Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: stonemanjr on August 04, 2011, 09:55:22 AM
-
Experiencing slow down/lockup issues due to the following. These are files and warnings that are showing after scanning that say we are on this computer. This is a WindowsXP Professional OS with Service Pack 3 loaded. We have run ComboFix 1x, Malwarebytes, and SuperANtispyware. Avira ANtivir is our antivirus and we have SPybot running also.
PE_Perfect pecompact
Ark.5
UPX
TR/SPy.Keylogger.qme
msounser.dll found under windows/system32
HELP :(
ComboFix 11-08-03.03 - Owner 08/03/2011 16:11:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.204 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RKHIT
-------\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))
.
.
2011-08-03 20:25 . 2011-08-03 20:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslf59954db.sys
2011-08-03 20:25 . 2011-08-03 20:25 -------- d-----w- c:\windows\system32\wbem\snmp
2011-08-03 20:25 . 2011-08-03 20:25 -------- d-----w- c:\windows\system32\oobe
2011-08-03 20:25 . 2011-08-03 20:25 -------- d-----w- c:\program files\microsoft frontpage
2011-08-03 19:29 . 2011-08-03 19:29 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-03 19:27 . 2011-08-03 19:27 -------- d-----w- c:\windows\LastGood.Tmp
2011-08-03 19:27 . 2011-08-03 19:27 -------- dc----w- c:\windows\system32\DRVSTORE
2011-08-03 19:27 . 2011-07-21 18:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-03 19:26 . 2011-08-03 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-08-03 19:26 . 2011-08-03 19:26 -------- d-----w- c:\program files\Lavasoft
2011-08-03 18:29 . 2011-08-03 18:29 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-03 18:28 . 2011-08-03 18:28 -------- d-----w- c:\program files\Trend Micro
2011-08-03 18:08 . 2011-08-03 19:09 -------- d-----w- c:\program files\UPXRemoval Tool
2011-08-03 17:55 . 2011-04-23 23:51 537850 ----a-w- C:\HaxFix.exe
2011-08-03 17:55 . 2011-08-03 17:58 -------- d-----w- c:\windows\HaxFix
2011-08-02 20:03 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\mpengine.dll
2011-08-02 19:46 . 2011-08-02 19:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Western Digital
2011-08-01 19:59 . 2011-08-01 19:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-08-01 19:58 . 2011-08-01 19:59 -------- d-----w- c:\windows\SHELLNEW
2011-08-01 19:58 . 2011-08-01 19:58 -------- d-----w- c:\program files\Microsoft.NET
2011-08-01 19:55 . 2011-08-01 19:55 -------- d-----r- C:\MSOCache
2011-07-28 22:09 . 2011-07-28 22:09 -------- d-----w- c:\program files\MWSnap
2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\windows\AOL page_files
2011-07-28 13:52 . 2011-07-28 13:52 -------- d-----w- c:\windows\photo.php_files
2011-07-13 16:42 . 2011-07-13 16:42 -------- d-----w- c:\documents and settings\Owner\Application Data\AutoScreenShotMaker
2011-07-13 16:42 . 2011-07-13 16:42 -------- d-----w- c:\program files\Auto Screenshot Maker
2011-07-13 16:07 . 2011-07-13 16:07 -------- d-----w- c:\documents and settings\Owner\Application Data\DonationCoder
2011-07-13 16:06 . 2011-07-13 17:26 -------- d-----w- c:\program files\ScreenshotCaptor
2011-07-13 03:12 . 2011-04-26 11:02 293376 ----a-w- c:\windows\system32\SET5D0.tmp
2011-07-12 14:09 . 2011-07-12 14:10 -------- d-----w- c:\program files\HotHotSoftware
2011-07-11 16:16 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2011-07-11 16:16 . 2008-11-10 15:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2011-07-11 12:43 . 2011-07-11 12:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-08 21:04 . 2011-07-08 21:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
2011-07-08 20:58 . 2011-07-08 20:58 -------- d-----w- c:\program files\MichaelFontana
2011-07-07 22:27 . 2011-07-07 22:27 -------- d-----w- c:\program files\Recuva
2011-07-07 22:24 . 2011-07-07 22:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-07 15:03 . 2011-07-07 15:03 -------- d-----w- c:\program files\WebEx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2011-01-25 21:30 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-06 23:52 . 2011-01-29 01:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-01-29 01:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 16:13 . 2011-01-24 14:44 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-30 16:13 . 2011-01-24 14:44 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-02 14:07 . 2009-10-19 08:27 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-06-27 20:52 . 2011-05-06 19:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-02-21 19:21 . 2011-01-24 14:58 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
[7] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
.
