Computer Hope
Software => Computer viruses and spyware => Topic started by: 007will on May 05, 2011, 02:25:19 PM
-
My computer suddenly had a box popup from MS Removal Tool stating I have loads of infections/Malware so the messages say. It tells me everything I try is "infected". I tried to open the programs you advise but these do not work! I tried re-booting in safe mode and using system restore but this wouldn't work either! can you help me??
Thank you!
-
Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html
-
okay i have managed to do the logs...
-
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6515
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
05/05/2011 21:47:39
mbam-log-2011-05-05 (21-47-39).txt
Scan type: Quick scan
Objects scanned: 182755
Time elapsed: 8 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ICS5R7Y0OS (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\� (Hijack.Zones) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R8388QA8U8 (Trojan.Downloader) -> Value: R8388QA8U8 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bL28601CaIgA28601 (Trojan.FakeAlert.Gen) -> Value: bL28601CaIgA28601 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssend (Trojan.Agent) -> Value: mssend -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Owner\local settings\Temp\Mnp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\bl28601caiga28601\bl28601caiga28601.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\m.28b.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mnj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mnm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mnn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mno.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mnq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mnr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mns.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mnt.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\Mnu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Mnk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Mnl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Mnm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Mpogoa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\ppddfcfux.exxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\w32rim_mem.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\xfgkxer1hbbxwfxokvojijtyebjdow3k2\svcnost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
-
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 05/05/2011 at 10:03 PM
Application Version : 4.51.1000
Core Rules Database Version : 6950
Trace Rules Database Version: 4762
Scan type : Quick Scan
Total Scan Time : 00:07:16
Memory items scanned : 548
Memory threats detected : 0
Registry items scanned : 1506
Registry threats detected : 2
File items scanned : 5024
File threats detected : 84
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\system@myroitracking[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\system@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\system@invitemedia[1].txt
C:\Documents and Settings\Owner\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\system@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@clicksor[3].txt
C:\Documents and Settings\Owner\Cookies\system@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\system@mediatraffic[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\system@adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adtech[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\system@bizzclick[1].txt
C:\Documents and Settings\Owner\Cookies\system@statcounter[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\system@clicksor[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@myroitracking[3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@invitemedia[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
secure-it.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\4PEFYC9S ]
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clicksor[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@clicksor[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clicksor[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@statcounter[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adtech[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@solvemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
macromedia.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\DJ8G5CAP ]
media.mtvnservices.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\DJ8G5CAP ]
secure-it.imrworldwide.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\DJ8G5CAP ]
www.adserverplatform.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\DJ8G5CAP ]
Malware.Trace
HKU\.DEFAULT\Software\NtWqIVLZEWZU
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
****************************************************
Download DDS from HERE (http://download.bleepingcomputer.com/sUBs/dds.scr) or HERE (http://www.forospyware.com/sUBs/dds) and save it to your desktop.
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.
**************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 13:40:12.31 on 08/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.242 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\kixd\setup.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [{4A29A5C9-E3D8-408B-4DBE-54A2258FA697}] "c:\documents and settings\owner\application data\awraoh\adcu.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Zune Launcher] "f:\zune\ZuneLauncher.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AMService] c:\windows\temp\kixd\setup.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1295466996328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
S0 nwba;nwba;c:\windows\system32\drivers\fxufjr.sys --> c:\windows\system32\drivers\fxufjr.sys [?]
S1 ethxylvf;ethxylvf;c:\windows\system32\drivers\ethxylvf.sys [2011-5-5 135680]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S2 AMService;AMService;c:\windows\temp\kixd\setup.exe run --> c:\windows\temp\kixd\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;f:\zune\wmzunecomm.exe --> f:\zune\WMZuneComm.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-08 11:48:43 -------- d-----w- c:\docume~1\owner\applic~1\Ulirmo
2011-05-08 11:48:43 -------- d-----w- c:\docume~1\owner\applic~1\Awraoh
2011-05-05 21:25:13 135680 ----a-w- c:\windows\system32\drivers\ethxylvf.sys
2011-05-05 21:22:13 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-05 21:22:13 -------- d-----w- c:\program files\Trend Micro
2011-05-05 20:44:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-05 20:35:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 20:35:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-05 20:32:34 -------- d-----w- c:\program files\CCleaner
2011-05-05 19:19:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\bL28601CaIgA28601
2011-05-05 18:49:54 55808 ---h--w- c:\docume~1\owner\applic~1\ntuser.dat
2011-05-05 18:49:46 -------- d-----w- c:\docume~1\owner\applic~1\xfgkxer1hbbxwfxokvojijtyebjdow3k2
2011-05-05 18:46:28 114176 --sha-r- c:\windows\system32\rpcns4H.dll
2011-05-05 18:46:28 114176 --sha-r- c:\windows\system32\logonuiv.dll
2011-05-05 18:46:28 114176 --sha-r- c:\windows\system32\ialmuTHAU.dll
2011-05-05 18:41:00 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{7c8c2a59-ac6b-4305-bf8f-aa42a1fbbbc0}\mpengine.dll
2011-04-29 12:34:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-29 12:34:08 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 06:43:54 -------- d-----w- c:\docume~1\owner\applic~1\Sibelius Software
2011-04-28 23:18:51 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2011-04-28 23:18:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-28 23:18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 22:38:23 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2011-04-28 22:38:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-25 15:51:51 -------- d-----w- c:\program files\iPod
2011-04-25 15:51:45 -------- d-----w- c:\program files\iTunes
2011-04-25 15:46:52 -------- d-----w- c:\program files\Bonjour
2011-04-25 13:59:55 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\SoftGrid Client
2011-04-25 13:59:51 -------- d-----w- c:\docume~1\owner\applic~1\SoftGrid Client
2011-04-25 13:57:35 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-04-25 13:57:34 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2011-04-25 13:56:28 -------- d-----w- c:\docume~1\owner\applic~1\TP
2011-04-18 21:12:27 -------- d-----w- c:\program files\Amazon
2011-04-16 14:29:38 -------- d-----w- c:\docume~1\owner\applic~1\OpenOffice.org
2011-04-16 14:26:19 -------- d-----w- c:\program files\OpenOffice.org 3
2011-04-16 14:25:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-16 14:25:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
==================== Find3M ====================
.
