.05\tdlfs0000\tsk0004.dta a variant of Win32/Olmarik.ADZ trojan

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:47 PM

Posted 18 April 2012 - 07:56 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic450184.html/page__pid__2669268

Collect::
C:\WINDOWS\system32\drivers\EMSC.sys

File::
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\19\623d3213-2e795355 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\34\11da5462-22a9f440 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\4\40591084-376d825d 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\40\72b4468-147fe2ce 
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\8\3f5641c8-6c8d84b9 
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache2956560481558940486.tmp 
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache3721383364803802950.tmp 
C:\Documents and Settings\jimmy\Local Settings\Temp\jar_cache9112198723726528969.tmp 
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf 
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-18\plugin-gimmegirl.pdf 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-2bd4ae23 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\21\210921d5-7ba168f8 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\46\67920a2e-3d709f98 
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-741fc27f 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\575401da-2899ccaf 
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9KVLL1SI\www1_realysafe10_co_cc[1].htm 
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J3D4LZFI\107a700b035e24472458a42c2de52111c1653011511[1].js 
C:\WINDOWS\Temp\jar_cache3275688649501215964.tmp 
C:\WINDOWS\Temp\jar_cache440402850636279991.tmp

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


Please advise if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
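The ESET results in post #13 and the CFScript built from them in post #14 follow a fixed pattern: the detected kernel driver (EMSC.sys) goes under Collect:: so a copy is zipped and uploaded for analysis instead of just being deleted, every other hit goes under File::, and ClearJavaCache:: is added because the Java Deployment cache held the exploit payloads. The Python script below is an added example for this thread, not code from BleepingComputer, ESET or the ComboFix author; it parses ESET's "path detection" log lines and emits a CFScript with those same sections. The sample log lines are constructed from four of the paths reported above, and the function names and the driver-classification rule are this example's own choices.

```python
"""Turn ESET Online Scanner results into a ComboFix CFScript.

Added example for this thread; it is not code from BleepingComputer, ESET or
the ComboFix author. It reproduces the triage done by hand in post #14:
a detected kernel driver goes under Collect:: (kept for analysis rather than
simply deleted), every other hit goes under File::, and ClearJavaCache:: is
added when the Java Deployment cache is involved. Function names and the
classification rule are this example's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in ESET's "<path> <detection>" log format, using four of
# the paths reported in post #13.
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\4\40591084-376d825d Java/TrojanDownloader.Agent.NBL trojan
C:\Documents and Settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf a variant of PDF/CVE-2010-0188 trojan
C:\WINDOWS\system32\drivers\EMSC.sys Win32/Olmarik.ZC trojan
C:\WINDOWS\Temp\jar_cache440402850636279991.tmp multiple threats
""".strip()

# Paths contain spaces ("Documents and Settings"), so the split point is found
# from the right: ESET's detection text is either "multiple threats" or an
# optional "a variant of " followed by a Platform/Family.Variant token and a
# type word such as "trojan". A forward slash never occurs in a Windows path,
# which is what makes the family token unambiguous.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:a variant of )?[^\s/]+/\S+ \w+|multiple threats)$"
)

# Lower-cased fragment that identifies the Java Deployment cache.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_eset_log(text: str) -> List[Tuple[str, str]]:
    """Return (path, detection) pairs, one per non-empty log line."""
    hits: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DETECTION_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised ESET log line: {line!r}")
        hits.append((match.group("path"), match.group("detection")))
    return hits


def classify(path: str) -> str:
    """'collect' for kernel drivers (keep a copy for analysis), else 'file'."""
    low = path.lower()
    if "\\drivers\\" in low and low.endswith(".sys"):
        return "collect"
    return "file"


def summarize(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count hits per platform prefix (Java, PDF, Win32, ...), which shows the
    chain from browser plug-in exploits to the dropped driver at a glance."""
    counts: Dict[str, int] = {}
    for _, detection in hits:
        if detection == "multiple threats":
            key = "multiple threats"
        else:
            family = detection.replace("a variant of ", "", 1).split(" ")[0]
            key = family.split("/", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_cfscript(eset_log: str, thread_url: str) -> str:
    """Emit a CFScript with the same sections as the one in post #14."""
    hits = parse_eset_log(eset_log)
    collect = [p for p, _ in hits if classify(p) == "collect"]
    files = [p for p, _ in hits if classify(p) == "file"]
    lines: List[str] = [thread_url, ""]
    if collect:
        lines += ["Collect::", *collect, ""]
    if files:
        lines += ["File::", *files, ""]
    if any(JAVA_CACHE_MARKER in p.lower() for p, _ in hits):
        lines += ["ClearJavaCache::", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_eset_log(SAMPLE_ESET_LOG)))
    print(build_cfscript(
        SAMPLE_ESET_LOG,
        "http://www.bleepingcomputer.com/forums/topic450184.html/page__pid__2669268",
    ))
```

The output is meant to be reviewed, not applied blindly: the driver rule only catches files under a drivers folder ending in .sys, and anything the regex does not recognise raises instead of being silently dropped, so an unusual ESET line is noticed rather than lost from the script.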


#15 jimmydiego

jimmydiego
  • Topic Starter

  • Members
  • 60 posts
  • Local time:05:47 PM

Posted 18 April 2012 - 10:28 PM

ComboFix 12-04-15.02 - jimmy 04/18/2012 20:07:13.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.477 [GMT -7:00]
Running from: f:\documents and settings\jimmy\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\jimmy\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\19\623d3213-2e795355"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\34\11da5462-22a9f440"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\4\40591084-376d825d"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\40\72b4468-147fe2ce"
"c:\documents and settings\jimmy\Application Data\Sun\Java\Deployment\cache\6.0\8\3f5641c8-6c8d84b9"
"c:\documents and settings\jimmy\Local Settings\Temp\jar_cache2956560481558940486.tmp"
"c:\documents and settings\jimmy\Local Settings\Temp\jar_cache3721383364803802950.tmp"
"c:\documents and settings\jimmy\Local Settings\Temp\jar_cache9112198723726528969.tmp"
"c:\documents and settings\jimmy\Local Settings\Temp\plugtmp-17\plugin-libtiff.pdf"
"c:\documents and settings\jimmy\Local Settings\Temp\plugtmp-18\plugin-gimmegirl.pdf"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-2bd4ae23"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\21\210921d5-7ba168f8"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\46\67920a2e-3d709f98"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\43e0867f-741fc27f"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\575401da-2899ccaf"
"c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9KVLL1SI\www1_realysafe10_co_cc[1].htm"
"c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J3D4LZFI\107a700b035e24472458a42c2de52111c1653011511[1].js"
"c:\windows\Temp\jar_cache3275688649501215964.tmp"
"c:\windows\Temp\jar_cache440402850636279991.tmp"
.
file zipped: c:\windows\system32\drivers\EMSC.sys
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\windows\system32\SETD4.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
.
.
2012-04-18 02:02 . 2012-04-18 02:02 -------- d-----w- f:\program files\Common Files\Java
2012-04-18 01:59 . 2012-04-18 01:59 73728 ----a-w- f:\windows\system32\javacpl.cpl
2012-04-17 20:28 . 2012-04-17 20:28 -------- d-----w- f:\program files\ESET
2012-04-17 19:27 . 2010-09-18 06:53 953856 -c----w- f:\windows\system32\dllcache\mfc40u.dll
2012-04-17 19:26 . 2010-08-23 16:12 617472 -c----w- f:\windows\system32\dllcache\comctl32.dll
2012-04-17 19:23 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys
2012-04-17 19:22 . 2012-01-11 19:06 3072 -c----w- f:\windows\system32\dllcache\iacenc.dll
2012-04-17 19:22 . 2012-01-11 19:06 3072 ------w- f:\windows\system32\iacenc.dll
2012-04-17 19:19 . 2011-07-08 14:02 10496 -c----w- f:\windows\system32\dllcache\ndistapi.sys
2012-04-17 19:17 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe
2012-04-17 19:15 . 2012-04-17 19:15 -------- d-----w- f:\program files\MSXML 4.0
2012-04-17 03:53 . 2008-04-14 12:41 4255 ------w- f:\windows\system32\drivers\adv01nt5.dll
2012-04-17 03:51 . 2006-12-29 07:31 19569 ----a-w- f:\windows\002570_.tmp
2012-04-17 02:19 . 2006-12-29 07:31 19569 ----a-w- f:\windows\002566_.tmp
2012-04-17 02:12 . 2009-02-09 12:10 617472 ----a-w- f:\windows\system32\advapi32.dll
2012-04-17 02:00 . 2012-04-17 03:48 -------- d-----w- f:\windows\EHome
2012-04-16 14:54 . 2004-08-04 10:00 221184 ----a-w- f:\windows\system32\wmpns.dll
2012-04-15 02:27 . 2012-04-15 02:27 -------- d-----w- f:\documents and settings\jimmy\Application Data\SUPERAntiSpyware.com
2012-04-15 02:26 . 2012-04-15 02:27 -------- d-----w- f:\program files\SUPERAntiSpyware
2012-04-15 02:26 . 2012-04-15 02:26 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-15 02:11 . 2012-04-16 15:08 -------- d-----w- F:\TDSSKiller_Quarantine
2012-04-14 14:24 . 2012-04-14 14:24 -------- d-sh--w- f:\windows\system32\config\systemprofile\PrivacIE
2012-04-14 14:23 . 2012-04-14 14:23 -------- d-sh--w- f:\windows\system32\config\systemprofile\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-18 01:59 . 2012-01-07 03:03 472808 ----a-w- f:\windows\system32\deployJava1.dll
2012-04-04 22:56 . 2011-03-11 17:35 22344 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-03-01 11:01 . 2006-03-04 03:33 916992 ----a-w- f:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 10:00 43520 ----a-w- f:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 10:00 1469440 ------w- f:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 10:00 177664 ----a-w- f:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-04 10:00 385024 ----a-w- f:\windows\system32\html.iec
2012-01-31 14:46 . 2011-06-18 16:10 414368 -c--a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 00:29 . 2012-01-23 16:17 97208 ----a-w- f:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="f:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SynTPEnh"="f:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-05 1692968]
"BTMeter"="f:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
"IgfxTray"="f:\windows\system32\igfxtray.exe" [2009-01-08 141848]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2009-01-08 166424]
"Persistence"="f:\windows\system32\igfxpers.exe" [2009-01-08 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"Malwarebytes' Anti-Malware"="f:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
f:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - f:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"f:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 EMSC;COMPAL Embedded System Control;f:\windows\system32\drivers\EMSC.sys [7/29/2010 8:32 PM 14248]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;f:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 MBAMService;MBAMService;f:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/11/2011 10:35 AM 654408]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;f:\windows\system32\drivers\CtClsFlt.sys [7/29/2010 9:00 PM 143840]
R3 MBAMProtector;MBAMProtector;f:\windows\system32\drivers\mbam.sys [3/11/2011 10:35 AM 22344]
S2 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
S3 Ambfilt;Ambfilt;f:\windows\system32\drivers\Ambfilt.sys [8/16/2010 3:22 PM 1684736]
S3 CFcatchme;CFcatchme;\??\f:\docume~1\jimmy\LOCALS~1\Temp\CFcatchme.sys --> f:\docume~1\jimmy\LOCALS~1\Temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);f:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 6:16 AM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> f:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;f:\windows\system32\drivers\RtsUStor.sys [7/29/2010 8:28 PM 174592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-19 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 13:16]
.
2012-04-19 f:\windows\Tasks\ParetoLogic Registration3.job
- f:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-01-28 21:19]
.
2012-04-07 f:\windows\Tasks\ParetoLogic Update Version3.job
- f:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-01-28 21:19]
.
2012-04-19 f:\windows\Tasks\User_Feed_Synchronization-{47A3CF85-1F40-48B9-B8C7-E5252904F0C6}.job
- f:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - f:\documents and settings\jimmy\Application Data\Mozilla\Firefox\Profiles\53svrur2.default\
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.smartwebsearch.net/index.php?form=5&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-18 20:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,06,20,ff,f6,c9,56,49,a8,cf,c9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
f:\program files\SUPERAntiSpyware\SASWINLO.DLL
f:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3864)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\System32\WLTRYSVC.EXE
f:\windows\System32\bcmwltry.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\system32\wscntfy.exe
f:\windows\RTHDCPL.EXE
f:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2012-04-18 20:24:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-19 03:24
ComboFix2.txt 2012-04-18 01:51
ComboFix3.txt 2012-04-17 05:15
ComboFix4.txt 2012-04-17 03:25
ComboFix5.txt 2012-04-19 03:05
.
Pre-Run: 1,265,205,248 bytes free
Post-Run: 1,578,987,520 bytes free
.
- - End Of File - - D6AA193004B23692E29B7E626DEBB36B
Upload was successful