[7] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys
.
[7] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
.
[7] 2009-10-19 . B5B1080D35974C0E718D64280761BCD5 . 182912 . . [5.1.2600.5588] . . c:\windows\system32\drivers\ndis.sys
.
[7] 2009-03-23 . AE8CAD8F28DB13B515A68510A539B0B8 . 576512 . . [5.1.2600.5782] . . c:\windows\system32\drivers\ntfs.sys
.
[7] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
[7] 2009-10-19 . 7E39A3EDC13B076E70FDB9A6F6D7A4B4 . 78336 . . [5.1.2600.5574] . . c:\windows\system32\browser.dll
.
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
.
[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
.
[7] 2008-04-14 12:00 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[7] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\qmgr.dll
[7] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\bits\qmgr.dll
.
[7] 2009-10-19 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
.
[7] 2009-10-19 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
.
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
.
[7] 2009-10-19 . 53A8857723277B1D6D5EE60A9F85B117 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe
.
[7] 2009-10-19 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
.
[7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[7] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
[7] 2009-10-19 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2009-10-19 . C6BE3E18287F21EE3ED3C84ED14E9D7A . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll
[7] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
.
[7] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
.
[7] 2009-10-19 08:25 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
.
[7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
.
[7] 2009-10-19 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
.
[7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
.
[7] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
.
[7] 2011-05-30 . D0B1DB576941CB0B6669B8752FFAC79A . 5967360 . . [8.00.6001.23181] . . c:\windows\system32\mshtml.dll
[7] 2011-05-30 . D0B1DB576941CB0B6669B8752FFAC79A . 5967360 . . [8.00.6001.23181] . . c:\windows\system32\dllcache\mshtml.dll
.
[7] 2009-10-19 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[7] 2009-10-19 . 06B8485FB1DA9A552B10AB978CD1AC85 . 343040 . . [7.0.2600.5701] . . c:\windows\system32\msvcrt.dll
[7] 2009-10-19 . A4C4A54FD7E31179CB5BDF7896DF3DF7 . 343040 . . [7.0.2600.5701] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5701_x-ww_40d12c25\msvcrt.dll
.
[7] 2009-10-19 . 290C1A30DEFC723BBE10910AC2D6F6D0 . 245248 . . [5.1.2600.5649] . . c:\windows\system32\mswsock.dll
[7] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
.
[7] 2009-10-19 . DAB13813B25B3D009B2AC1194CF5D0A2 . 407552 . . [5.1.2600.5755] . . c:\windows\system32\netlogon.dll
.
[7] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
.
[7] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
.
[7] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
.
[7] 2009-10-19 . 67E38B4A549833E02D4D1617B5DBC318 . 14848 . . [5.1.2600.5689] . . c:\windows\system32\svchost.exe
.
[7] 2009-10-19 . E2B32B10ACC5D97623275AAFB67E5F03 . 249856 . . [5.1.2600.5654] . . c:\windows\system32\tapisrv.dll
.
[7] 2009-10-19 . 3DE22354C3609B3C3E5DC2C19C5E0693 . 578560 . . [5.1.2600.5577] . . c:\windows\system32\user32.dll
.
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
.
[7] 2011-04-25 . 7F4F1697001B9E9A7924D219DC215903 . 919552 . . [8.00.6001.23165] . . c:\windows\system32\wininet.dll
[7] 2011-04-25 . 7F4F1697001B9E9A7924D219DC215903 . 919552 . . [8.00.6001.23165] . . c:\windows\system32\dllcache\wininet.dll
[7] 2011-02-22 . A9FA95F0D7F511959AC721E4843E5967 . 919552 . . [8.00.6001.23139] . . c:\windows\ie8updates\KB2530548-IE8\wininet.dll
[7] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\ie8updates\KB2497640-IE8\wininet.dll
[7] 2010-11-06 . 9357C4249F4810FB0E49C13387A8A77C . 919552 . . [8.00.6001.23084] . . c:\windows\ie8updates\KB2482017-IE8\wininet.dll
[7] 2009-10-19 . 972B226BDAD71C55F3CC9A72BBF8F1C1 . 916480 . . [8.00.6001.22918] . . c:\windows\ie8updates\KB2416400-IE8\wininet.dll
.
[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
.
[7] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
.