2011-05-05 20:14:56 9728 ---h--w- c:\docume~1\owner\applic~1\desktop.ini
2011-04-06 15:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AADS-00S9B0 rev.01.00A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8652D6F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86533a10]; MOV EAX, [0x86533a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x865CEAB8]
3 CLASSPNP[0xF75FEFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86578D58]
\Driver\atapi[0x865D4A08] -> IRP_MJ_CREATE -> 0x8652D6F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8652D53B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:41:23.85 ===============
-
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/01/2011 19:29:56
System Uptime: 08/05/2011 12:44:45 (1 hours ago)
.
Motherboard: Dell Inc. | | 0HJ054
Processor: Intel(R) Pentium(R) D CPU 2.66GHz | Microprocessor | 2660/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 453.216 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 05/05/2011 20:51:22 - System Checkpoint
RP2: 05/05/2011 22:19:45 - Installed Java(TM) 6 Update 25
RP3: 05/05/2011 22:22:11 - Installed HiJackThis
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
AiO_Scan_CDA
AiOSoftwareNPI
Amazon MP3 Downloader 1.0.9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASTRA32 - Advanced System Information Tool 2.06
Bonjour
BufferChm
C3100
c3100_Help
CCleaner
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Fax_CDA
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 25
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Click-to-Run 2010
Microsoft Office Home and Business 2010 - English
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy_CDA
OCR Software by I.R.I.S 7.0
OpenOffice.org 3.3
PanoStandAlone
ProductContextNPI
QuickTime
Readme
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Segoe UI
SigmaTel Audio
SolutionCenter
Status
SUPERAntiSpyware
Toolbox
TrayApp
Unload
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile Device Updater Component
Windows Search 4.0
Windows XP Service Pack 3
Zune
Zune Language Pack (DEU)
Zune Language Pack (ESP)
Zune Language Pack (FRA)
Zune Language Pack (ITA)
Zune Language Pack (NLD)
Zune Language Pack (PTB)
Zune Language Pack (PTG)
.
==== Event Viewer Messages From Past Week ========
.
08/05/2011 13:01:36, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
08/05/2011 12:51:03, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
08/05/2011 12:48:41, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Pml Driver HPZ12 service to connect.
08/05/2011 12:48:41, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
08/05/2011 12:46:45, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AMService service to connect.
08/05/2011 12:46:45, error: Service Control Manager [7000] - The Zune Bus Enumerator service failed to start due to the following error: The system cannot find the path specified.
.
==== End Of File ===========================
-
Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 25
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````
-
You have one of the latest infection going around. Please try this and don't be surprised if it will not run completely. Please let me know and I will give you further instructions.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the C:\ directory..
-
2011/05/08 22:29:44.0281 3664 Mode: Manual;
2011/05/08 22:29:44.0281 3664 ================================================================================
2011/05/08 22:29:44.0906 3664 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/08 22:29:44.0937 3664 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/08 22:29:44.0984 3664 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/08 22:29:45.0031 3664 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/08 22:29:45.0281 3664 ASTRA32 (5fc1fed39ed5d3f71c7d2fc16a49e2a2) C:\Program Files\ASTRA32\ASTRA32.sys
2011/05/08 22:29:45.0328 3664 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/08 22:29:45.0328 3664 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/08 22:29:45.0375 3664 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/08 22:29:45.0421 3664 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/08 22:29:45.0468 3664 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/08 22:29:45.0546 3664 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/08 22:29:45.0625 3664 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/08 22:29:45.0625 3664 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/08 22:29:45.0687 3664 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/08 22:29:45.0718 3664 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/05/08 22:29:45.0843 3664 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/08 22:29:45.0906 3664 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/08 22:29:45.0953 3664 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/08 22:29:45.0984 3664 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/08 22:29:46.0015 3664 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/08 22:29:46.0078 3664 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/08 22:29:46.0125 3664 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/08 22:29:46.0187 3664 ethxylvf (134bf92d51d07e59113dd98721879f8b) C:\WINDOWS\system32\drivers\ethxylvf.sys
2011/05/08 22:29:46.0218 3664 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/08 22:29:46.0281 3664 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/08 22:29:46.0296 3664 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/08 22:29:46.0312 3664 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/08 22:29:46.0359 3664 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/08 22:29:46.0406 3664 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/08 22:29:46.0421 3664 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/08 22:29:46.0500 3664 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/08 22:29:46.0531 3664 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/08 22:29:46.0578 3664 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/08 22:29:46.0593 3664 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/08 22:29:46.0687 3664 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/05/08 22:29:46.0718 3664 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/05/08 22:29:46.0765 3664 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/08 22:29:46.0828 3664 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/08 22:29:46.0875 3664 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2011/05/08 22:29:46.0968 3664 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/05/08 22:29:47.0000 3664 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/08 22:29:47.0109 3664 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/08 22:29:47.0140 3664 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/08 22:29:47.0171 3664 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/08 22:29:47.0203 3664 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/08 22:29:47.0218 3664 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/08 22:29:47.0234 3664 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/08 22:29:47.0250 3664 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/08 22:29:47.0265 3664 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/08 22:29:47.0296 3664 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/08 22:29:47.0312 3664 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/08 22:29:47.0343 3664 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/08 22:29:47.0375 3664 