
Another Celas infection


16 replies to this topic

#1 GalwayColm

Posted 22 May 2012 - 08:20 AM

Mod Edit: Split from http://www.bleepingcomputer.com/forums/topic454394.html/page__p__2707116#entry2707116 - Hamluis.


I seem to be infected with the same virus, Elise.
I'm going to try what you suggested there and will post my results to you.
Is this OK?

Regards,

Colm

Edited by Elise, 22 May 2012 - 08:48 AM.



#2 GalwayColm


Posted 22 May 2012 - 08:45 AM

Here is the resulting enum.log

49.3M May 22 13:24 /mnt/sda1/Windows/System32/config/SOFTWARE
22.3M May 22 13:35 /mnt/sda1/Windows/System32/config/SYSTEM


Regards,
Colm

#3 Elise


Posted 22 May 2012 - 08:48 AM

Hello, please let me know what Windows version you are running.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#4 GalwayColm


Posted 22 May 2012 - 08:59 AM

I think it's Windows Vista.

#5 Elise


Posted 22 May 2012 - 09:06 AM

Do you have your Windows DVD? If not, start your computer and tap F8 until the advanced boot options menu comes up. Please see if the option "Repair Windows" shows up.

regards, Elise




#6 GalwayColm


Posted 22 May 2012 - 09:08 AM

I don't have my Windows DVD, but Repair Windows comes up. Just entering it now.

#7 Elise


Posted 22 May 2012 - 09:11 AM

Okay, once there, do the following:

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

regards, Elise




#8 GalwayColm


Posted 22 May 2012 - 09:11 AM

Yes, it is Windows Vista, and it actually says Repair Computer. Then, when I enter that, it enters into System Recovery.

Regards,

colm

#9 GalwayColm


Posted 22 May 2012 - 09:14 AM

How do I know if I'm 32 or 64, Elise?

It says in System Recovery Options "Recovery Manager 32bits". Does that mean it's 32?

Regards,

Colm

#10 GalwayColm


Posted 22 May 2012 - 09:26 AM

Hi Elise,

The following are the results of the scan:

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 20-05-2012
Ran by SYSTEM at 22-05-2012 15:23:09
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet003

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-17] (Synaptics, Inc.)
HKLM\...\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0" [222504 2007-12-24] (CyberLink Corp.)
HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [468264 2008-06-11] (CyberLink Corp.)
HKLM\...\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [51048 2008-10-16] (Symantec Corporation)
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [202032 2008-05-12] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [80896 2007-08-22] (Hewlett-Packard)
HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [70912 2008-04-15] (Hewlett-Packard)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [246504 2010-01-11] (Sun Microsystems, Inc.)
HKLM\...\Run: [LXCCCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16 [73728 2007-02-21] ()
HKLM\...\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [205744 2007-05-10] (Lexmark International, Inc.)
HKLM\...\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe" [139944 2009-08-10] ()
HKLM\...\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe" [766632 2009-08-10] ()
HKLM\...\Run: [Lexmark S300-S400 Series Fax Server] "C:\Program Files\Lexmark S300-S400 Series\fm3032.exe" /s [316072 2009-08-10] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2009-12-18] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot [274608 2010-11-29] (RealNetworks, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-11-17] (Apple Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKU\Colm Daly\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Colm Daly\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-08] (Google Inc.)
HKU\Colm Daly\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Colm Daly\...\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized [21633320 2008-11-17] (Skype Technologies S.A.)
HKU\Colm Daly\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Colm Daly\...\Run: [mnumsg.exe] C:\Program Files\MyShoppingGenie\mnumsg.exe [681312 2010-06-08] (MyNetUniverse Inc.)
HKU\DC Security\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-08] (Google Inc.)
HKU\DC Security\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKU\DC Security\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\user\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-08] (Google Inc.)
HKU\user\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\user\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKU\Colm Daly\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Colm Daly\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-08] (Google Inc.)
HKU\Colm Daly\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Colm Daly\...\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized [21633320 2008-11-17] (Skype Technologies S.A.)
HKU\Colm Daly\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Colm Daly\...\Run: [mnumsg.exe] C:\Program Files\MyShoppingGenie\mnumsg.exe [681312 2010-06-08] (MyNetUniverse Inc.)
HKU\DC Security\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-08] (Google Inc.)
HKU\DC Security\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKU\DC Security\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\user\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-08] (Google Inc.)
HKU\user\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\user\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-08-02] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] C:\Windows\Temp\usbvro\setup.exe [x ] ()
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\xromnop: C:\Windows\system32\config\systemprofile\AppData\Local\xromnop.dll [X]
Tcpip\Parameters: [DhcpNameServer] 89.101.160.5 89.101.160.4

