Jump to content

Westablished

Members
  • Posts

    9
  • Joined

  • Last visited

Reputation

0 Neutral
  1. I deleted most of them based on the results of the scans.
  2. Oooootay. I uninstalled Viewpoint Media Player and ran all but one file through virustotal.com. The file c:\windows\system32\drivers\rkyagwy.sys would not go through. I also ran an MBAM Quick Scan and Full Scan and removed what was found. Here are the results for both scans. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4422 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/12/2010 2:15:35 PM mbam-log-2010-08-12 (14-15-35).txt Scan type: Quick scan Objects scanned: 136177 Time elapsed: 4 minute(s), 56 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4422 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/12/2010 6:10:40 PM mbam-log-2010-08-12 (18-10-40).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 187305 Time elapsed: 30 minute(s), 37 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Qoobox\Quarantine\C\WINDOWS\wpadotpt.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{E61B02F4-AD35-4CB9-98BE-9E5EB8FBF421}\RP9\A0000633.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
  3. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 7:27:47 AM, on 8/9/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\No-IP\DUC20.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\UPHClean\uphclean.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\PowerMenu\PowerMenu.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself on O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing) O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265 O20 - Winlogon Notify: !SASWinLogon - Invalid registry found O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: UNCFAT DMS (OTFSDMS) - Unknown owner - C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7898 bytes
  4. ComboFix 10-08-08.02 - Administrator 08/09/2010 7:06.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.689 [GMT -7:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774} c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome.manifest c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\_cfg.js c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\overlay.xul c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\install.rdf c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B} c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome.manifest c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\_cfg.js c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\overlay.xul c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\install.rdf C:\install.exe c:\program files\\setup.exe c:\program files\Mozilla Firefox\searchplugins\google_search.xml c:\program files\Setup.exe C:\settingsxx.exe c:\settingsxx.exe\config.bin c:\windows\ogakuwafonutuliv.dll c:\windows\system32\Install.txt c:\windows\system32\msippsth.dll c:\windows\system32\szetyj67v.txt c:\windows\uhitiholuracan.dll c:\windows\wpadotpt.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_6TO4 -------\Legacy_TCPIP_PASS-THROUGH_FILTER -------\Service_6to4 -------\Service_TCPIP Pass-through Filter ((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 ))))))))))))))))))))))))))))))) . 2010-07-29 22:55 . 2010-08-09 12:32 120 ----a-w- c:\windows\Vconocubale.dat 2010-07-29 22:55 . 2010-08-09 12:32 0 ----a-w- c:\windows\Gqeletaso.bin 2010-07-29 10:44 . 2010-08-09 13:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tor 2010-07-29 10:44 . 2010-08-09 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vidalia 2010-07-29 10:44 . 2010-07-29 10:44 -------- d-----w- c:\program files\Vidalia Bundle 2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\system32\1033 2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\srchasst 2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\mui 2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\msagent 2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\ime 2010-07-29 01:45 . 2010-08-09 14:11 -------- d-----w- c:\windows\apppatch 2010-07-29 01:37 . 2010-07-29 01:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\FastSum 2010-07-28 11:54 . 2010-07-28 11:54 8192 ----a-w- c:\windows\system32\jvgrdfr.dll 2010-07-28 00:41 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dyvaediqa 2010-07-28 00:19 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bvnykhuqo 2010-07-28 00:16 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wspqfonro 2010-07-28 00:13 . 2002-09-20 18:53 235100 ----a-w- c:\windows\system32\drivers\MidiSyn.sys 2010-07-28 00:12 . 2004-04-26 17:49 381056 ----a-w- c:\windows\system32\drivers\senfilt.sys 2010-07-28 00:12 . 2001-09-11 22:20 30208 ----a-w- c:\windows\system32\wdmioctl.dll 2010-07-28 00:12 . 2001-09-11 22:20 1285632 ----a-w- c:\windows\system32\SMMedia.dll 2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\windows\VirtualEar 2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\program files\Analog Devices 2010-07-28 00:12 . 2003-08-20 02:36 65536 ----a-w- c:\windows\system32\Audio3d.dll 2010-07-28 00:12 . 2003-06-16 15:32 49152 ----a-w- c:\windows\system32\DSndUp.exe 2010-07-28 00:12 . 2002-04-17 22:05 45056 ----a-w- c:\windows\system32\CleanUp.exe 2010-07-28 00:12 . 2001-10-04 22:50 991232 ----a-w- c:\windows\system32\virtear.dll 2010-07-28 00:12 . 2001-09-19 20:47 765952 ----a-w- c:\windows\system\crlds3d.dll 2010-07-28 00:02 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\qkrmbqijv 2010-07-27 23:55 . 