[7] 2009-10-19 . 2BB75B7F548D82A099125D0C5971DE7D . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe
.
[7] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
[7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
[7] 2009-10-19 . 54FAEE910065DF0149E060F82EF7A0A9 . 1288704 . . [5.1.2600.5692] . . c:\windows\$NtUninstallKB979687$\ole32.dll
.
[7] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
[7] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
[7] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll
.
[7] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\system32\ksuser.dll
.
[7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
.
.
[7] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
.
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
.
[7] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
[7] 2009-10-19 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
.
[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
.
[7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
.
[7] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
.
[7] 2009-10-19 . 5128852A18AE46C387F87BF27DA4C9DD . 296960 . . [5.1.2600.5815] . . c:\windows\system32\termsrv.dll
.
[7] 2009-10-19 . 0A878AA66E4DD3E2608192A1ECCD9F8F . 344064 . . [5.1.2600.5589] . . c:\windows\system32\hnetcfg.dll
.
[7] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll
.
[7] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
.
[7] 2008-04-13 20:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
.
[7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\AGP440.SYS
.
[7] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
.
[7] 2010-09-18 07:18 . 842900DEDBC8E3E8DBCCCB298FD88F65 . 953856 . . [4.1.6151] . . c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll
[7] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\mfc40u.dll
[7] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\dllcache\mfc40u.dll
[7] 2008-04-14 12:00 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\$NtUninstallKB2387149$\mfc40u.dll
.
[7] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
.
[7] 2009-10-19 08:26 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
[7] 2010-12-10 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2010-12-10 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\system32\ntkrnlpa.exe
[7] 2010-12-10 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2010-04-28 . 756362706DE8BC92F11E197C98A73844 . 2066944 . . [5.1.2600.5973] . . c:\windows\$NtUninstallKB2393802$\ntkrnlpa.exe
[7] 2009-10-19 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB981852$\ntkrnlpa.exe
.
[7] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
.
[7] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
.
[7] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
.
[7] 2009-10-19 . D2CF91B2C710E9F666E60AFBF87643EE . 1689088 . . [5.03.2600.5601] . . c:\windows\system32\d3d9.dll
.
[7] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
.
[7] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
.
[7] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
.
[7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
.
.
.
[7] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\system32\ntoskrnl.exe
[7] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2010-04-27 . A2ABBEC40CDB57454645D06B7EBD22F5 . 2190080 . . [5.1.2600.5973] . . c:\windows\$NtUninstallKB2393802$\ntoskrnl.exe
[7] 2009-10-19 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB981852$\ntoskrnl.exe
.
[7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
.
[7] 2009-10-19 . 9F8A0D0CBB2FA265A754516128C00E22 . 175616 . . [5.1.2600.5635] . . c:\windows\system32\w32time.dll
.
[7] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll
.
[7] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
.
[7] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\system32\rasadhlp.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"suomy"="c:\program files\lfcncjawgoifqf\ltnkvkri.exe" [2006-03-18 2285089]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-21 30192]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"suomy"="c:\program files\lfcncjawgoifqf\ltnkvkri.exe" [2006-03-18 2285089]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/3/2011 3:27 PM 64512]
R1 MpKslf59954db;MpKslf59954db;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslf59954db.sys [8/3/2011 4:25 PM 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 2:59 PM 15232]
S1 bkowctbp;bkowctbp;\??\c:\windows\system32\drivers\bkowctbp.sys --> c:\windows\system32\drivers\bkowctbp.sys [?]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S1 MpKsl01e83a9c;MpKsl01e83a9c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys [?]
S1 MpKsl0cc9110d;MpKsl0cc9110d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys [?]
S1 MpKsl136f1fb0;MpKsl136f1fb0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys [?]
S1 MpKsl162d5693;MpKsl162d5693;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys [?]
S1 MpKsl17f7d890;MpKsl17f7d890;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys [?]
S1 MpKsl1920c0d3;MpKsl1920c0d3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys [?]
S1 MpKsl239b35ac;MpKsl239b35ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys [?]
S1 MpKsl2c1598c4;MpKsl2c1598c4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys [?]
S1 MpKsl402ccee3;MpKsl402ccee3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys [?]
S1 MpKsl427d79a1;MpKsl427d79a1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys [?]
S1 MpKsl49ad88d2;MpKsl49ad88d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys [?]
S1 MpKsl5d6d4cdd;MpKsl5d6d4cdd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys [?]