================================ Services (Whitelisted) ==================

2 AMService; C:\Windows\TEMP\giysxe\setup.exe run [45568 2012-05-14] ()
3 GameConsoleService; "C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [181800 2007-07-23] (WildTangent, Inc.)
2 lxcc_device; C:\Windows\system32\lxcccoms.exe -service [537520 2007-03-25] ( )
2 lxeaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [98984 2009-07-29] (Lexmark International, Inc.)
2 lxea_device; C:\Windows\system32\lxeacoms.exe -service [602792 2009-07-29] ( )
2 palmusbd; C:\Windows\System32\MegaSR.dll [5632 2008-01-20] (Oak Technology Inc.)
2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-04-26] ()
2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [272024 2007-01-09] ()
2 SLService; slserv.exe [57344 2005-03-22] ( )
3 Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [1245064 2008-08-02] ()
2 symids; \\.\globalrootC:\Windows\system32\svchost.exe -k netsvcs [21504 2008-01-20] (Microsoft Corporation)
2 TeamViewer7; C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe [3027840 2012-01-19] (TeamViewer GmbH)
2 Automatic LiveUpdate Scheduler; "c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" [x]
2 ccEvtMgr; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
2 ccSetMgr; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
3 comHost; "c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" [x]
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
3 LiveUpdate; "c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE" [x]
2 LiveUpdate Notice; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
3 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 BCM43XV; C:\Windows\System32\DRIVERS\bcmwl6.sys [464384 2006-11-01] (Broadcom Corporation)
3 COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [23888 2008-07-29] (Symantec Corporation)
2 CO_Mon; \??\C:\Windows\system32\drivers\CO_Mon.sys [36056 2007-08-08] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2009-02-25] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [101936 2009-02-25] (Symantec Corporation)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2008-01-20] (Conexant Systems, Inc.)
3 hwdatacard; C:\Windows\System32\DRIVERS\ewusbmdm.sys [101504 2007-08-24] (Huawei Technologies Co., Ltd.)
1 IDSvix86; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090303.002\IDSvix86.sys [270384 2009-01-02] (Symantec Corporation)
3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [113664 2008-06-04] (Intel® Corporation)
3 Mtlmnt5; C:\Windows\System32\DRIVERS\SLDRV\Mtlmnt5.sys [229848 2005-03-22] ( )
3 Mtlstrm; C:\Windows\System32\DRIVERS\SLDRV\Mtlstrm.sys [1397136 2005-03-22] ( )
3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090307.022\NAVENG.SYS [89104 2009-02-19] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090307.022\NAVEX15.SYS [876144 2009-02-19] (Symantec Corporation)
1 netbt; C:\Windows\System32\DRIVERS\netbt.sys [184320 2008-01-20] ()
3 NVENETFD; C:\Windows\System32\DRIVERS\nvm60x32.sys [429056 2006-11-01] (NVIDIA Corporation)
0 RecAgent; C:\Windows\System32\DRIVERS\SLDRV\RecAgent.sys [14648 2005-03-22] ( )
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh86.sys [123904 2008-06-10] (Realtek Corporation )
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR.SYS [62464 2008-06-05] (Realtek Semiconductor Corp.)
3 Slnt7554; C:\Windows\System32\DRIVERS\SLDRV\slnt7554.sys [225280 2005-03-22] ( )
3 SlNtHal; C:\Windows\System32\DRIVERS\SLDRV\Slnthal.sys [101328 2005-03-22] ( )
3 SlWdmSup; C:\Windows\System32\DRIVERS\SLDRV\SlWdmSup.sys [13280 2005-03-22] ( )
1 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [447024 2008-09-04] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [279088 2008-01-31] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2008-01-31] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2008-01-31] (Symantec Corporation)
3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [13616 2009-02-18] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124464 2009-01-12] (Symantec Corporation)
3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [96560 2009-02-18] (Symantec Corporation)
1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [24112 2009-02-18] (Symantec Corporation)
3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [41008 2009-02-18] (Symantec Corporation)
3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [22320 2009-02-18] (Symantec Corporation)
1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [184496 2009-02-18] (Symantec Corporation)
3 .cdrom; \? [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
2 wuaserv; [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: palmusbd

============ One Month Created Files and Folders ==============

2012-05-22 15:22 - 2012-05-22 15:22 - 0000000 ____D C:\FRST
2012-05-22 04:29 - 2012-05-22 05:34 - 2075336704 __ASH C:\hiberfil.sys
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Users\Public\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Users\All Users\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Documents and Settings\Public\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Documents and Settings\All Users\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-17 04:16 - 2012-05-22 02:14 - 0000000 ____D C:\Program Files\CdPlayBack