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/08 22:29:47.0453 3664 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/08 22:29:47.0484 3664 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/08 22:29:47.0500 3664 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/08 22:29:47.0531 3664 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/08 22:29:47.0546 3664 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/08 22:29:47.0578 3664 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/05/08 22:29:47.0609 3664 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/08 22:29:47.0640 3664 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/08 22:29:47.0687 3664 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/08 22:29:47.0734 3664 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/08 22:29:47.0750 3664 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/08 22:29:47.0796 3664 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/08 22:29:47.0843 3664 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/08 22:29:47.0859 3664 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/08 22:29:47.0906 3664 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/08 22:29:47.0953 3664 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/08 22:29:47.0968 3664 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/08 22:29:48.0000 3664 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/08 22:29:48.0015 3664 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/08 22:29:48.0046 3664 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/08 22:29:48.0093 3664 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/08 22:29:48.0156 3664 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/08 22:29:48.0171 3664 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/08 22:29:48.0218 3664 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/08 22:29:48.0265 3664 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/08 22:29:48.0281 3664 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/08 22:29:48.0328 3664 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/05/08 22:29:48.0343 3664 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/08 22:29:48.0390 3664 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/08 22:29:48.0421 3664 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/08 22:29:48.0484 3664 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/08 22:29:48.0531 3664 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/08 22:29:48.0687 3664 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/08 22:29:48.0703 3664 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/08 22:29:48.0750 3664 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/08 22:29:48.0859 3664 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/08 22:29:48.0875 3664 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/08 22:29:48.0906 3664 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/08 22:29:48.0921 3664 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/08 22:29:48.0937 3664 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/08 22:29:48.0968 3664 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/08 22:29:49.0015 3664 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/08 22:29:49.0046 3664 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/08 22:29:49.0156 3664 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/08 22:29:49.0187 3664 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/08 22:29:49.0218 3664 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/08 22:29:49.0265 3664 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/05/08 22:29:49.0312 3664 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/08 22:29:49.0390 3664 Sftfs (14cb193ecd4e71a32446790f9ecf39dd) C:\WINDOWS\system32\DRIVERS\Sftfsxp.sys
2011/05/08 22:29:49.0421 3664 Sftplay (1f05637831caf19b069aaf361d720bb9) C:\WINDOWS\system32\DRIVERS\Sftplayxp.sys
2011/05/08 22:29:49.0453 3664 Sftredir (423628f17862593d7d43e02187f4c1b5) C:\WINDOWS\system32\DRIVERS\Sftredirxp.sys
2011/05/08 22:29:49.0484 3664 Sftvol (258ab73a01fa1b8d1a2a053c6bba5544) C:\WINDOWS\system32\DRIVERS\Sftvolxp.sys
2011/05/08 22:29:49.0562 3664 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/08 22:29:49.0578 3664 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/08 22:29:49.0625 3664 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/08 22:29:49.0703 3664 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
2011/05/08 22:29:49.0765 3664 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/08 22:29:49.0781 3664 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/08 22:29:49.0921 3664 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/08 22:29:49.0984 3664 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/08 22:29:50.0031 3664 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/08 22:29:50.0062 3664 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/08 22:29:50.0093 3664 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/08 22:29:50.0171 3664 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/08 22:29:50.0234 3664 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/08 22:29:50.0265 3664 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/08 22:29:50.0296 3664 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/08 22:29:50.0312 3664 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/08 22:29:50.0359 3664 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/08 22:29:50.0421 3664 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/08 22:29:50.0484 3664 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/08 22:29:50.0500 3664 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/08 22:29:50.0515 3664 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/08 22:29:50.0562 3664 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/08 22:29:50.0578 3664 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/08 22:29:50.0656 3664 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/05/08 22:29:50.0703 3664 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/08 22:29:50.0781 3664 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/05/08 22:29:50.0859 3664 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/05/08 22:29:50.0921 3664 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/08 22:29:50.0937 3664 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/08 22:29:50.0984 3664 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
2011/05/08 22:29:51.0406 3664 ================================================================================
2011/05/08 22:29:51.0406 3664 Scan finished
2011/05/08 22:29:51.0406 3664 ================================================================================
-
I don't know if that was right. I did the scan and it deleted something then restarted. I have then done a report which is what i post.
Also when this is all fixed can you advise me what the best AV software to have on my PC is?
Many thanks!
-
Also when this is all fixed can you advise me what the best AV software to have on my PC is?
This is a tough question. Almost everyone has their favourite. I, myself, prefer MicroSoft Security Essentials because it highly efficient and low resource usage. It's free to all registered Windows users and requires no registration or renewal and it updates automatically.I'll give you a link below but in addition to a good, updated AV you also require programs to protect against other malware such as rogues and trojans. I will post these at the conclusion of our cleaning.