S1 MpKsl6345b0bc;MpKsl6345b0bc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys [?]
S1 MpKsl7c4e5c27;MpKsl7c4e5c27;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys [?]
S1 MpKsl85315904;MpKsl85315904;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys [?]
S1 MpKsl87163c1a;MpKsl87163c1a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys [?]
S1 MpKsl9c781a98;MpKsl9c781a98;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys [?]
S1 MpKsla37afca9;MpKsla37afca9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys [?]
S1 MpKslb5c5dbf9;MpKslb5c5dbf9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys [?]
S1 MpKslb8365f74;MpKslb8365f74;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys [?]
S1 MpKslcbe4f901;MpKslcbe4f901;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys [?]
S1 MpKsld2c007be;MpKsld2c007be;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys [?]
S1 MpKslde174466;MpKslde174466;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys [?]
S1 MpKsle5c06711;MpKsle5c06711;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys [?]
S1 MpKslf07ca68a;MpKslf07ca68a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys [?]
S1 MpKslffcdefc5;MpKslffcdefc5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys [?]
S1 qpgubjnu;qpgubjnu;\??\c:\windows\system32\drivers\qpgubjnu.sys --> c:\windows\system32\drivers\qpgubjnu.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLF59954DB
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
.
2011-08-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
2011-08-03 c:\windows\Tasks\User_Feed_Synchronization-{F51BDFA4-4B2F-4CA5-8A91-76142D68EC61}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\qrdrfwd2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-03 16:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1844823847-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{23CBCFBB-AEC5-CA23-CA98-CF93341FF517}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(952)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msounsers.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Secunia\PSI\sua.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2011-08-03 17:02:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-03 20:59
.
Pre-Run: 61,411,377,152 bytes free
Post-Run: 62,508,892,160 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 676E9DA49995EDA4FDE8617E602F3A63
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:53:53 AM, on 8/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\lfcncjawgoifqf\ltnkvkri.exe
C:\program files\lfcncjawgoifqf\ltnkvkri.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WKCALREM.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
--
End of file - 4784 bytes
[regaining space - attachment deleted by admin]
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
********************************************************
Open HijackThis and select Open the Misc Tools section. Select open process manager. select
C:\program files\lfcncjawgoifqf\ltnkvkri.exe
C:\program files\lfcncjawgoifqf\ltnkvkri.exe
and click on kill process.
*****************************************************
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
O4 - HKLM\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
O4 - HKCU\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
**********************************************
•Please download Dial-A-Fix from one of the following mirrors:
Primary mirror (http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip)
Secondary mirror (http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip)
•Extract the zip file to your desktop.
•Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot errors, just ignore them and Click
(http://i424.photobucket.com/albums/pp322/digistar/OK.jpg) to continue.
•Press the green double checkmark box (Looks like this:
(http://i424.photobucket.com/albums/pp322/digistar/checkmark.png)
UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:
(http://i424.photobucket.com/albums/pp322/digistar/ncheck.png)
(http://i424.photobucket.com/albums/pp322/digistar/Window.png)
•Click on Go
•Wait for Dial-A-Fix to finish (All the checks marks will be all gone)
•Close Dial-A-Fix
*************************************************
ComboFix is not a toy and should not be run without proper supervision.
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
c:\windows\system32\SET5D0.tmp
c:\windows\system32\drivers\bkowctbp.sys
c:\windows\system32\drivers\qpgubjnu.sys
Folder::
C:\program files\lfcncjawgoifqf
C:\program files\lfcncjawgoifqf
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"suomy"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"suomy"=-
Driver::
bkowctbp
qpgubjnu
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i424.photobucket.com/albums/pp322/digistar/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
****************************************************
P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
-
Thanks Dave. I will get Frostwire off immediately.
The first file- proceses you noticed with the funny letters are from All IN ONe Keylogger. I think they do that to disguise it. Do you still want me to kill/remove it? I can uninstall the entire program if you need me to.
DO you want me to proceed any further before doing these things?
I appreciate your help
-
The first file- proceses you noticed with the funny letters are from All IN ONe Keylogger. I think they do that to disguise it. Do you still want me to kill/remove it? I can uninstall the entire program if you need me to.
If this is something you installed and you're happy with, leave it be. I just couldn't find anything and random letters are almost a dead giveaway for infections. I'm glad you told me about it. Please proceed with the rest of the fix.