2012-05-17 04:06 - 2012-05-17 04:06 - 0000833 ____A C:\Users\All Users\Start Menu\Programs\Startup\EventLogger.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000833 ____A C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EventLogger.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Users\Public\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Users\All Users\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Documents and Settings\Public\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Documents and Settings\All Users\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000000 ____D C:\Program Files\JM Integrated Remote Station
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Users\Colm Daly\Application Data\InstallShield
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Users\Colm Daly\AppData\Roaming\InstallShield
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Documents and Settings\Colm Daly\Application Data\InstallShield
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Documents and Settings\Colm Daly\AppData\Roaming\InstallShield
2012-05-15 11:21 - 2012-05-15 10:45 - 0026675 ____A C:\Users\Colm Daly\Desktop\lp.jpg
2012-05-15 11:21 - 2012-05-15 10:45 - 0026675 ____A C:\Documents and Settings\Colm Daly\Desktop\lp.jpg
2012-05-09 00:49 - 2012-05-21 01:04 - 0000342 ____A C:\Windows\Tasks\At35.job
2012-05-09 00:49 - 2012-05-18 02:00 - 0000342 ____A C:\Windows\Tasks\At36.job
2012-05-09 00:49 - 2012-05-18 02:00 - 0000340 ____A C:\Windows\Tasks\At12.job
2012-05-09 00:49 - 2012-05-18 01:02 - 0000340 ____A C:\Windows\Tasks\At11.job
2012-05-09 00:49 - 2012-05-18 00:13 - 0000342 ____A C:\Windows\Tasks\At34.job
2012-05-09 00:49 - 2012-05-18 00:13 - 0000340 ____A C:\Windows\Tasks\At23.job
2012-05-09 00:49 - 2012-05-18 00:08 - 0000342 ____A C:\Windows\Tasks\At44.job
2012-05-09 00:49 - 2012-05-18 00:08 - 0000342 ____A C:\Windows\Tasks\At33.job
2012-05-09 00:49 - 2012-05-17 04:03 - 0000340 ____A C:\Windows\Tasks\At14.job
2012-05-09 00:49 - 2012-05-17 04:01 - 0000342 ____A C:\Windows\Tasks\At38.job
2012-05-09 00:49 - 2012-05-17 03:04 - 0000340 ____A C:\Windows\Tasks\At13.job
2012-05-09 00:49 - 2012-05-17 03:00 - 0000342 ____A C:\Windows\Tasks\At37.job
2012-05-09 00:49 - 2012-05-16 00:00 - 0000340 ____A C:\Windows\Tasks\At10.job
2012-05-09 00:49 - 2012-05-15 13:00 - 0000342 ____A C:\Windows\Tasks\At47.job
2012-05-09 00:49 - 2012-05-15 12:00 - 0000342 ____A C:\Windows\Tasks\At46.job
2012-05-09 00:49 - 2012-05-15 12:00 - 0000340 ____A C:\Windows\Tasks\At22.job
2012-05-09 00:49 - 2012-05-15 11:00 - 0000342 ____A C:\Windows\Tasks\At45.job
2012-05-09 00:49 - 2012-05-15 11:00 - 0000340 ____A C:\Windows\Tasks\At21.job
2012-05-09 00:49 - 2012-05-14 23:00 - 0000340 ____A C:\Windows\Tasks\At9.job
2012-05-09 00:49 - 2012-05-14 22:00 - 0000342 ____A C:\Windows\Tasks\At32.job
2012-05-09 00:49 - 2012-05-14 22:00 - 0000340 ____A C:\Windows\Tasks\At8.job
2012-05-09 00:49 - 2012-05-14 21:03 - 0000342 ____A C:\Windows\Tasks\At31.job
2012-05-09 00:49 - 2012-05-14 21:00 - 0000340 ____A C:\Windows\Tasks\At7.job
2012-05-09 00:49 - 2012-05-14 20:02 - 0000342 ____A C:\Windows\Tasks\At30.job
2012-05-09 00:49 - 2012-05-14 20:02 - 0000340 ____A C:\Windows\Tasks\At6.job
2012-05-09 00:49 - 2012-05-14 19:00 - 0000342 ____A C:\Windows\Tasks\At29.job
2012-05-09 00:49 - 2012-05-14 19:00 - 0000340 ____A C:\Windows\Tasks\At5.job
2012-05-09 00:49 - 2012-05-14 14:00 - 0000342 ____A C:\Windows\Tasks\At48.job
2012-05-09 00:49 - 2012-05-14 14:00 - 0000340 ____A C:\Windows\Tasks\At24.job
2012-05-09 00:49 - 2012-05-14 10:00 - 0000340 ____A C:\Windows\Tasks\At20.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At43.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At42.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At41.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At40.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At39.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At28.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At27.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At26.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At25.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At4.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At3.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At2.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At19.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At18.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At17.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At16.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At15.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At1.job
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\Application Data\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\Application Data\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\ProgramData\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\ProgramData\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\Application Data\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\Application Data\h0360288.exe
2012-04-30 00:57 - 2012-05-22 05:35 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd

============ 3 Months Modified Files and Folders ===============

2012-05-22 15:22 - 2012-05-22 15:22 - 0000000 ____D C:\FRST
2012-05-22 12:30 - 2008-01-20 18:25 - 0066560 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\smb.sys
2012-05-22 05:35 - 2006-11-02 04:47 - 0004784 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-22 05:35 - 2006-11-02 04:47 - 0004784 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-22 05:34 - 2012-05-22 04:29 - 2075336704 __ASH C:\hiberfil.sys
2012-05-22 05:24 - 2008-10-22 16:35 - 1716188 ____A C:\Windows\WindowsUpdate.log
2012-05-22 05:20 - 2010-10-09 03:35 - 0000430 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{233D2421-B65E-4DC9-AE1F-D520AFA3A7BA}.job
2012-05-22 05:20 - 2009-01-23 15:29 - 0000416 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{4737A32E-5B38-441F-86C8-35D55FA0A76D}.job
2012-05-22 05:13 - 2012-04-30 00:57 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-05-22 05:13 - 2010-01-31 10:15 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-05-22 05:13 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-22 05:13 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\LogFiles
2012-05-22 04:07 - 2009-07-04 02:23 - 1488392 ____A C:\Windows\ntbtlog.txt
2012-05-22 03:13 - 2010-01-31 10:15 - 0000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-05-22 03:13 - 2006-11-02 02:33 - 0773076 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-22 02:29 - 2006-11-02 05:01 - 0032544 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-22 02:17 - 2010-11-29 12:05 - 0001931 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-05-22 02:17 - 2010-11-29 12:05 - 0001931 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
2012-05-22 02:17 - 2010-11-29 12:05 - 0001931 ____A C:\Documents and Settings\Public\Desktop\Google Chrome.lnk
2012-05-22 02:17 - 2010-11-29 12:05 - 0001931 ____A C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Users\Public\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Users\All Users\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Documents and Settings\Public\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-22 02:14 - 2012-05-22 02:14 - 0000611 ____A C:\Documents and Settings\All Users\Desktop\CD-R BACKUP PLAYER.lnk
2012-05-22 02:14 - 2012-05-17 04:16 - 0000000 ____D C:\Program Files\CdPlayBack
2012-05-22 02:14 - 2008-08-02 10:11 - 0000000 ___HD C:\Program Files\InstallShield Installation Information
2012-05-22 02:11 - 2011-08-19 05:05 - 0000000 ____D C:\Users\Colm Daly\Desktop\CCTV
2012-05-22 02:11 - 2011-08-19 05:05 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\CCTV
2012-05-22 02:05 - 2009-08-05 07:55 - 0000000 ____D C:\Users\Colm Daly\Desktop\security
2012-05-22 02:05 - 2009-08-05 07:55 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\security
2012-05-21 01:06 - 2010-05-26 08:38 - 0028578 ____A C:\Users\All Users\lxeascan.log
2012-05-21 01:06 - 2010-05-26 08:38 - 0028578 ____A C:\Users\All Users\Application Data\lxeascan.log
2012-05-21 01:06 - 2010-05-26 08:38 - 0028578 ____A C:\ProgramData\lxeascan.log
2012-05-21 01:06 - 2010-05-26 08:38 - 0028578 ____A C:\Documents and Settings\All Users\lxeascan.log
2012-05-21 01:06 - 2010-05-26 08:38 - 0028578 ____A C:\Documents and Settings\All Users\Application Data\lxeascan.log
2012-05-21 01:06 - 2009-03-10 09:43 - 0000000 ____D C:\Users\Colm Daly\Tracing
2012-05-21 01:06 - 2009-03-10 09:43 - 0000000 ____D C:\Documents and Settings\Colm Daly\Tracing
2012-05-21 01:05 - 2008-10-22 17:20 - 0000288 ____A C:\Users\Public\Documents\hpqp.ini
2012-05-21 01:05 - 2008-10-22 17:20 - 0000288 ____A C:\Users\All Users\Documents\hpqp.ini
2012-05-21 01:05 - 2008-10-22 17:20 - 0000288 ____A C:\Documents and Settings\Public\Documents\hpqp.ini
2012-05-21 01:05 - 2008-10-22 17:20 - 0000288 ____A C:\Documents and Settings\All Users\Documents\hpqp.ini
2012-05-21 01:04 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At35.job
2012-05-18 02:08 - 2010-05-26 08:49 - 0000000 ____D C:\Users\All Users\Lx_cats
2012-05-18 02:08 - 2010-05-26 08:49 - 0000000 ____D C:\Users\All Users\Application Data\Lx_cats
2012-05-18 02:08 - 2010-05-26 08:49 - 0000000 ____D C:\ProgramData\Lx_cats
2012-05-18 02:08 - 2010-05-26 08:49 - 0000000 ____D C:\Documents and Settings\All Users\Lx_cats
2012-05-18 02:08 - 2010-05-26 08:49 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Lx_cats
2012-05-18 02:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At36.job
2012-05-18 02:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At12.job
2012-05-18 01:02 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At11.job
2012-05-18 00:28 - 2011-02-15 15:30 - 0000000 ____D C:\Users\All Users\VideoViewer
2012-05-18 00:28 - 2011-02-15 15:30 - 0000000 ____D C:\Users\All Users\Application Data\VideoViewer
2012-05-18 00:28 - 2011-02-15 15:30 - 0000000 ____D C:\ProgramData\VideoViewer
2012-05-18 00:28 - 2011-02-15 15:30 - 0000000 ____D C:\Documents and Settings\All Users\VideoViewer
2012-05-18 00:28 - 2011-02-15 15:30 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\VideoViewer
2012-05-18 00:27 - 2011-02-15 15:37 - 0000000 ____A C:\DebugTraceNormal.log
2012-05-18 00:17 - 2009-08-10 04:12 - 0000000 ____D C:\Program Files\Lx_cats
2012-05-18 00:13 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At34.job
2012-05-18 00:13 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At23.job
2012-05-18 00:13 - 2009-02-13 08:11 - 0000000 ____D C:\Users\Public\Documents\Symantec
2012-05-18 00:13 - 2009-02-13 08:11 - 0000000 ____D C:\Users\All Users\Documents\Symantec
2012-05-18 00:13 - 2009-02-13 08:11 - 0000000 ____D C:\Documents and Settings\Public\Documents\Symantec
2012-05-18 00:13 - 2009-02-13 08:11 - 0000000 ____D C:\Documents and Settings\All Users\Documents\Symantec
2012-05-18 00:13 - 2008-01-20 18:47 - 0063958 ____A C:\Windows\PFRO.log
2012-05-18 00:08 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At44.job
2012-05-18 00:08 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At33.job
2012-05-17 04:23 - 2011-01-06 01:58 - 0000000 ____D C:\Users\Colm Daly\Desktop\Stopwatch
2012-05-17 04:23 - 2011-01-06 01:58 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\Stopwatch
2012-05-17 04:23 - 2010-08-17 05:01 - 0000000 ____D C:\Users\Colm Daly\Desktop\VClient_v136
2012-05-17 04:23 - 2010-08-17 05:01 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\VClient_v136
2012-05-17 04:23 - 2010-08-12 00:40 - 0000000 ____D C:\Users\Colm Daly\Desktop\Western Downlaods
2012-05-17 04:23 - 2010-08-12 00:40 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\Western Downlaods
2012-05-17 04:07 - 2011-10-29 03:24 - 0000000 ____D C:\Users\Colm Daly\Desktop\New Folder (2)
2012-05-17 04:07 - 2011-10-29 03:24 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\New Folder (2)
2012-05-17 04:06 - 2012-05-17 04:06 - 0000833 ____A C:\Users\All Users\Start Menu\Programs\Startup\EventLogger.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000833 ____A C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EventLogger.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Users\Public\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Users\All Users\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Documents and Settings\Public\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000717 ____A C:\Documents and Settings\All Users\Desktop\JM Integrated Remote Station.lnk
2012-05-17 04:06 - 2012-05-17 04:06 - 0000000 ____D C:\Program Files\JM Integrated Remote Station
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Users\Colm Daly\Application Data\InstallShield
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Users\Colm Daly\AppData\Roaming\InstallShield
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Documents and Settings\Colm Daly\Application Data\InstallShield
