ZeroAccess rootkit removal


  • This topic is locked
27 replies to this topic

#1 Nisheeth

  • Members
  • 17 posts

Posted 07 December 2012 - 04:50 AM

I had earlier posted for help in a different thread, http://www.bleepingcomputer.com/forums/topic477394.html

Broni redirected me to post here, appending the logs from a DDS scan. Both logs are appended below. Logs from other scans run (SecurityCheck, FSS, MBAM etc.) are available in the other thread. Any assistance would be greatly appreciated.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Administrator at 15:04:05 on 2012-12-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1276 [GMT 5.5:30]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\ChgService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\MBlaze UI\bin\MonServiceUDisk.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Drupal\xmail\XMail.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mWinlogon: SFCDisable = dword:-99
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Driver Genius] <no file>
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:32
uPolicies-Explorer: NoResolveTrack = dword:1
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-System: DisableCAD = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:16895
mPolicies-Explorer: ForceClassicControlPanel = dword:1
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
TCP: Interfaces\{0C10BCF8-5042-48A0-B30F-4A6BA761000D} : NameServer = 4.4.4.4,8.8.8.8
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: SecurityProviders = msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
Hosts: 0.0.0.0 mpa.one.microsoft.com genuine.microsoft.com sls.microsoft.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\vi5jx70l.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B9e8f7fff-739a-4262-93d3-2fd81eeaf429%7D&mid=3936fdc6e07c47d0af2ed15565b6f57d-71153aba9dd4dcb3700d4d6b5afc8ed10fd5882d&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-06-04%2017%3A54%3A25&sap=ku&q=
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\vi5jx70l.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect64.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iastor2;iastor2;c:\windows\system32\drivers\iastor2.sys [2011-10-2 277784]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-10-2 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-10-2 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-10-2 13616]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-12 116608]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2012-10-4 135168]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2012-6-3 54760]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-11-22 3290304]
R2 UDisk Monitor;UDisk Monitor;c:\program files\mblaze ui\bin\MonServiceUDisk.exe [2012-11-26 512000]
R2 XMail;XMail Server;c:\program files\drupal\xmail\XMail.exe [2012-7-9 397824]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2012-9-18 25088]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2012-10-4 103424]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2012-11-26 105472]
.
=============== Created Last 30 ================
.
2012-12-05 00:05:06 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2012-12-05 00:04:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-05 00:04:49 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-12-04 14:56:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
2012-12-04 14:35:38 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-12-04 14:35:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-12-04 14:35:25 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-04 14:35:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-03 15:17:51 -------- d-----w- c:\documents and settings\all users\application data\Windows Codecs
2012-12-03 15:17:44 -------- d-----w- c:\program files\Mega Codec Pack
2012-12-02 09:45:29 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{56a74965-a106-4898-b528-4cc521713e2a}\mpengine.dll
2012-12-01 10:15:09 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-26 14:52:30 -------- d-----w- c:\documents and settings\administrator\application data\ZTEEVDO
2012-11-26 14:49:49 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
2012-11-26 14:49:39 -------- d-----w- c:\program files\MBlaze UI
2012-11-22 05:04:38 5885632 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2012-11-16 07:48:20 -------- d-----w- C:\Codemasters
2012-11-16 07:46:03 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Help
2012-11-16 07:44:08 183808 ----a-w- c:\windows\system\qmdx.dll
2012-11-14 03:48:54 58368 ------w- c:\windows\system32\dllcache\synceng.dll
2012-11-13 11:27:24 -------- d-----w- c:\documents and settings\administrator\Logs
2012-11-12 14:12:01 -------- d-----w- c:\documents and settings\administrator\application data\Microsoft Games
2012-11-12 13:59:52 -------- d-----w- c:\program files\Microsoft Games
.
==================== Find3M ====================
.
2012-11-10 02:44:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-10 02:44:22 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-22 08:43:24 1875328 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-24 17:46:36 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
============= FINISH: 15:04:49.10 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/2/2012 3:12:29 AM
System Uptime: 12/7/2012 2:20:05 PM (1 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel® Core™2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2193/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 26.837 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_14F1000F&REV_1000\4&8F2C18F&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_14F1000F&REV_1000\4&8F2C18F&0&0102
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
7-Zip 9.20
Acquia Dev Desktop
Adobe AIR
Adobe Community Help
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Illustrator CS5.1
CoSBiLab Graph
CutePDF Writer 2.8
Driver Genius Professional Edition
Dropbox
Foxit Reader
Free Alarm Clock 2.7.0
Garmin Communicator Plugin
Garmin USB Drivers
Git version 1.7.11-preview20120710
Google Chrome
Google Drive
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954550-v5)
IguanaTex
JabRef 2.8.1
Java 7 Update 9
Java Auto Updater
JavaFX 2.1.1
Junk Mail filter update
Malwarebytes Anti-Malware version 1.65.1.1000
MATLAB R2012a
MBlaze UI
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
MiKTeX 2.9
Mindful Clock
MMX310G 3G USB Manager version 5.364
Mozilla Firefox 16.0.2 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP3 Parser (KB2721691)
MSXML4 Parser
NBA LIVE 06
NVIDIA Control Panel 296.70
NVIDIA Graphics Driver 296.70
NVIDIA Install Application
NVIDIA nView 136.27
O2Micro Flash Memory Card Reader Driver (x86)
OpenOffice.org 3.4
PDF Settings CS5
Rise of Nations
Royale Remixed Theme
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687314) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2687315) 32-Bit Edition
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB941569)
Segoe UI
Sid Meier's Alpha Centauri
SigmaTel Audio
Skype Click to Call
Skype™ 6.0
Slik Subversion 1.7.5 (x86)
SSH Secure Shell
Steam
SUPERAntiSpyware
TeamViewer 7
TeXworks 0.4.4
The Elder Scrolls III: Morrowind
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760413) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
VLC media player 2.0.2
Vuze
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
.
==== Event Viewer Messages From Past Week ========
.
12/5/2012 5:48:21 AM, error: Service Control Manager [7031] - The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
12/5/2012 5:48:17 AM, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
12/5/2012 5:48:13 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/5/2012 5:48:07 AM, error: Service Control Manager [7034] - The O2Micro Flash Memory Card Service service terminated unexpectedly. It has done this 1 time(s).
12/5/2012 5:48:03 AM, error: Service Control Manager [7034] - The SigmaTel Audio Service service terminated unexpectedly. It has done this 1 time(s).
12/5/2012 5:48:01 AM, error: Service Control Manager [7034] - The Skype C2C Service service terminated unexpectedly. It has done this 1 time(s).
12/5/2012 5:47:56 AM, error: Service Control Manager [7034] - The UDisk Monitor service terminated unexpectedly. It has done this 1 time(s).
12/5/2012 5:47:53 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
12/5/2012 5:47:38 AM, error: Service Control Manager [7034] - The XMail Server service terminated unexpectedly. It has done this 1 time(s).
12/4/2012 8:34:53 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
12/4/2012 8:24:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iastor2
12/4/2012 8:01:04 PM, error: Service Control Manager [7034] - The Change Modem Device Service service terminated unexpectedly. It has done this 1 time(s).
12/4/2012 3:00:28 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
12/3/2012 9:47:57 PM, error: ztemtusbser [43] -
12/2/2012 1:35:56 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.900.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
12/2/2012 1:35:56 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.900.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
.
==== End Of File ===========================


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 07 December 2012 - 07:10 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Nisheeth

  • Topic Starter
  • Members
  • 17 posts
Posted 07 December 2012 - 09:51 AM

Hi Gringo

Thanks a ton. Logs are appended below. Running securitycheck gave me an error in accessing netsh.exe. Everything else ran smoothly.

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
AVG Anti-Virus Free Edition 2012
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java 7 Update 9
Adobe Flash Player 11.5.502.110
Mozilla Firefox 16.0.2 Firefox out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 29% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

adwCleaner:

# AdwCleaner v2.011 - Logfile created 12/07/2012 at 19:39:52
# Updated 02/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - EXPERIEN-BAA70F
# Boot Mode : Normal
# Running from : C:\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml

***** [Registry] *****

Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKU\S-1-5-21-1229272821-57989841-1801674531-500\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vi5jx70l.default\prefs.js

Found : user_pref("keyword.URL", "hxxp://isearch.avg.com/search?cid=%7B9e8f7fff-739a-4262-93d3-2fd81eeaf429%[...]
Found : user_pref("pagetweak.pref.cacheInfo", "{\"hxxp://wedata.net/databases/AutoPagerize/items.json\":{\"u[...]
Found : user_pref("pagetweak.pref.hxxp://www.bleepingcomputer.com/forums/index.php?app=forums&module=post&se[...]

-\\ Google Chrome v23.0.1271.95

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2469 octets] - [07/12/2012 19:39:52]

########## EOF - C:\AdwCleaner[R1].txt - [2529 octets] ##########

RogueKiller:

RogueKiller V8.3.2 [Dec 7 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 12/07/2012 19:45:31

¤¤¤ Bad processes : 1 ¤¤¤
[][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : NvMCTray.dll -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][NOTFOUND] HKLM\[...]\Run : NvMediaCenter (RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{0C10BCF8-5042-48A0-B30F-4A6BA761000D} : NameServer (4.4.4.4,8.8.8.8) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{0C10BCF8-5042-48A0-B30F-4A6BA761000D} : NameServer (4.4.4.4,8.8.8.8) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS @ 0xAF9CE640)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
0.0.0.0 mpa.one.microsoft.com genuine.microsoft.com sls.microsoft.com



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9120823AS +++++
--- User ---
[MBR] cedcfb2741ee18232e8a612b0d64d78b
[BSP] e33c4b9e464fb4434afda2459378fa79 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12072012_02d1945.txt >>
RKreport[1]_S_12072012_02d1945.txt
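A way to triage the RogueKiller findings above in code, as an added example that is not part of the original post or of RogueKiller itself: it parses the `[DNS]` and `[HJ]` registry lines and the hosts-file dump, reports NameServer entries that are not on an allowlist of public resolvers, reports hardening values RogueKiller shows as switched off, and lists hosts-file entries that redirect certificate-revocation or Microsoft hostnames. The allowlist, the `DisableSR` mapping and the sensitive-hostname patterns are my assumptions, not RogueKiller's; the sample lines are copied from the report above. A resolver missing from the allowlist is a review item, not proof of tampering: 8.8.8.8 is Google's public resolver, while 4.4.4.4 is simply an address this example does not recognise.

```python
"""Triage helpers for RogueKiller-style output. Added example; not part of RogueKiller."""
import re

# Resolvers we expect on this network; anything else is reported for review.
# Assumption: illustrative allowlist, adjust it to the environment being examined.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

# [HJ] registry values that weaken recovery or protection when set to 1.
# Assumption: this mapping is mine; extend it as needed.
HARDENING_VALUES = {"DisableSR": "System Restore disabled"}

# Hostnames whose redirection in the hosts file blocks revocation checks, updates
# or activation checks. Assumption: these patterns are mine.
SENSITIVE_HOST_PATTERNS = [
    re.compile(r"^(crl|ocsp)\.", re.I),
    re.compile(r"\.microsoft\.com$", re.I),
    re.compile(r"\.windowsupdate\.com$", re.I),
]

DNS_RE = re.compile(r"^\[DNS\]\s+(?P<key>\S+)\s+:\s+NameServer\s+\((?P<servers>[^)]*)\)")
HJ_RE = re.compile(r"^\[HJ(?: [A-Z]+)?\]\s+(?P<key>\S+)\s+:\s+(?P<value>\w+)\s+\((?P<data>[^)]*)\)")
HOSTS_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<hosts>\S.*?)\s*$")

# Lines copied from the RogueKiller report above (constructed sample input).
SAMPLE_REGISTRY = [
    r"[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{0C10BCF8-5042-48A0-B30F-4A6BA761000D} : NameServer (4.4.4.4,8.8.8.8) -> FOUND",
    r"[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND",
    r"[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND",
]
SAMPLE_HOSTS = [
    "127.0.0.1 localhost",
    "127.0.0.1 www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net",
    "0.0.0.0 mpa.one.microsoft.com genuine.microsoft.com sls.microsoft.com",
]


def triage_registry(lines):
    """Flag NameServer entries outside KNOWN_RESOLVERS and hardening values that are switched off."""
    findings = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            for server in (s.strip() for s in m.group("servers").split(",")):
                if server and server not in KNOWN_RESOLVERS:
                    findings.append(("dns", m.group("key"), "resolver not in allowlist: " + server))
            continue
        m = HJ_RE.match(line)
        if m and m.group("value") in HARDENING_VALUES and m.group("data").strip() == "1":
            findings.append(("hardening", m.group("key"), HARDENING_VALUES[m.group("value")]))
    return findings


def triage_hosts(lines):
    """Return (ip, hostname) pairs for hosts-file lines that redirect security-relevant hostnames."""
    flagged = []
    for line in lines:
        m = HOSTS_RE.match(line.split("#", 1)[0])   # drop trailing comments
        if not m:
            continue
        for host in m.group("hosts").split():
            if host.lower() != "localhost" and any(p.search(host) for p in SENSITIVE_HOST_PATTERNS):
                flagged.append((m.group("ip"), host))
    return flagged


if __name__ == "__main__":
    for finding in triage_registry(SAMPLE_REGISTRY):
        print(*finding)
    for ip, host in triage_hosts(SAMPLE_HOSTS):
        print(ip, "->", host)
```

Run against the sample lines it reports the 4.4.4.4 resolver and the `DisableSR` flag, and flags `crl.verisign.net` (both spellings) and the three `microsoft.com` names; the Adobe entries are left alone because this example has no opinion about them.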

#4 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 07 December 2012 - 11:41 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 Nisheeth (Topic Starter, Members)

Posted 07 December 2012 - 12:14 PM

I haven't run it yet; there is something weird to report. Suddenly my security center is working, and it is claiming that I have AVG free edition 2012 running on my machine (when in fact I don't) and the combofix tool is reporting that running combofix might damage my computer. Do I proceed anyway?

Edited by Nisheeth, 07 December 2012 - 12:15 PM.


#6 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 07 December 2012 - 12:30 PM

Yes, proceed.

#7 Nisheeth (Topic Starter, Members)

Posted 07 December 2012 - 01:11 PM

After running combofix, I have Windows firewall, security center and system restore back up and operational. However, Security Essentials still gives me the same error as before, "The specified service does not exist as an installed service", and refuses to start. Log for combofix is appended below.

ComboFix 12-12-04.01 - Administrator 12/07/2012 23:17:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1667 [GMT 5.5:30]
Running from: c:\downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
C:\Install.exe
c:\windows\$NtUninstallKB51731$
c:\windows\$NtUninstallKB51731$\1180863303
c:\windows\$NtUninstallKB51731$\2576044952\@
c:\windows\$NtUninstallKB51731$\2576044952\Desktop.ini
c:\windows\$NtUninstallKB51731$\2576044952\L\00000004.@
c:\windows\$NtUninstallKB51731$\2576044952\L\201d3dde
c:\windows\$NtUninstallKB51731$\2576044952\L\4cce1f70
c:\windows\$NtUninstallKB51731$\2576044952\L\iwmurmtj
c:\windows\$NtUninstallKB51731$\2576044952\U\00000004.@
c:\windows\$NtUninstallKB51731$\2576044952\U\00000008.@
c:\windows\$NtUninstallKB51731$\2576044952\U\000000cb.@
c:\windows\$NtUninstallKB51731$\2576044952\U\80000000.@
c:\windows\$NtUninstallKB51731$\2576044952\U\80000032.@
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\29a345509d2a13dc.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))
.
.
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\windows\system32\xircom
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\windows\system32\wbem\snmp
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\program files\microsoft frontpage
2012-12-07 17:45 . 2011-10-02 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-12-04 14:56 . 2012-12-04 14:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-12-04 14:35 . 2012-12-04 14:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-12-04 14:35 . 2012-12-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-12-03 16:01 . 2012-12-03 16:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-12-03 15:17 . 2012-12-03 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Windows Codecs
2012-12-03 15:17 . 2012-12-03 15:18 -------- d-----w- c:\program files\Mega Codec Pack
2012-12-02 09:45 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56A74965-A106-4898-B528-4CC521713E2A}\mpengine.dll
2012-12-01 10:15 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-26 14:52 . 2012-11-26 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZTEEVDO
2012-11-26 14:49 . 2011-12-25 10:12 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
2012-11-26 14:49 . 2012-11-26 14:49 -------- d-----w- c:\program files\MBlaze UI
2012-11-23 04:27 . 2012-11-23 04:27 -------- d-----w- c:\program files\Common Files\Skype
2012-11-22 05:04 . 2012-11-22 05:04 5885632 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-11-16 07:48 . 2012-11-16 07:48 -------- d-----w- C:\Codemasters
2012-11-16 07:46 . 2012-11-16 07:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2012-11-16 07:44 . 1998-07-26 17:03 183808 ----a-w- c:\windows\system\qmdx.dll
2012-11-14 03:48 . 2012-10-02 18:04 58368 ------w- c:\windows\system32\dllcache\synceng.dll
2012-11-13 11:27 . 2012-11-13 11:27 -------- d-----w- c:\documents and settings\Administrator\Logs
2012-11-12 14:12 . 2012-11-12 14:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Games
2012-11-12 13:59 . 2012-11-12 13:59 -------- d-----w- c:\program files\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-10 02:44 . 2012-06-04 20:29 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-10 02:44 . 2011-10-02 12:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:43 . 2011-10-02 12:00 1875328 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2011-10-02 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-24 17:46 . 2012-10-19 01:39 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-28 11:36 . 2012-10-28 11:35 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-02 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Windows Codecs]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-12-03 15:17 172032 ----a-w- c:\documents and settings\All Users\Application Data\Windows Codecs\MediaShellOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-11-08 16070136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-04-27 15496000]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-04-27 1634112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2012-5-25 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2012-09-20 01:57 444904 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 12:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeAC]
2012-04-25 08:27 1328976 ----a-w- c:\program files\FreeAlarmClock\FreeAlarmClock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MindfulClock]
2008-02-21 15:49 442368 ----a-w- c:\program files\MindfulClock\Mfclock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-06-05 07:36 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 iastor2;iastor2;c:\windows\system32\drivers\iastor2.sys [10/2/2011 5:30 PM 277784]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [10/2/2011 5:30 PM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [10/2/2011 5:30 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [10/2/2011 5:30 PM 13616]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/3/2012 4:12 AM 691696]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [10/4/2012 3:04 AM 135168]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 10:29 AM 3290304]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]
R2 UDisk Monitor;UDisk Monitor;c:\program files\MBlaze UI\bin\MonServiceUDisk.exe [11/26/2012 8:19 PM 512000]
R2 XMail;XMail Server;c:\program files\Drupal\xmail\XMail.exe [7/9/2012 4:46 AM 397824]
R3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [10/4/2012 3:04 AM 103424]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [9/18/2012 6:50 PM 25088]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [11/26/2012 8:19 PM 105472]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\AdobeAAMUpdater-1.0-EXPERIEN-BAA70F-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-09-20 01:57]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-02 22:42]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-02 22:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0C10BCF8-5042-48A0-B30F-4A6BA761000D}: NameServer = 4.4.4.4,8.8.8.8
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vi5jx70l.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
HKLM-Run-Driver Genius - (no file)
SafeBoot-MsMpSvc
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-07 23:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-57989841-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,68,02,17,ed,36,4e,46,af,1a,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,68,02,17,ed,36,4e,46,af,1a,bf,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\06\01\04\16\15\13?"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (A B C D 2 3 5 6) (Everyone)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3080)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\windows\system32\StacSV.exe
c:\windows\system32\SearchIndexer.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-12-07 23:35:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-07 18:05
.
Pre-Run: 28,725,440,512 bytes free
Post-Run: 29,305,212,928 bytes free
.
- - End Of File - - FD290F4EE967867517297392E8521A9E
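The "Other Deletions" list above shows the on-disk layout the 2012 ZeroAccess (Sirefef) variant used: a folder named like a hotfix uninstall directory (`$NtUninstallKB51731$`) holding a numeric subfolder with an `@` file, a `Desktop.ini`, and `L` and `U` subfolders whose module files are named with eight hex digits and the `.@` extension. The same post reports that the Security Essentials service no longer exists, and ComboFix lists BITS as newly created, which matches the thread's earlier symptoms of the Security Center and firewall services being gone. As an added example (not ComboFix's or RogueKiller's code), the script below classifies such paths, insisting on the full `@`/`L`/`U` layout before calling a folder a confident hit because genuine `$NtUninstallKBnnnnnn$` folders are created by hotfix installers, and checks `sc query` output for the services this thread shows being knocked out. The path list and the `sc query` excerpt are constructed from the log above; the expected-service mapping is my assumption.

```python
"""Classify ComboFix deletion paths for the ZeroAccess on-disk layout and check for removed
security services. Added example; not ComboFix or RogueKiller code."""
import re
from collections import defaultdict

# ZeroAccess (Sirefef) 2012 layout: <windir>\$NtUninstallKB<digits>$\<digits>\ holding an '@'
# file, Desktop.ini, and 'L' and 'U' subfolders with 8-hex-digit '*.@' module files. A genuine
# $NtUninstallKBnnnnnn$ folder holds a spuninst\ subfolder and backed-up files, not this layout.
ZA_ROOT_RE = re.compile(r"^(?P<root>[a-z]:\\windows\\\$ntuninstallkb\d+\$\\\d+)(?P<rest>\\.*)?$", re.I)
ZA_MODULE_RE = re.compile(r"^\\[LU]\\[0-9a-f]{8}\.@$", re.I)

# Paths copied from the ComboFix log above (constructed sample input for this example).
SAMPLE_DELETIONS = [
    r"c:\documents and settings\Administrator\WINDOWS",
    r"C:\Install.exe",
    r"c:\windows\$NtUninstallKB51731$",
    r"c:\windows\$NtUninstallKB51731$\1180863303",
    r"c:\windows\$NtUninstallKB51731$\2576044952\@",
    r"c:\windows\$NtUninstallKB51731$\2576044952\Desktop.ini",
    r"c:\windows\$NtUninstallKB51731$\2576044952\L\00000004.@",
    r"c:\windows\$NtUninstallKB51731$\2576044952\L\201d3dde",
    r"c:\windows\$NtUninstallKB51731$\2576044952\L\iwmurmtj",
    r"c:\windows\$NtUninstallKB51731$\2576044952\U\00000004.@",
    r"c:\windows\$NtUninstallKB51731$\2576044952\U\00000008.@",
    r"c:\windows\$NtUninstallKB51731$\2576044952\U\000000cb.@",
    r"c:\windows\$NtUninstallKB51731$\2576044952\U\80000000.@",
    r"c:\windows\$NtUninstallKB51731$\2576044952\U\80000032.@",
    r"c:\windows\system32\Cache\272512937d9e61a4.fb",
]


def classify_zeroaccess_paths(paths):
    """Group paths under ZeroAccess-style roots; a root is 'confident' only with the full @/L/U layout."""
    roots = defaultdict(lambda: {"markers": set(), "modules": set(), "other": []})
    for path in paths:
        m = ZA_ROOT_RE.match(path.strip())
        if not m:
            continue
        info = roots[m.group("root").lower()]
        rest = m.group("rest") or ""
        if rest == "":
            info["markers"].add("dir")
        elif rest.lower() == r"\@":
            info["markers"].add("@")
        elif rest.lower() == r"\desktop.ini":
            info["markers"].add("desktop.ini")
        elif ZA_MODULE_RE.match(rest):
            info["markers"].add(rest[1].upper())   # 'L' or 'U'
            info["modules"].add(rest[3:].lower())  # e.g. 80000032.@
        else:
            info["other"].append(rest)             # e.g. \L\201d3dde, kept for review
    return {
        root: {
            "confident": {"@", "L", "U"} <= info["markers"],
            "modules": sorted(info["modules"]),
            "other": info["other"],
        }
        for root, info in roots.items()
    }


# XP service names for the components this thread shows being knocked out.
# Assumption: this mapping is mine; extend it for the environment being checked.
EXPECTED_SERVICES = {
    "wscsvc": "Security Center",
    "SharedAccess": "Windows Firewall/ICS",
    "BITS": "Background Intelligent Transfer Service",
    "MsMpSvc": "Microsoft Security Essentials",
}

# Constructed excerpt of 'sc query type= service state= all' output; MsMpSvc is absent.
SAMPLE_SC_QUERY = """
SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
        STATE              : 4  RUNNING

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
        STATE              : 4  RUNNING

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        STATE              : 4  RUNNING
"""


def missing_services(sc_query_output):
    """Return expected service names that do not appear at all in 'sc query' output."""
    present = {n.lower() for n in re.findall(r"^SERVICE_NAME:\s*(\S+)", sc_query_output, re.M)}
    return sorted(name for name in EXPECTED_SERVICES if name.lower() not in present)


if __name__ == "__main__":
    for root, info in classify_zeroaccess_paths(SAMPLE_DELETIONS).items():
        print(root, "confident" if info["confident"] else "partial", info["modules"])
    print("missing services:", missing_services(SAMPLE_SC_QUERY))
```

On the sample the `2576044952` subfolder is a confident hit with five module files, the `1180863303` subfolder is only a partial match (a bare directory), and the `system32\Cache` entries are not matched at all, since nothing on this page ties them to the infection. A service that is absent from `sc query` output, as opposed to merely stopped, is exactly the "does not exist as an installed service" symptom the poster reports and has to be reinstalled rather than restarted.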

#8 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 07 December 2012 - 02:41 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#9 Nisheeth (Topic Starter, Members)

Posted 07 December 2012 - 09:36 PM

TDSSKiller log:

07:09:27.0171 3864 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
07:09:29.0171 3864 ============================================================
07:09:29.0171 3864 Current date / time: 2012/12/08 07:09:29.0171
07:09:29.0171 3864 SystemInfo:
07:09:29.0171 3864
07:09:29.0171 3864 OS Version: 5.1.2600 ServicePack: 3.0
07:09:29.0171 3864 Product type: Workstation
07:09:29.0171 3864 ComputerName: EXPERIEN-BAA70F
07:09:29.0171 3864 UserName: Administrator
07:09:29.0171 3864 Windows directory: C:\WINDOWS
07:09:29.0171 3864 System windows directory: C:\WINDOWS
07:09:29.0171 3864 Processor architecture: Intel x86
07:09:29.0171 3864 Number of processors: 2
07:09:29.0171 3864 Page size: 0x1000
07:09:29.0171 3864 Boot type: Normal boot
07:09:29.0171 3864 ============================================================
07:09:29.0531 3864 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
07:09:29.0546 3864 ============================================================
07:09:29.0546 3864 \Device\Harddisk0\DR0:
07:09:29.0562 3864 MBR partitions:
07:09:29.0562 3864 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF93782
07:09:29.0562 3864 ============================================================
07:09:29.0609 3864 C: <-> \Device\Harddisk0\DR0\Partition1
07:09:29.0625 3864 ============================================================
07:09:29.0625 3864 Initialize success
07:09:29.0625 3864 ============================================================
07:09:36.0890 3408 ============================================================
07:09:36.0890 3408 Scan started
07:09:36.0890 3408 Mode: Manual;
07:09:36.0890 3408 ============================================================
07:09:37.0031 3408 ================ Scan system memory ========================
07:09:37.0031 3408 System memory - ok
07:09:37.0031 3408 ================ Scan services =============================
07:09:37.0859 3408 Abiosdsk - ok
07:09:37.0859 3408 abp480n5 - ok
07:09:37.0890 3408 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:09:37.0890 3408 ACPI - ok
07:09:37.0906 3408 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
07:09:37.0906 3408 ACPIEC - ok
07:09:37.0906 3408 adpu160m - ok
07:09:37.0937 3408 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
07:09:37.0937 3408 aec - ok
07:09:37.0953 3408 [ F6B7B1ECD7B41736BDB6FF4B092BCB79 ] AFD C:\WINDOWS\System32\drivers\afd.sys
07:09:37.0953 3408 AFD - ok
07:09:37.0968 3408 Aha154x - ok
07:09:37.0968 3408 aic78u2 - ok
07:09:37.0968 3408 aic78xx - ok
07:09:37.0984 3408 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
07:09:37.0984 3408 Alerter - ok
07:09:37.0984 3408 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
07:09:37.0984 3408 ALG - ok
07:09:37.0984 3408 AliIde - ok
07:09:38.0000 3408 amsint - ok
07:09:38.0015 3408 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
07:09:38.0015 3408 AppMgmt - ok
07:09:38.0031 3408 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
07:09:38.0031 3408 Arp1394 - ok
07:09:38.0031 3408 asc - ok
07:09:38.0031 3408 asc3350p - ok
07:09:38.0031 3408 asc3550 - ok
07:09:38.0234 3408 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
07:09:38.0234 3408 aspnet_state - ok
07:09:38.0265 3408 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
07:09:38.0265 3408 AsyncMac - ok
07:09:38.0281 3408 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
07:09:38.0281 3408 atapi - ok
07:09:38.0281 3408 Atdisk - ok
07:09:38.0296 3408 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
07:09:38.0296 3408 Atmarpc - ok
07:09:38.0312 3408 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
07:09:38.0312 3408 AudioSrv - ok
07:09:38.0343 3408 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
07:09:38.0343 3408 audstub - ok
07:09:38.0359 3408 [ 6F7911F3E674363A91541E097F49B633 ] b57w2k C:\WINDOWS\system32\DRIVERS\b57xp32.sys
07:09:38.0359 3408 b57w2k - ok
07:09:38.0453 3408 [ B6383446C911E285147F343D9FF04AFE ] BCM43XX C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
07:09:38.0531 3408 BCM43XX - ok
07:09:38.0546 3408 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
07:09:38.0546 3408 Beep - ok
07:09:38.0593 3408 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
07:09:38.0593 3408 BITS - ok
07:09:38.0625 3408 [ FC6D1D80588D371F0321E15A75B2F8F2 ] Browser C:\WINDOWS\System32\browser.dll
07:09:38.0625 3408 Browser - ok
07:09:38.0625 3408 catchme - ok
07:09:38.0656 3408 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
07:09:38.0656 3408 cbidf2k - ok
07:09:38.0687 3408 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
07:09:38.0687 3408 CCDECODE - ok
07:09:38.0687 3408 cd20xrnt - ok
07:09:38.0687 3408 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
07:09:38.0687 3408 Cdaudio - ok
07:09:38.0734 3408 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
07:09:38.0734 3408 Cdfs - ok
07:09:38.0750 3408 [ 4B0A100EAF5C49EF3CCA8C641431EACC ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
07:09:38.0750 3408 Cdrom - ok
07:09:38.0796 3408 [ 26DF7F19F261E6BF71B66FC0597B80EB ] Change Modem Device Service C:\WINDOWS\system32\ChgService.exe
07:09:38.0796 3408 Change Modem Device Service - ok
07:09:38.0812 3408 Changer - ok
07:09:38.0843 3408 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
07:09:38.0843 3408 CiSvc - ok
07:09:38.0843 3408 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
07:09:38.0843 3408 ClipSrv - ok
07:09:38.0859 3408 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
07:09:38.0921 3408 clr_optimization_v2.0.50727_32 - ok
07:09:38.0953 3408 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
07:09:38.0953 3408 CmBatt - ok
07:09:38.0953 3408 CmdIde - ok
07:09:38.0984 3408 [ 675D67423980FC1784B93AA47D350A31 ] cmnsusbser C:\WINDOWS\system32\DRIVERS\cmnsusbser.sys
07:09:38.0984 3408 cmnsusbser - ok
07:09:39.0000 3408 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
07:09:39.0000 3408 Compbatt - ok
07:09:39.0015 3408 COMSysApp - ok
07:09:39.0015 3408 Cpqarray - ok
07:09:39.0046 3408 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
07:09:39.0046 3408 CryptSvc - ok
07:09:39.0046 3408 dac2w2k - ok
07:09:39.0062 3408 dac960nt - ok
07:09:39.0093 3408 [ 9222562D44021B988B9F9F62207FB6F2 ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
07:09:39.0093 3408 DcomLaunch - ok
07:09:39.0125 3408 [ C51DE19619D50CBD03708647ACA10E70 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
07:09:39.0125 3408 Dhcp - ok
07:09:39.0140 3408 [ 47B6AAEC570F2C11D8BAD80A064D8ED1 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
07:09:39.0140 3408 Disk - ok
07:09:39.0140 3408 dmadmin - ok
07:09:39.0171 3408 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
07:09:39.0203 3408 dmboot - ok
07:09:39.0218 3408 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
07:09:39.0218 3408 dmio - ok
07:09:39.0250 3408 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
07:09:39.0250 3408 dmload - ok
07:09:39.0265 3408 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
07:09:39.0265 3408 dmserver - ok
07:09:39.0281 3408 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
07:09:39.0281 3408 DMusic - ok
07:09:39.0296 3408 [ D977659AE4D8ECE5286D99D1ED34614D ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
07:09:39.0296 3408 Dnscache - ok
07:09:39.0328 3408 [ B4109C8C3D54C83246997A777724F318 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
07:09:39.0328 3408 Dot3svc - ok
07:09:39.0328 3408 dpti2o - ok
07:09:39.0328 3408 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
07:09:39.0328 3408 drmkaud - ok
07:09:39.0359 3408 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
07:09:39.0359 3408 EapHost - ok
07:09:39.0375 3408 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
07:09:39.0375 3408 ERSvc - ok
07:09:39.0406 3408 [ C519E15665CD89A91AD383FCE3CB556A ] Eventlog C:\WINDOWS\system32\services.exe
07:09:39.0406 3408 Eventlog - ok
07:09:39.0453 3408 [ F17F6226BDC0CD5F0BEF0DAF84D29BEC ] EventSystem C:\WINDOWS\system32\es.dll
07:09:39.0453 3408 EventSystem - ok
07:09:39.0484 3408 [ 4D893323DAE445E34A4C9038B0551BC9 ] exFat C:\WINDOWS\system32\drivers\exFat.sys
07:09:39.0484 3408 exFat - ok
07:09:39.0515 3408 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
07:09:39.0515 3408 Fastfat - ok
07:09:39.0531 3408 [ 888CD7B39C37E13A2419BECFAAF0A28C ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
07:09:39.0546 3408 FastUserSwitchingCompatibility - ok
07:09:39.0546 3408 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
07:09:39.0546 3408 Fdc - ok
07:09:39.0546 3408 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
07:09:39.0562 3408 Fips - ok
07:09:39.0562 3408 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
07:09:39.0562 3408 Flpydisk - ok
07:09:39.0578 3408 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
07:09:39.0593 3408 FltMgr - ok
07:09:39.0625 3408 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
07:09:39.0625 3408 FontCache3.0.0.0 - ok
07:09:39.0656 3408 [ E0087225B137E57239FF40F8AE82059B ] fssfltr C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
07:09:39.0656 3408 fssfltr - ok
07:09:39.0796 3408 [ 45B52394F9624237F33A8A3D73C0B221 ] fsssvc C:\Program Files\Windows Live\Family Safety\fsssvc.exe
07:09:39.0843 3408 fsssvc - ok
07:09:39.0875 3408 [ 30D42943A54704EF13E2562911DBFCEA ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
07:09:39.0875 3408 Fs_Rec - ok
07:09:39.0890 3408 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
07:09:39.0890 3408 Ftdisk - ok
07:09:39.0906 3408 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
07:09:39.0906 3408 Gpc - ok
07:09:39.0953 3408 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
07:09:39.0968 3408 gupdate - ok
07:09:39.0968 3408 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
07:09:39.0968 3408 gupdatem - ok
07:09:40.0000 3408 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
07:09:40.0000 3408 HDAudBus - ok
07:09:40.0046 3408 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
07:09:40.0046 3408 helpsvc - ok
07:09:40.0046 3408 HidServ - ok
07:09:40.0078 3408 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
07:09:40.0078 3408 HidUsb - ok
07:09:40.0109 3408 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
07:09:40.0109 3408 hkmsvc - ok
07:09:40.0109 3408 hpn - ok
07:09:40.0125 3408 [ 937031C085718C1C04A9C0864625EC6B ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
07:09:40.0140 3408 HTTP - ok
07:09:40.0171 3408 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
07:09:40.0171 3408 HTTPFilter - ok
07:09:40.0171 3408 i2omgmt - ok
07:09:40.0171 3408 i2omp - ok
07:09:40.0203 3408 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
07:09:40.0203 3408 i8042prt - ok
07:09:40.0218 3408 [ E5A0034847537EAEE3C00349D5C34C5F ] iaStor C:\WINDOWS\system32\DRIVERS\iaStor.sys
07:09:40.0218 3408 iaStor - ok
07:09:40.0250 3408 [ FD7F9D74C2B35DBDA400804A3F5ED5D8 ] iastor2 C:\WINDOWS\system32\drivers\iastor2.sys
07:09:40.0265 3408 iastor2 - ok
07:09:40.0328 3408 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
07:09:40.0375 3408 idsvc - ok
07:09:40.0406 3408 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
07:09:40.0406 3408 Imapi - ok
07:09:40.0421 3408 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
07:09:40.0421 3408 ImapiService - ok
07:09:40.0421 3408 ini910u - ok
07:09:40.0421 3408 IntelIde - ok
07:09:40.0437 3408 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
07:09:40.0437 3408 intelppm - ok
07:09:40.0453 3408 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
07:09:40.0453 3408 Ip6Fw - ok
07:09:40.0484 3408 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
07:09:40.0484 3408 IpFilterDriver - ok
07:09:40.0484 3408 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
07:09:40.0484 3408 IpInIp - ok
07:09:40.0500 3408 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
07:09:40.0500 3408 IpNat - ok
07:09:40.0546 3408 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
07:09:40.0562 3408 IPSec - ok
07:09:40.0593 3408 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
07:09:40.0593 3408 IRENUM - ok
07:09:40.0625 3408 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
07:09:40.0625 3408 isapnp - ok
07:09:40.0734 3408 [ B591E761161D1EF547D76EF236EAA6A5 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
07:09:40.0734 3408 JavaQuickStarterService - ok
07:09:40.0765 3408 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
07:09:40.0765 3408 Kbdclass - ok
07:09:40.0796 3408 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
07:09:40.0796 3408 kbdhid - ok
07:09:40.0812 3408 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
07:09:40.0812 3408 kmixer - ok
07:09:40.0843 3408 [ C6EBF1D6AD71DF30DB49B8D3287E1368 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
07:09:40.0843 3408 KSecDD - ok
07:09:40.0859 3408 [ 3695B8D03745B2F8022B161238347A9D ] LanmanServer C:\WINDOWS\System32\srvsvc.dll
07:09:40.0875 3408 LanmanServer - ok
07:09:40.0890 3408 [ 3B9324D60DD321BAB7BF6F77931D3FD1 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
07:09:40.0890 3408 lanmanworkstation - ok
07:09:40.0906 3408 lbrtfdc - ok
07:09:40.0937 3408 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
07:09:40.0937 3408 LmHosts - ok
07:09:40.0953 3408 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
07:09:40.0953 3408 Messenger - ok
07:09:41.0093 3408 [ 123271BD5237AB991DC5C21FDF8835EB ] Microsoft Office Groove Audit Service C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
07:09:41.0093 3408 Microsoft Office Groove Audit Service - ok
07:09:41.0125 3408 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
07:09:41.0125 3408 mnmdd - ok
07:09:41.0140 3408 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
07:09:41.0140 3408 mnmsrvc - ok
07:09:41.0156 3408 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
07:09:41.0156 3408 Modem - ok
07:09:41.0187 3408 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
07:09:41.0187 3408 Mouclass - ok
07:09:41.0203 3408 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
07:09:41.0203 3408 mouhid - ok
07:09:41.0218 3408 [ 1A1FAA5102466F418494E94FF9B0B091 ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
07:09:41.0218 3408 MountMgr - ok
07:09:41.0250 3408 [ 8BE15F71DE6FF33FC56DCDE7B2B9EFE8 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
07:09:41.0250 3408 MozillaMaintenance - ok
07:09:41.0265 3408 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
07:09:41.0281 3408 MpFilter - ok
07:09:41.0281 3408 mraid35x - ok
07:09:41.0312 3408 [ 4FEFD389D71126EE581B9F9CB2918BE4 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
07:09:41.0328 3408 MRxDAV - ok
07:09:41.0328 3408 [ FB2FCCC70F7174C7BF64F48E96D3ADF4 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
07:09:41.0343 3408 MRxSmb - ok
07:09:41.0359 3408 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
07:09:41.0359 3408 MSDTC - ok
07:09:41.0375 3408 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
07:09:41.0375 3408 Msfs - ok
07:09:41.0375 3408 MSIServer - ok
07:09:41.0406 3408 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
07:09:41.0406 3408 MSKSSRV - ok
07:09:41.0406 3408 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
07:09:41.0406 3408 MSPCLOCK - ok
07:09:41.0437 3408 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
07:09:41.0437 3408 MSPQM - ok
07:09:41.0468 3408 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
07:09:41.0468 3408 mssmbios - ok
07:09:41.0500 3408 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
07:09:41.0500 3408 MSTEE - ok
07:09:41.0531 3408 [ F7B1AD991491F02AF6DA70B00B8BF114 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
07:09:41.0531 3408 Mup - ok
07:09:41.0531 3408 [ 75B85F6A5CDCCB602EC98E0D37CCC072 ] mv61xxmm C:\WINDOWS\system32\drivers\mv61xxmm.sys
07:09:41.0546 3408 mv61xxmm - ok
07:09:41.0546 3408 [ 6090786DAA545A3EC7D34A46A8CD1661 ] mv64xxmm C:\WINDOWS\system32\drivers\mv64xxmm.sys
07:09:41.0546 3408 mv64xxmm - ok
07:09:41.0546 3408 [ 45A7B1DC4C099AE8D424190A23AA8168 ] mvxxmm C:\WINDOWS\system32\drivers\mvxxmm.sys
07:09:41.0546 3408 mvxxmm - ok
07:09:41.0562 3408 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
07:09:41.0578 3408 NABTSFEC - ok
07:09:41.0609 3408 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
07:09:41.0609 3408 napagent - ok
07:09:41.0640 3408 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
07:09:41.0640 3408 NDIS - ok
07:09:41.0671 3408 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
07:09:41.0671 3408 NdisIP - ok
07:09:41.0671 3408 [ 091735A5F20ACB1DC147383A905AE002 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
07:09:41.0671 3408 NdisTapi - ok
07:09:41.0687 3408 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
07:09:41.0687 3408 Ndisuio - ok
07:09:41.0718 3408 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
07:09:41.0718 3408 NdisWan - ok
07:09:41.0718 3408 [ 816460BD4B4ACD27937D1D0813E2E9E9 ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
07:09:41.0718 3408 NDProxy - ok
07:09:41.0734 3408 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
07:09:41.0734 3408 NetBIOS - ok
07:09:41.0734 3408 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
07:09:41.0734 3408 NetBT - ok
07:09:41.0750 3408 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
07:09:41.0750 3408 NetDDE - ok
07:09:41.0750 3408 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
07:09:41.0765 3408 NetDDEdsdm - ok
07:09:41.0781 3408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
07:09:41.0781 3408 Netlogon - ok
07:09:41.0796 3408 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
07:09:41.0796 3408 Netman - ok
07:09:41.0843 3408 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
07:09:41.0843 3408 NetTcpPortSharing - ok
07:09:41.0875 3408 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
07:09:41.0875 3408 NIC1394 - ok
07:09:41.0906 3408 [ FCEE5FCB99F7C724593365C706D28388 ] Nla C:\WINDOWS\System32\mswsock.dll
07:09:41.0906 3408 Nla - ok
07:09:41.0968 3408 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
07:09:41.0968 3408 Npfs - ok
07:09:41.0984 3408 [ 4C51D5275AE8A16999EDFE7E647D00DE ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
07:09:42.0000 3408 Ntfs - ok
07:09:42.0000 3408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
07:09:42.0000 3408 NtLmSsp - ok
07:09:42.0031 3408 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
07:09:42.0046 3408 NtmsSvc - ok
07:09:42.0062 3408 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
07:09:42.0062 3408 Null - ok
07:09:42.0671 3408 [ 646F8F8A55128B7B031F8F10E78F814E ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
07:09:43.0250 3408 nv - ok
07:09:43.0281 3408 [ E182AE4FDA5C638FE02143E2D50AE5A6 ] NVSvc C:\WINDOWS\system32\nvsvc32.exe
07:09:43.0281 3408 NVSvc - ok
07:09:43.0296 3408 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
07:09:43.0296 3408 NwlnkFlt - ok
07:09:43.0312 3408 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
07:09:43.0312 3408 NwlnkFwd - ok
07:09:43.0343 3408 [ D955D5DE998DB2476BF0892BE3A96C26 ] o2flash C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
07:09:43.0343 3408 o2flash - ok
07:09:43.0453 3408 [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
07:09:43.0453 3408 odserv - ok
07:09:43.0484 3408 [ 2553F7C60B8D291B5A812245E6D4DA6E ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
07:09:43.0484 3408 ohci1394 - ok
07:09:43.0500 3408 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
07:09:43.0515 3408 ose - ok
07:09:43.0546 3408 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
07:09:43.0546 3408 Parport - ok
07:09:43.0562 3408 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
07:09:43.0562 3408 PartMgr - ok
07:09:43.0578 3408 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
07:09:43.0578 3408 ParVdm - ok
07:09:43.0609 3408 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
07:09:43.0609 3408 PCI - ok
07:09:43.0609 3408 PCIDump - ok
07:09:43.0625 3408 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
07:09:43.0625 3408 PCIIde - ok
07:09:43.0656 3408 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
07:09:43.0656 3408 Pcmcia - ok
07:09:43.0656 3408 PDCOMP - ok
07:09:43.0656 3408 PDFRAME - ok
07:09:43.0656 3408 PDRELI - ok
07:09:43.0656 3408 PDRFRAME - ok
07:09:43.0671 3408 perc2 - ok
07:09:43.0671 3408 perc2hib - ok
07:09:43.0687 3408 [ C519E15665CD89A91AD383FCE3CB556A ] PlugPlay C:\WINDOWS\system32\services.exe
07:09:43.0687 3408 PlugPlay - ok
07:09:43.0703 3408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
07:09:43.0703 3408 PolicyAgent - ok
07:09:43.0734 3408 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
07:09:43.0734 3408 PptpMiniport - ok
07:09:43.0734 3408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
07:09:43.0734 3408 ProtectedStorage - ok
07:09:43.0750 3408 [ D8E11D311785F89F1D70A28B0E879127 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
07:09:43.0750 3408 PSched - ok
07:09:43.0765 3408 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
07:09:43.0765 3408 Ptilink - ok
07:09:43.0765 3408 ql1080 - ok
07:09:43.0781 3408 Ql10wnt - ok
07:09:43.0781 3408 ql12160 - ok
07:09:43.0781 3408 ql1240 - ok
07:09:43.0781 3408 ql1280 - ok
07:09:43.0781 3408 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
07:09:43.0781 3408 RasAcd - ok
07:09:43.0796 3408 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
07:09:43.0796 3408 RasAuto - ok
07:09:43.0812 3408 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
07:09:43.0812 3408 Rasl2tp - ok
07:09:43.0812 3408 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
07:09:43.0812 3408 RasMan - ok
07:09:43.0828 3408 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
07:09:43.0843 3408 RasPppoe - ok
07:09:43.0843 3408 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
07:09:43.0843 3408 Raspti - ok
07:09:43.0859 3408 [ 77050C6615F6EB5402F832B27FD695E0 ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
07:09:43.0859 3408 Rdbss - ok
07:09:43.0875 3408 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
07:09:43.0875 3408 RDPCDD - ok
07:09:43.0890 3408 [ 47EA20320E3D6FDC7B7BB22B2B881CA6 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
07:09:43.0890 3408 rdpdr - ok
07:09:43.0937 3408 [ C7D9BC54354B8C706ABF172D48313F1B ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
07:09:43.0937 3408 RDPWD - ok
07:09:44.0000 3408 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
07:09:44.0000 3408 RDSessMgr - ok
07:09:44.0031 3408 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
07:09:44.0031 3408 redbook - ok
07:09:44.0078 3408 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
07:09:44.0078 3408 RemoteAccess - ok
07:09:44.0093 3408 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
07:09:44.0109 3408 RemoteRegistry - ok
07:09:44.0125 3408 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
07:09:44.0125 3408 RpcLocator - ok
07:09:44.0140 3408 [ 9222562D44021B988B9F9F62207FB6F2 ] RpcSs C:\WINDOWS\System32\rpcss.dll
07:09:44.0140 3408 RpcSs - ok
07:09:44.0171 3408 [ 743D7D59767073A617B1DCC6C546F234 ] rspndr C:\WINDOWS\system32\DRIVERS\rspndr.sys
07:09:44.0171 3408 rspndr - ok
07:09:44.0203 3408 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
07:09:44.0203 3408 RSVP - ok
07:09:44.0203 3408 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
07:09:44.0203 3408 SamSs - ok
07:09:44.0234 3408 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
07:09:44.0234 3408 SCardSvr - ok
07:09:44.0265 3408 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
07:09:44.0265 3408 Schedule - ok
07:09:44.0281 3408 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
07:09:44.0281 3408 Secdrv - ok
07:09:44.0296 3408 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
07:09:44.0296 3408 seclogon - ok
07:09:44.0312 3408 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
07:09:44.0312 3408 SENS - ok
07:09:44.0312 3408 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
07:09:44.0312 3408 serenum - ok
07:09:44.0312 3408 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
07:09:44.0328 3408 Serial - ok
07:09:44.0359 3408 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
07:09:44.0359 3408 Sfloppy - ok
07:09:44.0406 3408 [ 4F10A2FA76B5BD54CD68AFA94E8ADB39 ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
07:09:44.0406 3408 SharedAccess - ok
07:09:44.0437 3408 [ 888CD7B39C37E13A2419BECFAAF0A28C ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
07:09:44.0437 3408 ShellHWDetection - ok
07:09:44.0453 3408 Simbad - ok
07:09:44.0640 3408 [ 3740B83AEC21D981065D7E819BD7E878 ] Skype C2C Service C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
07:09:44.0734 3408 Skype C2C Service - ok
07:09:44.0781 3408 [ A4FAB5F7818A69DA6E740943CB8F7CA9 ] SkypeUpdate C:\Program Files\Skype\Updater\Updater.exe
07:09:44.0781 3408 SkypeUpdate - ok
07:09:44.0812 3408 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
07:09:44.0812 3408 SLIP - ok
07:09:44.0828 3408 Sparrow - ok
07:09:44.0843 3408 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
07:09:44.0843 3408 splitter - ok
07:09:44.0859 3408 [ 258DD5D4283FD9F9A7166BE9AE45CE73 ] Spooler C:\WINDOWS\system32\spoolsv.exe
07:09:44.0859 3408 Spooler - ok
07:09:44.0890 3408 [ CDDDEC541BC3C96F91ECB48759673505 ] sptd C:\WINDOWS\system32\Drivers\sptd.sys
07:09:44.0890 3408 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: CDDDEC541BC3C96F91ECB48759673505
07:09:44.0890 3408 sptd ( LockedFile.Multi.Generic ) - warning
07:09:44.0890 3408 sptd - detected LockedFile.Multi.Generic (1)
07:09:44.0921 3408 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
07:09:44.0921 3408 sr - ok
07:09:44.0921 3408 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
07:09:44.0937 3408 srservice - ok
07:09:44.0953 3408 [ 9B390283569EA58D43D2586032B892F5 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
07:09:44.0953 3408 Srv - ok
07:09:44.0968 3408 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
07:09:44.0984 3408 SSDPSRV - ok
07:09:45.0000 3408 [ 6F855B5625A47F3AC731A262FDC379A6 ] STacSV C:\WINDOWS\system32\StacSV.exe
07:09:45.0015 3408 STacSV - ok
07:09:45.0015 3408 Steam Client Service - ok
07:09:45.0062 3408 [ 951801DFB54D86F611F0AF47825476F9 ] STHDA C:\WINDOWS\system32\drivers\sthda.sys
07:09:45.0062 3408 STHDA - ok
07:09:45.0093 3408 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
07:09:45.0109 3408 stisvc - ok
07:09:45.0140 3408 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
07:09:45.0140 3408 streamip - ok
07:09:45.0156 3408 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
07:09:45.0156 3408 swenum - ok
07:09:45.0171 3408 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
07:09:45.0171 3408 swmidi - ok
07:09:45.0171 3408 SwPrv - ok
07:09:45.0171 3408 symc810 - ok
07:09:45.0171 3408 symc8xx - ok
07:09:45.0171 3408 sym_hi - ok
07:09:45.0187 3408 sym_u3 - ok
07:09:45.0187 3408 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
07:09:45.0187 3408 sysaudio - ok
07:09:45.0218 3408 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
07:09:45.0218 3408 SysmonLog - ok
07:09:45.0234 3408 [ E2B32B10ACC5D97623275AAFB67E5F03 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
07:09:45.0234 3408 TapiSrv - ok
07:09:45.0265 3408 [ EA22DA5C7AE7192A12E37A7C546220C6 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
07:09:45.0281 3408 Tcpip - ok
07:09:45.0296 3408 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
07:09:45.0296 3408 TDPIPE - ok
07:09:45.0312 3408 [ C0578456F29E5F26285F81B7B71FE57D ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
07:09:45.0312 3408 TDTCP - ok
07:09:45.0343 3408 [ 9101FFFCFCCD1A30E870A5B8A9091B10 ] teamviewervpn C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys
07:09:45.0343 3408 teamviewervpn - ok
07:09:45.0343 3408 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
07:09:45.0359 3408 TermDD - ok
07:09:45.0406 3408 [ 5128852A18AE46C387F87BF27DA4C9DD ] TermService C:\WINDOWS\System32\termsrv.dll
07:09:45.0421 3408 TermService - ok
07:09:45.0437 3408 [ 888CD7B39C37E13A2419BECFAAF0A28C ] Themes C:\WINDOWS\System32\shsvcs.dll
07:09:45.0437 3408 Themes - ok
07:09:45.0468 3408 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
07:09:45.0468 3408 TlntSvr - ok
07:09:45.0468 3408 TosIde - ok
07:09:45.0468 3408 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
07:09:45.0484 3408 TrkWks - ok
07:09:45.0515 3408 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
07:09:45.0515 3408 Udfs - ok
07:09:45.0593 3408 [ EA5618CA62A80DEDD75F56DF5405BC6C ] UDisk Monitor C:\Program Files\MBlaze UI\bin\MonServiceUDisk.exe
07:09:45.0609 3408 UDisk Monitor - ok
07:09:45.0609 3408 ultra - ok
07:09:45.0640 3408 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
07:09:45.0640 3408 Update - ok
07:09:45.0671 3408 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
07:09:45.0687 3408 upnphost - ok
07:09:45.0687 3408 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
07:09:45.0687 3408 UPS - ok
07:09:45.0718 3408 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
07:09:45.0718 3408 usbaudio - ok
07:09:45.0734 3408 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
07:09:45.0734 3408 usbccgp - ok
07:09:45.0750 3408 [ 64CA8ED4B0980AAE46BEB3727046E860 ] USBCCID C:\WINDOWS\system32\DRIVERS\usbccid.sys
07:09:45.0765 3408 USBCCID - ok
07:09:45.0781 3408 [ 52674B5DBEE499342A599C7771ABECAA ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
07:09:45.0781 3408 usbehci - ok
07:09:45.0781 3408 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
07:09:45.0781 3408 usbhub - ok
07:09:45.0812 3408 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
07:09:45.0812 3408 USBSTOR - ok
07:09:45.0828 3408 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
07:09:45.0828 3408 usbuhci - ok
07:09:45.0843 3408 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
07:09:45.0843 3408 usbvideo - ok
07:09:45.0890 3408 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
07:09:45.0890 3408 VgaSave - ok
07:09:45.0890 3408 ViaIde - ok
07:09:45.0890 3408 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
07:09:45.0890 3408 VolSnap - ok
07:09:45.0906 3408 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
07:09:45.0921 3408 VSS - ok
07:09:45.0921 3408 [ 9F8A0D0CBB2FA265A754516128C00E22 ] W32Time C:\WINDOWS\system32\w32time.dll
07:09:45.0937 3408 W32Time - ok
07:09:45.0937 3408 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
07:09:45.0937 3408 Wanarp - ok
07:09:45.0937 3408 WDICA - ok
07:09:45.0953 3408 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
07:09:45.0953 3408 wdmaud - ok
07:09:45.0984 3408 [ 703591CD1403BC19E7198CA7B314E132 ] WebClient C:\WINDOWS\System32\webclnt.dll
07:09:45.0984 3408 WebClient - ok
07:09:46.0062 3408 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
07:09:46.0062 3408 winmgmt - ok
07:09:46.0093 3408 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
07:09:46.0093 3408 WmdmPmSN - ok
07:09:46.0125 3408 [ C8A6C82F90B055149925DC7526B2D78C ] Wmi C:\WINDOWS\System32\advapi32.dll
07:09:46.0140 3408 Wmi - ok
07:09:46.0140 3408 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
07:09:46.0140 3408 WmiAcpi - ok
07:09:46.0187 3408 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
07:09:46.0187 3408 WmiApSrv - ok
07:09:46.0250 3408 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
07:09:46.0265 3408 WMPNetworkSvc - ok
07:09:46.0296 3408 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
07:09:46.0296 3408 WpdUsb - ok
07:09:46.0312 3408 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
07:09:46.0312 3408 WS2IFSL - ok
07:09:46.0343 3408 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
07:09:46.0343 3408 wscsvc - ok
07:09:46.0343 3408 WSearch - ok
07:09:46.0375 3408 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
07:09:46.0375 3408 WSTCODEC - ok
07:09:46.0390 3408 [ FC1E3B06AE8D160B686C5D04B5E85371 ] wuauserv C:\WINDOWS\system32\wuauserv.dll
07:09:46.0390 3408 wuauserv - ok
07:09:46.0406 3408 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
07:09:46.0406 3408 WudfPf - ok
07:09:46.0421 3408 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
07:09:46.0437 3408 WudfRd - ok
07:09:46.0437 3408 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
07:09:46.0453 3408 WudfSvc - ok
07:09:46.0468 3408 [ 349B8D2BB755E8C3B0E3E82A87663E55 ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
07:09:46.0484 3408 WZCSVC - ok
07:09:46.0703 3408 [ 1619A3283D9125D44116A1EE9143E035 ] XMail C:\Program Files\Drupal\xmail\XMail.exe
07:09:46.0718 3408 XMail - ok
07:09:46.0765 3408 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
07:09:46.0765 3408 xmlprov - ok
07:09:46.0796 3408 [ 4B6DFADD45C19AD43FD56B965EFD2DC3 ] ztemtusbser C:\WINDOWS\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys
07:09:46.0796 3408 ztemtusbser - ok
07:09:46.0812 3408 ================ Scan global ===============================
07:09:46.0828 3408 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
07:09:46.0859 3408 [ B23423313519C522E0E73BA170D3CE71 ] C:\WINDOWS\system32\winsrv.dll
07:09:46.0875 3408 [ B23423313519C522E0E73BA170D3CE71 ] C:\WINDOWS\system32\winsrv.dll
07:09:46.0890 3408 [ C519E15665CD89A91AD383FCE3CB556A ] C:\WINDOWS\system32\services.exe
07:09:46.0890 3408 [Global] - ok
07:09:46.0890 3408 ================ Scan MBR ==================================
07:09:46.0906 3408 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
07:09:47.0109 3408 \Device\Harddisk0\DR0 - ok
07:09:47.0109 3408 ================ Scan VBR ==================================
07:09:47.0109 3408 [ 7552CC29C337BBDB1AF3E7E94BB007EA ] \Device\Harddisk0\DR0\Partition1
07:09:47.0109 3408 \Device\Harddisk0\DR0\Partition1 - ok
07:09:47.0109 3408 ============================================================
07:09:47.0109 3408 Scan finished
07:09:47.0109 3408 ============================================================
07:09:47.0125 1688 Detected object count: 1
07:09:47.0125 1688 Actual detected object count: 1
07:10:27.0640 1688 sptd ( LockedFile.Multi.Generic ) - skipped by user
07:10:27.0640 1688 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

aswMBR log:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-08 07:13:46
-----------------------------
07:13:46.718 OS Version: Windows 5.1.2600 Service Pack 3
07:13:46.718 Number of processors: 2 586 0xF0B
07:13:46.718 ComputerName: EXPERIEN-BAA70F UserName: Administrator
07:13:47.171 Initialize success
08:03:54.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:03:54.437 Disk 0 Vendor: ST912082 3.AD Size: 114473MB BusType: 3
08:03:54.484 Disk 0 MBR read successfully
08:03:54.484 Disk 0 MBR scan
08:03:54.484 Disk 0 Windows XP default MBR code
08:03:54.484 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114470 MB offset 63
08:03:54.484 Disk 0 scanning sectors +234436545
08:03:54.546 Disk 0 scanning C:\WINDOWS\system32\drivers
08:03:58.359 Service scanning
08:04:05.531 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
08:04:08.578 Modules scanning
08:04:16.718 Disk 0 trace - called modules:
08:04:16.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spbz.sys hal.dll >>UNKNOWN [0x8a08e938]<<
08:04:16.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ff3420]
08:04:16.765 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x89fd8030]
08:04:16.781 Scan finished successfully
08:04:28.968 Disk 0 MBR has been saved successfully to "C:\Downloads\MBR.dat"
08:04:29.015 The log file has been saved successfully to "C:\Downloads\aswMBR.txt"

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2012 - 09:43 PM

Greetings
At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Nisheeth

  • Topic Starter
  • Members
  • 17 posts

Posted 07 December 2012 - 10:16 PM

Log from Combofix appended below. No difficulty in getting it to run. However, MSE still won't start. Also, Combofix doesn't seem to have done anything about the sptd suspicious file that the other two programs fingered.

ComboFix 12-12-07.01 - Administrator 12/08/2012 8:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1587 [GMT 5.5:30]
Running from: c:\downloads\ComboFix.exe
Command switches used :: c:\downloads\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-08 to 2012-12-08 )))))))))))))))))))))))))))))))
.
.
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\windows\system32\xircom
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\windows\system32\wbem\snmp
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\program files\microsoft frontpage
2012-12-07 17:45 . 2011-10-02 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-12-04 14:56 . 2012-12-04 14:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-12-04 14:35 . 2012-12-04 14:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-12-04 14:35 . 2012-12-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-12-03 16:01 . 2012-12-03 16:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-12-03 15:17 . 2012-12-03 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Windows Codecs
2012-12-03 15:17 . 2012-12-03 15:18 -------- d-----w- c:\program files\Mega Codec Pack
2012-12-02 09:45 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56A74965-A106-4898-B528-4CC521713E2A}\mpengine.dll
2012-12-01 10:15 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-26 14:52 . 2012-11-26 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZTEEVDO
2012-11-26 14:49 . 2011-12-25 10:12 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
2012-11-26 14:49 . 2012-11-26 14:49 -------- d-----w- c:\program files\MBlaze UI
2012-11-23 04:27 . 2012-11-23 04:27 -------- d-----w- c:\program files\Common Files\Skype
2012-11-22 05:04 . 2012-11-22 05:04 5885632 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-11-16 07:48 . 2012-11-16 07:48 -------- d-----w- C:\Codemasters
2012-11-16 07:46 . 2012-11-16 07:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2012-11-16 07:44 . 1998-07-26 17:03 183808 ----a-w- c:\windows\system\qmdx.dll
2012-11-14 03:48 . 2012-10-02 18:04 58368 ------w- c:\windows\system32\dllcache\synceng.dll
2012-11-13 11:27 . 2012-11-13 11:27 -------- d-----w- c:\documents and settings\Administrator\Logs
2012-11-12 14:12 . 2012-11-12 14:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Games
2012-11-12 13:59 . 2012-11-12 13:59 -------- d-----w- c:\program files\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-10 02:44 . 2012-06-04 20:29 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-10 02:44 . 2011-10-02 12:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:43 . 2011-10-02 12:00 1875328 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2011-10-02 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-24 17:46 . 2012-10-19 01:39 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-28 11:36 . 2012-10-28 11:35 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-02 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Windows Codecs]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-12-03 15:17 172032 ----a-w- c:\documents and settings\All Users\Application Data\Windows Codecs\MediaShellOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-11-08 16070136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-04-27 15496000]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-04-27 1634112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2012-5-25 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2012-09-20 01:57 444904 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 12:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeAC]
2012-04-25 08:27 1328976 ----a-w- c:\program files\FreeAlarmClock\FreeAlarmClock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MindfulClock]
2008-02-21 15:49 442368 ----a-w- c:\program files\MindfulClock\Mfclock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-06-05 07:36 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 iastor2;iastor2;c:\windows\system32\drivers\iastor2.sys [10/2/2011 5:30 PM 277784]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [10/2/2011 5:30 PM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [10/2/2011 5:30 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [10/2/2011 5:30 PM 13616]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/3/2012 4:12 AM 691696]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [9/18/2012 6:50 PM 25088]
S2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [10/4/2012 3:04 AM 135168]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 10:29 AM 3290304]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]
S2 UDisk Monitor;UDisk Monitor;c:\program files\MBlaze UI\bin\MonServiceUDisk.exe [11/26/2012 8:19 PM 512000]
S2 XMail;XMail Server;c:\program files\Drupal\xmail\XMail.exe [7/9/2012 4:46 AM 397824]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [10/4/2012 3:04 AM 103424]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [11/26/2012 8:19 PM 105472]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 18137831
*Deregistered* - 18137831
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\AdobeAAMUpdater-1.0-EXPERIEN-BAA70F-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-09-20 01:57]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-02 22:42]
.
2012-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-02 22:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0C10BCF8-5042-48A0-B30F-4A6BA761000D}: NameServer = 4.4.4.4,8.8.8.8
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vi5jx70l.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-08 08:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-57989841-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,68,02,17,ed,36,4e,46,af,1a,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,68,02,17,ed,36,4e,46,af,1a,bf,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\06\01\04\16\15\13?"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (A B C D 2 3 5 6) (Everyone)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(664)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-12-08 08:40:29
ComboFix-quarantined-files.txt 2012-12-08 03:10
ComboFix2.txt 2012-12-07 18:05
.
Pre-Run: 29,222,981,632 bytes free
Post-Run: 29,260,775,424 bytes free
.
- - End Of File - - BBFA49778FAB401F2F998A1A104BB58D

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2012 - 10:21 PM

Hello


The sptd file is fine - I want you to uninstall MSE and reinstall it and see if it starts to work

#13 Nisheeth

  • Topic Starter
  • Members
  • 17 posts

Posted 07 December 2012 - 11:10 PM

Fantastic. It does work. The only (minor) outstanding issue now seems to be the phantom AVG antivirus that my security center still insists is running alongside MSE. You think my PC is now secure enough to type in passwords and conduct financial transactions?

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2012 - 11:30 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 

SecCenter::
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#15 Nisheeth

  • Topic Starter
  • Members
  • 17 posts

Posted 08 December 2012 - 04:10 AM

Final Combofix log appended below. That did take care of everything I think. Many, many thanks for your help, Gringo.

ComboFix 12-12-07.01 - Administrator 12/08/2012 13:35:59.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1403 [GMT 5.5:30]
Running from: c:\downloads\ComboFix.exe
Command switches used :: c:\downloads\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-08 to 2012-12-08 )))))))))))))))))))))))))))))))
.
.
2012-12-08 08:03 . 2012-11-08 04:30 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5E213762-A467-4D60-A556-D60AF3DB10A8}\mpengine.dll
2012-12-08 03:36 . 2012-12-08 03:36 -------- d-----w- c:\program files\Microsoft Security Client
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\windows\system32\xircom
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\windows\system32\wbem\snmp
2012-12-07 18:01 . 2012-12-07 18:01 -------- d-----w- c:\program files\microsoft frontpage
2012-12-07 17:45 . 2011-10-02 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-12-04 14:56 . 2012-12-04 14:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2012-12-04 14:35 . 2012-12-04 14:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-12-04 14:35 . 2012-12-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-12-03 16:01 . 2012-12-03 16:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-12-03 15:17 . 2012-12-03 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Windows Codecs
2012-12-03 15:17 . 2012-12-03 15:18 -------- d-----w- c:\program files\Mega Codec Pack
2012-11-26 14:52 . 2012-11-26 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZTEEVDO
2012-11-26 14:49 . 2011-12-25 10:12 105472 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
2012-11-26 14:49 . 2012-11-26 14:49 -------- d-----w- c:\program files\MBlaze UI
2012-11-23 04:27 . 2012-11-23 04:27 -------- d-----w- c:\program files\Common Files\Skype
2012-11-22 05:04 . 2012-11-22 05:04 5885632 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-11-16 07:48 . 2012-11-16 07:48 -------- d-----w- C:\Codemasters
2012-11-16 07:46 . 2012-11-16 07:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2012-11-16 07:44 . 1998-07-26 17:03 183808 ----a-w- c:\windows\system\qmdx.dll
2012-11-14 03:48 . 2012-10-02 18:04 58368 ------w- c:\windows\system32\dllcache\synceng.dll
2012-11-13 11:27 . 2012-11-13 11:27 -------- d-----w- c:\documents and settings\Administrator\Logs
2012-11-12 14:12 . 2012-11-12 14:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Games
2012-11-12 13:59 . 2012-11-12 13:59 -------- d-----w- c:\program files\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-10 02:44 . 2012-06-04 20:29 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-10 02:44 . 2011-10-02 12:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:43 . 2011-10-02 12:00 1875328 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2011-10-02 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-24 17:46 . 2012-10-19 01:39 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-28 11:36 . 2012-10-28 11:35 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-02 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Windows Codecs]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-12-03 15:17 172032 ----a-w- c:\documents and settings\All Users\Application Data\Windows Codecs\MediaShellOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-11-08 16070136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-04-27 15496000]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-04-27 1634112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2012-5-25 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2012-09-20 01:57 444904 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 12:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeAC]
2012-04-25 08:27 1328976 ----a-w- c:\program files\FreeAlarmClock\FreeAlarmClock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MindfulClock]
2008-02-21 15:49 442368 ----a-w- c:\program files\MindfulClock\Mfclock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-06-05 07:36 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 iastor2;iastor2;c:\windows\system32\drivers\iastor2.sys [10/2/2011 5:30 PM 277784]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [10/2/2011 5:30 PM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [10/2/2011 5:30 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [10/2/2011 5:30 PM 13616]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/3/2012 4:12 AM 691696]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [9/18/2012 6:50 PM 25088]
S2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [10/4/2012 3:04 AM 135168]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [11/22/2012 10:29 AM 3290304]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]
S2 UDisk Monitor;UDisk Monitor;c:\program files\MBlaze UI\bin\MonServiceUDisk.exe [11/26/2012 8:19 PM 512000]
S2 XMail;XMail Server;c:\program files\Drupal\xmail\XMail.exe [7/9/2012 4:46 AM 397824]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [10/4/2012 3:04 AM 103424]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [11/26/2012 8:19 PM 105472]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPFILTER
*NewlyCreated* - MSMPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\AdobeAAMUpdater-1.0-EXPERIEN-BAA70F-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-09-20 01:57]
.
2012-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-02 22:42]
.
2012-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-02 22:42]
.
2012-12-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 11:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0C10BCF8-5042-48A0-B30F-4A6BA761000D}: NameServer = 4.4.4.4,8.8.8.8
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vi5jx70l.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-08 13:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-57989841-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,68,02,17,ed,36,4e,46,af,1a,bf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,68,02,17,ed,36,4e,46,af,1a,bf,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\06\01\04\16\15\13?"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (A B C D 2 3 5 6) (Everyone)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3424)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-12-08 13:44:54
ComboFix-quarantined-files.txt 2012-12-08 08:14
ComboFix2.txt 2012-12-08 03:10
ComboFix3.txt 2012-12-07 18:05
.
Pre-Run: 28,950,396,928 bytes free
Post-Run: 28,942,671,872 bytes free
.
- - End Of File - - 306FACB70BF0EFF7D5BAF0FED053CC29
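The "Reg Loading Points" section of the ComboFix log above lists every autostart location the tool checks, each followed by the file it loads. Read that way, one entry stands out on the page's own evidence: the ShellIconOverlayIdentifiers handler named "Windows Codecs" points at a DLL created on 2012-12-03 under All Users\Application Data rather than under c:\windows or c:\program files, and explorer.exe loads every registered overlay handler at each logon. The following is an added triage helper, not code from the original poster, from ComboFix or from any helper in this thread. It parses the plain-text loading-point blocks (the overlay handlers and the Run keys) and scores each loaded binary with two path-based heuristics; the sample text is an excerpt copied from the log above, and the prefix list and keyword list are assumptions chosen for this example. A flag is a reason to look closer (hash, signature, creation time), not a verdict, which is also what the log's own "Unsigned files aren't necessarily malware" note says.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not part of the forum post or of ComboFix). It extracts
shell icon overlay handlers and Run-key entries, then flags binaries that
load from locations outside the directories Windows and installed
software normally use. Flags are triage hints, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the posted log, copied for this example; the real log has more.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-11-08 11:28 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Windows Codecs]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-12-03 15:17 172032 ----a-w- c:\documents and settings\All Users\Application Data\Windows Codecs\MediaShellOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-04-27 15496000]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
"""

# Assumed lists for this example: where legitimate code normally lives on an
# XP box, and words a loading point would use to masquerade as a Windows part.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
SYSTEM_LOOKING_WORDS = ("windows", "microsoft", "codec")

KEY_RE = re.compile(r"^\[(.+)\]$")
OVERLAY_RE = re.compile(r"shelliconoverlayidentifiers\\(.+)$", re.I)
# "2012-02-15 00:32 94208 ----a-w- c:\path\file.dll"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) \S+ (.+)$")
# "Name"="c:\path\file.exe" [2012-04-27 15496000]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')


@dataclass
class LoadPoint:
    location: str          # registry location that causes the load
    path: str              # binary that gets loaded
    date: str              # file date as ComboFix printed it
    size: int
    reasons: list = field(default_factory=list)


def parse_loading_points(text):
    """Walk the log line by line; a key header sets context for the lines after it."""
    entries, current_key, pending_overlay = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            om = OVERLAY_RE.search(current_key)
            if om:                       # overlay name; its DLL follows the CLSID key
                pending_overlay = om.group(1)
            continue
        m = FILE_RE.match(line)
        if m and pending_overlay is not None:
            entries.append(LoadPoint("ShellIconOverlayIdentifiers\\" + pending_overlay,
                                     m.group(3), m.group(1), int(m.group(2))))
            pending_overlay = None
            continue
        m = RUN_RE.match(line)
        if m and current_key.lower().endswith("\\run"):
            entries.append(LoadPoint(current_key + "\\" + m.group(1),
                                     m.group(2), m.group(3), int(m.group(4))))
    return entries


def assess(entry):
    """Attach human-readable reasons; an empty list means nothing stood out."""
    p = entry.path.lower()
    if not p.startswith(TRUSTED_PREFIXES):
        entry.reasons.append("loads from a user-writable profile/ProgramData path")
    name = entry.location.lower().rsplit("\\", 1)[-1]
    if any(w in name for w in SYSTEM_LOOKING_WORDS) and not p.startswith("c:\\windows\\"):
        entry.reasons.append("name mimics a Windows component but file is outside c:\\windows")
    return entry


def triage(text):
    """Return flagged loading points, most reasons first (stable sort keeps log order)."""
    flagged = [e for e in map(assess, parse_loading_points(text)) if e.reasons]
    return sorted(flagged, key=lambda e: -len(e.reasons))


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.location}\n    {e.path} ({e.date}, {e.size} bytes)")
        for r in e.reasons:
            print(f"    - {r}")
```

Run it and both profile-resident overlay DLLs are listed, but only the "Windows Codecs" entry collects both reasons, so it sorts to the top; the Dropbox handler trips the path heuristic alone, which is exactly why a single flag must be confirmed by hash, signature and creation time before anything is removed. To apply it to the full log, paste the whole "Reg Loading Points" section into SAMPLE or read it from the saved ComboFix.txt.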