-
ok. thank you. DO you want me to insert the same text from notepad into the Combo FIx?
thanks alot Dave
the other thing we are noticing is that the drop down menus in Microsoft Office 2003 Word and Excel are invisible- unusable??? never seen this before
-
DO you want me to insert the same text from notepad into the Combo FIx?
Yes, please do exactly as instructed.
-
ok-done. see combo fix log attached
[regaining space - attachment deleted by admin]
-
ComboFix 11-08-06.02 - Owner 08/06/2011 16:47:46.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.200 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\drivers\bkowctbp.sys"
"c:\windows\system32\drivers\qpgubjnu.sys"
"c:\windows\system32\SET5D0.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\lfcncjawgoifqf
c:\program files\lfcncjawgoifqf\help.chm
c:\program files\lfcncjawgoifqf\Log\Text\aiotxt.dat
c:\program files\lfcncjawgoifqf\Log\Visual\06172011.dat
c:\program files\lfcncjawgoifqf\Log\Visual\06182011.dat
c:\program files\lfcncjawgoifqf\ltnkvkri.exe
c:\program files\lfcncjawgoifqf\unins000.dat
c:\program files\lfcncjawgoifqf\unins000.exe
c:\windows\system32\SET5D0.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_bkowctbp
-------\Service_qpgubjnu
.
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-08-07 00:40 . 2011-08-07 00:40 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKslaf718e34.sys
2011-08-06 20:19 . 2011-08-06 20:19 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl3076c91a.sys
2011-08-05 06:54 . 2011-08-07 00:39 -------- d-----w- c:\windows\system32\CatRoot2
2011-08-05 06:35 . 2011-08-05 06:35 -------- d-----w- C:\ProgramData
2011-08-05 06:34 . 2011-08-05 06:35 -------- d-----w- c:\program files\Free YouTube Downloader
2011-08-05 05:55 . 2011-08-05 05:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2011-08-05 05:54 . 2011-08-05 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\YouTube Downloader
2011-08-05 01:25 . 2011-07-13 03:39 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\mpengine.dll
2011-08-05 01:22 . 2011-08-05 01:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2011-08-05 01:22 . 2011-08-05 01:22 -------- d-----w- c:\program files\Avira
2011-08-05 01:22 . 2011-08-05 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-08-05 01:21 . 2011-08-05 01:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-08-04 22:45 . 2011-08-04 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-04 18:36 . 2011-08-04 18:36 -------- d-----w- c:\program files\MSECache
2011-08-04 06:13 . 2011-08-04 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-04 05:22 . 2011-08-04 05:22 114048 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-08-04 05:22 . 2011-08-04 05:22 -------- d-----w- c:\program files\Acronis
2011-08-04 05:21 . 2011-08-04 05:22 -------- d-----w- c:\program files\Common Files\Acronis
2011-08-03 20:25 . 2011-08-03 20:25 -------- d-----w- c:\windows\system32\wbem\snmp
2011-08-03 20:25 . 2011-08-03 20:25 -------- d-----w- c:\windows\system32\oobe
2011-08-03 20:25 . 2011-08-03 20:25 -------- d-----w- c:\windows\system32\xircom
2011-08-03 20:25 . 2011-08-03 20:25 -------- d-----w- c:\program files\microsoft frontpage
2011-08-03 19:29 . 2011-08-03 19:29 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-03 19:27 . 2011-08-05 01:22 -------- dc----w- c:\windows\system32\DRVSTORE
2011-08-03 19:27 . 2011-07-21 18:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-03 19:26 . 2011-08-04 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-08-03 19:26 . 2011-08-03 19:26 -------- d-----w- c:\program files\Lavasoft
2011-08-03 18:29 . 2011-08-03 18:29 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-03 18:28 . 2011-08-03 18:28 -------- d-----w- c:\program files\Trend Micro
2011-08-03 18:08 . 2011-08-03 19:09 -------- d-----w- c:\program files\UPXRemoval Tool
2011-08-03 17:55 . 2011-04-23 23:51 537850 ----a-w- C:\HaxFix.exe
2011-08-03 17:55 . 2011-08-03 17:58 -------- d-----w- c:\windows\HaxFix
2011-08-02 19:46 . 2011-08-02 19:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Western Digital
2011-08-01 19:59 . 2011-08-01 19:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-08-01 19:58 . 2011-08-01 19:59 -------- d-----w- c:\windows\SHELLNEW
2011-08-01 19:58 . 2011-08-01 19:58 -------- d-----w- c:\program files\Microsoft.NET
2011-08-01 19:55 . 2011-08-01 19:55 -------- d-----r- C:\MSOCache