2012-05-17 04:05 - 2012-05-17 04:05 - 0000000 ____D C:\Documents and Settings\Colm Daly\AppData\Roaming\InstallShield
2012-05-17 04:03 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At14.job
2012-05-17 04:01 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At38.job
2012-05-17 03:04 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At13.job
2012-05-17 03:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At37.job
2012-05-16 00:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At10.job
2012-05-15 23:55 - 2009-01-08 20:31 - 0035328 ____A C:\Users\Colm Daly\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-15 23:55 - 2009-01-08 20:31 - 0035328 ____A C:\Users\Colm Daly\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-15 23:55 - 2009-01-08 20:31 - 0035328 ____A C:\Users\Colm Daly\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-15 23:55 - 2009-01-08 20:31 - 0035328 ____A C:\Documents and Settings\Colm Daly\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-15 23:55 - 2009-01-08 20:31 - 0035328 ____A C:\Documents and Settings\Colm Daly\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-15 23:55 - 2009-01-08 20:31 - 0035328 ____A C:\Documents and Settings\Colm Daly\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-15 23:48 - 2006-11-02 04:52 - 0104067 ____A C:\Windows\setupact.log
2012-05-15 13:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At47.job
2012-05-15 12:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At46.job
2012-05-15 12:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At22.job
2012-05-15 11:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At45.job
2012-05-15 11:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At21.job
2012-05-15 10:45 - 2012-05-15 11:21 - 0026675 ____A C:\Users\Colm Daly\Desktop\lp.jpg
2012-05-15 10:45 - 2012-05-15 11:21 - 0026675 ____A C:\Documents and Settings\Colm Daly\Desktop\lp.jpg
2012-05-14 23:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At9.job
2012-05-14 22:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At32.job
2012-05-14 22:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At8.job
2012-05-14 21:03 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At31.job
2012-05-14 21:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At7.job
2012-05-14 20:02 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At30.job
2012-05-14 20:02 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At6.job
2012-05-14 19:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At29.job
2012-05-14 19:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At5.job
2012-05-14 18:19 - 2008-08-02 11:04 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-14 18:19 - 2008-08-02 11:04 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2012-05-14 18:19 - 2008-08-02 11:04 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-05-14 18:19 - 2008-08-02 11:04 - 0000000 ____D C:\Documents and Settings\All Users\Microsoft Help
2012-05-14 18:19 - 2008-08-02 11:04 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2012-05-14 18:13 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-05-14 14:31 - 2009-01-07 10:24 - 0000554 ____A C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Colm Daly.job
2012-05-14 14:00 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At48.job
2012-05-14 14:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At24.job
2012-05-14 10:00 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At20.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At43.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At42.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At41.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At40.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At39.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At28.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At27.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At26.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000342 ____A C:\Windows\Tasks\At25.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At4.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At3.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At2.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At19.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At18.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At17.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At16.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At15.job
2012-05-14 09:46 - 2012-05-09 00:49 - 0000340 ____A C:\Windows\Tasks\At1.job
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\Application Data\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\Application Data\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\ProgramData\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\ProgramData\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\Application Data\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\Application Data\h0360288.exe
2012-05-03 14:56 - 2010-07-23 04:48 - 0000578 ____A C:\Windows\M3JPEG.INI
2012-05-03 13:58 - 2010-06-08 10:06 - 0000000 ____D C:\Users\Colm Daly\Desktop\Colm
2012-05-03 13:58 - 2010-06-08 10:06 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\Colm
2012-05-03 13:57 - 2009-03-24 05:59 - 0000000 ____D C:\Users\Colm Daly\Desktop\New Folder
2012-05-03 13:57 - 2009-03-24 05:59 - 0000000 ____D C:\Documents and Settings\Colm Daly\Desktop\New Folder
2012-04-16 13:40 - 2012-04-16 13:40 - 1609205 ____A C:\Users\Colm Daly\Desktop\DCSecurityNSAI.JPG
2012-04-16 13:40 - 2012-04-16 13:40 - 1609205 ____A C:\Documents and Settings\Colm Daly\Desktop\DCSecurityNSAI.JPG
2012-04-10 05:07 - 2009-03-09 19:33 - 0000052 ____A C:\Windows\System32\DOErrors.log
2012-04-03 09:54 - 2009-01-13 23:17 - 0000000 ____D C:\Users\Colm Daly\Local Settings\Google
2012-04-03 09:54 - 2009-01-13 23:17 - 0000000 ____D C:\Users\Colm Daly\Local Settings\Application Data\Google
2012-04-03 09:54 - 2009-01-13 23:17 - 0000000 ____D C:\Users\Colm Daly\AppData\Local\Google
2012-04-03 09:54 - 2009-01-13 23:17 - 0000000 ____D C:\Documents and Settings\Colm Daly\Local Settings\Google
2012-04-03 09:54 - 2009-01-13 23:17 - 0000000 ____D C:\Documents and Settings\Colm Daly\Local Settings\Application Data\Google
2012-04-03 09:54 - 2009-01-13 23:17 - 0000000 ____D C:\Documents and Settings\Colm Daly\AppData\Local\Google
2012-03-20 08:41 - 2012-03-20 14:57 - 0225280 ____A () C:\Windows\System32\RFScreenManager.dll
2012-03-15 19:06 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-03-15 19:03 - 2006-11-02 02:23 - 0000219 ____A C:\Windows\win.ini
2012-03-15 15:10 - 2010-12-24 02:04 - 0000284 ____A C:\Windows\GvSaveImage.ini
2012-03-15 15:10 - 2010-04-02 01:26 - 0000463 ____A C:\Windows\GeoLan.ini
2012-03-15 15:10 - 2010-04-02 01:16 - 0000512 ____A C:\Windows\GeoImageProcess_8200.ini
2012-03-15 15:09 - 2010-12-24 01:47 - 0000061 ____A C:\Windows\GeoDebug61.ini
2012-03-05 00:28 - 2012-03-05 00:28 - 0080482 ____A C:\Users\Colm Daly\Desktop\Claremorris creche.pdf
2012-03-05 00:28 - 2012-03-05 00:28 - 0080482 ____A C:\Documents and Settings\Colm Daly\Desktop\Claremorris creche.pdf
2012-03-02 04:22 - 2009-01-07 10:17 - 0000000 ____D C:\users\Colm Daly
2012-02-28 02:45 - 2012-02-28 02:45 - 0000000 ____D C:\Users\Colm Daly\Application Data\Garmin
2012-02-28 02:45 - 2012-02-28 02:45 - 0000000 ____D C:\Users\Colm Daly\AppData\Roaming\Garmin
2012-02-28 02:45 - 2012-02-28 02:45 - 0000000 ____D C:\Documents and Settings\Colm Daly\Application Data\Garmin
2012-02-28 02:45 - 2012-02-28 02:45 - 0000000 ____D C:\Documents and Settings\Colm Daly\AppData\Roaming\Garmin
2012-02-28 02:45 - 2006-11-02 03:18 - 0000000 ___SD C:\Windows\Downloaded Program Files