Remember to only install one antivirus!
1) Avast! Home Edition (http://www.majorgeeks.com/Avast_Home_Edition_d1968.html)
2) AVG Free Edition (http://www.majorgeeks.com/download.php?det=886)
3) Avira AntiVir Personal (http://www.majorgeeks.com/AntiVir_Personal_Edition_7_d955.html)
4) Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
4-a) Microsoft Security Essentials for Windows XP (http://www.microsoft.com/security_essentials/)
5) Comodo Antivirus (http://www.majorgeeks.com/Comodo_AntiVirus_d5109.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition (http://www.majorgeeks.com/PC_Tools_AntiVirus_Free_Edition_d5469.html)
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
**************************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you insist on using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
(http://i424.photobucket.com/albums/pp322/digistar/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/RC_successful.gif)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
ComboFix 11-05-08.04 - Owner 09/05/2011 17:46:12.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.728 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Awraoh
c:\documents and settings\Owner\Application Data\Awraoh\adcu.exe
c:\documents and settings\Owner\Application Data\desktop.ini
c:\documents and settings\Owner\Application Data\ntuser.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-08 11:48 . 2011-05-09 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Ulirmo
2011-05-05 21:25 . 2011-05-05 21:25 135680 ----a-w- c:\windows\system32\drivers\ethxylvf.sys
2011-05-05 21:22 . 2011-05-05 21:22 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-05 21:22 . 2011-05-05 21:22 -------- d-----w- c:\program files\Trend Micro
2011-05-05 21:20 . 2011-05-05 21:20 -------- d-----w- c:\program files\Common Files\Java
2011-05-05 20:44 . 2011-05-05 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-05 20:35 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 20:35 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-05 20:32 . 2011-05-05 20:32 -------- d-----w- c:\program files\CCleaner
2011-05-05 19:19 . 2011-05-05 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\bL28601CaIgA28601
2011-05-05 18:49 . 2011-05-05 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\xfgkxer1hbbxwfxokvojijtyebjdow3k2
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\rpcns4H.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\logonuiv.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\ialmuTHAU.dll
2011-05-05 18:41 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C8C2A59-AC6B-4305-BF8F-AA42A1FBBBC0}\mpengine.dll
2011-04-29 12:34 . 2011-04-29 12:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 12:30 . 2011-04-29 12:33 -------- d-s---w- c:\documents and settings\Administrator
2011-04-29 06:43 . 2011-04-29 06:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-05-05 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 22:38 . 2011-04-28 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-04-28 22:38 . 2011-05-08 11:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-25 15:51 . 2011-04-25 15:51 -------- d-----w- c:\program files\iPod
2011-04-25 15:51 . 2011-04-25 15:53 -------- d-----w- c:\program files\iTunes
2011-04-25 15:46 . 2011-04-25 15:46 -------- d-----w- c:\program files\Bonjour
2011-04-25 14:07 . 2011-04-25 14:07 -------- d-----r- C:\MSOCache
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-05-09 16:43 -------- d-----w- c:\documents and settings\Owner\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\{90140011-0062-0409-0000-0000000FF1CE}
2011-04-25 13:59 . 2011-05-09 16:43 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SoftGrid Client
2011-04-25 13:57 . 2011-04-25 13:57 -------- d-----w- c:\documents and settings\All Users\Microsoft
2011-04-25 13:57 . 2011-04-29 12:38 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2011-04-25 13:56 . 2011-04-25 14:01 -------- d-----w- c:\documents and settings\Owner\Application Data\TP
2011-04-18 21:13 . 2011-04-18 21:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2011-04-18 21:12 . 2011-04-18 21:12 -------- d-----w- c:\program files\Amazon
2011-04-17 14:07 . 2011-04-17 14:07 -------- d-----w- c:\windows\Sun
2011-04-16 14:29 . 2011-04-16 14:29 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2011-04-16 14:26 . 2011-04-16 14:26 -------- d-----w- c:\program files\OpenOffice.org 3
2011-04-16 14:25 . 2011-04-14 04:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 14:25 . 2011-04-14 01:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-16 14:25 . 2011-05-05 21:20 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTITL.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSTMP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSCRP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSREH_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSMET_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSCHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSSE__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSROMC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSPC__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSP___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSO___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSNN__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFBE_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFB__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCSC_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSC___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INKPEN2_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2TEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SCRI.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2METR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2CHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELST___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSINKI.FOT
2011-04-11 07:04 . 2011-02-06 22:20 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2011-01-11 19:25 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2011-01-19 20:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-08 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
ykitl.exe [2011-5-8 284160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [22/02/2007 12:28 30864]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [28/02/2010 02:33 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [24/04/2010 01:10 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [02/12/2009 22:23 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [02/12/2009 22:23 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [02/12/2009 22:23 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [02/12/2009 22:23 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [24/04/2010 01:10 209768]
S0 nwba;nwba;c:\windows\system32\drivers\fxufjr.sys --> c:\windows\system32\drivers\fxufjr.sys [?]
