jojomesozoic

Members
  • Posts: 13
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. Thank you for your help. The Boss knows about this one computer, but I'm afraid that while writing the above post, and in an effort to remove the virus, it was connected to a network which had 9 other computers and internet access. It is unplugged from the network/internet now, but are any of the other computers at risk?

     As far as an office "IT" goes, I'm it. And "IT" is in quotes for a reason. I was hired at this position to do other work and sorta became the "tech guy" because I knew how to set up computers and solve simple networking issues with printers and such. That being said, I've done my best to try and keep these computers at low risk, but things like this are. . . well, outside my "areas of expertise".

     As far as that goes, I have all the computers set to automatically create restore points and backups once a week. However, my first idea was to go to one of the restore points, and when I looked there weren't any of either. I checked the other machines and they all still have restore and backup points. I don't know if another user turned them off for that one machine a long time ago and I never checked, if I made a mistake and forgot to turn them on, or if the virus could have deleted them (can they do that?).

     The only option I have, other than working with your help to get it removed, is to make a backup of the important files and either wipe it myself and reload Windows and Office, or have my boss take it down the street to the shop that he bought it from and they'll likely just do the same thing. If that's the best way to go, I'll recommend it to those in charge of the office.

     As for data being compromised, what kind of data is targeted by this virus? We are not a business, but a Lab/Office on a college campus, so the type of data we've been collecting is largely stored in Excel, GIS software, and other third-party data analysis software. Should we be worried?
  2. Thank you very much. I was not aware that I was posting in the incorrect forum. I will copy my post there. Please feel free to delete this post.
  3. Merged 3 posts (Reposted from PC Help - thank you mods for pointing me to the correct forum)

     This is going to be a mouthful, so a million thank-yous beforehand. I'm working on a shared computer in my office. I come in after several days off to find that the computer has a fake antivirus program. I don't know who downloaded it or from where. I run Malwarebytes Antimalware and Superantispyware as my protection programs. I was unable to update due to the fake antivirus, so I restarted in safe mode and ran some scans there. I ran a scan for both Malwarebytes and Superantispyware and this is what I found (Note to readers: The logs say "No Action Taken" because I saved the logfile before I quarantined and removed the malware with the above mentioned programs).

     Superantispyware Log:

     SUPERAntiSpyware Scan Log
     http://www.superantispyware.com

     Generated 05/29/2012 at 03:14 PM

     Application Version : 5.0.1148

     Core Rules Database Version : 8601
     Trace Rules Database Version: 6413

     Scan type : Complete Scan
     Total Scan Time : 00:25:36

     Operating System Information
     Windows 7 Professional 32-bit (Build 6.01.7600)
     UAC Off - Administrator

     Memory items scanned : 342
     Memory threats detected : 0
     Registry items scanned : 42788
     Registry threats detected : 1
     File items scanned : 31213
     File threats detected : 17

     Adware.Tracking Cookie
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@advertising[2].txt [ Cookie:brent@advertising.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@atdmt[1].txt [ Cookie:brent@atdmt.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@pointroll[2].txt [ Cookie:brent@pointroll.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@ru4[2].txt [ Cookie:brent@ru4.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@adbrite[2].txt [ Cookie:brent@adbrite.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@c.atdmt[2].txt [ Cookie:brent@c.atdmt.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@lucidmedia[1].txt [ Cookie:brent@lucidmedia.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@yieldmanager[1].txt [ Cookie:brent@yieldmanager.net/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@serving-sys[2].txt [ Cookie:brent@serving-sys.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@kanoodle[2].txt [ Cookie:brent@kanoodle.com/ ]
     C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@legolas-media[2].txt [ Cookie:brent@legolas-media.com/ ]
     ds.serving-sys.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
     socialstreamingplayer.crystalmedianetworks.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
     C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\SYSTEM@S3.TRAFFICNO[2].TXT [ /S3.TRAFFICNO ]

     Trojan.Agent/Gen-FakeAlert[Local]
     C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
     C:\$RECYCLE.BIN\S-1-5-21-1557514261-2431698323-2000263041-1000\$RM1A0AX.LNK

     [B7E8586B000083BB67CF2E1FA6014588]
     C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
     C:\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART FORTRESS 2012\SMART FORTRESS 2012.LNK

     Malwarebytes Log:

     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org

     Database version: v2012.05.29.07

     Windows 7 x86 NTFS (Safe Mode)
     Internet Explorer 8.0.7600.16385
     User :: QUERCUSCRUSADER [administrator]

     5/29/2012 3:28:07 PM
     mbam-log-2012-05-29 (15-54-52).txt

     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 364709
     Time elapsed: 26 minute(s), 31 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 2
     HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> No action taken.
     HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> No action taken.