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-01-08 17:55] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll
[2008-01-20 18:24] - [2008-01-20 18:24] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 24%
Total physical RAM: 1978.58 MB
Available physical RAM: 1503.3 MB
Total Pagefile: 1751.13 MB
Available Pagefile: 1570.64 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.55 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:223.27 GB) (Free:109.39 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (PRESARIO_RP) (Fixed) (Total:9.61 GB) (Free:1.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: () (Removable) (Total:1.82 GB) (Free:1.76 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 2232 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 1869 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 223 GB 32 KB
Partition 2 Primary 10 GB 223 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 223 GB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D PRESARIO_RP NTFS Partition 10 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1869 MB 36 KB

======================================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G FAT Removable 1869 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-22 05:21

======================= End Of Log ==========================



Regards,

Colm

#11 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:40 AM

Posted 22 May 2012 - 09:43 AM

Hi Colm, please run the following fix, then see if you can boot successfully into Windows.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM\...\Winlogon: [Shell] C:\Windows\Temp\usbvro\setup.exe [x ] ()
Winlogon\Notify\xromnop: C:\Windows\system32\config\systemprofile\AppData\Local\xromnop.dll [X]
2012-05-09 00:49 - 2012-05-21 01:04 - 0000342 ____A C:\Windows\Tasks\At35.job
2012-05-09 00:49 - 2012-05-18 02:00 - 0000342 ____A C:\Windows\Tasks\At36.job
2012-05-09 00:49 - 2012-05-18 02:00 - 0000340 ____A C:\Windows\Tasks\At12.job
2012-05-09 00:49 - 2012-05-18 01:02 - 0000340 ____A C:\Windows\Tasks\At11.job
2012-05-09 00:49 - 2012-05-18 00:13 - 0000342 ____A C:\Windows\Tasks\At34.job
2012-05-09 00:49 - 2012-05-18 00:13 - 0000340 ____A C:\Windows\Tasks\At23.job
2012-05-09 00:49 - 2012-05-18 00:08 - 0000342 ____A C:\Windows\Tasks\At44.job
2012-05-09 00:49 - 2012-05-18 00:08 - 0000342 ____A C:\Windows\Tasks\At33.job
2012-05-09 00:49 - 2012-05-17 04:03 - 0000340 ____A C:\Windows\Tasks\At14.job
2012-05-09 00:49 - 2012-05-17 04:01 - 0000342 ____A C:\Windows\Tasks\At38.job
2012-05-09 00:49 - 2012-05-17 03:04 - 0000340 ____A C:\Windows\Tasks\At13.job
2012-05-09 00:49 - 2012-05-17 03:00 - 0000342 ____A C:\Windows\Tasks\At37.job
2012-05-09 00:49 - 2012-05-16 00:00 - 0000340 ____A C:\Windows\Tasks\At10.job
2012-05-09 00:49 - 2012-05-15 13:00 - 0000342 ____A C:\Windows\Tasks\At47.job
2012-05-09 00:49 - 2012-05-15 12:00 - 0000342 ____A C:\Windows\Tasks\At46.job
2012-05-09 00:49 - 2012-05-15 12:00 - 0000340 ____A C:\Windows\Tasks\At22.job
2012-05-09 00:49 - 2012-05-15 11:00 - 0000342 ____A C:\Windows\Tasks\At45.job
2012-05-09 00:49 - 2012-05-15 11:00 - 0000340 ____A C:\Windows\Tasks\At21.job
2012-05-09 00:49 - 2012-05-14 23:00 - 0000340 ____A C:\Windows\Tasks\At9.job
2012-05-09 00:49 - 2012-05-14 22:00 - 0000342 ____A C:\Windows\Tasks\At32.job
2012-05-09 00:49 - 2012-05-14 22:00 - 0000340 ____A C:\Windows\Tasks\At8.job
2012-05-09 00:49 - 2012-05-14 21:03 - 0000342 ____A C:\Windows\Tasks\At31.job
2012-05-09 00:49 - 2012-05-14 21:00 - 0000340 ____A C:\Windows\Tasks\At7.job
2012-05-09 00:49 - 2012-05-14 20:02 - 0000342 ____A C:\Windows\Tasks\At30.job
2012-05-09 00:49 - 2012-05-14 20:02 - 0000340 ____A C:\Windows\Tasks\At6.job
2012-05-09 00:49 - 2012-05-14 19:00 - 0000342 ____A C:\Windows\Tasks\At29.job
2012-05-09 00:49 - 2012-05-14 19:00 - 0000340 ____A C:\Windows\Tasks\At5.job
2012-05-09 00:49 - 2012-05-14 14:00 - 0000342 ____A C:\Windows\Tasks\At48.job
2012-05-09 00:49 - 2012-05-14 14:00 - 0000340 ____A C:\Windows\Tasks\At24.job
2012-05-09 00:49 - 2012-05-14 10:00 - 0000340 ____A C:\Windows\Tasks\At20.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At43.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At42.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At41.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At40.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At39.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At28.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At27.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At26.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000342 ____A C:\Windows\Tasks\At25.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At4.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At3.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At2.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At19.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At18.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At17.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At16.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At15.job
2012-05-09 00:49 - 2012-05-14 09:46 - 0000340 ____A C:\Windows\Tasks\At1.job
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\Application Data\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Users\All Users\Application Data\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\ProgramData\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\ProgramData\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\h0360288.exe
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\Application Data\h0360288.exe_
2012-05-09 00:49 - 2012-05-09 00:49 - 0083456 ____A C:\Documents and Settings\All Users\Application Data\h0360288.exe
2012-04-30 00:57 - 2012-05-22 05:35 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

regards, Elise



Malware analyst @ Emsisoft


#12 GalwayColm (Topic Starter)

  • Members
  • 9 posts
  • Gender:Male
  • Local time:02:40 AM

Posted 22 May 2012 - 09:55 AM

Here is the fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 20-05-2012
Ran by SYSTEM at 2012-05-22 15:50:23 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xromnop Key deleted successfully.
C:\Windows\Tasks\At35.job moved successfully.
C:\Windows\Tasks\At36.job moved successfully.
C:\Windows\Tasks\At12.job moved successfully.
C:\Windows\Tasks\At11.job moved successfully.
C:\Windows\Tasks\At34.job moved successfully.
C:\Windows\Tasks\At23.job moved successfully.
C:\Windows\Tasks\At44.job moved successfully.
C:\Windows\Tasks\At33.job moved successfully.
C:\Windows\Tasks\At14.job moved successfully.
C:\Windows\Tasks\At38.job moved successfully.
C:\Windows\Tasks\At13.job moved successfully.
C:\Windows\Tasks\At37.job moved successfully.
C:\Windows\Tasks\At10.job moved successfully.
C:\Windows\Tasks\At47.job moved successfully.
C:\Windows\Tasks\At46.job moved successfully.
C:\Windows\Tasks\At22.job moved successfully.
C:\Windows\Tasks\At45.job moved successfully.
C:\Windows\Tasks\At21.job moved successfully.
C:\Windows\Tasks\At9.job moved successfully.
C:\Windows\Tasks\At32.job moved successfully.
C:\Windows\Tasks\At8.job moved successfully.
C:\Windows\Tasks\At31.job moved successfully.
C:\Windows\Tasks\At7.job moved successfully.
C:\Windows\Tasks\At30.job moved successfully.
C:\Windows\Tasks\At6.job moved successfully.
C:\Windows\Tasks\At29.job moved successfully.
C:\Windows\Tasks\At5.job moved successfully.
C:\Windows\Tasks\At48.job moved successfully.
C:\Windows\Tasks\At24.job moved successfully.
C:\Windows\Tasks\At20.job moved successfully.
C:\Windows\Tasks\At43.job moved successfully.
C:\Windows\Tasks\At42.job moved successfully.
C:\Windows\Tasks\At41.job moved successfully.
C:\Windows\Tasks\At40.job moved successfully.
C:\Windows\Tasks\At39.job moved successfully.
C:\Windows\Tasks\At28.job moved successfully.
C:\Windows\Tasks\At27.job moved successfully.
C:\Windows\Tasks\At26.job moved successfully.
C:\Windows\Tasks\At25.job moved successfully.
C:\Windows\Tasks\At4.job moved successfully.
C:\Windows\Tasks\At3.job moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Windows\Tasks\At19.job moved successfully.
C:\Windows\Tasks\At18.job moved successfully.
C:\Windows\Tasks\At17.job moved successfully.
C:\Windows\Tasks\At16.job moved successfully.
C:\Windows\Tasks\At15.job moved successfully.
C:\Windows\Tasks\At1.job moved successfully.
C:\Users\All Users\h0360288.exe_ moved successfully.
C:\Users\All Users\h0360288.exe moved successfully.
C:\Users\All Users\Application Data\h0360288.exe_ not found.
C:\Users\All Users\Application Data\h0360288.exe not found.
C:\ProgramData\h0360288.exe_ not found.
C:\ProgramData\h0360288.exe not found.
C:\Documents and Settings\All Users\h0360288.exe_ not found.
C:\Documents and Settings\All Users\h0360288.exe not found.
C:\Documents and Settings\All Users\Application Data\h0360288.exe_ not found.
C:\Documents and Settings\All Users\Application Data\h0360288.exe not found.
C:\Windows\System32\dds_trash_log.cmd moved successfully.