2010-07-27 23:55 84480 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll 2010-07-27 21:32 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fygaahjkc 2010-07-27 09:57 . 2010-07-27 09:57 -------- d-----w- c:\program files\Intel Desktop Board Audio Driver 2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\windows\Java 2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\program files\CPUID 2010-07-27 01:46 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\yhkihvfgt 2010-07-27 01:07 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\htwuesfir 2010-07-27 00:51 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\mkbgvwvwl 2010-07-26 23:37 . 2010-07-26 23:37 152 ----a-w- c:\documents and settings\Administrator\144609.BAT 2010-07-26 23:36 . 2010-07-27 00:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\uaslvvroh 2010-07-26 22:54 . 2010-07-26 22:54 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-07-26 22:54 . 2010-07-26 22:54 -------- d-----w- c:\program files\Trend Micro 2010-07-26 22:43 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\kdltoslhj 2010-07-26 22:38 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fkueepkru 2010-07-26 22:35 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\vgqyxjbef 2010-07-26 22:13 . 2010-07-26 22:14 -------- d-----w- C:\709a56d30d630d308b 2010-07-26 21:44 . 2010-07-26 21:45 -------- d-----w- C:\3b843a0df5cc5ac51ec48e9e 2010-07-26 21:32 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx 2010-07-26 21:09 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr 2010-07-26 21:07 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx 2010-07-26 20:06 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wvblwbdgp 2010-07-26 19:56 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\eptbcghmw 2010-07-26 12:37 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\boivscjnv 2010-07-26 12:37 . 2010-07-26 12:37 8192 ----a-w- c:\windows\system32\vsxrg.dll 2010-07-26 12:33 . 2010-07-26 12:33 8192 ----a-w- c:\windows\system32\anap.dll 2010-07-26 12:30 . 2010-07-26 12:30 8192 ----a-w- c:\windows\system32\mslnn.dll 2010-07-26 11:32 . 2010-07-26 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ttaqkdjes 2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-07-26 04:17 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-07-26 04:17 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-07-26 04:06 . 2010-07-26 04:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bpfjlwwky 2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\xircom 2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\wbem\snmp 2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\program files\microsoft frontpage 2010-07-26 03:15 . 2010-07-26 03:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\huvbjrvho 2010-07-25 21:38 . 2010-07-25 21:38 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache 2010-07-25 21:29 . 2010-08-09 14:20 766464 ----a-w- c:\windows\system32\drivers\rkyagwy.sys 2010-07-25 21:29 . 2010-07-25 22:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dtxykhtbs 2010-07-25 21:28 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Update 2010-07-25 18:34 . 2010-07-25 22:37 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-07-25 18:34 . 2010-07-25 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-07-25 17:33 . 2010-07-28 12:37 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-07-25 17:32 . 2010-07-25 17:32 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-07-25 17:32 . 2010-07-28 12:37 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-07-13 22:15 . 2010-07-12 18:32 822784 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll 2010-07-12 23:39 . 2010-08-06 14:34 -------- d-----w- c:\program files\Steam 2010-07-11 10:02 . 2010-07-11 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX 2010-07-11 00:19 . 2010-07-11 00:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canneverbe Limited 2010-07-11 00:18 . 2010-07-11 00:18 1556992 ----a-w- c:\windows\is-Q5O1S.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-09 14:19 . 2009-08-30 04:00 -------- d-----w- c:\program files\SpeedFan 2010-07-30 02:35 . 2009-09-02 03:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent 2010-07-29 01:43 . 2009-10-27 00:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-07-28 20:49 . 2009-08-29 21:03 -------- d-----w- c:\program files\Unlocker 2010-07-28 00:12 . 2009-08-29 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\program files\SystemRequirementsLab 2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab 2010-07-27 01:45 . 2010-07-09 12:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-07-25 17:45 . 2009-11-03 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2010-07-11 00:27 . 2009-09-29 06:48 -------- d-----w- c:\program files\CDBurnerXP 2010-07-04 05:05 . 2010-07-04 05:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic 2010-07-04 05:05 . 2009-11-25 22:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc 2010-06-17 02:16 . 2010-06-17 02:16 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe 2010-06-17 02:16 . 2010-06-17 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook 2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! 2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\program files\Yahoo! 2010-06-10 19:46 . 2009-12-07 02:25 -------- d-----w- c:\program files\Google 2010-06-10 01:04 . 