S1 ethxylvf;ethxylvf;c:\windows\system32\drivers\ethxylvf.sys [05/05/2011 22:25 135680]
S2 AMService;AMService;c:\windows\TEMP\kixd\setup.exe run --> c:\windows\TEMP\kixd\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [04/08/2004 11:00 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;f:\zune\WMZuneComm.exe --> f:\zune\WMZuneComm.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-{4A29A5C9-E3D8-408B-4DBE-54A2258FA697} - c:\documents and settings\Owner\Application Data\Awraoh\adcu.exe
HKLM-Run-Zune Launcher - f:\zune\ZuneLauncher.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Zune - f:\zune\ZuneSetup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-09 17:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-05-09 17:54:46
ComboFix-quarantined-files.txt 2011-05-09 16:54
.
Pre-Run: 486,545,432,576 bytes free
Post-Run: 488,234,688,512 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 16E3555B8274A30826B69815E5ADE5EE
-
I have a bunch of files to be checked.
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs scanned they must be done separately and links posted for each one)
* Copy the file path in the below Code box:
c:\windows\system32\drivers\ethxylvf.sys
c:\windows\system32\rpcns4H.dll
c:\windows\system32\logonuiv.dll
c:\windows\system32\ialmuTHAU.dll
c:\documents and settings\Default User\Start Menu\Programs\Startup\
ykitl.exe
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
***************************************************
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
Folder::
c:\documents and settings\All Users\Application Data\bL28601CaIgA28601
c:\documents and settings\Owner\Application Data\xfgkxer1hbbxwfxokvojijtyebjdow3k2
MBR::
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i424.photobucket.com/albums/pp322/digistar/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
-
http://virusscan.jotti.org/en-gb/scanresult/01b7612528486ee80756776c20e5be28dd792b5f
http://virusscan.jotti.org/en-gb/scanresult/fc5eb0e11068590e5fbc6d3b16b706d3f8e4a611
http://virusscan.jotti.org/en-gb/scanresult/84391c69438966404bbdce4fc504ddcf4e87473f
http://virusscan.jotti.org/en-gb/scanresult/9880348cf42936dbe2702d75b9841c5bebf7b9f7
Sorry i couldn't find the last link you listed.
-
ComboFix 11-05-09.03 - Owner 10/05/2011 18:13:20.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.545 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bL28601CaIgA28601
c:\documents and settings\All Users\Application Data\bL28601CaIgA28601\bL28601CaIgA28601
c:\documents and settings\Owner\Application Data\xfgkxer1hbbxwfxokvojijtyebjdow3k2
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-08 11:48 . 2011-05-09 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Ulirmo
2011-05-05 21:25 . 2011-05-05 21:25 135680 ----a-w- c:\windows\system32\drivers\ethxylvf.sys
2011-05-05 21:22 . 2011-05-05 21:22 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-05 21:22 . 2011-05-05 21:22 -------- d-----w- c:\program files\Trend Micro
2011-05-05 21:20 . 2011-05-05 21:20 -------- d-----w- c:\program files\Common Files\Java
2011-05-05 20:44 . 2011-05-05 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-05 20:35 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 20:35 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-05 20:32 . 2011-05-05 20:32 -------- d-----w- c:\program files\CCleaner
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\rpcns4H.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\logonuiv.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\ialmuTHAU.dll
2011-05-05 18:41 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C8C2A59-AC6B-4305-BF8F-AA42A1FBBBC0}\mpengine.dll
2011-04-29 12:34 . 2011-04-29 12:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 12:30 . 2011-04-29 12:33 -------- d-s---w- c:\documents and settings\Administrator
2011-04-29 06:43 . 2011-04-29 06:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-05-05 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 22:38 . 2011-04-28 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-04-28 22:38 . 2011-05-08 11:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-25 15:51 . 2011-04-25 15:51 -------- d-----w- c:\program files\iPod
2011-04-25 15:51 . 2011-04-25 15:53 -------- d-----w- c:\program files\iTunes
2011-04-25 15:46 . 2011-04-25 15:46 -------- d-----w- c:\program files\Bonjour
2011-04-25 14:07 . 2011-04-25 14:07 -------- d-----r- C:\MSOCache
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-05-09 17:10 -------- d-----w- c:\documents and settings\Owner\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\{90140011-0062-0409-0000-0000000FF1CE}
2011-04-25 13:59 . 2011-05-09 17:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SoftGrid Client
2011-04-25 13:57 . 2011-04-25 13:57 -------- d-----w- c:\documents and settings\All Users\Microsoft
2011-04-25 13:57 . 2011-04-29 12:38 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2011-04-25 13:56 . 2011-04-25 14:01 -------- d-----w- c:\documents and settings\Owner\Application Data\TP
2011-04-18 21:13 . 2011-04-18 21:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2011-04-18 21:12 . 2011-04-18 21:12 -------- d-----w- c:\program files\Amazon
2011-04-17 14:07 . 2011-04-17 14:07 -------- d-----w- c:\windows\Sun
2011-04-16 14:29 . 2011-04-16 14:29 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2011-04-16 14:26 . 2011-04-16 14:26 -------- d-----w- c:\program files\OpenOffice.org 3
2011-04-16 14:25 . 2011-04-14 04:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 14:25 . 2011-04-14 01:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-16 14:25 . 2011-05-05 21:20 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTITL.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSTMP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSCRP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSREH_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSMET_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSCHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSSE__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSROMC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSPC__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSP___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSO___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSNN__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFBE_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFB__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCSC_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSC___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INKPEN2_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2TEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SCRI.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2METR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2CHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELST___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSINKI.FOT
2011-04-11 07:04 . 2011-02-06 22:20 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2011-01-11 19:25 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2011-01-19 20:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-09_16.53.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-11 09:59 . 2011-01-11 09:59 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_214ee422\vcomp90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90rus.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90kor.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90jpn.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90ita.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90fra.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esp.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esn.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90enu.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90deu.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90cht.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90chs.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90u.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90.dll
+ 2011-05-10 17:19 . 2011-05-10 17:19 16384 c:\windows\temp\Perflib_Perfdata_798.dat
+ 2011-01-11 09:59 . 2011-01-11 09:59 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcr90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcp90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcm90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_65b7a93a\atl90.dll
+ 2011-05-09 17:10 . 2011-05-09 17:10 223232 c:\windows\Installer\186080.msi
+ 2011-01-11 09:59 . 2011-01-11 09:59 3780936 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90u.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 3766088 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-08 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
ykitl.exe [2011-5-8 284160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [22/02/2007 12:28 30864]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [28/02/2010 02:33 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [24/04/2010 01:10 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [02/12/2009 22:23 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [02/12/2009 22:23 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [02/12/2009 22:23 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [02/12/2009 22:23 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [24/04/2010 01:10 209768]
S0 nwba;nwba;c:\windows\system32\drivers\fxufjr.sys --> c:\windows\system32\drivers\fxufjr.sys [?]