==== End of Fixlog ====


Just restarting Windows now, Elise...
Looking good...
And yes, my Windows desktop is back!!!
Thank you so much, Elise.

Regards,

Colm

#13 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:40 AM

Posted 22 May 2012 - 10:04 AM

Glad to hear that. :) Let's make sure any other malware is gone as well.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#14 GalwayColm (Topic Starter)

  • Members
  • 9 posts
  • Gender:Male
  • Local time:02:40 AM

Posted 22 May 2012 - 10:18 AM

Hi Elise,

The following is the dds.txt file:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by Colm Daly at 16:09:06 on 2012-05-22
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.1978.1019 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\TEMP\giysxe\setup.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxcccoms.exe
C:\Windows\system32\lxeacoms.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\slserv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MyShoppingGenie\mnumsg.exe
C:\Program Files\JM Integrated Remote Station\cms\EventLogger.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ie/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=83&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=83&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=83&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [mnumsg.exe] c:\program files\myshoppinggenie\mnumsg.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
mRun: [lxccmon.exe] "c:\program files\lexmark 3300 series\lxccmon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [Lexmark S300-S400 Series Fax Server] "c:\program files\lexmark s300-s400 series\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRunOnce: [<NO NAME>]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\eventl~1.lnk - c:\program files\jm integrated remote station\cms\EventLogger.exe
mPolicies-explorer: NoViewContextMenu = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-ie\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: boi-bol.com\www
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {173D9E48-B527-4AA0-A929-30B446002AA8} - hxxp://dcsecurity1.i-dvr.net:8080/DVRemoteAx.cab
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://86.46.59.246/ActiveView.cab
DPF: {6F80BF27-CB16-4589-8C6A-DB422AAB2ED9} - hxxp://192.168.1.100/vcredist_x86.exe
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {971FC730-55F1-461F-83FD-B3BF5E1F039E} - hxxp://86.47.89.211:81/AVC_AX_742.cab
DPF: {9B479D7B-916A-45B0-B042-D42865A60E21} - hxxp://peter10.gicp.net:81/DvrOcx.cab
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://86.47.88.80:81/cab/OCXChecker_8320.cab
DPF: {CAFCF48D-8E34-4490-8154-026191D73924} - hxxp://192.168.15.200/codebase/NetVideoActiveX_V23.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://86.47.88.80:81/cab/DownloadCenter_8300.cab
TCP: DhcpNameServer = 89.101.160.5 89.101.160.4
TCP: Interfaces\{45DBD88F-32ED-4557-BDDC-66C0A8F57A62} : DhcpNameServer = 89.101.160.5 89.101.160.4
TCP: Interfaces\{88741606-61DC-4FEE-BCEF-49420678BCA6} : DhcpNameServer = 89.101.160.5 89.101.160.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R?2 AMService;AMService;c:\windows\temp\giysxe\setup.exe run --> c:\windows\temp\giysxe\setup.exe run [?]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090303.002\IDSvix86.sys [2009-3-6 270384]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-7 149352]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-2 361808]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2010-12-4 2222376]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-1-19 3027840]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-8-2 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-4 113664]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-2 1245064]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2010-5-26 98984]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\sldrv\slnt7554.sys [2005-3-22 225280]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-22 23:22:53 -------- d-----w- C:\FRST
2012-05-22 14:51:30 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-05-22 10:13:25 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2012-05-17 12:16:24 -------- d-----w- c:\program files\CdPlayBack
2012-05-17 12:15:48 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2012-05-17 12:15:48 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2012-05-17 12:15:48 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2012-05-17 12:15:48 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2012-05-17 12:15:44 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2012-05-17 12:15:44 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2012-05-17 12:06:07 -------- d-----w- c:\program files\JM Integrated Remote Station
.
==================== Find3M ====================
.
2012-05-22 20:30:55 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2012-03-20 16:41:00 225280 ----a-w- c:\windows\system32\RFScreenManager.dll
.
============= FINISH: 16:12:44.74 ===============