2009-08-30 03:30 14048 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll 2010-06-08 20:57 . 2009-12-19 21:37 14048 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-05-24 21:14 . 2010-05-24 21:14 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcp71.dll 2010-05-24 21:14 . 2010-05-24 21:14 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\jmc.dll 2010-05-24 21:14 . 2010-05-24 21:14 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcr71.dll 2010-05-21 02:20 . 2010-05-21 02:20 85504 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll 2010-05-20 06:13 . 2009-09-06 09:27 64768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 1997-04-28 16:52 . 2009-12-01 23:56 112 ------r- c:\program files\SETUP.M_E 1997-04-28 16:48 . 2009-12-01 23:56 78 ------r- c:\program files\SETUP.M_C 2009-12-17 04:23 . 2009-12-17 09:16 908248 --sh--r- c:\windows\windomgr.exe . ------- Sigcheck ------- [-] 2008-12-30 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys c:\windows\System32\wscntfy.exe ... is missing !! . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2010-05-25 5475403] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632] "PowerMenu"="c:\program files\PowerMenu\PowerMenu.exe" [2002-12-20 57344] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "_nltide_3"="advpack.dll" [2009-03-08 128512] c:\documents and settings\Administrator\Start Menu\Programs\Startup\ SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2009-8-9 3986552] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-8-29 593920] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) "NoSMConfigurePrograms"= 1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Digsby.lnk] path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Digsby.lnk backup=c:\windows\pss\Digsby.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^No-IP DUC.lnk] path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\No-IP DUC.lnk backup=c:\windows\pss\No-IP DUC.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] 2006-11-13 20:39 1289000 ----a-w- c:\progra~1\MICROS~4\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEHistory] 2006-12-13 08:24 138752 ----a-w- c:\program files\IEHistoryPH\IEHistoryShellNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2010-04-04 02:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2010-04-04 02:23 110696 ----a-w- c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] 2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor] 2000-05-21 00:23 86016 ----a-w- c:\windows\StartupMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] 2010-07-12 23:39 1238352 ----a-w- c:\program files\Steam\Steam.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant] 2008-05-02 07:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] 2006-11-04 02:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\Program Files\\Steam\\steamapps\\johngaltman69@yahoo.com\\counter-strike source\\hl2.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 "16015:TCP"= 16015:TCP:BitComet 16015 TCP "16015:UDP"= 16015:UDP:BitComet 16015 UDP R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/6/2009 7:53 PM 24652] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/6/2010 11:57 AM 136176] S2 OTFSDMS;UNCFAT DMS;"c:\program files\AddinForUNCFAT\UNCFATDMS.exe" --> c:\program files\AddinForUNCFAT\UNCFATDMS.exe [?] S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336] --- Other Services/Drivers In Memory --- *NewlyCreated* - ASPI32 *Deregistered* - rkyagwy *Deregistered* - uphcleanhlp . Contents of the 'Scheduled Tasks' folder 2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57] 2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57] 2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500Core.job - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57] 2010-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500UA.job - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57] 2010-08-09 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM LSP: c:\windows\system32\jvgrdfr.dll FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s= FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 8118 FF - prefs.js: network.proxy.socks - 127.0.0.1 FF - prefs.js: network.proxy.socks_port - 9050 FF - prefs.js: network.proxy.ssl - 127.0.0.1 FF - prefs.js: network.proxy.ssl_port - 8118 FF - prefs.js: network.proxy.type - 1 FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: browser.search.selectedEngine - Google FF - user.js: browser.search.order.1 - Google FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); . . ------- File Associations ------- . regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1 . - - - - ORPHANS REMOVED - - - - WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) HKCU-Run-Fkoqofibo - c:\windows\wpadotpt.dll HKLM-Run-Qwuyemizufa - c:\windows\ogakuwafonutuliv.dll MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe MSConfigStartUp-Fkoqofibo - c:\windows\wpadotpt.dll MSConfigStartUp-FreeCall - c:\program files\FreeCall.com\FreeCall\FreeCall.exe MSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\ADMINI~1\LOCALS~1\Temp\win16.exe MSConfigStartUp-jhudhrti - c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx\lateywrtssd.exe MSConfigStartUp-jodkdbbu - c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr\mgssfdatssd.exe MSConfigStartUp-kqiooyhr - c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx\poepfshtssd.exe MSConfigStartUp-mcexecwin - c:\docume~1\ADMINI~1\LOCALS~1\Temp\rctkzsj.dll MSConfigStartUp-MChk - c:\windows\system32\dvlmp.exe MSConfigStartUp-MSMSGS - c:\progra~1\MESSEN~1\Msmsgs.exe MSConfigStartUp-OTFSDMS - c:\program files\AddinForUNCFAT\UNCFATDMS.exe MSConfigStartUp-Qwuyemizufa - c:\windows\ixequyiwifa.dll MSConfigStartUp-sta - qvlmp.dll MSConfigStartUp-uiha98uiohf873yuiadnhgjesgregas - c:\docume~1\ADMINI~1\LOCALS~1\Temp\twuk0z860.exe MSConfigStartUp-xgukxzrvux - c:\xgukxzrvux.exe\xgukxzrvux.