S1 ethxylvf;ethxylvf;c:\windows\system32\drivers\ethxylvf.sys [05/05/2011 22:25 135680]
S2 AMService;AMService;c:\windows\TEMP\kixd\setup.exe run --> c:\windows\TEMP\kixd\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [04/08/2004 11:00 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;f:\zune\WMZuneComm.exe --> f:\zune\WMZuneComm.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 18:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(560)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-05-10 18:23:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-10 17:23
ComboFix2.txt 2011-05-09 16:54
.
Pre-Run: 488,152,834,048 bytes free
Post-Run: 488,185,438,208 bytes free
.
- - End Of File - - 39F9F2BE1C45ACA3A07C972651ABE405
-
Ok. Just a few more things to do. Any improvement in your computer?
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
c:\windows\system32\drivers\ethxylvf.sys
c:\documents and settings\Default User\Start Menu\Programs\Startup\
ykitl.exe
Driver::
ethxylvf
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i424.photobucket.com/albums/pp322/digistar/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
******************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Microsoft Security Essentials
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 25
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
Microsoft Security Essentials msseces.exe
``````````End of Log````````````
-
ComboFix 11-05-10.02 - Owner 11/05/2011 18:10:05.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.559 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\Default User\Start Menu\Programs\Startup\"
"c:\windows\system32\drivers\ethxylvf.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\ethxylvf.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ethxylvf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-08 11:48 . 2011-05-09 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Ulirmo
2011-05-05 21:22 . 2011-05-05 21:22 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-05 21:22 . 2011-05-05 21:22 -------- d-----w- c:\program files\Trend Micro
2011-05-05 21:20 . 2011-05-05 21:20 -------- d-----w- c:\program files\Common Files\Java
2011-05-05 20:44 . 2011-05-05 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-05 20:35 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 20:35 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-05 20:32 . 2011-05-05 20:32 -------- d-----w- c:\program files\CCleaner
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\rpcns4H.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\logonuiv.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\ialmuTHAU.dll
2011-05-05 18:41 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C8C2A59-AC6B-4305-BF8F-AA42A1FBBBC0}\mpengine.dll
2011-04-29 12:34 . 2011-04-29 12:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 12:30 . 2011-04-29 12:33 -------- d-s---w- c:\documents and settings\Administrator
2011-04-29 06:43 . 2011-04-29 06:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-05-05 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 22:38 . 2011-04-28 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-04-28 22:38 . 2011-05-08 11:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-25 15:51 . 2011-04-25 15:51 -------- d-----w- c:\program files\iPod
2011-04-25 15:51 . 2011-04-25 15:53 -------- d-----w- c:\program files\iTunes
2011-04-25 15:46 . 2011-04-25 15:46 -------- d-----w- c:\program files\Bonjour
2011-04-25 14:07 . 2011-04-25 14:07 -------- d-----r- C:\MSOCache
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-05-10 18:53 -------- d-----w- c:\documents and settings\Owner\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\{90140011-0062-0409-0000-0000000FF1CE}
2011-04-25 13:59 . 2011-05-10 18:53 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SoftGrid Client
2011-04-25 13:57 . 2011-04-25 13:57 -------- d-----w- c:\documents and settings\All Users\Microsoft
2011-04-25 13:57 . 2011-04-29 12:38 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2011-04-25 13:56 . 2011-04-25 14:01 -------- d-----w- c:\documents and settings\Owner\Application Data\TP
2011-04-18 21:13 . 2011-04-18 21:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2011-04-18 21:12 . 2011-04-18 21:12 -------- d-----w- c:\program files\Amazon
2011-04-17 14:07 . 2011-04-17 14:07 -------- d-----w- c:\windows\Sun
2011-04-16 14:29 . 2011-04-16 14:29 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2011-04-16 14:26 . 2011-04-16 14:26 -------- d-----w- c:\program files\OpenOffice.org 3
2011-04-16 14:25 . 2011-04-14 04:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 14:25 . 2011-04-14 01:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-16 14:25 . 2011-05-05 21:20 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTITL.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSTMP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSCRP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSREH_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSMET_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSCHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSSE__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSROMC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSPC__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSP___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSO___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSNN__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFBE_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFB__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCSC_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSC___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INKPEN2_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2TEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SCRI.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2METR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2CHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELST___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSINKI.FOT
2011-04-11 07:04 . 2011-02-06 22:20 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2011-01-11 19:25 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2011-01-19 20:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-09_16.53.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-11 09:59 . 2011-01-11 09:59 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_214ee422\vcomp90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90rus.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90kor.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90jpn.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90ita.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90fra.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esp.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esn.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90enu.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90deu.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90cht.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90chs.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90u.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90.dll
+ 2011-05-11 17:15 . 2011-05-11 17:15 16384 c:\windows\temp\Perflib_Perfdata_660.dat
+ 2011-01-11 09:59 . 2011-01-11 09:59 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcr90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcp90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcm90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_65b7a93a\atl90.dll
+ 2011-05-09 17:10 . 2011-05-09 17:10 223232 c:\windows\Installer\186080.msi
+ 2011-01-11 09:59 . 2011-01-11 09:59 3780936 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90u.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 3766088 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-08 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
ykitl.exe [2011-5-8 284160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [22/02/2007 12:28 30864]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [28/02/2010 02:33 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [24/04/2010 01:10 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [02/12/2009 22:23 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [02/12/2009 22:23 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [02/12/2009 22:23 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [02/12/2009 22:23 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [24/04/2010 01:10 209768]
S0 nwba;nwba;c:\windows\system32\drivers\fxufjr.sys --> c:\windows\system32\drivers\fxufjr.sys [?]
S2 AMService;AMService;c:\windows\TEMP\kixd\setup.exe run --> c:\windows\TEMP\kixd\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [04/08/2004 11:00 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;f:\zune\WMZuneComm.exe --> f:\zune\WMZuneComm.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 18:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-05-11 18:19:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 17:19
ComboFix2.txt 2011-05-10 17:23
ComboFix3.txt 2011-05-09 16:54
.
Pre-Run: 488,131,448,832 bytes free
Post-Run: 488,109,334,528 bytes free
.
- - End Of File - - 3134006567461E2BA064FDD000367D38
-
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
-
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AA45C000
Module End: AA474000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7B58000
Module End: F7B5A000
Hidden: Yes
Module Name: C:\WINDOWS\system32\DRIVERS\WinUSB.sys
Service Name: WinUSB
Module Base: F7966000
Module End: F796E000
Hidden: Yes
Module Name: C:\WINDOWS\system32\DRIVERS\wudfrd.sys
Service Name: WudfRd
Module Base: AA1CC000
Module End: AA1ED000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwTerminateProcess
Address: AA567620
Driver Base: AA55D000
Driver End: AA57F000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied
-
Looking good. Let's try this scan.
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\37\4bb6a8a5-26d0d414 Java/TrojanDownloader.OpenStream.NBV trojan
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\3ba0d75f-12867f1f Java/TrojanDownloader.OpenStream.NBV trojan
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\6\27241306-4d955265 Java/TrojanDownloader.Agent.NCQ trojan
-
Please run ESET again and this time, clean the infections. How's your computer working now? Any other issues?
-
The first and last file i couldn't find but here are the results for the rest.
http://virusscan.jotti.org/en-gb/scanresult/d6ffeee1d24a1531e91b17f4e2e35fe86b924006
http://virusscan.jotti.org/en-gb/scanresult/84391c69438966404bbdce4fc504ddcf4e87473f/66ee4b78e7f4dca13e54b43985109d4933be4897
http://virusscan.jotti.org/en-gb/scanresult/f1504c02d1a67e8a72aee63a14005f4f091f3c5d
-
ComboFix 11-05-14.01 - Owner 15/05/2011 10:25:44.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.331 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-15 09:33 . 2011-05-15 09:33 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A938866-38C7-452E-BE72-C0210707AC87}\MpKsld931e1f3.sys
2011-05-15 09:15 . 2011-05-15 09:15 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A938866-38C7-452E-BE72-C0210707AC87}\MpKslca26fab0.sys
2011-05-15 09:14 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A938866-38C7-452E-BE72-C0210707AC87}\mpengine.dll
2011-05-15 09:06 . 2011-05-15 09:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-14 10:34 . 2011-05-14 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\VirtualizedApplications
2011-05-14 08:29 . 2011-05-14 08:29 -------- d-----w- c:\program files\ESET
2011-05-08 11:48 . 2011-05-09 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Ulirmo
2011-05-05 21:22 . 2011-05-05 21:22 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-05 21:22 . 2011-05-05 21:22 -------- d-----w- c:\program files\Trend Micro
2011-05-05 21:20 . 2011-05-05 21:20 -------- d-----w- c:\program files\Common Files\Java
2011-05-05 20:44 . 2011-05-05 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-05 20:35 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-05 20:35 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-05 20:32 . 2011-05-05 20:32 -------- d-----w- c:\program files\CCleaner
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\rpcns4H.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\logonuiv.dll
2011-05-05 18:46 . 2011-05-05 18:46 114176 --sha-r- c:\windows\system32\ialmuTHAU.dll
2011-04-29 12:34 . 2011-04-29 12:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 12:30 . 2011-04-29 12:33 -------- d-s---w- c:\documents and settings\Administrator
2011-04-29 06:43 . 2011-04-29 06:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-04-28 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-28 23:18 . 2011-05-05 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 22:38 . 2011-04-28 22:38 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-04-28 22:38 . 2011-05-08 11:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-25 15:51 . 2011-04-25 15:51 -------- d-----w- c:\program files\iPod
2011-04-25 15:51 . 2011-04-25 15:53 -------- d-----w- c:\program files\iTunes
2011-04-25 15:46 . 2011-04-25 15:46 -------- d-----w- c:\program files\Bonjour
2011-04-25 14:07 . 2011-04-25 14:07 -------- d-----r- C:\MSOCache
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-05-14 11:28 -------- d-----w- c:\documents and settings\Owner\Application Data\SoftGrid Client
2011-04-25 13:59 . 2011-04-25 13:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\{90140011-0062-0409-0000-0000000FF1CE}
2011-04-25 13:59 . 2011-05-14 11:28 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SoftGrid Client
2011-04-25 13:57 . 2011-04-25 13:57 -------- d-----w- c:\documents and settings\All Users\Microsoft
2011-04-25 13:57 . 2011-04-29 12:38 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2011-04-25 13:56 . 2011-04-25 14:01 -------- d-----w- c:\documents and settings\Owner\Application Data\TP
2011-04-18 21:13 . 2011-04-18 21:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Amazon
2011-04-18 21:12 . 2011-04-18 21:12 -------- d-----w- c:\program files\Amazon
2011-04-17 14:07 . 2011-04-17 14:07 -------- d-----w- c:\windows\Sun
2011-04-16 14:29 . 2011-04-16 14:29 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2011-04-16 14:26 . 2011-04-16 14:26 -------- d-----w- c:\program files\OpenOffice.org 3