and here is the attach.txt:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 23/10/2008 01:35:36
System Uptime: 22/05/2012 15:51:01 (1 hours ago)
.
Motherboard: Wistron | | 3612
Processor: Genuine Intel® CPU T1600 @ 1.66GHz | CPU | 1662/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 223 GiB total, 108.741 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 1.723 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP714: 04/02/2012 16:32:48 - Scheduled Checkpoint
RP715: 06/02/2012 01:05:25 - Scheduled Checkpoint
RP716: 08/02/2012 14:03:39 - Windows Update
RP717: 09/02/2012 21:16:47 - Scheduled Checkpoint
RP718: 10/02/2012 14:25:20 - Windows Update
RP719: 12/02/2012 00:00:07 - Scheduled Checkpoint
RP720: 15/02/2012 10:23:45 - Windows Update
RP721: 17/02/2012 03:00:26 - Windows Update
RP722: 17/02/2012 22:52:23 - Windows Update
RP723: 02/03/2012 13:00:57 - Scheduled Checkpoint
RP724: 04/03/2012 23:39:22 - Scheduled Checkpoint
RP725: 06/03/2012 17:27:51 - Scheduled Checkpoint
RP726: 11/03/2012 18:58:44 - Scheduled Checkpoint
RP727: 15/03/2012 03:00:49 - Windows Update
RP728: 16/03/2012 03:00:32 - Windows Update
RP729: 09/04/2012 22:42:22 - Scheduled Checkpoint
RP730: 13/04/2012 03:01:25 - Windows Update
RP731: 14/04/2012 00:00:10 - Scheduled Checkpoint
RP732: 15/04/2012 00:00:09 - Scheduled Checkpoint
RP733: 16/04/2012 00:00:13 - Scheduled Checkpoint
RP734: 30/04/2012 11:33:00 - Scheduled Checkpoint
RP735: 04/05/2012 20:20:51 - Scheduled Checkpoint
RP736: 15/05/2012 03:02:01 - Windows Update
RP738: 17/05/2012 13:05:25 - Installed JM Integrated Remote Station
RP740: 17/05/2012 13:16:05 - Installed CD-R BACKUP PLAYER
RP742: 22/05/2012 11:12:31 - Removed CD-R BACKUP PLAYER
RP744: 22/05/2012 11:14:35 - Installed CD-R BACKUP PLAYER
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
ABBYY FineReader 6.0 Sprint
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.0
Adobe Shockwave Player
AOL Toolbar 5.0
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
Bonjour
Business Contact Manager for Outlook 2007 SP2
Cards_Calendar_OrderGift_DoMorePlugout
ccCommon
CD-R BACKUP PLAYER
Championship Manager 2010
Championship Manager 2010 (September Data Patch)
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Component Framework
Conexant HD Audio
CyberLink DVD Suite
CyberLink YouCam
DMMultiView
DvrMaster
ESU for Microsoft Vista
GeoVision AAC
GeoVision ADPCM
GeoVision H264
GeoVision JPEG
GeoVision MPEG2
GeoVision MPEG4
GeoVision MPEG4 ASP
GeoVision MPEG4 AVC
GeoVision MXPG
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.40 F1
HP Total Care Advisor
HP Update
HP User Guides 0118
HP Wireless Assistant
HPNetworkAssistant
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabel_Tattoo
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookHolidayPack1
HPPhotoSmartPhotobookModernPack1
HPPhotoSmartPhotobookPlayfulPack1
HPPhotoSmartPhotobookScrapbookPack1
HPPhotoSmartPhotobookWebPack1
Intel® Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java™ 6 Update 18
Java™ 6 Update 5
JM Integrated Remote Station
Junk Mail filter update
LabelPrint
Lexmark 3300 Series
Lexmark Printable Web
Lexmark S300-S400 Series
Lexmark Toolbar
Lexmark Tools for Office
LiveUpdate (Symantec Corporation)
LJD-Video Client
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.1
My HP Games
MyShoppingGenie
Nemon
NetSurveillance
NetWaiting
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
OGA Notifier 1.7.0105.35.0
Optus Wireless Broadband
Player
PlayerLiteHJ 1.0.1.1.LHJ
PlayLiteM 1.0.1.5.LM
Power2Go
PowerDirector
PSSWCORE
QuickPlay SlingPlayer 0.4.6
QuickTime
RealPlayer
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek USB 2.0 Card Reader
RealUpgrade 1.1
Remote Viewlog
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Skype™ 3.8
Smartlink 7
SPBBC 32bit
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
TeamViewer 6
TeamViewer 7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2598290) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Video Viewer
VideoToolkit01
Vx4SLPlayer 1.0.0
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
.
==== Event Viewer Messages From Past Week ========
.
22/05/2012 13:29:46, Error: EventLog [6008] - The previous system shutdown at 13:26:17 on 22/05/2012 was unexpected.
22/05/2012 13:06:55, Error: EventLog [6008] - The previous system shutdown at 13:04:27 on 22/05/2012 was unexpected.
22/05/2012 13:04:16, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
22/05/2012 13:03:50, Error: EventLog [6008] - The previous system shutdown at 12:47:34 on 22/05/2012 was unexpected.
22/05/2012 12:15:07, Error: EventLog [6008] - The previous system shutdown at 12:13:57 on 22/05/2012 was unexpected.
22/05/2012 11:45:58, Error: EventLog [6008] - The previous system shutdown at 11:43:01 on 22/05/2012 was unexpected.
22/05/2012 11:41:19, Error: EventLog [6008] - The previous system shutdown at 11:40:10 on 22/05/2012 was unexpected.
22/05/2012 11:38:00, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC eeCtrl NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb SPBBCDrv spldr SRTSP SRTSPX SymIM SYMTDI tdx Wanarpv6
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
22/05/2012 11:38:00, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
22/05/2012 11:36:34, Error: EventLog [6008] - The previous system shutdown at 11:35:05 on 22/05/2012 was unexpected.
21/05/2012 10:04:07, Error: EventLog [6008] - The previous system shutdown at 14:57:43 on 20/05/2012 was unexpected.
18/05/2012 09:44:11, Error: Service Control Manager [7034] - The AMService service terminated unexpectedly. It has done this 1 time(s).
18/05/2012 09:16:17, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Lexmark S400 Series (USB) with shared resource name Lexmark S400 Series (USB). Error 1753. The printer cannot be used by others on the network.
18/05/2012 09:16:17, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Lexmark S400 Series (Network) with shared resource name Lexmark S400 Series (Network). Error 1753. The printer cannot be used by others on the network.
18/05/2012 09:16:17, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Lexmark 3300 Series with shared resource name Lexmark 3300 Series. Error 1753. The printer cannot be used by others on the network.
18/05/2012 09:16:17, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Fax Lexmark S400 Series with shared resource name Fax Lexmark S400 Series. Error 1753. The printer cannot be used by others on the network.
18/05/2012 09:14:54, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
18/05/2012 09:14:54, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxeaCATSCustConnectService service to connect.
18/05/2012 09:14:54, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
18/05/2012 09:14:54, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
18/05/2012 09:14:54, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
18/05/2012 09:14:54, Error: Service Control Manager [7000] - The lxeaCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
18/05/2012 09:13:50, Error: EventLog [6008] - The previous system shutdown at 09:11:36 on 18/05/2012 was unexpected.
17/05/2012 12:41:56, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.
16/05/2012 08:47:10, Error: Service Control Manager [7034] - The lxea_device service terminated unexpectedly. It has done this 1 time(s).
15/05/2012 03:20:23, Error: Service Control Manager [7030] - The AMService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
.
==== End Of File ===========================


Regards,

Colm

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,091 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:40 AM

Posted 22 May 2012 - 10:28 AM

Unfortunately you still have a nasty rootkit infection. Please read the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft