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-09 07:19 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864C2EC5]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf78c7f28 \Driver\ACPI -> ACPI.sys @ 0xf781acb8 \Driver\atapi -> atapi.sys @ 0xf76ea852 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1 NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0 user & kernel MBR OK ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkyagwy] . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}] @DACL=(02 0000) @="Wireless" "ProcessGroupPolicy"="ProcessWIRELESSPolicy" "DllName"=expand:"gptext.dll" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}] @DACL=(02 0000) @="Group Policy Environment" "DisplayName"=expand:"@gpprefcl.dll,-1" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Environment,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyEnviron" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyEnviron" "ProcessGroupPolicyEx"="ProcessGroupPolicyExEnviron" "ProcessGroupPolicyEx 0"="" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}] @DACL=(02 0000) @="Group Policy Local Users and Groups" "DisplayName"=expand:"@gpprefcl.dll,-2" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Local Users and Groups,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups" "ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}] @DACL=(02 0000) @="Group Policy Device Settings" "DisplayName"=expand:"@gpprefcl.dll,-3" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Device Settings,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyDevices" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyDevices" "ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}] @DACL=(02 0000) @="Folder Redirection" "ProcessGroupPolicyEx"="ProcessGroupPolicyEx" "DllName"=expand:"fdeploy.dll" "NoMachinePolicy"=dword:00000001 "NoSlowLink"=dword:00000001 "PerUserLocalSettings"=dword:00000001 "NoGPOListChanges"=dword:00000000 "NoBackgroundPolicy"=dword:00000000 "GenerateGroupPolicy"="GenerateGroupPolicy" "EventSources"=multi:"(Folder Redirection,Application)\00\00" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}] @DACL=(02 0000) @="Microsoft Disk Quota" "NoMachinePolicy"=dword:00000000 "NoUserPolicy"=dword:00000001 "NoSlowLink"=dword:00000001 "NoBackgroundPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "PerUserLocalSettings"=dword:00000000 "RequiresSuccessfulRegistry"=dword:00000001 "EnableAsynchronousProcessing"=dword:00000000 "DllName"=expand:"dskquota.dll" "ProcessGroupPolicy"="ProcessGroupPolicy" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}] @DACL=(02 0000) @="Group Policy Network Options" "DisplayName"=expand:"@gpprefcl.dll,-4" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Network Options,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions" "ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}] @DACL=(02 0000) @="QoS Packet Scheduler" "ProcessGroupPolicy"="ProcessPSCHEDPolicy" "DllName"=expand:"gptext.dll" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}] @DACL=(02 0000) @="Scripts" "ProcessGroupPolicy"="ProcessScriptsGroupPolicy" "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx" "GenerateGroupPolicy"="GenerateScriptsGroupPolicy" "DllName"=expand:"gptext.dll" "NoSlowLink"=dword:00000001 "NoGPOListChanges"=dword:00000001 "NotifyLinkTransition"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}] @DACL=(02 0000) @="Internet Explorer Zonemapping" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap" "NoGPOListChanges"=dword:00000001 "RequiresSucessfulRegistry"=dword:00000001 "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}] @DACL=(02 0000) @="Group Policy Drive Maps" "DisplayName"=expand:"@gpprefcl.dll,-5" "DllName"=expand:"gpprefcl.dll" "EventSources"="(Group Policy Drive Maps,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyDrives" "NoBackgroundPolicy"=dword:00000001 "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyDrives" "ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}] @DACL=(02 0000) @="Group Policy Folders" "DisplayName"=expand:"@gpprefcl.dll,-6" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"="" "EventSources"="(Group Policy Folders,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyFolders" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyFolders" "ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}] @DACL=(02 0000) @="Group Policy Network Shares" "DisplayName"=expand:"@gpprefcl.dll,-7" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Network Shares,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyNetShares" "NoUserPolicy"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyNetShares" "ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}] @DACL=(02 0000) @="Group Policy Files" "DisplayName"=expand:"@gpprefcl.dll,-8" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Files,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyFiles" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyFiles" "ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}] @DACL=(02 