2011-07-28 22:09 . 2011-07-28 22:09 -------- d-----w- c:\program files\MWSnap
2011-07-28 16:53 . 2011-07-28 16:53 -------- d-----w- c:\windows\AOL page_files
2011-07-28 13:52 . 2011-07-28 13:52 -------- d-----w- c:\windows\photo.php_files
2011-07-13 16:42 . 2011-07-13 16:42 -------- d-----w- c:\documents and settings\Owner\Application Data\AutoScreenShotMaker
2011-07-13 16:42 . 2011-07-13 16:42 -------- d-----w- c:\program files\Auto Screenshot Maker
2011-07-13 16:07 . 2011-07-13 16:07 -------- d-----w- c:\documents and settings\Owner\Application Data\DonationCoder
2011-07-13 16:06 . 2011-07-13 17:26 -------- d-----w- c:\program files\ScreenshotCaptor
2011-07-12 14:09 . 2000-07-15 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-07-12 14:09 . 2011-07-12 14:10 -------- d-----w- c:\program files\HotHotSoftware
2011-07-11 16:16 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2011-07-11 16:16 . 2008-11-10 15:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2011-07-11 12:43 . 2011-07-11 12:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-08 21:04 . 2011-07-08 21:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
2011-07-08 20:58 . 2011-07-08 20:58 -------- d-----w- c:\program files\MichaelFontana
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-06 20:28 . 2011-01-24 14:44 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-06 20:28 . 2011-01-24 14:44 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-13 03:39 . 2011-01-25 21:30 6881616 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-06 23:52 . 2011-01-29 01:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-01-29 01:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:07 . 2009-10-19 08:27 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-06-27 20:52 . 2011-05-06 19:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-02-21 19:21 . 2011-01-24 14:58 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-03_20.26.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-07 00:36 . 2011-08-07 00:36 16384 c:\windows\Temp\Perflib_Perfdata_1a0.dat
- 2011-01-24 14:44 . 2010-06-17 20:27 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2011-01-24 14:44 . 2010-06-17 18:27 28520 c:\windows\system32\drivers\ssmdrv.sys
- 2011-01-24 14:44 . 2010-06-17 20:27 22360 c:\windows\system32\drivers\avgntmgr.sys
+ 2011-01-24 14:44 . 2010-06-17 18:27 22360 c:\windows\system32\drivers\avgntmgr.sys
+ 2011-01-24 14:44 . 2010-06-17 18:27 45416 c:\windows\system32\drivers\avgntdd.sys
- 2011-01-24 14:44 . 2010-06-17 20:27 45416 c:\windows\system32\drivers\avgntdd.sys
+ 2007-07-04 18:57 . 2007-07-04 18:57 17176 c:\windows\system32\acrotls.dll
+ 2011-01-23 00:34 . 2011-01-23 00:34 9847 c:\windows\system32\mswnnmoue.dll
- 2009-06-16 12:27 . 2009-06-16 12:27 9847 c:\windows\system32\mswnnmoue.dll
+ 2007-06-15 17:05 . 2007-06-15 17:05 206368 c:\windows\system32\snapapi.dll
+ 2010-02-16 04:57 . 2010-02-16 04:57 155648 c:\windows\system32\msounsers.dll
- 2010-02-23 22:26 . 2010-02-23 22:26 155648 c:\windows\system32\msounsers.dll
+ 2011-03-04 19:30 . 2011-08-05 01:24 4520184 c:\windows\system32\Restore\rstrlog.dat
+ 2011-08-04 05:22 . 2011-08-04 05:22 2545152 c:\windows\Installer\1abe286.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-21 30192]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
WKCALREM.LNK - c:\program files\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsl3076c91a;MpKsl3076c91a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl3076c91a.sys [8/6/2011 4:19 PM 28752]
R1 MpKslaf718e34;MpKslaf718e34;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKslaf718e34.sys [8/6/2011 8:40 PM 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [6/29/2010 1:48 PM 114416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/24/2011 10:44 AM 136360]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 10:24 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 10:24 AM 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S1 MpKsl01e83a9c;MpKsl01e83a9c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys [?]
S1 MpKsl0cc9110d;MpKsl0cc9110d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys [?]
S1 MpKsl136f1fb0;MpKsl136f1fb0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys [?]
S1 MpKsl162d5693;MpKsl162d5693;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys [?]
S1 MpKsl17f7d890;MpKsl17f7d890;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys [?]
S1 MpKsl1920c0d3;MpKsl1920c0d3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys [?]
S1 MpKsl239b35ac;MpKsl239b35ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys [?]
S1 MpKsl2c1598c4;MpKsl2c1598c4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys [?]
S1 MpKsl361b2b0d;MpKsl361b2b0d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl361b2b0d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl361b2b0d.sys [?]
S1 MpKsl402ccee3;MpKsl402ccee3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys [?]
S1 MpKsl427d79a1;MpKsl427d79a1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys [?]
S1 MpKsl49ad88d2;MpKsl49ad88d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys [?]
S1 MpKsl5d6d4cdd;MpKsl5d6d4cdd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys [?]
S1 MpKsl6345b0bc;MpKsl6345b0bc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys [?]
S1 MpKsl71b96f71;MpKsl71b96f71;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl71b96f71.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl71b96f71.sys [?]
S1 MpKsl7c4e5c27;MpKsl7c4e5c27;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys [?]
S1 MpKsl85315904;MpKsl85315904;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys [?]
S1 MpKsl87163c1a;MpKsl87163c1a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys [?]
S1 MpKsl9c781a98;MpKsl9c781a98;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys [?]
S1 MpKsla37afca9;MpKsla37afca9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys [?]
S1 MpKslb393e67e;MpKslb393e67e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslb393e67e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslb393e67e.sys [?]
S1 MpKslb5c5dbf9;MpKslb5c5dbf9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys [?]
S1 MpKslb8365f74;MpKslb8365f74;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys [?]
S1 MpKslcbe4f901;MpKslcbe4f901;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys [?]
S1 MpKsld2c007be;MpKsld2c007be;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys [?]
S1 MpKslde174466;MpKslde174466;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys [?]
S1 MpKsle5c06711;MpKsle5c06711;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys [?]
S1 MpKslf07ca68a;MpKslf07ca68a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys [?]
S1 MpKslffcdefc5;MpKslffcdefc5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/24/2011 10:57 AM 30192]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLAF718E34
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
.
2011-08-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
2011-08-07 c:\windows\Tasks\User_Feed_Synchronization-{F51BDFA4-4B2F-4CA5-8A91-76142D68EC61}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\qrdrfwd2.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-suomy - c:\program files\lfcncjawgoifqf\ltnkvkri.exe
AddRemove-AnjN9msuv_is1 - c:\program files\Lfcncjawgoifqf\unins000.exe
AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - c:\program files\YouTube Downloader\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-06 20:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1844823847-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{23CBCFBB-AEC5-CA23-CA98-CF93341FF517}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\UPHClean\uphclean.exe
.
**************************************************************************
.
Completion time: 2011-08-06 20:49:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 00:49
ComboFix2.txt 2011-08-05 02:33
ComboFix3.txt 2011-08-03 21:02
.
Pre-Run: 61,859,135,488 bytes free
Post-Run: 61,938,446,336 bytes free
.
- - End Of File - - ED9EDD576DFC2DA36769AFF49EB40F55
-
Dave- have you seen logfile for COmboFix yet?
The avira antivir has cont to pop up saying that TR/SPy.Keylogger.qme is found with msounser.dll being also pciked up in the system32 folder, but when I went to look for it, it is hidden/no show.
-
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs scanned they must be done separately and links posted for each one)
* Copy the file path in the below Code box:
c:\windows\system32\msounsers.dll
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
***********************************************************
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
-
It says unable to locate the msounser.dll file.
-
Ok. Could you please run the SysPro AntiRookit scan?
-
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F6AD1000
Module End: F6AE9000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8AA2000
Module End: F8AA4000
Hidden: Yes
Module Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Service Name: ---
Module Base: F4923000
Module End: F4926000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: F8C52984
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwCreateKey
Address: F8C5293E
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwCreateSection
Address: F8C5298E
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwCreateThread
Address: F8C52934
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwDeleteKey
Address: F8C52943
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwDeleteValueKey
Address: F8C5294D
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwDuplicateObject
Address: F8C5297F
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwLoadKey
Address: F8C52952
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwOpenProcess
Address: F8C52920
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwOpenThread
Address: F8C52925
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwReplaceKey
Address: F8C5295C
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwRestoreKey
Address: F8C52957
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwSetContextThread
Address: F8C52993
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwSetValueKey
Address: F8C52948
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwTerminateProcess
Address: F8C5292F
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwUnloadKey
Address: F49236D0
Driver Base: F4923000
Driver End: F4926000
Driver Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: F:\b8e91b5566cc5df664\amd64\filterpipelineprintproc.dll
Status: Access denied
Object: F:\b8e91b5566cc5df664\amd64\msxpsdrv.cat
Status: Access denied
Object: F:\b8e91b5566cc5df664\amd64\msxpsdrv.inf
Status: Access denied
Object: F:\b8e91b5566cc5df664\amd64\msxpsinc.gpd
Status: Access denied
Object: F:\b8e91b5566cc5df664\amd64\msxpsinc.ppd
Status: Access denied
Object: F:\b8e91b5566cc5df664\amd64\mxdwdrv.dll
Status: Access denied
Object: F:\b8e91b5566cc5df664\amd64\xpssvcs.dll
Status: Access denied
Object: F:\b8e91b5566cc5df664\i386\filterpipelineprintproc.dll
Status: Access denied
Object: F:\b8e91b5566cc5df664\i386\msxpsdrv.cat
Status: Access denied
Object: F:\b8e91b5566cc5df664\i386\msxpsdrv.inf
Status: Access denied
Object: F:\b8e91b5566cc5df664\i386\msxpsinc.gpd
Status: Access denied
Object: F:\b8e91b5566cc5df664\i386\msxpsinc.ppd
Status: Access denied
Object: F:\b8e91b5566cc5df664\i386\mxdwdrv.dll
Status: Access denied
Object: F:\b8e91b5566cc5df664\i386\xpssvcs.dll
Status: Access denied
Object: F:\Documents and Settings\Gateway\My Documents\HBS General Files\CORNER STONE POLICY\CORNER STONE\Barry Robinson HBS Documents\Job Folder\HomeBase 2005\OLD BRC Folder\MEDICAID DMAS\MEDICAID HBS Chart FORMS\MEDICAID Chart FORMS\SPO Medicaid Eligibity Asses
Status: Hidden
Object: F:\Documents and Settings\Gateway\My Documents\HBS General Files\CORNER STONE POLICY\CORNER STONE\Barry Robinson HBS Documents\Job Folder\HomeBase 2005\OLD BRC Folder\MEDICAID DMAS\MEDICAID HBS Chart FORMS\MEDICAID Chart FORMS\SPO Medicaid Provisional Mas
Status: Hidden
Object: F:\Program Files\IObit\IObit SmartDefrag\language\Lietuviu.lng
Status: Hidden
Object: F:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: F:\System Volume Information\tracking.log
Status: Access denied
Object: F:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}
Status: Access denied
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
C:\Documents and Settings\Owner\My Documents\Downloads\FreeYouTubeDownloaderSetup(1).exe multiple threats deleted - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\FreeYouTubeDownloaderSetup.exe multiple threats deleted - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\Installer-for-frostwire.exe a variant of MSIL/Agent.NGQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\PDFConverterSetup.exe a variant of Win32/InstallCore.A application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\Spydig_Setup.exe multiple threats deleted - quarantined
C:\Documents and Settings\Owner\My Documents\Downloads\UPXRemovalTool.exe probably a variant of Win32/SecurityStronghold application deleted - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP233\A0053525.sys Win32/Adware.SpywareCease application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP233\A0053530.dll a variant of Win32/Adware.SpywareCease.AA application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP233\A0053562.exe probably a variant of Win32/SecurityStronghold application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP248\A0056288.exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056305.rbf a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056306.rbf a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056307.rbf probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056713.rbf a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
-
That looks great. Just one more scan.
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
MVPS Hosts File
Malwarebytes' Anti-Malware
Wise Disk Cleaner 5.93
Wise Registry Cleaner 5.9.4
Java(TM) 6 Update 26
Flash Player Out of Date!
Adobe Flash Player 10.0.45.2
Adobe Reader X (10.1.0)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````
-
thank you Dave. I have 2 more machines showing same types of problems. Can I run their logs with you to look at and resolve. Thank you again for your help!
-
The Security Check shows two Anti-Virus programs on your computer; Avira AntiVir Personal and Microsoft Security Essentials
If more that one AV program is active on a computer it can cause conflicts.
thank you Dave. I have 2 more machines showing same types of problems. Can I run their logs with you to look at and resolve. Thank you again for your help!
You should start a new thread for each computer otherwise, it's too confusing.
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
*****************************************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
******************************************************
Looking over your log it seems you don't have any evidence of a third party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
**************************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!