2011-04-16 14:25 . 2011-04-14 04:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 14:25 . 2011-04-14 01:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-16 14:25 . 2011-05-05 21:20 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTITL.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSTMP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSSCRP.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSREH_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSMET_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRSCHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\RPRS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSTEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSSE__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSROMC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSPC__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSP___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSO___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSNN__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFBE_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSFB__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCSC_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSCS__.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUSC___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\OPUS____.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INKPEN2_.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2TEXT.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SPEC.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2SCRI.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2METR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\INK2CHOR.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELST___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSS___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSM___.FOT
2011-04-29 06:43 . 2011-04-29 06:43 1409 ----a-w- c:\windows\Fonts\HELSINKI.FOT
2011-04-11 07:04 . 2011-02-06 22:20 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 15:20 . 2011-04-06 15:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2011-01-11 19:25 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2011-01-19 20:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-09_16.53.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-11 09:59 . 2011-01-11 09:59 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_214ee422\vcomp90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90rus.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90kor.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90jpn.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90ita.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90fra.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esp.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esn.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90enu.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90deu.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90cht.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90chs.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90u.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90.dll
+ 2011-05-15 09:33 . 2011-05-15 09:33 16384 c:\windows\temp\Perflib_Perfdata_74c.dat
+ 2011-01-11 09:59 . 2011-01-11 09:59 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcr90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcp90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcm90.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_65b7a93a\atl90.dll
+ 2011-05-15 09:06 . 2011-05-15 09:06 240288 c:\windows\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe
+ 2011-05-15 09:06 . 2011-05-15 09:06 321184 c:\windows\system32\Macromed\Flash\FlashUtil10q_ActiveX.dll
+ 2011-05-09 17:10 . 2011-05-09 17:10 223232 c:\windows\Installer\186080.msi
+ 2011-01-11 09:59 . 2011-01-11 09:59 3780936 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90u.dll
+ 2011-01-11 09:59 . 2011-01-11 09:59 3766088 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90.dll
+ 2011-01-19 20:26 . 2011-05-11 17:41 42829768 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-08 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 MpKslca26fab0;MpKslca26fab0;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A938866-38C7-452E-BE72-C0210707AC87}\MpKslca26fab0.sys [15/05/2011 10:15 28752]
R1 MpKsld931e1f3;MpKsld931e1f3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A938866-38C7-452E-BE72-C0210707AC87}\MpKsld931e1f3.sys [15/05/2011 10:33 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [22/02/2007 12:28 30864]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [28/02/2010 02:33 821664]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [24/04/2010 01:10 483688]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [02/12/2009 22:23 554344]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [02/12/2009 22:23 211432]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [02/12/2009 22:23 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [02/12/2009 22:23 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [24/04/2010 01:10 209768]
S0 nwba;nwba;c:\windows\system32\drivers\fxufjr.sys --> c:\windows\system32\drivers\fxufjr.sys [?]
S2 AMService;AMService;c:\windows\TEMP\kixd\setup.exe run --> c:\windows\TEMP\kixd\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [04/08/2004 11:00 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;f:\zune\WMZuneComm.exe [11/11/2010 14:57 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLD931E1F3
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 10:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(724)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
f:\zune\ZuneBusEnum.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\stsystra.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-05-15 10:38:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 09:38
ComboFix2.txt 2011-05-11 17:19
ComboFix3.txt 2011-05-10 17:23
ComboFix4.txt 2011-05-09 16:54
.
Pre-Run: 487,744,663,552 bytes free
Post-Run: 487,813,476,352 bytes free
.
- - End Of File - - 089C36B5AA4188206B2D13BE7F2779A3
-
SORRY! READ THE WRONG PAGE. DONT WORRY ABOUT THE PREVIOUS COUPLE OF POSTS!!
-
I've scanned again and got rid of the infections. Touch wood, everything seems to be okay at the mo i think...
-
That's great. Let's do some cleanup.
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
*******************************************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*******************************************************
Looking over your log it seems you don't have any evidence of a third party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
**************************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!