
Author Topic: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme  (Read 13038 times)


stonemanjr

    Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
    « on: August 04, 2011, 09:55:22 AM »
    Experiencing slowdown/lockup issues due to the following. These are the files and warnings that the scans show are on this computer. This is a Windows XP Professional OS with Service Pack 3 loaded. We have run ComboFix once, Malwarebytes, and SuperAntiSpyware. Avira AntiVir is our antivirus and we have Spybot running also.

    PE_Perfect pecompact
    Ark.5
    UPX
    TR/SPy.Keylogger.qme
    msounser.dll found under windows/system32

    HELP :(


    ComboFix 11-08-03.03 - Owner 08/03/2011  16:11:28.1.1 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.204 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\_000006_.tmp.dll
    c:\windows\system32\_000007_.tmp.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_RKHIT
    -------\Service_RkHit
    .
    .
    (((((((((((((((((((((((((   Files Created from 2011-07-03 to 2011-08-03  )))))))))))))))))))))))))))))))
    .
    .
    2011-08-03 20:25 . 2011-08-03 20:25   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslf59954db.sys
    2011-08-03 20:25 . 2011-08-03 20:25   --------   d-----w-   c:\windows\system32\wbem\snmp
    2011-08-03 20:25 . 2011-08-03 20:25   --------   d-----w-   c:\windows\system32\oobe
    2011-08-03 20:25 . 2011-08-03 20:25   --------   d-----w-   c:\program files\microsoft frontpage
    2011-08-03 19:29 . 2011-08-03 19:29   101720   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
    2011-08-03 19:27 . 2011-08-03 19:27   --------   d-----w-   c:\windows\LastGood.Tmp
    2011-08-03 19:27 . 2011-08-03 19:27   --------   dc----w-   c:\windows\system32\DRVSTORE
    2011-08-03 19:27 . 2011-07-21 18:59   64512   ----a-w-   c:\windows\system32\drivers\Lbd.sys
    2011-08-03 19:26 . 2011-08-03 19:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
    2011-08-03 19:26 . 2011-08-03 19:26   --------   d-----w-   c:\program files\Lavasoft
    2011-08-03 18:29 . 2011-08-03 18:29   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-08-03 18:28 . 2011-08-03 18:28   --------   d-----w-   c:\program files\Trend Micro
    2011-08-03 18:08 . 2011-08-03 19:09   --------   d-----w-   c:\program files\UPXRemoval Tool
    2011-08-03 17:55 . 2011-04-23 23:51   537850   ----a-w-   C:\HaxFix.exe
    2011-08-03 17:55 . 2011-08-03 17:58   --------   d-----w-   c:\windows\HaxFix
    2011-08-02 20:03 . 2011-07-13 03:39   6881616   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\mpengine.dll
    2011-08-02 19:46 . 2011-08-02 19:46   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Western Digital
    2011-08-01 19:59 . 2011-08-01 19:59   --------   d-----w-   c:\program files\Microsoft ActiveSync
    2011-08-01 19:58 . 2011-08-01 19:59   --------   d-----w-   c:\windows\SHELLNEW
    2011-08-01 19:58 . 2011-08-01 19:58   --------   d-----w-   c:\program files\Microsoft.NET
    2011-08-01 19:55 . 2011-08-01 19:55   --------   d-----r-   C:\MSOCache
    2011-07-28 22:09 . 2011-07-28 22:09   --------   d-----w-   c:\program files\MWSnap
    2011-07-28 16:53 . 2011-07-28 16:53   --------   d-----w-   c:\windows\AOL page_files
    2011-07-28 13:52 . 2011-07-28 13:52   --------   d-----w-   c:\windows\photo.php_files
    2011-07-13 16:42 . 2011-07-13 16:42   --------   d-----w-   c:\documents and settings\Owner\Application Data\AutoScreenShotMaker
    2011-07-13 16:42 . 2011-07-13 16:42   --------   d-----w-   c:\program files\Auto Screenshot Maker
    2011-07-13 16:07 . 2011-07-13 16:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\DonationCoder
    2011-07-13 16:06 . 2011-07-13 17:26   --------   d-----w-   c:\program files\ScreenshotCaptor
    2011-07-13 03:12 . 2011-04-26 11:02   293376   ----a-w-   c:\windows\system32\SET5D0.tmp
    2011-07-12 14:09 . 2011-07-12 14:10   --------   d-----w-   c:\program files\HotHotSoftware
    2011-07-11 16:16 . 2006-10-26 23:56   33104   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2011-07-11 16:16 . 2008-11-10 15:41   32656   ----a-w-   c:\windows\system32\msonpmon.dll
    2011-07-11 12:43 . 2011-07-11 12:43   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2011-07-08 21:04 . 2011-07-08 21:15   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
    2011-07-08 20:58 . 2011-07-08 20:58   --------   d-----w-   c:\program files\MichaelFontana
    2011-07-07 22:27 . 2011-07-07 22:27   --------   d-----w-   c:\program files\Recuva
    2011-07-07 22:24 . 2011-07-07 22:24   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-07-07 15:03 . 2011-07-07 15:03   --------   d-----w-   c:\program files\WebEx
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-13 03:39 . 2011-01-25 21:30   6881616   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-07-06 23:52 . 2011-01-29 01:08   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52 . 2011-01-29 01:08   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2011-06-30 16:13 . 2011-01-24 14:44   138192   ----a-w-   c:\windows\system32\drivers\avipbb.sys
    2011-06-30 16:13 . 2011-01-24 14:44   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
    2011-06-02 14:07 . 2009-10-19 08:27   1867904   ----a-w-   c:\windows\system32\win32k.sys
    2011-06-27 20:52 . 2011-05-06 19:42   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
    2011-02-21 19:21 . 2011-01-24 14:58   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    .
    [7] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
    .
    [7] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys
    .
    [7] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
    .
    [7] 2009-10-19 . B5B1080D35974C0E718D64280761BCD5 . 182912 . . [5.1.2600.5588] . . c:\windows\system32\drivers\ndis.sys
    .
    [7] 2009-03-23 . AE8CAD8F28DB13B515A68510A539B0B8 . 576512 . . [5.1.2600.5782] . . c:\windows\system32\drivers\ntfs.sys
    .
    [7] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
    .
    [-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    .
    [7] 2009-10-19 . 7E39A3EDC13B076E70FDB9A6F6D7A4B4 . 78336 . . [5.1.2600.5574] . . c:\windows\system32\browser.dll
    .
    [7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
    .
    [7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
    .
    [7] 2008-04-14 12:00 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
    .
    [7] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\qmgr.dll
    [7] 2009-10-19 . F13D1AA04F1F02399EB87F011584B7C0 . 408576 . . [6.7.2600.5796] . . c:\windows\system32\bits\qmgr.dll
    .
    [7] 2009-10-19 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
    .
    [7] 2009-10-19 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
    .
    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
    [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
    .
    [7] 2009-10-19 . 53A8857723277B1D6D5EE60A9F85B117 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe
    .
    [7] 2009-10-19 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
    .
    [7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
    [7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
    [7] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    [7] 2009-10-19 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
    [7] 2009-10-19 . C6BE3E18287F21EE3ED3C84ED14E9D7A . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll
    [7] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
    .
    [7] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
    .
    [7] 2009-10-19 08:25 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
    .
    [7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
    .
    [7] 2009-10-19 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
    .
    [7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
    .
    [7] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
    .
    [7] 2011-05-30 . D0B1DB576941CB0B6669B8752FFAC79A . 5967360 . . [8.00.6001.23181] . . c:\windows\system32\mshtml.dll
    [7] 2011-05-30 . D0B1DB576941CB0B6669B8752FFAC79A . 5967360 . . [8.00.6001.23181] . . c:\windows\system32\dllcache\mshtml.dll
    .
    [7] 2009-10-19 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
    [7] 2009-10-19 . 06B8485FB1DA9A552B10AB978CD1AC85 . 343040 . . [7.0.2600.5701] . . c:\windows\system32\msvcrt.dll
    [7] 2009-10-19 . A4C4A54FD7E31179CB5BDF7896DF3DF7 . 343040 . . [7.0.2600.5701] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5701_x-ww_40d12c25\msvcrt.dll
    .
    [7] 2009-10-19 . 290C1A30DEFC723BBE10910AC2D6F6D0 . 245248 . . [5.1.2600.5649] . . c:\windows\system32\mswsock.dll
    [7] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
    .
    [7] 2009-10-19 . DAB13813B25B3D009B2AC1194CF5D0A2 . 407552 . . [5.1.2600.5755] . . c:\windows\system32\netlogon.dll
    .
    [7] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
    .
    [7] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
    .
    [7] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
    .
    [7] 2009-10-19 . 67E38B4A549833E02D4D1617B5DBC318 . 14848 . . [5.1.2600.5689] . . c:\windows\system32\svchost.exe
    .
    [7] 2009-10-19 . E2B32B10ACC5D97623275AAFB67E5F03 . 249856 . . [5.1.2600.5654] . . c:\windows\system32\tapisrv.dll
    .
    [7] 2009-10-19 . 3DE22354C3609B3C3E5DC2C19C5E0693 . 578560 . . [5.1.2600.5577] . . c:\windows\system32\user32.dll
    .
    [7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
    .
    [7] 2011-04-25 . 7F4F1697001B9E9A7924D219DC215903 . 919552 . . [8.00.6001.23165] . . c:\windows\system32\wininet.dll
    [7] 2011-04-25 . 7F4F1697001B9E9A7924D219DC215903 . 919552 . . [8.00.6001.23165] . . c:\windows\system32\dllcache\wininet.dll
    [7] 2011-02-22 . A9FA95F0D7F511959AC721E4843E5967 . 919552 . . [8.00.6001.23139] . . c:\windows\ie8updates\KB2530548-IE8\wininet.dll
    [7] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\ie8updates\KB2497640-IE8\wininet.dll
    [7] 2010-11-06 . 9357C4249F4810FB0E49C13387A8A77C . 919552 . . [8.00.6001.23084] . . c:\windows\ie8updates\KB2482017-IE8\wininet.dll
    [7] 2009-10-19 . 972B226BDAD71C55F3CC9A72BBF8F1C1 . 916480 . . [8.00.6001.22918] . . c:\windows\ie8updates\KB2416400-IE8\wininet.dll
    .
    [7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
    .
    [7] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
    .
    [7] 2009-10-19 . 2BB75B7F548D82A099125D0C5971DE7D . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe
    .
    [7] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\regedit.exe
    .
    [7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
    [7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
    [7] 2009-10-19 . 54FAEE910065DF0149E060F82EF7A0A9 . 1288704 . . [5.1.2600.5692] . . c:\windows\$NtUninstallKB979687$\ole32.dll
    .
    [7] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
    [7] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
    [7] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
    [7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll
    .
    [7] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\system32\ksuser.dll
    .
    [7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
    .
    .
    [7] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
    .
    [7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
    .
    [7] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    [7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
    .
    [7] 2009-10-19 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
    .
    [7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
    .
    [7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
    .
    [7] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
    .
    [7] 2009-10-19 . 5128852A18AE46C387F87BF27DA4C9DD . 296960 . . [5.1.2600.5815] . . c:\windows\system32\termsrv.dll
    .
    [7] 2009-10-19 . 0A878AA66E4DD3E2608192A1ECCD9F8F . 344064 . . [5.1.2600.5589] . . c:\windows\system32\hnetcfg.dll
    .
    [7] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll
    .
    [7] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
    .
    [7] 2008-04-13 20:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
    .
    [7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\AGP440.SYS
    .
    [7] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
    .
    [7] 2010-09-18 07:18 . 842900DEDBC8E3E8DBCCCB298FD88F65 . 953856 . . [4.1.6151] . . c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll
    [7] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\mfc40u.dll
    [7] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\dllcache\mfc40u.dll
    [7] 2008-04-14 12:00 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\$NtUninstallKB2387149$\mfc40u.dll
    .
    [7] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
    .
    [7] 2009-10-19 08:26 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
    .
    [7] 2010-12-10 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
    [7] 2010-12-10 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\system32\ntkrnlpa.exe
    [7] 2010-12-10 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntkrnlpa.exe
    [7] 2010-04-28 . 756362706DE8BC92F11E197C98A73844 . 2066944 . . [5.1.2600.5973] . . c:\windows\$NtUninstallKB2393802$\ntkrnlpa.exe
    [7] 2009-10-19 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB981852$\ntkrnlpa.exe
    .
    [7] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
    .
    [7] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
    .
    [7] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
    .
    [7] 2009-10-19 . D2CF91B2C710E9F666E60AFBF87643EE . 1689088 . . [5.03.2600.5601] . . c:\windows\system32\d3d9.dll
    .
    [7] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
    .
    [7] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
    .
    [7] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
    .
    [7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
    .
    .
    .
    [7] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
    [7] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\system32\ntoskrnl.exe
    [7] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntoskrnl.exe
    [7] 2010-04-27 . A2ABBEC40CDB57454645D06B7EBD22F5 . 2190080 . . [5.1.2600.5973] . . c:\windows\$NtUninstallKB2393802$\ntoskrnl.exe
    [7] 2009-10-19 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$NtUninstallKB981852$\ntoskrnl.exe
    .
    [7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
    .
    [7] 2009-10-19 . 9F8A0D0CBB2FA265A754516128C00E22 . 175616 . . [5.1.2600.5635] . . c:\windows\system32\w32time.dll
    .
    [7] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll
    .
    [7] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
    .
    [7] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\system32\rasadhlp.dll
    .
    c:\windows\System32\wscntfy.exe ... is missing !!
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "suomy"="c:\program files\lfcncjawgoifqf\ltnkvkri.exe" [2006-03-18 2285089]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-21 30192]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "suomy"="c:\program files\lfcncjawgoifqf\ltnkvkri.exe" [2006-03-18 2285089]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 18 (0x12)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    "PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/3/2011 3:27 PM 64512]
    R1 MpKslf59954db;MpKslf59954db;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslf59954db.sys [8/3/2011 4:25 PM 28752]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 2:59 PM 15232]
    S1 bkowctbp;bkowctbp;\??\c:\windows\system32\drivers\bkowctbp.sys --> c:\windows\system32\drivers\bkowctbp.sys [?]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
    S1 MpKsl01e83a9c;MpKsl01e83a9c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys [?]
    S1 MpKsl0cc9110d;MpKsl0cc9110d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys [?]
    S1 MpKsl136f1fb0;MpKsl136f1fb0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys [?]
    S1 MpKsl162d5693;MpKsl162d5693;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys [?]
    S1 MpKsl17f7d890;MpKsl17f7d890;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys [?]
    S1 MpKsl1920c0d3;MpKsl1920c0d3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys [?]
    S1 MpKsl239b35ac;MpKsl239b35ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys [?]
    S1 MpKsl2c1598c4;MpKsl2c1598c4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys [?]
    S1 MpKsl402ccee3;MpKsl402ccee3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys [?]
    S1 MpKsl427d79a1;MpKsl427d79a1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys [?]
    S1 MpKsl49ad88d2;MpKsl49ad88d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys [?]
    S1 MpKsl5d6d4cdd;MpKsl5d6d4cdd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys [?]
    S1 MpKsl6345b0bc;MpKsl6345b0bc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys [?]
    S1 MpKsl7c4e5c27;MpKsl7c4e5c27;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys [?]
    S1 MpKsl85315904;MpKsl85315904;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys [?]
    S1 MpKsl87163c1a;MpKsl87163c1a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys [?]
    S1 MpKsl9c781a98;MpKsl9c781a98;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys [?]
    S1 MpKsla37afca9;MpKsla37afca9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys [?]
    S1 MpKslb5c5dbf9;MpKslb5c5dbf9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys [?]
    S1 MpKslb8365f74;MpKslb8365f74;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys [?]
    S1 MpKslcbe4f901;MpKslcbe4f901;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys [?]
    S1 MpKsld2c007be;MpKsld2c007be;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys [?]
    S1 MpKslde174466;MpKslde174466;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys [?]
    S1 MpKsle5c06711;MpKsle5c06711;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys [?]
    S1 MpKslf07ca68a;MpKslf07ca68a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys [?]
    S1 MpKslffcdefc5;MpKslffcdefc5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys [?]
    S1 qpgubjnu;qpgubjnu;\??\c:\windows\system32\drivers\qpgubjnu.sys --> c:\windows\system32\drivers\qpgubjnu.sys [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLF59954DB
    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
    .
    2011-08-03 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
    .
    2011-08-03 c:\windows\Tasks\User_Feed_Synchronization-{F51BDFA4-4B2F-4CA5-8A91-76142D68EC61}.job
    - c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\qrdrfwd2.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-03 16:30
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-484763869-1844823847-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{23CBCFBB-AEC5-CA23-CA98-CF93341FF517}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(952)
    c:\windows\system32\WININET.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\msounsers.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Lavasoft\Ad-Aware\AAWService.exe
    c:\program files\Avira\AntiVir Desktop\sched.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Secunia\PSI\sua.exe
    c:\program files\UPHClean\uphclean.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-03  17:02:02 - machine was rebooted
    ComboFix-quarantined-files.txt  2011-08-03 20:59
    .
    Pre-Run: 61,411,377,152 bytes free
    Post-Run: 62,508,892,160 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 676E9DA49995EDA4FDE8617E602F3A63



    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:53:53 AM, on 8/4/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\program files\lfcncjawgoifqf\ltnkvkri.exe
    C:\program files\lfcncjawgoifqf\ltnkvkri.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: WKCALREM.LNK = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
    O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe

    --
    End of file - 4784 bytes



    [regaining space - attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
    « Reply #1 on: August 04, 2011, 05:00:12 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    ********************************************************
    Open HijackThis and select Open the Misc Tools section. Select Open process manager. Select
    C:\program files\lfcncjawgoifqf\ltnkvkri.exe
    C:\program files\lfcncjawgoifqf\ltnkvkri.exe

    and click on Kill process.
    *****************************************************
    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O4 - HKLM\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
    O4 - HKCU\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    **********************************************
    •Please download Dial-A-Fix from one of the following mirrors:

    Primary mirror
    Secondary mirror

    •Extract the zip file to your desktop.

    •Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors; just ignore them and click to continue.

    •Press the green double checkmark box (Looks like this:


    UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:





    •Click on Go

    •Wait for Dial-A-Fix to finish (all the check marks will be gone)

    •Close Dial-A-Fix
    *************************************************
    ComboFix is not a toy and should not be run without proper supervision.

    Re-running ComboFix to remove infections:

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the quotebox below into it:
      Quote
      KillAll::

      File::
      c:\windows\system32\SET5D0.tmp
      c:\windows\system32\drivers\bkowctbp.sys
      c:\windows\system32\drivers\qpgubjnu.sys

      Folder::
      C:\program files\lfcncjawgoifqf

      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "suomy"=-
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "suomy"=-
      Driver::
      bkowctbp
      qpgubjnu

    • Save this as CFScript.txt, in the same location as ComboFix.exe



    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
    ****************************************************

    P2P - I see you have P2P software installed on your machine (FrostWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
    Windows 8 and Windows 10 dual boot with two SSD's

    stonemanjr

      Topic Starter


      Beginner

      • Experience: Beginner
      • OS: Unknown
      Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
      « Reply #2 on: August 05, 2011, 12:51:53 AM »
      Thanks Dave. I will get Frostwire off immediately.
      The first file/processes you noticed with the funny letters are from All In One Keylogger. I think they do that to disguise it. Do you still want me to kill/remove it? I can uninstall the entire program if you need me to.

      Do you want me to proceed any further before doing these things?

      I appreciate your help

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
      « Reply #3 on: August 05, 2011, 05:44:10 PM »
      Quote
      The first file/processes you noticed with the funny letters are from All In One Keylogger. I think they do that to disguise it. Do you still want me to kill/remove it? I can uninstall the entire program if you need me to.
      If this is something you installed and you're happy with, leave it be. I just couldn't find anything and random letters are almost a dead giveaway for infections. I'm glad you told me about it. Please proceed with the rest of the fix.
      Windows 8 and Windows 10 dual boot with two SSD's
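      The "random letters" signal Dave describes above, and the O4 Run-key entries he asked to have fixed in Reply #1, can be turned into a repeatable triage check. The script below is an added example written for this thread; it is not part of HijackThis, ComboFix or anything the helpers posted. It parses lines in the HijackThis O4 format and flags autostart entries whose folder or executable name contains an unusually long run of consonants, the pattern seen in lfcncjawgoifqf\ltnkvkri.exe. The sample log lines are constructed after the log in this thread, and the consonant-run threshold is an assumed heuristic, not a published rule.

```python
"""Heuristic triage of HijackThis O4 (Run-key) entries.

Added example for this thread, not code from HijackThis or from the
helpers. Flags autostart entries whose path contains a random-looking
name, using a consonant-run heuristic (assumed threshold: 5 in a row).
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [suomy] c:\program files\lfcncjawgoifqf\ltnkvkri.exe lt
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-rooted path ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.+?\.exe)"?', re.IGNORECASE)

VOWELS = frozenset("aeiouy")


@dataclass
class Finding:
    hive: str
    value_name: str
    path: str
    suspicious_tokens: list = field(default_factory=list)


def longest_consonant_run(word):
    """Length of the longest run of non-vowel letters in word."""
    run = best = 0
    for ch in word.lower():
        if ch in VOWELS:
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def looks_random(word, threshold=5):
    """Assumed heuristic: pronounceable names rarely stack 5+ consonants.

    Short words are ignored so that names like 'avgnt' are not flagged.
    """
    w = word.lower()
    return w.isalpha() and len(w) >= 6 and longest_consonant_run(w) >= threshold


def parse_o4(line):
    """Return (hive, value_name, exe_path) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    p = EXE_RE.search(m.group("cmd"))
    path = p.group("path") if p else m.group("cmd")
    return m.group("hive"), m.group("name"), path


def suspicious_tokens(path):
    """Letter-only tokens from each path component that look random."""
    tokens = []
    for component in path.split("\\")[1:]:  # skip the drive letter
        for word in re.split(r"[^A-Za-z]+", component):
            if looks_random(word):
                tokens.append(word)
    return tokens


def triage(log_text):
    """Return a Finding for every O4 entry with a random-looking name."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, name, path = parsed
        tokens = suspicious_tokens(path)
        if tokens:
            findings.append(Finding(hive, name, path, tokens))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive} [{f.value_name}] {f.path}  <- random-looking: {f.suspicious_tokens}")
```

      On the constructed sample the only hit is the [suomy] entry under lfcncjawgoifqf, which matches what Dave picked out by eye. The output is a lead, not a verdict: this very thread shows the false-positive case, since the flagged program turned out to be a keylogger the user had installed deliberately, so each hit still needs the owner's confirmation before anything is removed.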

      stonemanjr

        Topic Starter


        Beginner

        • Experience: Beginner
        • OS: Unknown
        Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
        « Reply #4 on: August 05, 2011, 06:28:47 PM »
        OK. Thank you. Do you want me to insert the same text from Notepad into ComboFix?

        Thanks a lot, Dave.

        The other thing we are noticing is that the drop-down menus in Microsoft Office 2003 Word and Excel are invisible/unusable??? Never seen this before.

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
        « Reply #5 on: August 05, 2011, 06:31:09 PM »
        Quote
        DO you want me to insert the same text from notepad into the Combo FIx?
        Yes, please do exactly as instructed.
        Windows 8 and Windows 10 dual boot with two SSD's

        stonemanjr

          Topic Starter


          Beginner

          • Experience: Beginner
          • OS: Unknown
          Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
          « Reply #6 on: August 06, 2011, 06:53:31 PM »
          OK, done. See ComboFix log attached.

          [regaining space - attachment deleted by admin]

          stonemanjr

            Topic Starter


            Beginner

            • Experience: Beginner
            • OS: Unknown
            Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
            « Reply #7 on: August 06, 2011, 06:54:22 PM »
            ComboFix 11-08-06.02 - Owner 08/06/2011  16:47:46.3.1 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.200 [GMT -4:00]
            Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
            Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
            .
            FILE ::
            "c:\windows\system32\drivers\bkowctbp.sys"
            "c:\windows\system32\drivers\qpgubjnu.sys"
            "c:\windows\system32\SET5D0.tmp"
            .
            .
            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            c:\program files\lfcncjawgoifqf
            c:\program files\lfcncjawgoifqf\help.chm
            c:\program files\lfcncjawgoifqf\Log\Text\aiotxt.dat
            c:\program files\lfcncjawgoifqf\Log\Visual\06172011.dat
            c:\program files\lfcncjawgoifqf\Log\Visual\06182011.dat
            c:\program files\lfcncjawgoifqf\ltnkvkri.exe
            c:\program files\lfcncjawgoifqf\unins000.dat
            c:\program files\lfcncjawgoifqf\unins000.exe
            c:\windows\system32\SET5D0.tmp
            .
            .
            (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            -------\Service_bkowctbp
            -------\Service_qpgubjnu
            .
            .
            (((((((((((((((((((((((((   Files Created from 2011-07-07 to 2011-08-07  )))))))))))))))))))))))))))))))
            .
            .
            2011-08-07 00:40 . 2011-08-07 00:40   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKslaf718e34.sys
            2011-08-06 20:19 . 2011-08-06 20:19   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl3076c91a.sys
            2011-08-05 06:54 . 2011-08-07 00:39   --------   d-----w-   c:\windows\system32\CatRoot2
            2011-08-05 06:35 . 2011-08-05 06:35   --------   d-----w-   C:\ProgramData
            2011-08-05 06:34 . 2011-08-05 06:35   --------   d-----w-   c:\program files\Free YouTube Downloader
            2011-08-05 05:55 . 2011-08-05 05:55   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\Application Updater
            2011-08-05 05:54 . 2011-08-05 05:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\YouTube Downloader
            2011-08-05 01:25 . 2011-07-13 03:39   6881616   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\mpengine.dll
            2011-08-05 01:22 . 2011-08-05 01:22   --------   d-----w-   c:\documents and settings\Owner\Application Data\Avira
            2011-08-05 01:22 . 2011-08-05 01:22   --------   d-----w-   c:\program files\Avira
            2011-08-05 01:22 . 2011-08-05 01:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
            2011-08-05 01:21 . 2011-08-05 01:21   --------   d-----w-   c:\program files\K-Lite Codec Pack
            2011-08-04 22:45 . 2011-08-04 22:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Common Files
            2011-08-04 18:36 . 2011-08-04 18:36   --------   d-----w-   c:\program files\MSECache
            2011-08-04 06:13 . 2011-08-04 06:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\!SASCORE
            2011-08-04 05:22 . 2011-08-04 05:22   114048   ----a-w-   c:\windows\system32\drivers\snapman.sys
            2011-08-04 05:22 . 2011-08-04 05:22   --------   d-----w-   c:\program files\Acronis
            2011-08-04 05:21 . 2011-08-04 05:22   --------   d-----w-   c:\program files\Common Files\Acronis
            2011-08-03 20:25 . 2011-08-03 20:25   --------   d-----w-   c:\windows\system32\wbem\snmp
            2011-08-03 20:25 . 2011-08-03 20:25   --------   d-----w-   c:\windows\system32\oobe
            2011-08-03 20:25 . 2011-08-03 20:25   --------   d-----w-   c:\windows\system32\xircom
            2011-08-03 20:25 . 2011-08-03 20:25   --------   d-----w-   c:\program files\microsoft frontpage
            2011-08-03 19:29 . 2011-08-03 19:29   101720   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
            2011-08-03 19:27 . 2011-08-05 01:22   --------   dc----w-   c:\windows\system32\DRVSTORE
            2011-08-03 19:27 . 2011-07-21 18:59   64512   ----a-w-   c:\windows\system32\drivers\Lbd.sys
            2011-08-03 19:26 . 2011-08-04 15:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
            2011-08-03 19:26 . 2011-08-03 19:26   --------   d-----w-   c:\program files\Lavasoft
            2011-08-03 18:29 . 2011-08-03 18:29   388096   ----a-r-   c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
            2011-08-03 18:28 . 2011-08-03 18:28   --------   d-----w-   c:\program files\Trend Micro
            2011-08-03 18:08 . 2011-08-03 19:09   --------   d-----w-   c:\program files\UPXRemoval Tool
            2011-08-03 17:55 . 2011-04-23 23:51   537850   ----a-w-   C:\HaxFix.exe
            2011-08-03 17:55 . 2011-08-03 17:58   --------   d-----w-   c:\windows\HaxFix
            2011-08-02 19:46 . 2011-08-02 19:46   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Western Digital
            2011-08-01 19:59 . 2011-08-01 19:59   --------   d-----w-   c:\program files\Microsoft ActiveSync
            2011-08-01 19:58 . 2011-08-01 19:59   --------   d-----w-   c:\windows\SHELLNEW
            2011-08-01 19:58 . 2011-08-01 19:58   --------   d-----w-   c:\program files\Microsoft.NET
            2011-08-01 19:55 . 2011-08-01 19:55   --------   d-----r-   C:\MSOCache
            2011-07-28 22:09 . 2011-07-28 22:09   --------   d-----w-   c:\program files\MWSnap
            2011-07-28 16:53 . 2011-07-28 16:53   --------   d-----w-   c:\windows\AOL page_files
            2011-07-28 13:52 . 2011-07-28 13:52   --------   d-----w-   c:\windows\photo.php_files
            2011-07-13 16:42 . 2011-07-13 16:42   --------   d-----w-   c:\documents and settings\Owner\Application Data\AutoScreenShotMaker
            2011-07-13 16:42 . 2011-07-13 16:42   --------   d-----w-   c:\program files\Auto Screenshot Maker
            2011-07-13 16:07 . 2011-07-13 16:07   --------   d-----w-   c:\documents and settings\Owner\Application Data\DonationCoder
            2011-07-13 16:06 . 2011-07-13 17:26   --------   d-----w-   c:\program files\ScreenshotCaptor
            2011-07-12 14:09 . 2000-07-15 05:00   101888   ----a-w-   c:\windows\system32\VB6STKIT.DLL
            2011-07-12 14:09 . 2011-07-12 14:10   --------   d-----w-   c:\program files\HotHotSoftware
            2011-07-11 16:16 . 2006-10-26 23:56   33104   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
            2011-07-11 16:16 . 2008-11-10 15:41   32656   ----a-w-   c:\windows\system32\msonpmon.dll
            2011-07-11 12:43 . 2011-07-11 12:43   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
            2011-07-08 21:04 . 2011-07-08 21:15   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
            2011-07-08 20:58 . 2011-07-08 20:58   --------   d-----w-   c:\program files\MichaelFontana
            .
            .
            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2011-08-06 20:28 . 2011-01-24 14:44   138192   ----a-w-   c:\windows\system32\drivers\avipbb.sys
            2011-08-06 20:28 . 2011-01-24 14:44   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
            2011-07-13 03:39 . 2011-01-25 21:30   6881616   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
            2011-07-06 23:52 . 2011-01-29 01:08   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2011-07-06 23:52 . 2011-01-29 01:08   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2011-06-02 14:07 . 2009-10-19 08:27   1867904   ----a-w-   c:\windows\system32\win32k.sys
            2011-06-27 20:52 . 2011-05-06 19:42   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
            2011-02-21 19:21 . 2011-01-24 14:58   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
            .
            .
            (((((((((((((((((((((((((((((   SnapShot@2011-08-03_20.26.12   )))))))))))))))))))))))))))))))))))))))))
            .
            + 2011-08-07 00:36 . 2011-08-07 00:36   16384              c:\windows\Temp\Perflib_Perfdata_1a0.dat
            - 2011-01-24 14:44 . 2010-06-17 20:27   28520              c:\windows\system32\drivers\ssmdrv.sys
            + 2011-01-24 14:44 . 2010-06-17 18:27   28520              c:\windows\system32\drivers\ssmdrv.sys
            - 2011-01-24 14:44 . 2010-06-17 20:27   22360              c:\windows\system32\drivers\avgntmgr.sys
            + 2011-01-24 14:44 . 2010-06-17 18:27   22360              c:\windows\system32\drivers\avgntmgr.sys
            + 2011-01-24 14:44 . 2010-06-17 18:27   45416              c:\windows\system32\drivers\avgntdd.sys
            - 2011-01-24 14:44 . 2010-06-17 20:27   45416              c:\windows\system32\drivers\avgntdd.sys
            + 2007-07-04 18:57 . 2007-07-04 18:57   17176              c:\windows\system32\acrotls.dll
            + 2011-01-23 00:34 . 2011-01-23 00:34   9847              c:\windows\system32\mswnnmoue.dll
            - 2009-06-16 12:27 . 2009-06-16 12:27   9847              c:\windows\system32\mswnnmoue.dll
            + 2007-06-15 17:05 . 2007-06-15 17:05   206368              c:\windows\system32\snapapi.dll
            + 2010-02-16 04:57 . 2010-02-16 04:57   155648              c:\windows\system32\msounsers.dll
            - 2010-02-23 22:26 . 2010-02-23 22:26   155648              c:\windows\system32\msounsers.dll
            + 2011-03-04 19:30 . 2011-08-05 01:24   4520184              c:\windows\system32\Restore\rstrlog.dat
            + 2011-08-04 05:22 . 2011-08-04 05:22   2545152              c:\windows\Installer\1abe286.msi
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4
            .
            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-21 30192]
            "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
            "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
            .
            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
            .
            c:\documents and settings\Owner\Start Menu\Programs\Startup\
            WKCALREM.LNK - c:\program files\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE [N/A]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
            "MaxRecentDocs"= 18 (0x12)
            "NoSMConfigurePrograms"= 1 (0x1)
            "NoRecentDocsNetHood"= 1 (0x1)
            "MemCheckBoxInRunDlg"= 1 (0x1)
            .
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
            @=""
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
            @="Service"
            .
            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
            "SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
            "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
            "PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
            "PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "%windir%\\system32\\sessmgr.exe"=
            .
            R1 MpKsl3076c91a;MpKsl3076c91a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl3076c91a.sys [8/6/2011 4:19 PM 28752]
            R1 MpKslaf718e34;MpKslaf718e34;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKslaf718e34.sys [8/6/2011 8:40 PM 28752]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
            R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [6/29/2010 1:48 PM 114416]
            R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/24/2011 10:44 AM 136360]
            R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 10:24 AM 993848]
            R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 10:24 AM 399416]
            R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
            S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
            S1 MpKsl01e83a9c;MpKsl01e83a9c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{762C4104-FA34-4361-8671-024A9949C0F9}\MpKsl01e83a9c.sys [?]
            S1 MpKsl0cc9110d;MpKsl0cc9110d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A679349B-4E95-4D26-9E57-DEAA1C6DA335}\MpKsl0cc9110d.sys [?]
            S1 MpKsl136f1fb0;MpKsl136f1fb0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{152509A8-3EEA-45E6-A651-4EA25BFFB147}\MpKsl136f1fb0.sys [?]
            S1 MpKsl162d5693;MpKsl162d5693;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3A3AE65D-5BDA-44D4-86D2-B2FD79F2B441}\MpKsl162d5693.sys [?]
            S1 MpKsl17f7d890;MpKsl17f7d890;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl17f7d890.sys [?]
            S1 MpKsl1920c0d3;MpKsl1920c0d3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsl1920c0d3.sys [?]
            S1 MpKsl239b35ac;MpKsl239b35ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04986CEF-4FC6-4C56-BBC8-7D82431E3FF9}\MpKsl239b35ac.sys [?]
            S1 MpKsl2c1598c4;MpKsl2c1598c4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8E563B3-EB9D-4355-9784-73E2C7AD3132}\MpKsl2c1598c4.sys [?]
            S1 MpKsl361b2b0d;MpKsl361b2b0d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl361b2b0d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl361b2b0d.sys [?]
            S1 MpKsl402ccee3;MpKsl402ccee3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A494EFD-F2FB-49F5-9AF1-B874C44BC895}\MpKsl402ccee3.sys [?]
            S1 MpKsl427d79a1;MpKsl427d79a1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl427d79a1.sys [?]
            S1 MpKsl49ad88d2;MpKsl49ad88d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKsl49ad88d2.sys [?]
            S1 MpKsl5d6d4cdd;MpKsl5d6d4cdd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAAC346A-D529-43A0-9A3F-133A61997703}\MpKsl5d6d4cdd.sys [?]
            S1 MpKsl6345b0bc;MpKsl6345b0bc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BA39CC46-23DA-4A0E-93E9-EB0D7A6AA66C}\MpKsl6345b0bc.sys [?]
            S1 MpKsl71b96f71;MpKsl71b96f71;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl71b96f71.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF078E9C-8BA1-48F2-B39B-EAC49EFB1BE4}\MpKsl71b96f71.sys [?]
            S1 MpKsl7c4e5c27;MpKsl7c4e5c27;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A265B2C2-13C4-435B-8E30-C9AC6C19D68A}\MpKsl7c4e5c27.sys [?]
            S1 MpKsl85315904;MpKsl85315904;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl85315904.sys [?]
            S1 MpKsl87163c1a;MpKsl87163c1a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsl87163c1a.sys [?]
            S1 MpKsl9c781a98;MpKsl9c781a98;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKsl9c781a98.sys [?]
            S1 MpKsla37afca9;MpKsla37afca9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B76D9221-FAF9-4E81-B3D4-57FEC93B1F71}\MpKsla37afca9.sys [?]
            S1 MpKslb393e67e;MpKslb393e67e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslb393e67e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslb393e67e.sys [?]
            S1 MpKslb5c5dbf9;MpKslb5c5dbf9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3C6D79C-3BB3-4576-BCD1-9D60D7D5B3C9}\MpKslb5c5dbf9.sys [?]
            S1 MpKslb8365f74;MpKslb8365f74;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{405BBECE-9C92-49AE-B76A-22C8549C18BA}\MpKslb8365f74.sys [?]
            S1 MpKslcbe4f901;MpKslcbe4f901;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FD42E65-73A7-48DB-B612-E049CC77CBC8}\MpKslcbe4f901.sys [?]
            S1 MpKsld2c007be;MpKsld2c007be;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96A48D4A-C82F-45DA-A00D-0E05050D6688}\MpKsld2c007be.sys [?]
            S1 MpKslde174466;MpKslde174466;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56EC127E-2099-4E6E-8F75-7482DFF0A88A}\MpKslde174466.sys [?]
            S1 MpKsle5c06711;MpKsle5c06711;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EDBD694-3A5A-4A0B-B56E-8137E3E27531}\MpKsle5c06711.sys [?]
            S1 MpKslf07ca68a;MpKslf07ca68a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC2CC0F9-B77C-48A3-9133-78A4E06867D0}\MpKslf07ca68a.sys [?]
            S1 MpKslffcdefc5;MpKslffcdefc5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6B8AF660-721D-4EFE-ADBB-97CDC7E3C87E}\MpKslffcdefc5.sys [?]
            S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/24/2011 10:57 AM 30192]
            .
            --- Other Services/Drivers In Memory ---
            .
            *NewlyCreated* - MPKSLAF718E34
            *Deregistered* - uphcleanhlp
            .
            Contents of the 'Scheduled Tasks' folder
            .
            2011-08-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
            - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
            .
            2011-08-07 c:\windows\Tasks\MP Scheduled Scan.job
            - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
            .
            2011-08-07 c:\windows\Tasks\User_Feed_Synchronization-{F51BDFA4-4B2F-4CA5-8A91-76142D68EC61}.job
            - c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com/
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
            TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
            FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\qrdrfwd2.default\
            FF - prefs.js: browser.search.selectedEngine - Yahoo
            FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
            FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=
            FF - prefs.js: network.proxy.type - 0
            .
            - - - - ORPHANS REMOVED - - - -
            .
            HKCU-Run-suomy - c:\program files\lfcncjawgoifqf\ltnkvkri.exe
            AddRemove-AnjN9msuv_is1 - c:\program files\Lfcncjawgoifqf\unins000.exe
            AddRemove-{1a413f37-ed88-4fec-9666-5c48dc4b7bb7} - c:\program files\YouTube Downloader\uninstall.exe
            .
            .
            .
            **************************************************************************
            .
            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2011-08-06 20:39
            Windows 5.1.2600 Service Pack 3 NTFS
            .
            scanning hidden processes ... 
            .
            scanning hidden autostart entries ...
            .
            scanning hidden files ... 
            .
            scan completed successfully
            hidden files: 0
            .
            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------
            .
            [HKEY_USERS\S-1-5-21-484763869-1844823847-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{23CBCFBB-AEC5-CA23-CA98-CF93341FF517}*]
            @Allowed: (Read) (RestrictedCode)
            @Allowed: (Read) (RestrictedCode)
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------
            .
            - - - - - - - > 'explorer.exe'(2196)
            c:\windows\system32\WININET.dll
            c:\windows\system32\webcheck.dll
            c:\windows\system32\IEFRAME.dll
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            c:\windows\system32\msi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
            c:\program files\Avira\AntiVir Desktop\avguard.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
            c:\program files\Avira\AntiVir Desktop\avshadow.exe
            c:\program files\UPHClean\uphclean.exe
            .
            **************************************************************************
            .
            Completion time: 2011-08-06  20:49:10 - machine was rebooted
            ComboFix-quarantined-files.txt  2011-08-07 00:49
            ComboFix2.txt  2011-08-05 02:33
            ComboFix3.txt  2011-08-03 21:02
            .
            Pre-Run: 61,859,135,488 bytes free
            Post-Run: 61,938,446,336 bytes free
            .
            - - End Of File - - ED9EDD576DFC2DA36769AFF49EB40F55

            stonemanjr

              Topic Starter


              Beginner

              • Experience: Beginner
              • OS: Unknown
              Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
              « Reply #8 on: August 07, 2011, 10:44:48 AM »
              Dave, have you seen the logfile for ComboFix yet?

              The Avira AntiVir has continued to pop up saying that TR/SPy.Keylogger.qme is found, with msounser.dll also being picked up in the system32 folder, but when I went to look for it, it is hidden/no show.

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
              « Reply #9 on: August 07, 2011, 01:17:49 PM »
              Please go to Jotti's malware scan
              (If more than one file needs to be scanned, they must be done separately and links posted for each one)

              * Copy the file path in the below Code box:

              Code:
              c:\windows\system32\msounsers.dll

              * At the upload site, click once inside the window next to Browse.
              * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
              * Next click Submit file
              * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
              * This will perform a scan across multiple different virus scanning engines.
              * Important: Wait for all of the scanning engines to complete.
              * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
              ***********************************************************
              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
              Windows 8 and Windows 10 dual boot with two SSD's

              stonemanjr

                Topic Starter


                Beginner

                • Experience: Beginner
                • OS: Unknown
                Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
                « Reply #10 on: August 08, 2011, 05:08:20 PM »
                It says unable to locate the msounser.dll file.

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
                « Reply #11 on: August 08, 2011, 05:10:00 PM »
                Ok. Could you please run the SysProt AntiRootkit scan?
                Windows 8 and Windows 10 dual boot with two SSD's

                stonemanjr

                  Topic Starter


                  Beginner

                  • Experience: Beginner
                  • OS: Unknown
                  Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
                  « Reply #12 on: August 08, 2011, 05:28:07 PM »
                  SysProt AntiRootkit v1.0.1.0
                  by swatkat

                  ******************************************************************************************
                  ******************************************************************************************

                  No Hidden Processes found

                  ******************************************************************************************
                  ******************************************************************************************
                  Kernel Modules:
                  Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                  Service Name: ---
                  Module Base: F6AD1000
                  Module End: F6AE9000
                  Hidden: Yes

                  Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                  Service Name: ---
                  Module Base: F8AA2000
                  Module End: F8AA4000
                  Hidden: Yes

                  Module Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
                  Service Name: ---
                  Module Base: F4923000
                  Module End: F4926000
                  Hidden: Yes

                  ******************************************************************************************
                  ******************************************************************************************
                  SSDT:
                  Function Name: ZwClose
                  Address: F8C52984
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateKey
                  Address: F8C5293E
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateSection
                  Address: F8C5298E
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwCreateThread
                  Address: F8C52934
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwDeleteKey
                  Address: F8C52943
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwDeleteValueKey
                  Address: F8C5294D
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwDuplicateObject
                  Address: F8C5297F
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwLoadKey
                  Address: F8C52952
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwOpenProcess
                  Address: F8C52920
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwOpenThread
                  Address: F8C52925
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwReplaceKey
                  Address: F8C5295C
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwRestoreKey
                  Address: F8C52957
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwSetContextThread
                  Address: F8C52993
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwSetValueKey
                  Address: F8C52948
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwTerminateProcess
                  Address: F8C5292F
                  Driver Base: 0
                  Driver End: 0
                  Driver Name: _unknown_

                  Function Name: ZwUnloadKey
                  Address: F49236D0
                  Driver Base: F4923000
                  Driver End: F4926000
                  Driver Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

                  ******************************************************************************************
                  ******************************************************************************************
                  No Kernel Hooks found

                  ******************************************************************************************
                  ******************************************************************************************
                  Hidden files/folders:
                  Object: F:\b8e91b5566cc5df664\amd64\filterpipelineprintproc.dll
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\amd64\msxpsdrv.cat
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\amd64\msxpsdrv.inf
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\amd64\msxpsinc.gpd
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\amd64\msxpsinc.ppd
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\amd64\mxdwdrv.dll
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\amd64\xpssvcs.dll
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\i386\filterpipelineprintproc.dll
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\i386\msxpsdrv.cat
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\i386\msxpsdrv.inf
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\i386\msxpsinc.gpd
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\i386\msxpsinc.ppd
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\i386\mxdwdrv.dll
                  Status: Access denied

                  Object: F:\b8e91b5566cc5df664\i386\xpssvcs.dll
                  Status: Access denied

                  Object: F:\Documents and Settings\Gateway\My Documents\HBS General Files\CORNER STONE POLICY\CORNER STONE\Barry Robinson HBS Documents\Job Folder\HomeBase 2005\OLD BRC Folder\MEDICAID DMAS\MEDICAID HBS Chart FORMS\MEDICAID Chart FORMS\SPO Medicaid Eligibity Asses
                  Status: Hidden

                  Object: F:\Documents and Settings\Gateway\My Documents\HBS General Files\CORNER STONE POLICY\CORNER STONE\Barry Robinson HBS Documents\Job Folder\HomeBase 2005\OLD BRC Folder\MEDICAID DMAS\MEDICAID HBS Chart FORMS\MEDICAID Chart FORMS\SPO Medicaid Provisional Mas
                  Status: Hidden

                  Object: F:\Program Files\IObit\IObit SmartDefrag\language\Lietuviu.lng
                  Status: Hidden

                  Object: F:\System Volume Information\MountPointManagerRemoteDatabase
                  Status: Access denied

                  Object: F:\System Volume Information\tracking.log
                  Status: Access denied

                  Object: F:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\AppData.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Cache.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\History.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Music.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\SysPath.dat
                  Status: Access denied

                  Object: C:\Qoobox\BackEnv\Templates.folder.dat
                  Status: Access denied




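                  Added example, not part of this thread or of SysProt itself: a small triage helper for a SysProt log in the format posted above. It parses the "Kernel Modules" and "SSDT" sections, resolves each SSDT entry to the module whose address range contains the hook address, and lists the entries that cannot be attributed to any listed driver (the ones SysProt prints as `_unknown_`). The sample log is a constructed excerpt built from a few entries of the posted log; the attribution heuristic and the function names are this example's own.

```python
"""Triage a SysProt AntiRootkit log: which SSDT entries resolve to a known driver?

Added example (not from the thread, not SysProt code). SAMPLE_LOG is a
constructed excerpt in SysProt's output format; the entries are copied
from the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
Kernel Modules:
Module Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Service Name: ---
Module Base: F4923000
Module End: F4926000
Hidden: Yes

SSDT:
Function Name: ZwClose
Address: F8C52984
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: F8C52920
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnloadKey
Address: F49236D0
Driver Base: F4923000
Driver End: F4926000
Driver Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

No Kernel Hooks found
"""


@dataclass
class KernelModule:
    name: str
    base: int
    end: int
    hidden: bool


@dataclass
class SsdtEntry:
    function: str
    address: int
    driver_name: str  # "_unknown_" when SysProt could not map the address


# One record per "Function Name:" block; `.+` stops at end of line.
ENTRY_RE = re.compile(
    r"Function Name: (?P<func>\S+)\s*\n"
    r"Address: (?P<addr>[0-9A-Fa-f]+)\s*\n"
    r"Driver Base: [0-9A-Fa-f]+\s*\n"
    r"Driver End: [0-9A-Fa-f]+\s*\n"
    r"Driver Name: (?P<name>.+)"
)

MODULE_RE = re.compile(
    r"Module Name: (?P<name>.+)\n"
    r"Service Name: .*\n"
    r"Module Base: (?P<base>[0-9A-Fa-f]+)\s*\n"
    r"Module End: (?P<end>[0-9A-Fa-f]+)\s*\n"
    r"Hidden: (?P<hidden>\w+)"
)


def parse_modules(log: str) -> List[KernelModule]:
    """Kernel Modules section -> list of (name, base, end, hidden)."""
    return [KernelModule(m["name"].strip(), int(m["base"], 16),
                         int(m["end"], 16), m["hidden"] == "Yes")
            for m in MODULE_RE.finditer(log)]


def parse_ssdt(log: str) -> List[SsdtEntry]:
    """SSDT section -> list of hooked service entries."""
    return [SsdtEntry(m["func"], int(m["addr"], 16), m["name"].strip())
            for m in ENTRY_RE.finditer(log)]


def resolve(address: int, modules: List[KernelModule]) -> Optional[str]:
    """Name of the module whose [base, end) range contains `address`, else None."""
    for mod in modules:
        if mod.base <= address < mod.end:
            return mod.name
    return None


def triage(log: str) -> Dict[str, str]:
    """Map each hooked SSDT function to its owner, or 'unattributed'."""
    modules = parse_modules(log)
    result: Dict[str, str] = {}
    for e in parse_ssdt(log):
        owner = e.driver_name if e.driver_name != "_unknown_" else resolve(e.address, modules)
        result[e.function] = owner if owner is not None else "unattributed"
    return result


def unattributed_hooks(log: str) -> List[str]:
    """Functions whose hook address maps to no listed driver: the entries to review."""
    return [f for f, owner in triage(log).items() if owner == "unattributed"]


def unknown_span(log: str) -> Tuple[int, int]:
    """Lowest and highest unattributed hook address. A tight span means the
    hooks very likely share one owner that the tool could not name."""
    modules = parse_modules(log)
    addrs = [e.address for e in parse_ssdt(log)
             if e.driver_name == "_unknown_" and resolve(e.address, modules) is None]
    return (min(addrs), max(addrs)) if addrs else (0, 0)


if __name__ == "__main__":
    for func, owner in triage(SAMPLE_LOG).items():
        print(f"{func:20} {owner}")
    lo, hi = unknown_span(SAMPLE_LOG)
    print(f"unattributed hooks span {lo:08X}-{hi:08X}")
```

                  In the posted log the fifteen `_unknown_` entries all sit within a few hundred bytes of each other (F8C52920 to F8C52993), so they are almost certainly one module's hooks; the log by itself does not say which module, and confirming that takes a module listing from another tool rather than guessing from the address.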
                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
                  « Reply #13 on: August 09, 2011, 04:26:49 PM »
                  I'd like to scan your machine with ESET OnlineScan

                  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                  ESET OnlineScan
                  • Click the button.
                  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                    • Click on to download the ESET Smart Installer. Save it to your desktop.
                    • Double click on the icon on your desktop.
                  • Check
                  • Click the button.
                  • Accept any security warnings from your browser.
                  • Check
                  • Push the Start button.
                  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                  • When the scan completes, push
                  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                  • Push the button.
                  • Push
                  A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                  Windows 8 and Windows 10 dual boot with two SSD's
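A small parser for the log.txt that the scan above produces, added here as an example and not part of any post in this thread. The sample lines are constructed after the result lines posted later in the thread (path, threat, action), and it is assumed the columns are separated by tabs in the real file or by runs of spaces when pasted into a forum.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ESET Online Scanner result lines posted
# in this thread (same path / threat / action columns, tab separated).
SAMPLE_LOG = (
    "C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Spydig_Setup.exe"
    "\tmultiple threats\tdeleted - quarantined\n"
    "C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Installer-for-frostwire.exe"
    "\ta variant of MSIL/Agent.NGQ trojan\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}"
    "\\RP249\\A0056305.rbf\ta variant of Win32/Adware.Toolbar.Dealio application"
    "\tcleaned by deleting - quarantined\n"
    "C:\\System Volume Information\\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}"
    "\\RP233\\A0053525.sys\tWin32/Adware.SpywareCease application"
    "\tcleaned by deleting - quarantined\n"
)

# Column separator (assumed): a tab in the real log, or a run of spaces once pasted.
_SEP = re.compile(r"\t+| {2,}")
# System Restore keeps copies under _restore{GUID}\RPnnn; capture the restore-point id,
# because detections there mean a restore could bring the files back.
_RP = re.compile(r"\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE)


def parse_eset_log(text):
    """Turn ESET result lines into dicts; lines without three columns are skipped."""
    entries = []
    for line in text.splitlines():
        parts = [p for p in _SEP.split(line.strip()) if p]
        if len(parts) < 3:
            continue
        path, threat, action = parts[0], parts[1], " ".join(parts[2:])
        m = _RP.search(path)
        entries.append({
            "path": path,
            "threat": threat,
            "action": action,
            "restore_point": m.group(1) if m else None,
            "quarantined": "quarantined" in action,
        })
    return entries


def summarize(entries):
    """The counts a helper wants before deciding on the next step."""
    return {
        "total": len(entries),
        "in_restore_points": sum(1 for e in entries if e["restore_point"]),
        "quarantined": sum(1 for e in entries if e["quarantined"]),
        "by_threat": Counter(e["threat"] for e in entries),
        "restore_points": sorted({e["restore_point"] for e in entries if e["restore_point"]}),
    }


if __name__ == "__main__":
    print(summarize(parse_eset_log(SAMPLE_LOG)))
```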

                  stonemanjr

                    Topic Starter


                    Beginner

                    • Experience: Beginner
                    • OS: Unknown
                    Re: Malware Issues - PE_Perfect pecompact TR/SPy.Keylogger.qme
                    « Reply #14 on: August 09, 2011, 10:15:52 PM »
                    C:\Documents and Settings\Owner\My Documents\Downloads\FreeYouTubeDownloaderSetup(1).exe   multiple threats   deleted - quarantined
                    C:\Documents and Settings\Owner\My Documents\Downloads\FreeYouTubeDownloaderSetup.exe   multiple threats   deleted - quarantined
                    C:\Documents and Settings\Owner\My Documents\Downloads\Installer-for-frostwire.exe   a variant of MSIL/Agent.NGQ trojan   cleaned by deleting - quarantined
                    C:\Documents and Settings\Owner\My Documents\Downloads\PDFConverterSetup.exe   a variant of Win32/InstallCore.A application   cleaned by deleting - quarantined
                    C:\Documents and Settings\Owner\My Documents\Downloads\Spydig_Setup.exe   multiple threats   deleted - quarantined
                    C:\Documents and Settings\Owner\My Documents\Downloads\UPXRemovalTool.exe   probably a variant of Win32/SecurityStronghold application   deleted - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP233\A0053525.sys   Win32/Adware.SpywareCease application   cleaned by deleting - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP233\A0053530.dll   a variant of Win32/Adware.SpywareCease.AA application   cleaned by deleting - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP233\A0053562.exe   probably a variant of Win32/SecurityStronghold application   cleaned by deleting - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP248\A0056288.exe   multiple threats   deleted - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056305.rbf   a variant of Win32/Adware.Toolbar.Dealio application   cleaned by deleting - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056306.rbf   a variant of Win32/Adware.Toolbar.Dealio application   cleaned by deleting - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056307.rbf   probably a variant of Win32/Adware.Toolbar.Dealio application   cleaned by deleting - quarantined
                    C:\System Volume Information\_restore{CDE62CCB-CA36-4F5F-B4C8-1441E9D5BC5C}\RP249\A0056713.rbf   a variant of Win32/Adware.Toolbar.Dealio application   cleaned by deleting - quarantined