Win64:Sirefef Infection
dinosaur58
2012-07-11, 18:42
HAVE SUBSCRIBED to this topic with instant notification.
Google getting hijacked, Avast blocking Win64:Sirefef variants every minute or so. Hourglass cursor appears frequently; Task Manager shows 9-35% CPU usage briefly with no visible process using it.
Followed advice at http://technojourney.com/google/easily-remove-google-redirect-virus-your-computer/
Downloaded and ran TDSS rootkit removing tool 2.7.45.0; it failed to solve the problem [log follows the DDS log].
This is my only computer, so I will stay offline other than this forum.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 9:19:52 on 2012-07-11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2540 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alwil Software\Avast6\avastUI.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
"C:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
"C:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
"C:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [atwtusb] atwtusb.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4D24E198-7EA7-41BB-ABF0-0D5092022758} : DhcpNameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
S4 WWMZYS;WWMZYS;c:\docume~1\admini~1.com\locals~1\temp\wwmzys.exe --> c:\docume~1\admini~1.com\locals~1\temp\WWMZYS.exe [?]
.
=============== Created Last 30 ================
.
2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-07-05 13:32:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-05 13:32:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 9:20:32.03 ===============

TDSS Log
08:30:36.0515 2756 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
08:30:36.0546 2756 ============================================================
08:30:36.0546 2756 Current date / time: 2012/07/11 08:30:36.0546
08:30:36.0546 2756 SystemInfo:
08:30:36.0546 2756
08:30:36.0546 2756 OS Version: 5.1.2600 ServicePack: 2.0
08:30:36.0546 2756 Product type: Workstation
08:30:36.0546 2756 ComputerName: COMPUTER
08:30:36.0546 2756 UserName: Administrator
08:30:36.0546 2756 Windows directory: C:\WINDOWS
08:30:36.0546 2756 System windows directory: C:\WINDOWS
08:30:36.0546 2756 Processor architecture: Intel x86
08:30:36.0546 2756 Number of processors: 4
08:30:36.0546 2756 Page size: 0x1000
08:30:36.0546 2756 Boot type: Normal boot
08:30:36.0546 2756 ============================================================
08:30:40.0265 2756 Drive \Device\Harddisk0\DR0 - Size: 0x15D50F66000 (1397.27 Gb), SectorSize: 0x200, Cylinders: 0x2C881, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:30:40.0265 2756 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:30:40.0281 2756 Drive \Device\Harddisk2\DR6 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
08:30:40.0281 2756 ============================================================
08:30:40.0281 2756 \Device\Harddisk0\DR0:
08:30:40.0281 2756 MBR partitions:
08:30:40.0281 2756 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x37F06434
08:30:40.0281 2756 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x37F06473, BlocksNum 0x76B802CE
08:30:40.0281 2756 \Device\Harddisk1\DR1:
08:30:40.0281 2756 MBR partitions:
08:30:40.0281 2756 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x65A06555
08:30:40.0281 2756 \Device\Harddisk2\DR6:
08:30:40.0281 2756 MBR partitions:
08:30:40.0281 2756 \Device\Harddisk2\DR6\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
08:30:40.0281 2756 ============================================================
08:30:40.0312 2756 C: <-> \Device\Harddisk0\DR0\Partition0
08:30:40.0359 2756 D: <-> \Device\Harddisk0\DR0\Partition1
08:30:40.0375 2756 J: <-> \Device\Harddisk2\DR6\Partition0
08:30:40.0421 2756 E: <-> \Device\Harddisk1\DR1\Partition0
08:30:40.0421 2756 ============================================================
08:30:40.0421 2756 Initialize success
08:30:40.0421 2756 ============================================================
08:31:11.0468 3592 ============================================================
08:31:11.0468 3592 Scan started
08:31:11.0468 3592 Mode: Manual;
08:31:11.0468 3592 ============================================================
08:31:11.0953 3592 61883 (86d7b1e70661d754685b9ac6d749aae5) C:\WINDOWS\system32\DRIVERS\61883.sys
08:31:11.0953 3592 61883 - ok
08:31:11.0968 3592 Aavmker4 (473f97edc5a5312f3665ab2921196c0c) C:\WINDOWS\system32\drivers\Aavmker4.sys
08:31:11.0968 3592 Aavmker4 - ok
08:31:11.0968 3592 Abiosdsk - ok
08:31:11.0984 3592 abp480n5 - ok
08:31:12.0015 3592 ACDaemon - ok
08:31:12.0046 3592 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:31:12.0046 3592 ACPI - ok
08:31:12.0062 3592 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:31:12.0062 3592 ACPIEC - ok
08:31:12.0093 3592 AcrSch2Svc (4a00e527bb34fca0e458db1089f97b3b) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
08:31:12.0109 3592 AcrSch2Svc - ok
08:31:12.0125 3592 adpu160m - ok
08:31:12.0140 3592 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
08:31:12.0140 3592 aec - ok
08:31:12.0140 3592 Afc - ok
08:31:12.0171 3592 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
08:31:12.0171 3592 AFD - ok
08:31:12.0171 3592 Aha154x - ok
08:31:12.0171 3592 aic78u2 - ok
08:31:12.0187 3592 aic78xx - ok
08:31:12.0187 3592 aiptektp (14a9ba653838164a2ae148e362640197) C:\WINDOWS\system32\DRIVERS\aiptektp.sys
08:31:12.0187 3592 aiptektp - ok
08:31:12.0187 3592 ALCXWDM - ok
08:31:12.0218 3592 Alerter (c7ae0fd3867db0d42b03b73c18f3d671) C:\WINDOWS\system32\alrsvc.dll
08:31:12.0218 3592 Alerter - ok
08:31:12.0218 3592 ALG - ok
08:31:12.0234 3592 AliIde - ok
08:31:12.0312 3592 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
08:31:12.0328 3592 Ambfilt - ok
08:31:12.0406 3592 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
08:31:12.0406 3592 AmdPPM - ok
08:31:12.0406 3592 amsint - ok
08:31:12.0421 3592 AnyDVD (cb5f75ea66bf555ba6dff01c1e63ab84) C:\WINDOWS\system32\Drivers\AnyDVD.sys
08:31:12.0421 3592 AnyDVD - ok
08:31:12.0437 3592 AppMgmt (9c3c12975c97119412802b181fbeeffe) C:\WINDOWS\System32\appmgmts.dll
08:31:12.0453 3592 AppMgmt - ok
08:31:12.0468 3592 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
08:31:12.0468 3592 Arp1394 - ok
08:31:12.0468 3592 asc - ok
08:31:12.0468 3592 asc3350p - ok
08:31:12.0484 3592 asc3550 - ok
08:31:12.0484 3592 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
08:31:12.0484 3592 Aspi32 - ok
08:31:12.0531 3592 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
08:31:12.0531 3592 aspnet_state - ok
08:31:12.0546 3592 aswFsBlk (0ae43c6c411254049279c2ee55630f95) C:\WINDOWS\system32\drivers\aswFsBlk.sys
08:31:12.0546 3592 aswFsBlk - ok
08:31:12.0546 3592 aswMon2 (8c30b7ddd2f1d8d138ebe40345af2b11) C:\WINDOWS\system32\drivers\aswMon2.sys
08:31:12.0546 3592 aswMon2 - ok
08:31:12.0562 3592 aswRdr (da12626fd9a67f4e917e2f2fbe1e1764) C:\WINDOWS\system32\drivers\aswRdr.sys
08:31:12.0562 3592 aswRdr - ok
08:31:12.0609 3592 aswSnx (dcb199b967375753b5019ec15f008f53) C:\WINDOWS\system32\drivers\aswSnx.sys
08:31:12.0625 3592 aswSnx - ok
08:31:12.0640 3592 aswSP (b32873e5a1443c0a1e322266e203bf10) C:\WINDOWS\system32\drivers\aswSP.sys
08:31:12.0640 3592 aswSP - ok
08:31:12.0656 3592 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:31:12.0656 3592 AsyncMac - ok
08:31:12.0671 3592 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:31:12.0671 3592 atapi - ok
08:31:12.0671 3592 Atdisk - ok
08:31:12.0687 3592 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:31:12.0687 3592 Atmarpc - ok
08:31:12.0703 3592 AudioSrv (db66db626e4882ebef55f136f12c1829) C:\WINDOWS\System32\audiosrv.dll
08:31:12.0703 3592 AudioSrv - ok
08:31:12.0703 3592 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:31:12.0718 3592 audstub - ok
08:31:12.0796 3592 avast! Antivirus (4041d31508a2a084dfb42c595854090f) C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
08:31:12.0796 3592 avast! Antivirus - ok
08:31:12.0828 3592 Avc (87c223adb8f7596b31caae3c67b16ddd) C:\WINDOWS\system32\DRIVERS\avc.sys
08:31:12.0828 3592 Avc - ok
08:31:12.0859 3592 AVCSTRM (867d73a2e43b2ddaf0b0263f88e217ac) C:\WINDOWS\system32\DRIVERS\avcstrm.sys
08:31:12.0859 3592 AVCSTRM - ok
08:31:12.0859 3592 AVG Anti-Rootkit (e8054a423e5d2bdae6062bab6da159c4) C:\WINDOWS\system32\DRIVERS\avgarkt.sys
08:31:12.0859 3592 AVG Anti-Rootkit - ok
08:31:12.0875 3592 AvgArCln (ec08d1625f5c6cf2a57b79eb35186f8c) C:\WINDOWS\system32\DRIVERS\AvgArCln.sys
08:31:12.0875 3592 AvgArCln - ok
08:31:12.0906 3592 BCMNTIO (90a87d49205b3893281203a477f66fe5) C:\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys
08:31:12.0906 3592 BCMNTIO - ok
08:31:12.0906 3592 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:31:12.0906 3592 Beep - ok
08:31:12.0937 3592 BITS (2c69ec7e5a311334d10dd95f338fccea) C:\WINDOWS\system32\qmgr.dll
08:31:12.0953 3592 BITS - ok
08:31:12.0968 3592 Browser (e3cfccdda4edd1d0dc9168b2e18f27b8) C:\WINDOWS\System32\browser.dll
08:31:12.0968 3592 Browser - ok
08:31:12.0968 3592 catchme - ok
08:31:12.0984 3592 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:31:12.0984 3592 cbidf2k - ok
08:31:13.0000 3592 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:31:13.0000 3592 CCDECODE - ok
08:31:13.0000 3592 cd20xrnt - ok
08:31:13.0015 3592 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:31:13.0015 3592 Cdaudio - ok
08:31:13.0015 3592 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
08:31:13.0015 3592 Cdfs - ok
08:31:13.0031 3592 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:31:13.0031 3592 Cdrom - ok
08:31:13.0031 3592 Changer - ok
08:31:13.0031 3592 CiSvc (3192bd04d032a9c4a85a3278c268a13a) C:\WINDOWS\system32\cisvc.exe
08:31:13.0046 3592 CiSvc - ok
08:31:13.0046 3592 ClipSrv (c8dec22c4137d7a90f8bdf41ca4b82ae) C:\WINDOWS\system32\clipsrv.exe
08:31:13.0046 3592 ClipSrv - ok
08:31:13.0078 3592 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
08:31:13.0078 3592 clr_optimization_v2.0.50727_32 - ok
08:31:13.0093 3592 CmdIde - ok
08:31:13.0093 3592 COMSysApp - ok
08:31:13.0093 3592 Cpqarray - ok
08:31:13.0125 3592 CryptSvc (10654f9ddcea9c46cfb77554231be73b) C:\WINDOWS\System32\cryptsvc.dll
08:31:13.0125 3592 CryptSvc - ok
08:31:13.0125 3592 dac2w2k - ok
08:31:13.0125 3592 dac960nt - ok
08:31:13.0187 3592 DcomLaunch (01095febf33beea00c2a0730b9b3ec28) C:\WINDOWS\system32\rpcss.dll
08:31:13.0203 3592 DcomLaunch - ok
08:31:13.0218 3592 Dhcp (ef545e1a4b043da4c84e230dd471c55f) C:\WINDOWS\System32\dhcpcsvc.dll
08:31:13.0218 3592 Dhcp - ok
08:31:13.0218 3592 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
08:31:13.0218 3592 Disk - ok
08:31:13.0218 3592 dmadmin - ok
08:31:13.0265 3592 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
08:31:13.0265 3592 dmboot - ok
08:31:13.0281 3592 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
08:31:13.0281 3592 dmio - ok
08:31:13.0281 3592 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:31:13.0296 3592 dmload - ok
08:31:13.0296 3592 dmserver (1639d9964c9e1b2ecca95c8217d3e70d) C:\WINDOWS\System32\dmserver.dll
08:31:13.0296 3592 dmserver - ok
08:31:13.0312 3592 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
08:31:13.0312 3592 DMusic - ok
08:31:13.0343 3592 Dnscache (aac8ffbfd61e784fa3bac851d4a0bd5f) C:\WINDOWS\System32\dnsrslvr.dll
08:31:13.0343 3592 Dnscache - ok
08:31:13.0343 3592 dpti2o - ok
08:31:13.0359 3592 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
08:31:13.0359 3592 drmkaud - ok
08:31:13.0375 3592 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
08:31:13.0375 3592 ElbyCDIO - ok
08:31:13.0375 3592 ElbyDelay (e205c313417da6fa7afe85912a310a65) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
08:31:13.0375 3592 ElbyDelay - ok
08:31:13.0375 3592 ERSvc (67dff7bbbd0e80aab7b3cf061448db8a) C:\WINDOWS\System32\ersvc.dll
08:31:13.0406 3592 ERSvc - ok
08:31:13.0421 3592 EuMusDesignVirtualAudioCableWdm (b27707bce98cb02eac9be5967096e75a) C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys
08:31:13.0421 3592 EuMusDesignVirtualAudioCableWdm - ok
08:31:13.0437 3592 Eventlog (37561f8d4160d62da86d24ae41fae8de) C:\WINDOWS\system32\services.exe
08:31:13.0453 3592 Eventlog - ok
08:31:13.0468 3592 EventSystem (60d1a6342238378bfb7545c81ee3606c) C:\WINDOWS\system32\es.dll
08:31:13.0484 3592 EventSystem - ok
08:31:13.0500 3592 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
08:31:13.0500 3592 Fastfat - ok
08:31:13.0531 3592 FastUserSwitchingCompatibility (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
08:31:13.0531 3592 FastUserSwitchingCompatibility - ok
08:31:13.0531 3592 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
08:31:13.0531 3592 Fdc - ok
08:31:13.0546 3592 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
08:31:13.0546 3592 Fips - ok
08:31:13.0546 3592 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
08:31:13.0546 3592 Flpydisk - ok
08:31:13.0578 3592 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:31:13.0578 3592 FltMgr - ok
08:31:13.0593 3592 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
08:31:13.0593 3592 FontCache3.0.0.0 - ok
08:31:13.0687 3592 FreeAgentGoNext Service (eb1951e61c28b3b7d812a47adb976e60) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
08:31:13.0703 3592 FreeAgentGoNext Service - ok
08:31:13.0703 3592 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:31:13.0703 3592 Fs_Rec - ok
08:31:13.0718 3592 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:31:13.0718 3592 Ftdisk - ok
08:31:13.0734 3592 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:31:13.0734 3592 Gpc - ok
08:31:13.0781 3592 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:31:13.0781 3592 HDAudBus - ok
08:31:13.0812 3592 helpsvc (8827911a8c37e40c027cbfc88e69d967) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
08:31:13.0812 3592 helpsvc - ok
08:31:13.0812 3592 HidServ - ok
08:31:13.0828 3592 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:31:13.0828 3592 hidusb - ok
08:31:13.0828 3592 hpn - ok
08:31:13.0921 3592 hpqcxs08 (f50f7984fdd151edd8a70a8dbd9e2a44) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
08:31:13.0921 3592 hpqcxs08 - ok
08:31:13.0953 3592 hpqddsvc (df446ba625cc441617843e87798ce048) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
08:31:13.0953 3592 hpqddsvc - ok
08:31:13.0968 3592 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
08:31:13.0968 3592 HPZid412 - ok
08:31:13.0984 3592 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
08:31:13.0984 3592 HPZipr12 - ok
08:31:13.0984 3592 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
08:31:14.0000 3592 HPZius12 - ok
08:31:14.0015 3592 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
08:31:14.0031 3592 HTTP - ok
08:31:14.0046 3592 HTTPFilter (064d8581adf77c25133e7d751d917d83) C:\WINDOWS\System32\w3ssl.dll
08:31:14.0062 3592 HTTPFilter - ok
08:31:14.0062 3592 i2omgmt - ok
08:31:14.0062 3592 i2omp - ok
08:31:14.0078 3592 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:31:14.0078 3592 i8042prt - ok
08:31:14.0125 3592 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
08:31:14.0140 3592 IDriverT - ok
08:31:14.0234 3592 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
08:31:14.0250 3592 idsvc - ok
08:31:14.0281 3592 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:31:14.0281 3592 Imapi - ok
08:31:14.0328 3592 ImapiService (fa788520bcac0f5d9d5cde5615c0d931) C:\WINDOWS\system32\imapi.exe
08:31:14.0328 3592 ImapiService - ok
08:31:14.0343 3592 ini910u - ok
08:31:14.0531 3592 IntcAzAudAddService (09e73e7455e7eac14e25739b30e16b52) C:\WINDOWS\system32\drivers\RtkHDAud.sys
08:31:14.0625 3592 IntcAzAudAddService - ok
08:31:14.0671 3592 IntelIde - ok
08:31:14.0687 3592 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:31:14.0687 3592 Ip6Fw - ok
08:31:14.0703 3592 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:31:14.0703 3592 IpFilterDriver - ok
08:31:14.0734 3592 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:31:14.0734 3592 IpInIp - ok
08:31:14.0765 3592 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:31:14.0781 3592 IpNat - ok
08:31:14.0796 3592 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:31:14.0796 3592 IPSec - ok
08:31:14.0812 3592 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:31:14.0812 3592 IRENUM - ok
08:31:14.0828 3592 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:31:14.0828 3592 isapnp - ok
08:31:14.0828 3592 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:31:14.0828 3592 Kbdclass - ok
08:31:14.0843 3592 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
08:31:14.0843 3592 kmixer - ok
08:31:14.0859 3592 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
08:31:14.0859 3592 KSecDD - ok
08:31:14.0890 3592 lanmanserver (0cb3af149a0bac0836022ca307c7a0f8) C:\WINDOWS\System32\srvsvc.dll
08:31:14.0890 3592 lanmanserver - ok
08:31:14.0906 3592 lanmanworkstation (e1f27cfcd114ec9f1e1f44674b2ff9f0) C:\WINDOWS\System32\wkssvc.dll
08:31:14.0921 3592 lanmanworkstation - ok
08:31:14.0921 3592 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
08:31:14.0921 3592 Lbd - ok
08:31:14.0921 3592 lbrtfdc - ok
08:31:14.0968 3592 LmHosts (b3eff6d938c572e90a07b3d87a3c7657) C:\WINDOWS\System32\lmhsvc.dll
08:31:14.0968 3592 LmHosts - ok
08:31:15.0015 3592 MAPMEM (61330a29bd4230505a7618bc41693cbb) C:\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys
08:31:15.0031 3592 MAPMEM - ok
08:31:15.0046 3592 MDP100 (fbb9954bb0e54d77abdd78aba5572ba7) C:\WINDOWS\system32\DRIVERS\MDP100_XP.sys
08:31:15.0046 3592 MDP100 - ok
08:31:15.0062 3592 MEITUNER (1968aa72f5c23c5010a126b5ee0c3539) C:\WINDOWS\system32\DRIVERS\meistb.sys
08:31:15.0062 3592 MEITUNER - ok
08:31:15.0078 3592 MEMSWEEP2 - ok
08:31:15.0093 3592 Messenger (95fd808e4ac22aba025a7b3eac0375d2) C:\WINDOWS\System32\msgsvc.dll
08:31:15.0093 3592 Messenger - ok
08:31:15.0109 3592 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:31:15.0109 3592 mnmdd - ok
08:31:15.0125 3592 mnmsrvc (f6415361201915b9fe3896b0e4e724ff) C:\WINDOWS\system32\mnmsrvc.exe
08:31:15.0125 3592 mnmsrvc - ok
08:31:15.0140 3592 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
08:31:15.0140 3592 Modem - ok
08:31:15.0250 3592 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
08:31:15.0281 3592 Monfilt - ok
08:31:15.0343 3592 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:31:15.0343 3592 Mouclass - ok
08:31:15.0359 3592 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:31:15.0359 3592 mouhid - ok
08:31:15.0359 3592 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
08:31:15.0359 3592 MountMgr - ok
08:31:15.0359 3592 MPE (55a9a7e6bb297bf0f5b144029dcb79cc) C:\WINDOWS\system32\DRIVERS\MPE.sys
08:31:15.0359 3592 MPE - ok
08:31:15.0375 3592 mraid35x - ok
08:31:15.0390 3592 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:31:15.0390 3592 MRxDAV - ok
08:31:15.0421 3592 MRxSmb (629c6d19002911b807cf4d2a941bc251) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:31:15.0421 3592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 629c6d19002911b807cf4d2a941bc251, Fake md5: fb6c89bb3ce282b08bdb1e3c179e1c39
08:31:15.0421 3592 MRxSmb ( Virus.Win32.ZAccess.aml ) - infected
08:31:15.0421 3592 MRxSmb - detected Virus.Win32.ZAccess.aml (0)
08:31:15.0453 3592 MSDTC (c7c3d89eb0a6f3dba622ea737fa335b1) C:\WINDOWS\system32\msdtc.exe
08:31:15.0453 3592 MSDTC - ok
08:31:15.0453 3592 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
08:31:15.0453 3592 Msfs - ok
08:31:15.0453 3592 MSIServer - ok
08:31:15.0468 3592 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:31:15.0468 3592 MSKSSRV - ok
08:31:15.0468 3592 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:31:15.0468 3592 MSPCLOCK - ok
08:31:15.0484 3592 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
08:31:15.0484 3592 MSPQM - ok
08:31:19.0468 3592 ============================================================
08:31:19.0468 3592 Scan finished
08:31:19.0468 3592 ============================================================
08:31:19.0468 2716 Detected object count: 1
08:31:19.0468 2716 Actual detected object count: 1
08:33:34.0734 2716 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - copied to quarantine
08:33:34.0765 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\@ - copied to quarantine
08:33:34.0828 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\Desktop.ini - copied to quarantine
08:33:34.0843 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\L\00000004.@ - copied to quarantine
08:33:34.0843 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\L\201d3dde - copied to quarantine
08:33:34.0859 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\L\waknjude - copied to quarantine
08:33:34.0859 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000004.@ - copied to quarantine
08:33:35.0062 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000008.@ - copied to quarantine
08:33:35.0062 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\000000cb.@ - copied to quarantine
08:33:35.0078 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000000.@ - copied to quarantine
08:33:35.0078 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000032.@ - copied to quarantine
08:33:35.0593 2716 Backup copy found, using it..
08:33:35.0609 2716 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
08:33:36.0250 2716 C:\WINDOWS\$NtUninstallKB14732$\2034695612 - will be deleted on reboot
08:33:36.0250 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\@ - will be deleted on reboot
08:33:36.0250 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\Desktop.ini - will be deleted on reboot
08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000004.@ - will be deleted on reboot
08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000008.@ - will be deleted on reboot
08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\000000cb.@ - will be deleted on reboot
08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000000.@ - will be deleted on reboot
08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000032.@ - will be deleted on reboot
08:33:36.0265 2716 MRxSmb ( Virus.Win32.ZAccess.aml ) - User select action: Cure
Hi,
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please uninstall the programs listed above (in red). Post fresh DDS logs after that.
dinosaur58
2012-07-14, 20:04
First of all thanks for such prompt reply. No problem dumping Utorrent, only ever used it when I missed episodes of TV shows. Haven't used it since getting my DVR [more than a year ago] - I can program/record as many events/series as I want.
A couple of questions:
1] Can I send emails to friends etc. as long as no attachments without risking infecting their PCs?
2] Is it better to leave my machine running [every 60 seconds there is a series of system sounds - open/close program] or should I shut down any time I'm not using it. The last shutdown/startup cycle the virus took down my website access [ALL sites = 'server not found']. I'm only back online because of restore using the ERUNT backup your site recommends. When not online I disconnect my modem/router.
FYI-
Avast [I set the realtime shields to highest levels of protection] has been detecting the following malware activity:
Object: C:\WINDOWS\assembly\GAC\Desktop.ini
Win64:Sirefef-PL [Rtk]
Process: C:\WINDOWS\Explorer.EXE
Others include JS:ScriptlP-inf [Trj] and Win64:Sirefef-A [Trj]. Infections detected in svchost processes.
It seems like any program I run except anti-malware will show up as infected. I have not used anything but Explorer.exe, Notepad {getting DEP closings}, Winrar {clean so far}, Photoshop {already infected anyway} and various anti-malware progs since infected.
As a last resort I have a 15 month old full backup. Unfortunately it is for C: partition only. I only found out that restore from these backups formats and repartitions the drive, after the new machine was up and running with 650 Gb copied to the D: partition [too big to back up - it's data only, no software so small risk of infection]. If we can get this infection cleared up I will buy a drive for C: [OS and other software, currently only 65 Gb - easy to backup] and keep up-to-date backups. Have been meaning to do this - Duh.
Thanks again for helping me. DDS log follows.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 9:58:27 on 2012-07-14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2765 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alwil Software\Avast6\avastUI.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_262_Plugin.exe -update plugin
mRun: [atwtusb] atwtusb.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
S4 WWMZYS;WWMZYS;c:\docume~1\admini~1.com\locals~1\temp\wwmzys.exe --> c:\docume~1\admini~1.com\locals~1\temp\WWMZYS.exe [?]
.
=============== Created Last 30 ================
.
2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-07-05 13:32:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-05 13:32:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 9:59:12.85 ===============
Hi,
I think it's ok to say 'yes' to both your questions above :)
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
dinosaur58
2012-07-15, 00:31
Looks like I should have checked back sooner. I've been afraid to get online often knowing that someone has a backdoor. I am beginning the Combofix run now, but I work nights, and so must get some sleep. I will post the log in about 6 hours when I get up. I'll have to go to work an hour later and not be back for 10 hours, but then I'll have some time.
That's ok. I won't be back here checking in next 10hrs either :)
dinosaur58
2012-07-15, 07:34
I notice in the Combofix log entries referring to a search toolbar. I never had one [?] so no problem if these are gone.
I also noticed the following deletions:
c:\windows\system32\Filters\ffdshow\ffdshow.ax
c:\windows\system32\Filters\ffdshow\ffdshow.ax.manifest
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se
c:\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc
c:\windows\system32\Filters\ffdshow\libavcodec.dll
c:\windows\system32\Filters\ffdshow\libmpeg2_ff.dll
c:\windows\system32\Filters\ffdshow\libmplayer.dll
c:\windows\system32\Filters\ffdshow\reg\ffdshow.reg
c:\windows\system32\Filters\ffdshow\reg\reg.exe
c:\windows\system32\Filters\ffdshow\reg\rempc.reg
c:\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll
c:\windows\system32\Filters\FLVSplitter.ax
c:\windows\system32\Filters\MatroskaSplitter.ax
c:\windows\system32\Filters\MP4Splitter.ax
c:\windows\system32\Filters\Quicktime.ax
c:\windows\system32\Filters\RealMediaSplitter.ax
These are used to play/edit various video files [I do some video mixing]. Would it be a problem to restore any of these after we are finished? No more system sounds [previously mentioned]. No more Avast pop-ups.
I'll be back Sunday morning [USA Mountain Time]
Did not attach file Attach.txt [zip] as you did not request it, other logs follow.
ComboFix 12-07-14.01 - Administrator 07/14/2012 21:31:32.18.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3065 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country10.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\searchplugins\bing-zugo.xml
c:\documents and settings\Administrator.COMPUTER\Application Data\vso_ts_preview.xml
c:\documents and settings\Administrator.COMPUTER\Desktop\-.lnk
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\@
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\L\00000004.@
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\n
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\00000004.@
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\00000008.@
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\000000cb.@
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\80000032.@
c:\documents and settings\Administrator.COMPUTER\WINDOWS
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\0C232DFB.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\1CA73D29.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\403EAC7C.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\4BF2F6B5.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\5C321E34.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\BFE23423.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\C7D0F96D.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\D1AB3412.TMP
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\D5876FBA.TMP
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{67cdd5a0-c572-4d2c-a354-6492b51f4138}\setup.msi
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\asw3B.tmp
c:\windows\system32\Bass.dll
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\system32\drivers\tcpip.copy
c:\windows\system32\Filters
c:\windows\system32\Filters\AviSplitter.ax
c:\windows\system32\Filters\ffdshow\custom matrices\andreas_78er.matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\andreas_doppelte_99er.matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\andreas_einfache_99er.matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's Heavy Compression Matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's High Quality Matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\CG-Animation Matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\hvs-best-picture.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\hvs-better-picture.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\hvs-good-picture.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Low Bitrate Matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\MPEG.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\pvcd.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V3.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V5.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Standard.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Ultimate Matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Ultra Low Bitrate Matrix.xcm
c:\windows\system32\Filters\ffdshow\custom matrices\Very Low Bitrate Matrix.xcm
c:\windows\system32\Filters\ffdshow\dict\Czech.dic
c:\windows\system32\Filters\ffdshow\dict\dicts.txt
c:\windows\system32\Filters\ffdshow\dict\Greek.dic
c:\windows\system32\Filters\ffdshow\dict\Polski.dic
c:\windows\system32\Filters\ffdshow\ff_kernelDeint.dll
c:\windows\system32\Filters\ffdshow\ff_liba52.dll
c:\windows\system32\Filters\ffdshow\ff_libdts.dll
c:\windows\system32\Filters\ffdshow\ff_libfaad2.dll
c:\windows\system32\Filters\ffdshow\ff_libmad.dll
c:\windows\system32\Filters\ffdshow\ff_realaac.dll
c:\windows\system32\Filters\ffdshow\ff_samplerate.dll
c:\windows\system32\Filters\ffdshow\ff_theora.dll
c:\windows\system32\Filters\ffdshow\ff_tremor.dll
c:\windows\system32\Filters\ffdshow\ff_unrar.dll
c:\windows\system32\Filters\ffdshow\ff_wmv9.dll
c:\windows\system32\Filters\ffdshow\ff_x264.dll
c:\windows\system32\Filters\ffdshow\ffdshow.ax
c:\windows\system32\Filters\ffdshow\ffdshow.ax.manifest
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk
c:\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se
c:\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc
c:\windows\system32\Filters\ffdshow\libavcodec.dll
c:\windows\system32\Filters\ffdshow\libmpeg2_ff.dll
c:\windows\system32\Filters\ffdshow\libmplayer.dll
c:\windows\system32\Filters\ffdshow\reg\ffdshow.reg
c:\windows\system32\Filters\ffdshow\reg\reg.exe
c:\windows\system32\Filters\ffdshow\reg\rempc.reg
c:\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll
c:\windows\system32\Filters\FLVSplitter.ax
c:\windows\system32\Filters\MatroskaSplitter.ax
c:\windows\system32\Filters\MP4Splitter.ax
c:\windows\system32\Filters\Quicktime.ax
c:\windows\system32\Filters\RealMediaSplitter.ax
c:\windows\system32\Filters\VSFilter.dll
c:\windows\system32\MSMAsk32.ocx
c:\windows\system32\NEW11.tmp
c:\windows\system32\NEW12.tmp
c:\windows\system32\NEW26.tmp
c:\windows\system32\NEW2E.tmp
c:\windows\system32\NEW2F.tmp
c:\windows\system32\NEWB.tmp
J:\Autorun.inf
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
.
.
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-07-05 13:32 . 2012-04-05 13:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-05 13:32 . 2011-05-24 12:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 09:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [4/15/2007 09:17 PM 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
S4 WWMZYS;WWMZYS;c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe --> c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-16507403.sys
MSConfigStartUp-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
MSConfigStartUp-LoginScreen - c:\windows\aIg.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-14 21:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast6\AvastSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2012-07-14 21:45:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-15 03:45
ComboFix2.txt 2010-12-30 20:21
.
Pre-Run: 412,054,997,504 bytes free
Post-Run: 412,079,539,712 bytes free
.
- - End Of File - - D160B9B213AA34D55F4E0B0841104C87
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 21:59:31 on 2012-07-14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2916 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alwil Software\Avast6\avastUI.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [atwtusb] atwtusb.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
S4 WWMZYS;WWMZYS;c:\docume~1\admini~1.com\locals~1\temp\wwmzys.exe --> c:\docume~1\admini~1.com\locals~1\temp\WWMZYS.exe [?]
.
=============== Created Last 30 ================
.
2012-07-14 21:38:32 98816 ----a-w- c:\windows\sed.exe
2012-07-14 21:38:32 518144 ----a-w- c:\windows\SWREG.exe
2012-07-14 21:38:32 256000 ----a-w- c:\windows\PEV.exe
2012-07-14 21:38:32 208896 ----a-w- c:\windows\MBR.exe
2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-07-05 13:32:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-05 13:32:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 22:00:04.18 ===============
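As an added, defender-side example that is not part of this thread and not ComboFix's own code: a small Python triage script that reads a ComboFix-style "Other Deletions" list and groups the entries a responder looks at first, namely the per-user {GUID} folder under Application Data with its @ and n files and U\ and L\ subfolders that ComboFix removed in the log above, the "Infected copy of ... was found and disinfected" line, and any autorun.inf sitting at a drive root. The sample lines are constructed from the log above; the regexes, the severity labels and the function names are my own assumptions, not anything ComboFix emits.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ComboFix "Other Deletions" block
# above (a subset of its lines, copied as they appear in the log).
SAMPLE_LOG = r"""
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\@
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\L\00000004.@
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\n
c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\80000032.@
c:\program files\Search Toolbar\SearchToolbar.dll
c:\windows\system32\Filters\ffdshow\ffdshow.ax
J:\Autorun.inf
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\services.exe
"""

# A registry-style GUID: {8-4-4-4-12 hex digits}.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# Per-user GUID folder under "Application Data" holding an "@" or "n" file or
# an "U\xxxxxxxx.@" / "L\xxxxxxxx.@" entry, the layout seen in the log above.
GUID_STORE_RE = re.compile(
    r"\\application data\\(?P<guid>" + GUID + r")\\"
    r"(?P<child>@|n|[ul]\\[0-9a-f]{8}\.@)$",
    re.IGNORECASE,
)
# ComboFix's note that it replaced a patched system binary.
DISINFECTED_RE = re.compile(
    r"^Infected copy of (?P<path>.+?) was found and disinfected$", re.IGNORECASE
)
# autorun.inf at the root of any drive letter.
AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)


def triage(log_text):
    """Classify each deletion line; unmatched lines (toolbars, codecs) are ignored."""
    hits = {"guid_stores": defaultdict(list), "disinfected": [], "autorun": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with "." lines
            continue
        m = GUID_STORE_RE.search(line)
        if m:
            hits["guid_stores"][m.group("guid").lower()].append(m.group("child"))
            continue
        m = DISINFECTED_RE.match(line)
        if m:
            hits["disinfected"].append(m.group("path"))
            continue
        if AUTORUN_RE.match(line):
            hits["autorun"].append(line)
    hits["guid_stores"] = dict(hits["guid_stores"])
    return hits


def report(hits):
    """Turn the triage result into one line per finding, most severe first."""
    lines = []
    for guid, children in hits["guid_stores"].items():
        lines.append(
            f"HIGH: per-user GUID store {guid} with {len(children)} "
            f"payload/config entries ({', '.join(children)})"
        )
    for path in hits["disinfected"]:
        lines.append(f"HIGH: system binary was patched in place and restored: {path}")
    for path in hits["autorun"]:
        lines.append(f"INFO: autorun.inf present at a drive root: {path}")
    return lines


if __name__ == "__main__":
    for finding in report(triage(SAMPLE_LOG)):
        print(finding)
```

The point of grouping by GUID is that the folder itself, its @ and n files and the U\ and L\ entries are one artifact set: if a later scan shows the same GUID folder reappearing, the infection was not fully removed, whereas the toolbar and codec deletions in the same list are unrelated noise.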
Hi again,
These are used to play/edit various video files. Would it be a problem to restore any of these after we are finished?
We can restore those a bit later.
Open notepad and copy/paste the text in the codebox below into it:
@echo off
rem Add every quarantined file listed below to Files_for_submission.zip (needs zip on the PATH),
rem then delete this batch file. Paths are quoted because several contain spaces, and an
rem unquoted path with a space is split into two tokens by FOR.
for %%g in (
"c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\AviSplitter.ax.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_78er.matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_doppelte_99er.matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_einfache_99er.matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's Heavy Compression Matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's High Quality Matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\CG-Animation Matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-best-picture.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-better-picture.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-good-picture.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Low Bitrate Matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\MPEG.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\pvcd.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V3.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V5.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Standard.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Ultimate Matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Ultra Low Bitrate Matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Very Low Bitrate Matrix.xcm.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Czech.dic.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\dicts.txt.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Greek.dic.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Polski.dic.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_kernelDeint.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_liba52.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libdts.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libfaad2.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libmad.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_realaac.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_samplerate.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_theora.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_tremor.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_unrar.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_wmv9.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_x264.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ffdshow.ax.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ffdshow.ax.manifest.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libavcodec.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libmpeg2_ff.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libmplayer.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\ffdshow.reg.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\reg.exe.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\rempc.reg.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\FLVSplitter.ax.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\MatroskaSplitter.ax.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\MP4Splitter.ax.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\Quicktime.ax.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\RealMediaSplitter.ax.vir"
"c:\qoobox\quarantine\c\windows\system32\Filters\VSFilter.dll.vir"
"c:\qoobox\quarantine\c\windows\system32\MSMAsk32.ocx.vir"
) do zip Files_for_submission %%g
rem Remove this batch file once the archive has been built.
del %0
Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this: http://www.techsupportforum.com/sectools/tetonbob/bat_icon.gif
Double click on grab.bat & allow it to run
A file, Files_for_submission.zip will be created on your desktop.
Please upload that zip file to this website (http://www.bleepingcomputer.com/submit-malware.php?channel=76). Kindly include a link to this topic in the message.
I see there's still an ancient Internet Explorer 6 installed. Is there anything preventing an upgrade to version 8 (a bit later)?
----------------
Open notepad and copy/paste the text in the quotebox below into it:
Firefox::
FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
File::
c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe
Driver::
WWMZYS
RegNull::
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1 and the separate 10.1.1, 10.1.2 & 10.1.3 updates for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.
Uninstall vulnerable Flash versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 7 Update 5 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click Continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u5-windows-i586.exe to install the newest version.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
dinosaur58
2012-07-15, 21:28
A few problems. The 'files for submission.zip' file turned out 5.3 mb - just over the 5 mb limit for file size, so it will have to be split up? Uninstalled Adobe [Reader, Flash, Shockwave] Plus Java before running Combofix with script - have not installed new versions yet. Both runs of Combofix [forgot to tell you last time - oops] encountered a problem at stage 2 with PEV.3xe but continued to run after Windows closed this application. Combofix still reports infected with Rootkit Zero-access.
As for IExplorer, no special reason [it's unnecessarily huge and acts like it wants to take over everything]. I NEVER use it except for when absolutely required by totally trusted sites [I think just Microsoft.com].
Re ESET online test. I already have Trend Micro online tester installed on my system. I could run one of their scans sooner and with less system clutter if that's ok. If you feel that ESET is substantially better I will install that.
Figured there was no point in running a DDS scan until these issues were resolved. Combofix log follows:
ComboFix 12-07-14.01 - Administrator 07/15/2012 11:38:04.19.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3061 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country10.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WWMZYS
-------\Service_WWMZYS
.
.
((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
.
.
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-15_03.42.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 22:42 . 2012-07-15 17:41 82954 c:\windows\system32\perfc009.dat
- 2007-10-23 22:42 . 2012-07-15 03:34 82954 c:\windows\system32\perfc009.dat
+ 2007-12-14 01:00 . 2004-08-04 08:00 44544 c:\windows\system32\alg.exe
+ 2007-10-23 22:42 . 2012-07-15 17:41 466936 c:\windows\system32\perfh009.dat
- 2007-10-23 22:42 . 2012-07-15 03:34 466936 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [4/15/2007 09:17 PM 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-15 11:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2452)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast6\AvastSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2012-07-15 11:49:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-15 17:49
ComboFix2.txt 2012-07-15 03:45
ComboFix3.txt 2010-12-30 20:21
.
Pre-Run: 412,165,657,088 bytes free
Post-Run: 412,106,697,216 bytes free
.
- - End Of File - - BEFA14583C764203915D27261DEA2848
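The R0/R1/S2/S3 driver and service lines in the log above are the quickest place to spot leftover or orphaned service entries. As an added example (not from this thread and not ComboFix's own code), the Python script below parses lines in that format and flags entries for manual review; the first five sample lines are copied from the log, the final WWMZYS line is constructed for the example, and treating "[?]" as "no file found at that path" is an assumption of this script, as is every heuristic it applies.

```python
"""Triage the R/S driver and service lines of a ComboFix log for entries worth a manual look."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. The first five lines are copied from the driver/service
# section of the ComboFix log in this thread; the final WWMZYS line is invented for
# this example, modelled on the Temp-folder executable and driver the CFScript removed.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
S3 WWMZYS;WWMZYS;c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe [?]
"""

# One entry per line: "<state> <name>;<display name>;<image>[ --> <resolved image>] [<file info>]"
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)

VOWELS = set("aeiouAEIOU")


@dataclass
class ServiceEntry:
    state: str     # R = running, S = stopped; the digit is the start type (0 boot ... 4 disabled)
    name: str
    display: str
    image: str     # path ComboFix resolved the entry to (may carry a \??\ prefix)
    info: str      # "<date> <time> <size>", or "?" when ComboFix recorded no file details


def parse_service_lines(text: str) -> List[ServiceEntry]:
    """Extract every line that matches the ComboFix driver/service format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("resolved") or m.group("image")
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), image, m.group("info")))
    return entries


def suspicious_reasons(entry: ServiceEntry) -> List[str]:
    """Return the review heuristics an entry trips; an empty list means nothing stood out."""
    reasons = []
    path = entry.image.lower()
    if path.startswith("\\??\\"):          # NT object-manager prefix, strip it before inspecting
        path = path[4:]
    # Assumption of this example: "[?]" means ComboFix found no file at that path, so the
    # registry entry is either an orphan left by an uninstall or points at a file hidden from it.
    if entry.info == "?":
        reasons.append("image-not-found")
    if path.endswith(".tmp"):              # kernel drivers are not normally installed as .tmp files
        reasons.append("tmp-extension")
    if "\\temp\\" in path:                 # services launched from a user's Temp folder
        reasons.append("temp-directory")
    name = entry.name
    if len(name) >= 5 and name.isalpha() and not (set(name) & VOWELS):
        reasons.append("unpronounceable-name")   # weak signal: random-looking service names
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons for every entry that trips at least one heuristic."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_service_lines(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

The flags are prompts for a closer look, not verdicts: a missing image can be a harmless leftover of an uninstalled tool just as easily as a hidden file.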
Hi,
I will find out if all those samples need to be uploaded or if we can create a smaller zip. I'll let you know asap.
Hi,
No need to upload samples for this :)
As for IExplorer, no special reason [it's unnecessarily huge and acts like it wants to take over everything]. I NEVER use it except for when absolutely required by totally trusted sites [I think just Microsoft.com].
Under the hood IE plays quite an important role in Windows. Even if it isn't used for surfing you should keep it up to date. A vulnerable browser is one of the top targets of malware.
Re ESET online test. I already have Trend Micro online tester installed on my system. I could run one of their scans sooner and with less system clutter if that's ok. If you feel that ESET is substantially better I will install that.
Scanners behave differently. I recommend running ESET at this point. It can be uninstalled when we've finished the cleaning :)
Open notepad and copy/paste the text in the quotebox below into it:
Firefox::
FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself when prompted).
Then post the resultant log.
dinosaur58
2012-07-16, 20:24
Updated and ran Combofix with script. Still getting error/close on pev.3XE after 'Completed Stage_2'. Combofix still reports "infected with Rootkit.ZeroAccess!". Restart actually worked for this CF run [it has never worked since I built this PC]. As you can see I have installed Foxit and newest versions of Flash [required Firefox update], Shockwave, and Java. As requested installed latest version of IExplorer and ran ESET scan [ESET took a looong time - too bad it can't be configured to skip the D: and E: drives from now on]. Google search results no longer hijacked. Can't understand how I ended up with that Bing search. I always check very carefully when installing/updating software for extra stuff like that. I wouldn't mind deleting it, along with registry values for [now uninstalled] Adobe Reader + old Java versions [jusched - can't seem to get rid of that startup entry even with new preferences set to no auto-update].
1]Combofix 2]ESET and 3]DDS logs follow:
ComboFix 12-07-16.01 - Administrator 07/16/2012 7:56.20.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3059 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country10.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-06-16 to 2012-07-16 )))))))))))))))))))))))))))))))
.
.
2012-07-15 20:07 . 2012-07-15 20:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:07 . 2012-07-15 20:07 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07 . 2012-07-15 20:07 -------- d-----w- c:\program files\Java
2012-07-15 20:04 . 2012-07-15 20:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42 . 2012-07-15 19:42 -------- d-----w- c:\program files\Foxit Software
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 20:07 . 2010-07-04 16:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2012-07-15 19:49 . 2012-07-15 19:49 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-15_03.42.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 22:42 . 2012-07-16 13:59 82954 c:\windows\system32\perfc009.dat
- 2007-10-23 22:42 . 2012-07-15 03:34 82954 c:\windows\system32\perfc009.dat
+ 2007-12-14 01:00 . 2004-08-04 08:00 44544 c:\windows\system32\alg.exe
+ 2012-07-15 20:05 . 2012-07-15 20:05 87944 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2012-07-05 08:04 . 2012-07-05 08:04 86016 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2012-07-05 07:48 . 2012-07-05 07:48 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2012-07-05 07:48 . 2012-07-05 07:48 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
+ 2012-07-05 08:05 . 2012-07-05 08:05 12800 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2012-07-15 20:05 . 2012-07-15 20:05 10134 c:\windows\Installer\{612C34C7-5E90-47D8-9B5C-0F717DD82726}\ARPPRODUCTICON.exe
- 2007-10-23 22:42 . 2012-07-15 03:34 466936 c:\windows\system32\perfh009.dat
+ 2007-10-23 22:42 . 2012-07-16 13:59 466936 c:\windows\system32\perfh009.dat
+ 2012-07-15 20:04 . 2012-07-15 20:04 245408 c:\windows\system32\Macromed\Flash\FlashUtil10ze_Plugin.exe
+ 2012-07-15 20:07 . 2012-07-15 20:07 227824 c:\windows\system32\javaws.exe
+ 2012-07-15 20:07 . 2012-07-15 20:07 174064 c:\windows\system32\javaw.exe
+ 2012-07-15 20:07 . 2012-07-15 20:07 174064 c:\windows\system32\java.exe
+ 2012-07-05 07:48 . 2012-07-05 07:48 284600 c:\windows\system32\Adobe\Shockwave 11\SymCCIS.dll
+ 2012-07-05 08:04 . 2012-07-05 08:04 114176 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2012-07-05 08:05 . 2012-07-05 08:05 434176 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2012-07-05 08:05 . 2012-07-05 08:05 366592 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2012-07-05 07:52 . 2012-07-05 07:52 990208 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2012-07-05 08:04 . 2012-07-05 08:04 544256 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2012-07-05 08:11 . 2012-07-05 08:11 143840 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2012-07-05 08:11 . 2012-07-05 08:11 323552 c:\windows\system32\Adobe\Director\SwDir_1165635.dll
+ 2012-07-05 08:05 . 2012-07-05 08:05 195584 c:\windows\system32\Adobe\Director\np32dsw_1165635.dll
+ 2012-07-15 20:25 . 2012-07-15 20:25 176128 c:\windows\Installer\878217.msi
+ 2012-07-15 20:07 . 2012-07-15 20:07 863744 c:\windows\Installer\74a2f0.msi
+ 2012-07-15 20:05 . 2012-07-15 20:05 430592 c:\windows\Installer\74a2ec.msi
+ 2012-07-15 20:04 . 2012-07-15 20:04 6277280 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2012-07-05 08:11 . 2012-07-05 08:11 1040864 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1165635.exe
+ 2012-07-05 07:48 . 2012-07-05 07:48 2376368 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2012-07-05 07:48 . 2012-07-05 07:48 1292288 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2012-07-05 07:54 . 2012-07-05 07:54 1742336 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [4/15/2007 09:17 PM 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/15/2012 01:49 PM 129976]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-16 08:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-07-16 08:03:59
ComboFix-quarantined-files.txt 2012-07-16 14:03
ComboFix2.txt 2012-07-15 17:49
ComboFix3.txt 2012-07-15 03:45
ComboFix4.txt 2010-12-30 20:21
.
Pre-Run: 411,891,145,216 bytes free
Post-Run: 411,906,132,480 bytes free
.
- - End Of File - - D7533ABC61112568ABFA7BB7FB286BDD
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
C:\Program Files\YTD Setup\trafficplace-us-2-silent.exe Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP482\A0107142.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP482\A0107157.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP483\A0107164.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP485\A0107242.dll Win32/Toolbar.Zugo application
C:\TDSSKiller_Quarantine\11.07.2012_08.30.36\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.NF trojan
C:\TDSSKiller_Quarantine\11.07.2012_08.30.36\rtkt0000\zafs0000\tsk0001.dta Win32/Sirefef.EZ trojan
C:\TDSSKiller_Quarantine\11.07.2012_08.30.36\rtkt0000\zafs0000\tsk0008.dta a variant of Win32/Sirefef.FA trojan
C:\TDSSKiller_Quarantine\11.07.2012_08.30.36\rtkt0000\zafs0000\tsk0009.dta a variant of Win32/Sirefef.FD trojan
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.0
Run by Administrator at 11:05:47 on 2012-07-16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2675 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Alwil Software\Avast6\avastUI.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [atwtusb] atwtusb.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4D24E198-7EA7-41BB-ABF0-0D5092022758} : DhcpNameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-15 129976]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
.
=============== Created Last 30 ================
.
2012-07-16 14:49:29 -------- d-sh--w- c:\documents and settings\administrator.computer\PrivacIE
2012-07-16 14:43:56 -------- d-sh--w- c:\documents and settings\administrator.computer\IETldCache
2012-07-16 14:40:08 -------- d-----w- c:\windows\ie8updates
2012-07-16 14:37:30 -------- dc-h--w- c:\windows\ie8
2012-07-16 14:34:05 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-16 14:34:05 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-16 14:34:05 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-07-16 14:34:04 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-16 14:34:04 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-16 14:34:04 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-07-16 14:34:03 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-07-15 20:07:27 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07:27 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:04:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42:28 -------- d-----w- c:\program files\Foxit Software
2012-07-14 21:38:32 98816 ----a-w- c:\windows\sed.exe
2012-07-14 21:38:32 518144 ----a-w- c:\windows\SWREG.exe
2012-07-14 21:38:32 256000 ----a-w- c:\windows\PEV.exe
2012-07-14 21:38:32 208896 ----a-w- c:\windows\MBR.exe
2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2012-07-15 20:07:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 11:06:39.59 ===============
Hi,
Combofix still reports "infected with Rootkit.ZeroAccess!"
Logs look ok now regarding ZA and if symptoms are gone then the above is likely a false alert.
Please create CFScript.txt with the contents below and then run ComboFix with it like earlier. Post back the reports.
File::
C:\Program Files\YTD Setup\trafficplace-us-2-silent.exe
DeQuarantine::
c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir
c:\qoobox\quarantine\c\windows\system32\Filters
Quit::
dinosaur58
2012-07-17, 11:51
Ran Combofix with script. It didn't create the usual log, just the list posted below. When I tried to return here to post the log I found that ALL websites gave the 'Connection Reset' error. I guess ZA must have been hiding somewhere. I restored from the most recent ERUNT reg backup which brought back website access. FYI BASS.dll is an adjunct [needed to open certain kinds of audio file] to an audio track editing software package [Behappy - an Avisynth GUI].
Combofix DeQuarantine log follows:
c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir -> c:\windows\system32\Bass.dll ( 92216 bytes )
C:\qoobox\quarantine\c\windows\system32\Filters\AviSplitter.ax -> C:\windows\system32\Filters\AviSplitter.ax
C:\qoobox\quarantine\c\windows\system32\Filters\FLVSplitter.ax -> C:\windows\system32\Filters\FLVSplitter.ax
C:\qoobox\quarantine\c\windows\system32\Filters\MatroskaSplitter.ax -> C:\windows\system32\Filters\MatroskaSplitter.ax
C:\qoobox\quarantine\c\windows\system32\Filters\MP4Splitter.ax -> C:\windows\system32\Filters\MP4Splitter.ax
C:\qoobox\quarantine\c\windows\system32\Filters\Quicktime.ax -> C:\windows\system32\Filters\Quicktime.ax
C:\qoobox\quarantine\c\windows\system32\Filters\RealMediaSplitter.ax -> C:\windows\system32\Filters\RealMediaSplitter.ax
C:\qoobox\quarantine\c\windows\system32\Filters\VSFilter.dll -> C:\windows\system32\Filters\VSFilter.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ffdshow.ax -> C:\windows\system32\Filters\ffdshow\ffdshow.ax
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ffdshow.ax.manifest -> C:\windows\system32\Filters\ffdshow\ffdshow.ax.manifest
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_kernelDeint.dll -> C:\windows\system32\Filters\ffdshow\ff_kernelDeint.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_liba52.dll -> C:\windows\system32\Filters\ffdshow\ff_liba52.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libdts.dll -> C:\windows\system32\Filters\ffdshow\ff_libdts.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libfaad2.dll -> C:\windows\system32\Filters\ffdshow\ff_libfaad2.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libmad.dll -> C:\windows\system32\Filters\ffdshow\ff_libmad.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_realaac.dll -> C:\windows\system32\Filters\ffdshow\ff_realaac.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_samplerate.dll -> C:\windows\system32\Filters\ffdshow\ff_samplerate.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_theora.dll -> C:\windows\system32\Filters\ffdshow\ff_theora.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_tremor.dll -> C:\windows\system32\Filters\ffdshow\ff_tremor.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_unrar.dll -> C:\windows\system32\Filters\ffdshow\ff_unrar.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_wmv9.dll -> C:\windows\system32\Filters\ffdshow\ff_wmv9.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_x264.dll -> C:\windows\system32\Filters\ffdshow\ff_x264.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libavcodec.dll -> C:\windows\system32\Filters\ffdshow\libavcodec.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libmpeg2_ff.dll -> C:\windows\system32\Filters\ffdshow\libmpeg2_ff.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libmplayer.dll -> C:\windows\system32\Filters\ffdshow\libmplayer.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll -> C:\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_78er.matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\andreas_78er.matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_doppelte_99er.matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\andreas_doppelte_99er.matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_einfache_99er.matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\andreas_einfache_99er.matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's Heavy Compression Matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's Heavy Compression Matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's High Quality Matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's High Quality Matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\CG-Animation Matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\CG-Animation Matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-best-picture.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\hvs-best-picture.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-better-picture.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\hvs-better-picture.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-good-picture.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\hvs-good-picture.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Low Bitrate Matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Low Bitrate Matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\MPEG.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\MPEG.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\pvcd.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\pvcd.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V3.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V3.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V5.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V5.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Standard.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Standard.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Ultimate Matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Ultimate Matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Ultra Low Bitrate Matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Ultra Low Bitrate Matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Very Low Bitrate Matrix.xcm -> C:\windows\system32\Filters\ffdshow\custom matrices\Very Low Bitrate Matrix.xcm
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Czech.dic -> C:\windows\system32\Filters\ffdshow\dict\Czech.dic
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\dicts.txt -> C:\windows\system32\Filters\ffdshow\dict\dicts.txt
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Greek.dic -> C:\windows\system32\Filters\ffdshow\dict\Greek.dic
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Polski.dic -> C:\windows\system32\Filters\ffdshow\dict\Polski.dic
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc -> C:\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\ffdshow.reg -> C:\windows\system32\Filters\ffdshow\reg\ffdshow.reg
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\reg.exe -> C:\windows\system32\Filters\ffdshow\reg\reg.exe
C:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\rempc.reg -> C:\windows\system32\Filters\ffdshow\reg\rempc.reg
66 File(s) copied
Hi,
If you run updated ComboFix does it still alert about ZeroAccess? Please post back its log + fresh dds log.
dinosaur58
2012-07-17, 15:03
Not sure if CF alerted on the last run. I let it run by itself while I got some sleep. I did manage to find the missing CF log from the previous run.
That CF log + New DDS log follow:
ComboFix 10-12-30.01 - Administrator 12/30/2010 13:11:44.17.2 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1682 [GMT -7:00]
Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\ComboFix12.30.10.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll
.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
.
2010-12-22 10:45 . 2006-12-12 17:48 1440560 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2010-12-22 09:21 . 2010-12-22 09:21 -------- d-----w- C:\_XP
2010-12-22 08:37 . 2004-08-04 07:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-22 08:37 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-22 08:37 . 2001-08-18 05:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-12-22 08:37 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-22 08:37 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-22 08:35 . 2004-08-04 05:29 25471 ----a-w- c:\windows\system32\dllcache\watv10nt.sys
2010-12-22 08:34 . 2001-08-17 20:28 794399 ----a-w- c:\windows\system32\dllcache\usr1806v.sys
2010-12-22 08:33 . 2001-08-18 05:36 525568 ----a-w- c:\windows\system32\dllcache\tridxp.dll
2010-12-22 08:32 . 2001-08-17 19:13 37961 ----a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-12-22 08:31 . 2001-08-18 05:36 53248 ----a-w- c:\windows\system32\dllcache\stlncoin.dll
2010-12-22 08:30 . 2001-08-17 19:51 58368 ----a-w- c:\windows\system32\dllcache\smiminib.sys
2010-12-22 08:29 . 2001-08-17 19:50 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-12-22 08:28 . 2001-08-17 20:51 23936 ----a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-12-22 08:27 . 2001-08-18 05:36 26624 ----a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-12-22 08:26 . 2001-08-17 20:52 33152 ----a-w- c:\windows\system32\dllcache\ql10wnt.sys
2010-12-22 08:25 . 2001-08-17 21:07 5504 ----a-w- c:\windows\system32\dllcache\perc2hib.sys
2010-12-22 08:24 . 2001-08-17 21:05 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2010-12-22 08:23 . 2004-08-04 06:00 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-12-22 08:22 . 2001-08-18 05:36 19968 ----a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-12-22 08:21 . 2001-08-17 21:56 235648 ----a-w- c:\windows\system32\dllcache\mgaud.dll
2010-12-22 08:20 . 2004-08-04 12:00 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2010-12-22 08:19 . 2001-08-17 20:52 16000 ----a-w- c:\windows\system32\dllcache\ini910u.sys
2010-12-22 08:18 . 2004-08-04 12:00 13463552 ----a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-12-22 08:17 . 2001-08-18 05:36 165888 ----a-w- c:\windows\system32\dllcache\hpgt53.dll
2010-12-22 08:16 . 2001-08-18 05:36 92160 ----a-w- c:\windows\system32\dllcache\fuusd.dll
2010-12-22 08:15 . 2001-08-18 05:36 61952 ----a-w- c:\windows\system32\dllcache\eqnloop.exe
2010-12-22 08:14 . 2001-08-18 05:36 37962 ----a-w- c:\windows\system32\dllcache\divaprop.dll
2010-12-22 08:13 . 2001-08-18 05:36 175104 ----a-w- c:\windows\system32\dllcache\csamsp.dll
2010-12-22 05:50 . 2000-07-21 17:40 2048 ----a-w- C:\w2ksect.bin
2010-12-22 02:33 . 2010-12-22 02:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-12-21 13:14 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-21 12:44 . 2010-12-21 12:44 -------- d-----w- C:\SP2
2010-12-21 11:43 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-12-21 11:36 . 2001-08-18 05:36 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-12-21 11:35 . 2001-08-17 20:52 12032 ----a-w- c:\windows\system32\dllcache\amsint.sys
2010-12-21 11:34 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-12-21 09:29 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-21 09:29 . 2010-12-21 09:29 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-21 09:25 . 2010-12-21 09:25 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\Sunbelt Software
2010-12-21 09:24 . 2010-12-21 09:24 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-21 09:24 . 2010-12-21 09:24 -------- d-----w- c:\program files\Lavasoft
2010-12-21 09:24 . 2010-12-21 09:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-12-19 22:13 . 2010-12-19 22:13 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Avira
2010-12-19 21:03 . 2010-12-19 21:03 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2008-07-20 16:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2008-07-20 16:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 04:34 . 2010-07-04 16:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-20 04:34 . 2009-01-12 15:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-01 01:48 . 2010-06-30 09:30 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-01 01:13 . 2010-06-30 09:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-10 09:41 . 2007-10-24 01:05 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-11-10 09:41 . 2007-10-24 01:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-01 281768]
"WPA"="regedit.exe" [2004-08-04 146432]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 09:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 18:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12000:TCP"= 12000:TCP:Utor1
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 02:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 135336]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [8/31/2010 03:43 AM 36224]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [4/15/2007 08:17 PM 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 02:05 AM 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 02:05 AM 15264]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 WWMZYS;WWMZYS;c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe --> c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe [?]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [8/31/2010 03:43 AM 134912]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]
--- Other Services/Drivers In Memory ---
*Deregistered* - ArcRec
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-12-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]
2010-12-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1979792683-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-10-21 01:32]
2010-12-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1979792683-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-10-21 01:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-TkBellExe - c:\program files\real\realplayer\update\realsched.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\real\realplayer\update\realsched.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 13:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2010-12-30 13:21:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-30 20:21
ComboFix2.txt 2010-07-22 19:01
Pre-Run: 70,173,196,288 bytes free
Post-Run: 70,038,913,024 bytes free
- - End Of File - - 4207D0E4F0E382D3299ADAC789A7F9D8
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.0
Run by Administrator at 5:55:47 on 2012-07-17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2816 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alwil Software\Avast6\avastUI.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\FIREFOX.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [atwtusb] atwtusb.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4D24E198-7EA7-41BB-ABF0-0D5092022758} : DhcpNameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1165635.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-15 129976]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
.
=============== Created Last 30 ================
.
2012-07-17 06:26:52 -------- d-----w- c:\windows\system32\Filters
2012-07-17 06:26:42 92216 ----a-w- c:\windows\system32\Bass.dll
2012-07-17 05:07:55 -------- d-s---w- C:\Country10
2012-07-16 14:49:29 -------- d-sh--w- c:\documents and settings\administrator.computer\PrivacIE
2012-07-16 14:43:56 -------- d-sh--w- c:\documents and settings\administrator.computer\IETldCache
2012-07-16 14:40:08 -------- d-----w- c:\windows\ie8updates
2012-07-16 14:37:30 -------- dc-h--w- c:\windows\ie8
2012-07-16 14:34:05 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-16 14:34:05 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-16 14:34:05 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-07-16 14:34:04 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-16 14:34:04 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-16 14:34:04 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-07-16 14:34:03 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-07-15 20:07:27 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07:27 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:04:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42:28 -------- d-----w- c:\program files\Foxit Software
2012-07-14 21:38:32 98816 ----a-w- c:\windows\sed.exe
2012-07-14 21:38:32 518144 ----a-w- c:\windows\SWREG.exe
2012-07-14 21:38:32 256000 ----a-w- c:\windows\PEV.exe
2012-07-14 21:38:32 208896 ----a-w- c:\windows\MBR.exe
2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2012-07-15 20:07:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 5:56:29.04 ===============
Hi,
That ComboFix log is from the year 2010 and not relevant anymore :)
Please run ComboFix (let it update itself if prompted) and then post back its log.
dinosaur58
2012-07-17, 15:35
Ninja'd! Sorry about that. I figured that out after I posted it. Did a new run of CF with no script. I will give a more detailed description of the run:
CF starts normally. Before 'Completed Stage_1' the run is interrupted with this message: "You are infected with Rootkit_ZeroAcess!. It has inserted itself into the TCP/IP stack. This is a particularly difficult infection..." The message only stayed up long enough to get that much, but the rest includes a warning about possible loss of internet access and instructions on how to recover if so. The machine then reboots. Startup gets as far as my wallpaper, then the CF window opens before any icons load, and the CF run starts from the beginning. As in all previous runs, pev.exe encounters a problem before 'Completed Stage_3' and closes, but this does not interfere with the rest of the run. All 50 stages complete, and the log is generated. My icons appear after the log.
New CF log follows:
ComboFix 12-07-16.01 - Administrator 07/17/2012 6:10.21.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3062 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country10.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\FaxSetup.log
c:\windows\MedCtrOC.log
c:\windows\msmqinst.log
c:\windows\netfxocm.log
c:\windows\system32\Bass.dll
c:\windows\tabletoc.log
.
.
((((((((((((((((((((((((( Files Created from 2012-06-17 to 2012-07-17 )))))))))))))))))))))))))))))))
.
.
2012-07-17 06:26 . 2012-07-17 06:26 -------- d-----w- c:\windows\system32\Filters
2012-07-17 05:07 . 2012-07-17 06:27 -------- d-----w- C:\Country10
2012-07-16 14:49 . 2012-07-16 14:49 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\PrivacIE
2012-07-16 14:43 . 2012-07-16 14:43 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\IETldCache
2012-07-16 14:37 . 2012-07-16 14:38 -------- dc-h--w- c:\windows\ie8
2012-07-16 14:34 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-07-16 14:34 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-16 14:34 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-16 14:34 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-16 14:34 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-07-16 14:34 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-16 14:34 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-07-15 20:07 . 2012-07-15 20:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:07 . 2012-07-15 20:07 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07 . 2012-07-15 20:07 -------- d-----w- c:\program files\Java
2012-07-15 20:04 . 2012-07-15 20:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42 . 2012-07-15 19:42 -------- d-----w- c:\program files\Foxit Software
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 20:07 . 2010-07-04 16:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2012-07-15 19:49 . 2012-07-15 19:49 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-15_03.42.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-24 01:13 . 2009-01-08 00:21 26144 c:\windows\system32\spupdsvc.exe
+ 2011-04-05 09:23 . 2009-01-08 00:20 16928 c:\windows\system32\spmsg.dll
+ 2007-12-14 01:01 . 2009-03-08 10:31 46592 c:\windows\system32\pngfilt.dll
- 2007-10-23 22:42 . 2012-07-15 03:34 82954 c:\windows\system32\perfc009.dat
+ 2007-10-23 22:42 . 2012-07-17 12:13 82954 c:\windows\system32\perfc009.dat
+ 2009-01-08 00:20 . 2009-01-08 00:20 23552 c:\windows\system32\normaliz.dll
+ 2009-01-08 00:20 . 2009-01-08 00:20 24576 c:\windows\system32\nlsdl.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 48128 c:\windows\system32\mshtmler.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 66560 c:\windows\system32\mshtmled.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-08 10:31 . 2009-03-08 10:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 10:31 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-12-14 01:00 . 2009-03-08 10:34 43008 c:\windows\system32\licmgr10.dll
+ 2007-12-14 01:00 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll
+ 2007-12-14 01:00 . 2009-03-08 10:32 94720 c:\windows\system32\inseng.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 34816 c:\windows\system32\imgutil.dll
+ 2009-03-08 10:32 . 2009-03-08 10:32 36864 c:\windows\system32\ieudinit.exe
+ 2007-12-14 01:00 . 2009-03-08 10:32 71680 c:\windows\system32\iesetup.dll
+ 2007-12-14 01:00 . 2009-03-08 10:32 55808 c:\windows\system32\iernonce.dll
+ 2009-01-08 00:20 . 2009-01-08 00:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-08 10:31 . 2009-03-08 10:31 59904 c:\windows\system32\icardie.dll
+ 2012-07-17 06:26 . 2008-10-11 17:30 94208 c:\windows\system32\Filters\ffdshow\reg\reg.exe
+ 2012-07-17 06:26 . 2008-10-11 17:30 72704 c:\windows\system32\Filters\ffdshow\ff_tremor.dll
+ 2012-07-17 06:26 . 2008-10-11 17:30 92672 c:\windows\system32\Filters\ffdshow\ff_libmad.dll
+ 2012-07-17 06:26 . 2008-10-11 17:30 57344 c:\windows\system32\Filters\ffdshow\ff_liba52.dll
+ 2007-12-14 01:01 . 2009-03-08 10:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2007-12-14 01:00 . 2009-03-08 10:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-12-14 01:00 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-12-14 01:00 . 2009-03-08 10:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2007-12-14 01:00 . 2009-03-08 10:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2007-12-14 01:00 . 2009-03-08 10:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2007-12-14 01:00 . 2009-03-08 10:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2007-10-23 07:47 . 2009-03-08 10:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2007-12-14 01:00 . 2009-03-08 10:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2007-12-14 01:00 . 2009-03-08 10:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2007-12-14 01:00 . 2009-03-08 10:33 18944 c:\windows\system32\corpol.dll
+ 2007-12-14 01:00 . 2004-08-04 08:00 44544 c:\windows\system32\alg.exe
+ 2012-07-15 20:05 . 2012-07-15 20:05 87944 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2012-07-05 08:04 . 2012-07-05 08:04 86016 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2012-07-05 07:48 . 2012-07-05 07:48 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2012-07-05 07:48 . 2012-07-05 07:48 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [4/15/2007 09:17 PM 611360]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/15/2012 01:49 PM 129976]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-17 06:16
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-07-17 06:18:14
ComboFix-quarantined-files.txt 2012-07-17 12:18
ComboFix2.txt 2012-07-16 14:03
ComboFix3.txt 2012-07-15 17:49
ComboFix4.txt 2012-07-15 03:45
ComboFix5.txt 2012-07-17 05:08
.
Pre-Run: 411,293,678,080 bytes free
Post-Run: 411,308,797,952 bytes free
.
- - End Of File - - 34B40C1A376EAFA571A1156CD51C9B5B
Hi,
Download GMER (http://www.gmer.net) here by clicking the "download exe" button and saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab, uncheck the Files option and then click Scan.
Don't check the Show All box while the scan is in progress!
When the scan is ready, click Copy. This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting it) in your reply.
dinosaur58
2012-07-17, 23:36
Let me know if you want any of these scans run in Safe Mode. GMER scan run, log not too large.
GMER log follows:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-17 14:31:22
Windows 5.1.2600 Service Pack 2
Running: _p7n01kzb.exe; Driver: C:\DOCUME~1\ADMINI~1.COM\LOCALS~1\Temp\pgliqpow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB4275DF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xB427685E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB42A2D5D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB427B2E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB427B330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB427B422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB42A2711]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB427B252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB427B374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB427B29A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB427B3DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB4275E44]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB42A3423]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB42A36D9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB42789A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB42A328E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB42A30F9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB4275AD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB4275E90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB4278D1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB4276B02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB427B30E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB427B352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB427B446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB42A2A6D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB427B278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB4278518]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB427B3AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB427B2C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB427874C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB427B400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB42A2F74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB42769CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB42A2DC6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB43D4B68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB42A1D84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB4275EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB4275F28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB4275B46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB4275CEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB42A352A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB4275C92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB4275D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB4275F74]
Code \??\C:\DOCUME~1\ADMINI~1.COM\LOCALS~1\Temp\catchme.sys pIofCallDriver
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F7E 4 Bytes CALL B427719F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB70793A0, 0x59FFE5, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\aiptektp.sys entry point in "init" section [0xB840C480]
.text win32k.sys!EngFreeUserMem + 674 BF809B45 5 Bytes JMP B427A180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80CAA1 5 Bytes JMP B427A07C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF80FBC0 5 Bytes JMP B427A036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11F0 BF81C962 5 Bytes JMP B4279724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 4EF BF8255ED 5 Bytes JMP B4278F84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 1E5F BF8341A1 5 Bytes JMP B427A2EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 237D BF8346BF 5 Bytes JMP B4279F3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 4564 BF8368A6 5 Bytes JMP B427A4F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + EE3F BF841181 5 Bytes JMP B4278FF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + DE42 BF85AD4E 5 Bytes JMP B4278E66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + B5F2 BF8670A0 5 Bytes JMP B427970C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3474 BF87111B 5 Bytes JMP B4279384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 34FF BF8711A6 5 Bytes JMP B4279562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 35C1 BF87593B 5 Bytes JMP B427A0BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 411E BF894CB8 5 Bytes JMP B427951C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF8B1EF6 5 Bytes JMP B42797FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 3AA1 BF8B6854 5 Bytes JMP B427A232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 33F7 BF8BA1A0 5 Bytes JMP B42797E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 34B7 BF8BA260 5 Bytes JMP B4278E4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 8A22 BF8BF7CB 5 Bytes JMP B427A450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 3E8 BF8C333C 5 Bytes JMP B4279104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8EB97D 5 Bytes JMP B42791AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8EBBFD 5 Bytes JMP B42792E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + B223 BF8F5689 5 Bytes JMP B427973C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8F9A43 5 Bytes JMP B4278D52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 19C1 BF913245 5 Bytes JMP B4278F22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2595 BF913E19 5 Bytes JMP B42790B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EF4 BF916778 5 Bytes JMP B427967C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 18EC BF94468A 5 Bytes JMP B427A3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\DOCUME~1\ADMINI~1.COM\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\smss.exe[924] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[984] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[984] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1012] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1012] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1056] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1076] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1240] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1240] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[1364] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0128C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[1364] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[1364] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 014BE0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[1364] kernel32.dll!MapViewOfFile 7C80B915 5 Bytes JMP 014BE083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[1364] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[1364] GDI32.dll!CreateDIBSection 77F19AA1 5 Bytes JMP 014BE00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1460] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast6\AvastSvc.exe[1696] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast6\AvastSvc.exe[1696] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast6\AvastSvc.exe[1696] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1832] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1832] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1896] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\explorer.exe[2236] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\explorer.exe[2236] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2404] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2404] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\_p7n01kzb.exe[2836] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\_p7n01kzb.exe[2836] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast6\AvastUI.exe[4020] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast6\AvastUI.exe[4020] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[1056] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[1056] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
IAT C:\Program Files\Alwil Software\Avast6\AvastSvc.exe[1696] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\Alwil Software\Avast6\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\Alwil Software\Avast6\AvastUI.exe[4020] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\Alwil Software\Avast6\aswCmnBS.dll (Common functions/AVAST Software)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI Redirect Driver/AVAST Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
Device \FileSystem\Fastfat \Fat B1F1AC8A
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x97 0x20 0x4E 0x9A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
---- EOF - GMER 1.0.15 ----
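Reading a GMER hook listing like the one above by hand means scanning dozens of near-identical lines for the few that differ. The following Python is an added example, not part of this thread, of GMER or of any tool used in it: it parses the `.text` lines into the hooked export, patched address and size, groups hooks by the module GMER attributes the JMP target to, and lists the patches that carry no attributed module (such as the `1 Byte [62]` entries) so they can be compared against a clean reference system. The `HOOK_RE` and `JMP_RE` patterns are assumptions derived from the log format shown here, not a published GMER grammar, and `SAMPLE_LOG` is a constructed excerpt in that format.

```python
"""Triage the ".text" hook lines of a GMER log.

Added example, not part of this thread, GMER or any tool used here. Each hook
line is parsed into the hooked export, the patched address and size, and the
module GMER attributes the JMP target to (if any). Hooks are then grouped by
that owning module, and patches with no attributed module are listed
separately so they can be checked against a clean reference system. HOOK_RE
and JMP_RE are assumptions derived from the log format in this thread, not a
published GMER grammar; SAMPLE_LOG is a constructed excerpt in that format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<scope>.*?)\s*"                   # kernel hooks: empty; user hooks: "C:\...\proc.exe[pid]"
    r"(?P<module>[\w.]+)!(?P<symbol>\w+)"  # hooked module!export
    r"(?:\s*\+\s*(?P<offset>[0-9A-F]+))?"  # optional offset into the export
    r"\s+(?P<addr>[0-9A-F]{8})"            # patched virtual address
    r"\s+(?P<size>\d+)\s+Bytes?\s+"        # "1 Byte" / "5 Bytes"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)
# "JMP <target> <owning module path> (<description>)"
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-F]+)\s+(?P<owner>.*?)(?:\s+\((?P<desc>.*)\))?$",
    re.IGNORECASE,
)


@dataclass
class Hook:
    process: str            # "" for kernel-mode hooks
    module: str
    symbol: str
    offset: str
    addr: str
    size: int
    owner: Optional[str]    # module owning the JMP target; None when GMER reports none
    owner_desc: str
    raw_bytes: str          # patch bytes/annotation when no JMP target is reported


def parse_hook(line: str) -> Optional[Hook]:
    """Return a Hook for a ".text" line, or None for headers and other lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    j = JMP_RE.match(rest)
    return Hook(
        process=m.group("scope").strip(),
        module=m.group("module"),
        symbol=m.group("symbol"),
        offset=m.group("offset") or "0",
        addr=m.group("addr").upper(),
        size=int(m.group("size")),
        owner=j.group("owner") if j else None,
        owner_desc=(j.group("desc") or "") if j else "",
        raw_bytes="" if j else rest,
    )


def triage(lines: List[str]) -> Tuple[List[Hook], Counter, List[Hook]]:
    """Parse all hook lines; return (hooks, hooks per owning module, unattributed hooks)."""
    hooks = [h for h in (parse_hook(ln) for ln in lines) if h is not None]
    by_owner = Counter(h.owner for h in hooks if h.owner)
    unattributed = [h for h in hooks if h.owner is None]
    return hooks, by_owner, unattributed


def patched_processes(hooks: List[Hook], module: str, symbol: str) -> List[str]:
    """Processes carrying a patch on the given export. The same byte at the same
    address in every process is one pattern, a patch in a single process another;
    both are compared against a clean reference rather than judged in isolation."""
    return sorted(h.process for h in hooks
                  if h.module.lower() == module.lower() and h.symbol == symbol)


# Constructed excerpt in the format of the log above (not the full log).
SAMPLE_LOG = r"""
.text win32k.sys!EngPlgBlt + 18EC BF94468A 5 Bytes JMP B427A3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 3E8 BF8C333C 5 Bytes JMP B4279104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\smss.exe[924] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[984] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[1364] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0128C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Alwil Software\Avast6\AvastSvc.exe[1696] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
"""

if __name__ == "__main__":
    hooks, by_owner, unattributed = triage(SAMPLE_LOG.splitlines())
    for owner, n in by_owner.most_common():
        print(f"{n:3d} hook(s) -> {owner}")
    for h in unattributed:
        print(f"unattributed: {h.process or 'kernel'} {h.module}!{h.symbol}+{h.offset} {h.raw_bytes}")
```

Run against the full log, the grouping collapses the long win32k.sys block into one line per owning driver, and `patched_processes(hooks, "ntdll.dll", "RtlDosSearchPath_U")` shows at a glance whether a one-byte patch is present in every process or only in some, which is the first question to settle before deciding whether it needs a closer look.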
Hi,
Do you remember what the last thing you did before the connection problem was? Has it occurred again?
Please run ComboFix with this cfscript:
DeQuarantine::
c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir
Quit::
dinosaur58
2012-07-18, 13:23
Ran CF with script. Proceeded same as previous runs. Connection problem occurred again. After CF run - DeQuarantine log opens in Notepad. I searched for Normal CF log using Win Explorer but couldn't find one. I then double clicked on the Firefox icon on my desktop. Firefox opened normally and I clicked on the link to this website in the 'History' dropdown menu, but got the connection reset message. To be sure that it was a global problem I tried to connect to another website and got the same message.
As mentioned above, no CF log - DeQuarantine log follows:
c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir -> c:\windows\system32\Bass.dll ( 92216 bytes )
Hi,
Has the problem occurred only after these two previous ComboFix runs where CFScript.txt was used?
If Files_for_submission.zip still exists on your desktop delete it. Then open notepad and copy/paste the text in the codebox below into it:
@echo off
rem Requires a command-line zip tool on the PATH; creates Files_for_submission.zip
for %%g in (
c:\windows\system32\Bass.dll
) do zip Files_for_submission %%g
rem The batch file deletes itself once the archive has been written
del %0
Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this: http://www.techsupportforum.com/sectools/tetonbob/bat_icon.gif
Double click on grab.bat & allow it to run
A file, Files_for_submission.zip will be created on your desktop.
Please upload that zip file to this website (http://www.bleepingcomputer.com/submit-malware.php?channel=76). Kindly include a link to this topic in the message.
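The grab.bat above only zips the file. As an added example, not the thread's script nor any tool it names, the following Python does the same packaging but also writes a manifest with each file's size and SHA-256, and checks the size against the value the quarantine log reported (92216 bytes for Bass.dll above), so an analyst can match the sample to the log entry and look it up by hash on a multi-engine scanner without re-uploading it. The function names, and the file name and contents created by `demo_package`, are constructed for this example.

```python
"""Package suspect files for analyst submission with an integrity manifest.

Added example (not the thread's grab.bat, nor any tool named in it): besides
zipping the files, it records each file's size and SHA-256 so the sample can be
matched to the quarantine log entry and looked up by hash without re-uploading.
Helper names and the sample content are constructed for this example.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def package_for_submission(paths: List[str], out_zip: str,
                           expected_sizes: Optional[Dict[str, int]] = None) -> List[dict]:
    """Zip the files plus a manifest.json and return the manifest entries.

    expected_sizes maps a path to the size the quarantine or scan log reported;
    a mismatch is recorded in the entry rather than silently accepted, because
    it means the file on disk is not the one the log described."""
    manifest = []
    for p in paths:
        size = os.path.getsize(p)
        entry = {
            "name": os.path.basename(p),
            "source_path": p,
            "size": size,
            "sha256": sha256_file(p),
        }
        if expected_sizes and p in expected_sizes:
            entry["size_matches_log"] = (size == expected_sizes[p])
        manifest.append(entry)
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for p in paths:
            z.write(p, arcname=os.path.basename(p))  # flatten: keep only the file name
        z.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


def demo_package() -> Tuple[List[dict], List[str]]:
    """Create a constructed stand-in file in a temp dir, package it, and return
    (manifest, sorted archive member names). The content is three bytes, so the
    size check against the 92216-byte log value is expected to fail."""
    d = tempfile.mkdtemp()
    sample = os.path.join(d, "Bass.dll")  # constructed stand-in, not the real file
    with open(sample, "wb") as f:
        f.write(b"abc")
    out = os.path.join(d, "Files_for_submission.zip")
    manifest = package_for_submission([sample], out, expected_sizes={sample: 92216})
    with zipfile.ZipFile(out) as z:
        names = sorted(z.namelist())
    return manifest, names


if __name__ == "__main__":
    for entry in demo_package()[0]:
        print(json.dumps(entry, indent=2))
```

For a real collection, pass the paths from the quarantine log and the sizes it printed (the `( 92216 bytes )` figure above); the resulting manifest.json travels inside the archive, so the analyst receiving it can verify the hashes against what was sent.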
dinosaur58
2012-07-18, 16:43
Problem also occurred before first CF run, when infection had been active for several days. On that occurrence the loss of internet access received 'the server cannot be found' messages for all sites rather than 'Connection Reset'.
File submitted to bleepingcomputer. Also submitted to Virustotal [I use that site to check suspicious files] to see how they measure up: 0/42 detections.
Hi,
But during the fix process the connection issue has occurred only with the two latest CFScript.txt runs, yes?
dinosaur58
2012-07-18, 18:05
Correct.
OK, please download a fresh copy of ComboFix to your desktop (replace the old one). Then run it in safe mode. Post back the log.
dinosaur58
2012-07-18, 19:54
CF run proceeded the same in safe mode. Not sure if problem recurred, since Safe Mode [no networking] required reboot, and reboot solved internet access problem last time.
CF log follows:
ComboFix 12-07-18.04 - Administrator 07/18/2012 10:34:02.22.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3169 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\Country11.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-18 09:59 . 2012-07-18 09:59 92216 ----a-w- c:\windows\system32\Bass.dll
2012-07-17 06:26 . 2012-07-17 06:26 -------- d-----w- c:\windows\system32\Filters
2012-07-17 05:07 . 2012-07-17 06:27 -------- d-----w- C:\Country10
2012-07-16 14:49 . 2012-07-16 14:49 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\PrivacIE
2012-07-16 14:43 . 2012-07-16 14:43 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\IETldCache
2012-07-16 14:37 . 2012-07-16 14:38 -------- dc-h--w- c:\windows\ie8
2012-07-16 14:34 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-07-16 14:34 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-16 14:34 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-16 14:34 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-16 14:34 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-07-16 14:34 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-16 14:34 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-07-15 20:07 . 2012-07-15 20:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:07 . 2012-07-15 20:07 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07 . 2012-07-15 20:07 -------- d-----w- c:\program files\Java
2012-07-15 20:04 . 2012-07-15 20:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42 . 2012-07-15 19:42 -------- d-----w- c:\program files\Foxit Software
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 20:07 . 2010-07-04 16:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2012-07-15 19:49 . 2012-07-15 19:49 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-17_12.16.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 22:42 . 2012-07-18 16:37 82750 c:\windows\system32\perfc009.dat
+ 2007-10-23 22:42 . 2012-07-18 16:37 466606 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\DRIVERS\MDP100_XP.sys --> c:\windows\system32\DRIVERS\MDP100_XP.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/15/2012 01:49 PM 129976]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 10:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@Allowed: (Read) (RestrictedCode)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
.
Completion time: 2012-07-18 10:41:46
ComboFix-quarantined-files.txt 2012-07-18 16:41
ComboFix12.txt 2012-07-17 12:18
ComboFix13.txt 2012-07-16 14:03
ComboFix14.txt 2012-07-15 17:49
ComboFix15.txt 2012-07-18 09:53
.
Pre-Run: 411,279,839,232 bytes free
Post-Run: 411,304,819,200 bytes free
.
- - End Of File - - 838021B7BD7DAAA916BCAF738BD18092
dinosaur58
2012-07-18, 19:59
It's probably not important, but for some reason CF detects Avast realtime shields as active in safe mode. No processes for Avast show up in Task Mgr [only 15 total processes]. I started Avast just to be sure, and it showed shields off. I then closed Avast and checked using process explorer [no avast processes]. I clicked to proceed with scan anyway.
Hi,
Nothing in the logs indicates a remaining infection. Those two latest runs with CFScript were different compared to the earlier ones. I believe that's why the connection went off. I suggest monitoring the situation for a few days now. If symptoms stay away then we can have a look at the final steps.
dinosaur58
2012-07-19, 00:14
System overall seems to be running better than in quite a while. I may even test some wmv or flv files. I have been unable to play these in any of my players for a long time without getting a BSOD.
Let's hope performance remains good :)
dinosaur58
2012-07-24, 13:26
Well, so far so good. Cursor freeze in Photoshop has returned [maybe never really gone?]. WMV files still don't play, but that's nothing to do with the virus. Everything else is running smoothly. No browser hijacks, no loss of internet access, no unknown startup/shutdown sounds. Looking good.
It's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
Now let's uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the run box and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alerted to vulnerable components in future too.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
dinosaur58
2012-07-25, 10:17
System restore reset, Secunia PSI installed, and all programs that can be updated have been. It's too bad there are no settings in PSI for an 'ignore list' [unless I missed them]. It sees Adobe SVG viewer v1 and v2 [not on 'Add Remove Programs' list, and I have v3 installed and updated]. Also some programs I can't afford to update like Photoshop and MSFT Office [would need new versions].
The good news is that one of the updates restored wmv video capability. Restart seemed to be working for a while during the cleanup of the virus, but has returned to not working. Restart stops after BIOS screen with flashing cursor on black screen. I have researched the issue on line, but never found anything that worked. This is particularly inconvenient because I have my DVR hooked up to my PC, and Shutdown/Startup sends a backdoor power spike through the firewire cable [the setup with firewire is the only one I could get to work] which knocks out the guide for the 12 or so hours it takes to re-download from Comcast.
Still, overall much improved even over function before infection. If you think it's safe to do so I will find and purchase a HD Drive to install for my C: drive so I can make [and keep updated] a full Acronis backup.
Hi,
If you think it's safe to do so I will find and purchase a HD Drive to install for my C: drive so I can make [and keep updated] a full Acronis backup.
Yes, that would be a good idea :)
dinosaur58
2012-07-31, 17:59
Before we call this topic closed I have some questions.
1] Now that I have the ability to restore my system from backup, how important would you say installing Service Pack 3 is? I did this for a friend when reinstalling his system from scratch [nothing to lose], but it was a big hassle - something about getting the installer to properly recognize administrative privileges. I couldn't have managed it without my PC up and running to use for web searches/fixes.
2] "Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly." I did visit it as part of your instructions, but all the updates had already been installed [except SP3 ^] by Automatic Updates. Do I still need to visit the site if I get regular automatic updates?
3] Can you recommend a forum for expert WinXP help getting my Restart problem fixed?
I would like to add - THANK YOU, Thank You, Thank You, Thank You VERY MUCH!!! for your help fixing my system.
Signed, Dinosaur58
Hi,
Please find some answers below :)
1) Very important. I strongly recommend getting it.
2) After SP3 is installed there'll likely be more updates offered. If AU is enabled then it's not that big a must to visit the Windows Update site.
3) You could try WhatTheTech (http://forums.whatthetech.com).
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.