0000) @="Group Policy Data Sources" "DisplayName"=expand:"@gpprefcl.dll,-9" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Data Sources,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyDataSources" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyDataSources" "ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}] @DACL=(02 0000) @="Group Policy Ini Files" "DisplayName"=expand:"@gpprefcl.dll,-10" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Ini Files,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyIniFile" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyIniFile" "ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}] @DACL=(02 0000) @="Windows Search Group Policy Extension" "DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll" "EnableAsynchronousProcessing"=dword:00000001 "NoBackgroundPolicy"=dword:00000000 "NoGPOListChanges"=dword:00000001 "NoMachinePolicy"=dword:00000000 "NoSlowLink"=dword:00000000 "NoUserPolicy"=dword:00000000 "PerUserLocalSettings"=dword:00000000 "ProcessGroupPolicy"="ProcessGroupPolicy" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}] @DACL=(02 0000) @="Internet Explorer User Accelerators" "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "NoGPOListChanges"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyForActivities" "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}] @DACL=(02 0000) "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO" "GenerateGroupPolicy"="SceGenerateGroupPolicy" "ExtensionRsopPlanningDebugLevel"=dword:00000001 "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx" "ExtensionDebugLevel"=dword:00000001 "DllName"=expand:"scecli.dll" @="Security" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "EnableAsynchronousProcessing"=dword:00000001 "MaxNoGPOListChangesInterval"=dword:000003c0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}] @DACL=(02 0000) @="Group Policy Services" "DisplayName"=expand:"@gpprefcl.dll,-11" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Services,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyServices" "ProcessGroupPolicy"="ProcessGroupPolicyServices" "ProcessGroupPolicyEx"="ProcessGroupPolicyExServices" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}] @DACL=(02 0000) "ProcessGroupPolicyEx"="ProcessGroupPolicyEx" "GenerateGroupPolicy"="GenerateGroupPolicy" "ProcessGroupPolicy"="ProcessGroupPolicy" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" @="Internet Explorer Branding" "NoSlowLink"=dword:00000001 "NoBackgroundPolicy"=dword:00000000 "NoGPOListChanges"=dword:00000001 "NoMachinePolicy"=dword:00000001 "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}] @DACL=(02 0000) @="Group Policy Folder Options" "DisplayName"=expand:"@gpprefcl.dll,-12" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Folder Options,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions" "ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}] @DACL=(02 0000) @="Group Policy Scheduled Tasks" "DisplayName"=expand:"@gpprefcl.dll,-13" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Scheduled Tasks,Application)" "GenerateGroupPolicy"="GenerateGroupPolicySchedTasks" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicySchedTasks" "ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}] @DACL=(02 0000) @="Group Policy Registry" "DisplayName"=expand:"@gpprefcl.dll,-14" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Registry,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyRegistry" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyRegistry" "ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}] @DACL=(02 0000) "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO" "DllName"=expand:"scecli.dll" @="EFS recovery" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}] @DACL=(02 0000) @="802.3 Group Policy" "DisplayName"=expand:"@dot3gpclnt.dll,-100" "ProcessGroupPolicyEx"="ProcessLANPolicyEx" "GenerateGroupPolicy"="GenerateLANPolicy" "DllName"=expand:"dot3gpclnt.dll" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}] @DACL=(02 0000) @="Group Policy Printers" "DisplayName"=expand:"@gpprefcl.dll,-16" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Printers,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyPrinters" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyPrinters" "ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}] @DACL=(02 0000) @="Group Policy Shortcuts" "DisplayName"=expand:"@gpprefcl.dll,-17" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Shortcuts,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyShortcuts" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyShortcuts" "ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}] @DACL=(02 0000) @="Microsoft Offline Files" "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll" "EnableAsynchronousProcessing"=dword:00000000 "NoBackgroundPolicy"=dword:00000000 "NoGPOListChanges"=dword:00000000 "NoMachinePolicy"=dword:00000000 "NoSlowLink"=dword:00000000 "NoUserPolicy"=dword:00000001 "PerUserLocalSettings"=dword:00000000 "ProcessGroupPolicy"="ProcessGroupPolicy" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}] @DACL=(02 0000) @="Software Installation" "DllName"=expand:"appmgmts.dll" "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx" "GenerateGroupPolicy"="GenerateGroupPolicy" "NoBackgroundPolicy"=dword:00000000 "RequiresSucessfulRegistry"=dword:00000000 "NoSlowLink"=dword:00000001 "PerUserLocalSettings"=dword:00000001 "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}] @DACL=(02 0000) @="Internet Explorer Machine Accelerators" "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "NoGPOListChanges"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyForActivities" "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}] @DACL=(02 0000) @="IP Security" "ProcessGroupPolicy"="ProcessIPSECPolicy" "DllName"=expand:"gptext.dll" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}] @DACL=(02 0000) @="Group Policy Internet Settings" "DisplayName"=expand:"@gpprefcl.dll,-18" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Internet Settings,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyInternet" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyShortcuts" "ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}] @DACL=(02 0000) @="Group Policy Start Menu Settings" "DisplayName"=expand:"@gpprefcl.dll,-19" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Start Menu Settings,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyStartMenu" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyStartMenu" "ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}] @DACL=(02 0000) @="Group Policy Regional Options" "DisplayName"=expand:"@gpprefcl.dll,-20" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Regional Options,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions" "ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}] @DACL=(02 0000) @="Group Policy Power Options" "DisplayName"=expand:"@gpprefcl.dll,-21" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Power Options,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions" "ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}] @DACL=(02 0000) @="Group Policy Applications" "DisplayName"=expand:"@gpprefcl.dll,-15" "DllName"=expand:"gpprefcl.dll" "EnableAsynchronousProcessing"=dword:00000001 "EventSources"="(Group Policy Applications,Application)" "GenerateGroupPolicy"="GenerateGroupPolicyApplications" "PerUserLocalSettings"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyApplications" "ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon] @DACL=(02 0000) "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL" "Logon"="SABWINLOLogon" "Logoff"="SABWINLOLogoff" "Startup"="SABWINLOStartup" "Shutdown"="SABWINLOShutdown" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] @DACL=(02 0000) "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=expand:"crypt32.dll" "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] @DACL=(02 0000) "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=expand:"cryptnet.dll" "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] @DACL=(02 0000) "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy] @DACL=(02 0000) "Asynchronous"=dword:00000001 "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll" "Startup"="WlDimsStartup" "Shutdown"="WlDimsShutdown" "Logon"="WlDimsLogon" "Logoff"="WlDimsLogoff" "StartShell"="WlDimsStartShell" "Lock"="WlDimsLock" "Unlock"="WlDimsUnlock" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] @DACL=(02 0000) "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] @DACL=(02 0000) "Asynchronous"=dword:00000000 "DllName"=expand:"wlnotify.dll" "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] @DACL=(02 0000) "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=expand:"sclgntfy.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] @DACL=(02 0000) "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] @DACL=(02 0000) "Asynchronous"=dword:00000000 "DllName"=expand:"wlnotify.dll" "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] @DACL=(02 0000) "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList] @DACL=(02 0000) "HelpAssistant"=dword:00000000 "TsInternetUser"=dword:00000000 "SQLAgentCmdExec"=dword:00000000 "NetShowServices"=dword:00000000 "IWAM_"=dword:00010000 "IUSR_"=dword:00010000 "VUSR_"=dword:00010000 "ASPNET"=dword:00000000 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(756) c:\windows\system32\WININET.dll - - - - - - - > 'lsass.exe'(816) c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(1180) c:\windows\system32\WININET.dll c:\program files\PowerMenu\PowerMenuHook.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvsvc32.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\No-IP\DUC20.exe c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\program files\UPHClean\uphclean.exe c:\windows\system32\SearchIndexer.exe c:\program files\Microsoft ActiveSync\wcescomm.exe c:\progra~1\MICROS~4\rapimgr.exe c:\windows\system32\SearchProtocolHost.exe c:\windows\system32\SearchFilterHost.exe . ************************************************************************** . Completion time: 2010-08-09 07:25:04 - machine was rebooted ComboFix-quarantined-files.txt 2010-08-09 14:24 Pre-Run: 34,241,175,552 bytes free Post-Run: 34,718,134,272 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff - - End Of File - - 0990A26500E1DAC4F70433D0691D7A25
  5. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4410 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/9/2010 6:29:10 AM mbam-log-2010-08-09 (06-29-10).txt Scan type: Quick scan Objects scanned: 146535 Time elapsed: 10 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 3 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken. HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> No action taken. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkoqofibo (Trojan.Hiloti) -> No action taken. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\settingsxx.exe (Spyware.SpyEyes) -> No action taken. Files Infected: C:\WINDOWS\ogakuwafonutuliv.dll (Trojan.BHO.H) -> No action taken. C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken. C:\settingsxx.exe\config.bin (Spyware.SpyEyes) -> No action taken.
  6. Hello and thank you for your assistance. I'm fairly sure that it is some form of the sasser virus. "lsass.exe" is running in the processes list. It appears to have bound itself to a major system process to prevent itself from being removed. I've tried using Unlocker to delete it to no avail. Any assistance would be greatly appreciated.
  7. Here is my most recent mbam log as well. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4349 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 7/27/2010 3:48:39 AM mbam-log-2010-07-27 (03-48-39).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 191354 Time elapsed: 21 minute(s), 4 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 28 Registry Values Infected: 15 Registry Data Items Infected: 1 Folders Infected: 1 Files Infected: 83 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\a03pss.dll (Virus.Ertfor) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot. HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{00d8c5d6-3539-4ae8-bfc5-1fd389abac2d} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{0f614c99-8096-4bc2-8da5-4ea1bbde27ad} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{3143df68-515b-49d6-908f-8e337c59edca} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{75b56ef1-0a67-4990-b81f-ee3e31bfcb80} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{c7f4ea56-feb5-4c17-adbd-49085510220b} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d5cb8838-4341-41fe-a0c4-9792262e0adc} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{f1b74f9e-99a8-4a7c-b67d-a36721cd9f78} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{0741eff9-a6b9-4cdb-b523-66ae04c7744c} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{431d4628-87e2-4b32-aabf-49c6b3aef11c} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{7057c1a5-aafa-4cc5-ace8-5ecc69726188} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{943025ac-698c-45d3-9199-3784f505d821} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9df72ebc-8990-4af4-87fc-19eb608c01d8} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a18373c8-f70a-4cc3-a7f0-d73c93bf6ec1} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{e60e66a6-6bad-403c-95df-ae659646a293} (Adware.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uiha98uiohf873yuiadnhgjesgregas (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsehf98u34i9tjioaugy987iuegdsg (Trojan.Ransom) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfeptaou (Trojan.Dropper) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfeptaou (Trojan.Dropper) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weiepiuc (Trojan.Dropper) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weiepiuc (Trojan.Dropper) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Adware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgalfvix (Trojan.Dropper) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgalfvix (Trojan.Dropper) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\a03pss.dll (Virus.Ertfor) -> Delete on reboot. C:\Documents and Settings\Administrator\Local Settings\Temp\snprdx5.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\t22s264fz.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\winamp.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dvlmp.exe (Trojan.Adware) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qvlmp.dll (Adware.EZlife) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\061.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\1496439120.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\171304636.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\2174818482.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\2502925274.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\3054956524.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\57364.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\acgpuwna.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\avp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\b5hhruz4fpyc1.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\cbb5s.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\debug.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\drweb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\dtzc2t6py.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\flao7ow5.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\gamkxw.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\gcet6b6gbt7n.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\gdi32.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\hfb0z6.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\hrku.exe (Trojan.Clicker) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\ilvu.exe (Adware.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\lc8vvfkulz.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\login.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\mdm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\notepad.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\npi6pdqzhe.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\nvsvc32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\nwvy3.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\nz96ac.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\o3ccty9.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\ok0ryc.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\q7aupm7a9h.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\s6m918o64.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\se6kfq26.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\smss.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\system.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\user.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\wg2rogun.exe (Trojan.LVBP) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\win.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\win16.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\win32.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\wzj5nkwdl.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\xf5gjlfw.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\y4cb2ube.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temp\y4ddjhdlf.exe (Trojan.Ransom) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KZTQH3TG\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\aaidkfmhfa[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\cgaickiqk[1].htm (Adware.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\imhbjepxrz[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\kofmhoahpk[1].htm (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QY64URA6\sjnvpnidk[2].htm (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\cgaickiqk[1].htm (Adware.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\used[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mvlmp.dll (Adware.BHO) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ny4x1f5.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\WINDOWS\system32\s29lacoa7.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\WINDOWS\system32\szetyj67vx.exe (Trojan.LVBP) -> Quarantined and deleted successfully. C:\WINDOWS\system32\u253bpey.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\WINDOWS\system32\v5njc.dll (Virus.Ertfor) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\0.0772832240166178.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully. C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully. C:\WINDOWS\system32\comsats.sys (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\service.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
  8. It has also managed to remove the drivers from my sound card. I tried to re-install them, didn't work.
  9. Okay, here's the deal. I've been trying to remove malware from my computer for 2 days. I've used superantispyware, spybot search and destroy, malware bytes, and hijackthis, all updated. I've been using rkill to slow it down enough to try to fix it. It keeps changing my lan settings to over-ride my web browser and disguise it as virus protection. I did google searches on some of the suspicious processes that were running and it looks like mebroot might be a possibility. I'll post my most recent hijackthis log and hope for a speedy response. Thanks for the help. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 6:48:21 PM, on 7/26/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\No-IP\DUC20.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\UPHClean\uphclean.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\PowerMenu\PowerMenu.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\RALINK\Common\RaUI.exe C:\Program Files\SpeedFan\speedfan.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe C:\WINDOWS\system32\SearchProtocolHost.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643 O2 - BHO: C:\WINDOWS\system32\a03pss.dll - {C2BA40A2-75F1-51BD-F413-04B15A2C8950} - C:\WINDOWS\system32\a03pss.dll O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself on O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [sta] rundll32 "qvlmp.dll",,Run O4 - HKLM\..\Run: [MChk] C:\WINDOWS\system32\dvlmp.exe O4 - HKLM\..\Run: [cfeptaou] C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exe O4 - HKLM\..\Run: [Qwuyemizufa] rundll32.exe "C:\WINDOWS\orujuzakaxod.dll",Startup O4 - HKLM\..\Run: [weiepiuc] C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exe O4 - HKLM\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Fkoqofibo] rundll32.exe "C:\WINDOWS\wpadotpt.dll",Startup O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nz96ac.dll, RestoreWindows O4 - HKCU\..\Run: [uiha98uiohf873yuiadnhgjesgregas] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cbb5s.exe O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe O4 - HKCU\..\Run: [cfeptaou] C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exe O4 - HKCU\..\Run: [weiepiuc] C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exe O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265 O20 - Winlogon Notify: !SASWinLogon - Invalid registry found O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: jkzoiefu9s3huishf87efushdjkfgyuisfiud - {C2BA40A2-75F1-51BD-F413-04B15A2C8950} - C:\WINDOWS\system32\a03pss.dll O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: UNCFAT DMS (OTFSDMS) - Unknown owner - C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe (file missing) O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 8005 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.