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 4
     C:\Users\User\AppData\Local\uzsqvv.exe (Trojan.Agent) -> No action taken.
     C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\00000001.@ (Trojan.Small) -> No action taken.
     C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\80000000.@ (Trojan.Sirefef) -> No action taken.
     C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\800000cb.@ (Rootkit.0Access) -> No action taken.

     (end)

     After doing this in safe mode, I restarted the computer, updated both programs to the current versions, and restarted again in safe mode and scanned again. Only Malwarebytes found infected files this time. Scan log follows (Note to readers: Again, the logs say "No Action Taken" because I saved the logfile before I quarantined and removed the malware with the above mentioned programs).

     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org

     Database version: v2012.05.15.06

     Windows 7 x86 NTFS (Safe Mode)
     Internet Explorer 8.0.7600.16385
     User :: QUERCUSCRUSADER [administrator]

     5/29/2012 2:49:26 PM
     mbam-log-2012-05-29 (15-16-54).txt

     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 361863
     Time elapsed: 26 minute(s), 42 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 1
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Trojan.LameShield) -> No action taken.

     Registry Values Detected: 3
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ipcofmon (IPH.Trojan.Agent.CPN) -> Data: rundll32 "C:\Users\User\AppData\Local\Temp\audiicpl.dll",CreateProcessNotify -> No action taken.
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MdRandomGeneratorCtrl (Trojan.Agent.SZ) -> Data: "C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe" /w -> No action taken.
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B7E8586B000083BB67CF2E1FA6014588 (Trojan.LameShield) -> Data: C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe -> No action taken.

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 6
     C:\Users\User\AppData\Local\Temp\audiicpl.dll (IPH.Trojan.Agent.CPN) -> No action taken.
     C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe (Trojan.Agent.SZ) -> No action taken.
     C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe (Trojan.LameShield) -> No action taken.
     C:\Users\User\AppData\Local\Temp\~!#6BC0.tmp (Trojan.Agent.SZ) -> No action taken.
     C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.
     C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.

     (end)

     I restarted in safe mode, scanned a third time and found nothing. I wasn't convinced it was gone, however, and decided to try one more scan. I restarted regularly this time and scanned a third time to try and catch anything that might only be visible to the program after a normal startup.

     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org

     Database version: v2012.06.02.05

     Windows 7 x86 NTFS
     Internet Explorer 8.0.7600.16385
     User :: QUERCUSCRUSADER [administrator]

     6/2/2012 10:24:55 AM
     mbam-log-2012-06-02 (10-24-55).txt

     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 369234
     Time elapsed: 32 minute(s), 52 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 1
     C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 1
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|qeupd (Trojan.Agent) -> Data: rundll32.exe "C:\Users\User\AppData\Local\Temp\qeupd.dll",SteamAPI_GetSteamInstallPath -> Quarantined and deleted successfully.

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.

     (end)

     I scanned several times after, both in safe mode as well as after a normal startup, and found nothing. I kept an eye on the machine for several days, updating and scanning whenever I could. Today is about 5 days later; I even scanned this morning and didn't find any problems. This is where things get. . . weird. . .

     I noticed while trying to work that a Microsoft Word file wouldn't open. There was no error message; the mouse would show the Windows loading wheel for about one full second and then. . . Nothing. Even after a restart, no joy. I tried Excel and PowerPoint as well. Same thing. Then I tried to open a new, blank document. Same thing. At this point, I'm confused, so I go into Program Files and find. . . nothing (See attached "Office Clip 1-3"). By now, I'm sure it has something to do with the virus. So I download and install HijackThis and run the scan, and copy the log into two different online analyzers. Neither of these came up with anything that could be dangerous (to my limited knowledge and experience). The log follows.

     Logfile of Trend Micro HijackThis v2.0.4
     Scan saved at 10:57:47 AM, on 6/5/2012
     Platform: Windows 7 (WinNT 6.00.3504)
     MSIE: Internet Explorer v8.00 (8.00.7600.16385)
     Boot mode: Normal

     Running processes:
     C:\Windows\system32\Dwm.exe
     C:\Windows\Explorer.EXE
     C:\Windows\system32\taskhost.exe
     C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
     C:\Program Files\Microsoft IntelliPoint\ipoint.exe
     C:\Program Files\Sophos\AutoUpdate\ALMon.exe
     C:\Program Files\Microsoft IntelliType Pro\itype.exe
     C:\Program Files\Common Files\Java\Java Update\jusched.exe
     C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
     C:\Program Files\WordWeb\wweb32.exe
     C:\Windows\System32\rundll32.exe
     C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
     C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
     O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
     O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
     O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
     O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
     O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
     O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
     O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
     O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
     O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
     O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
     O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup
     O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
     O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup (User '?')
     O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize (User '?')
     O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
     O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
     O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
     O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
     O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
     O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
     O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
     O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
     O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
     O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
     O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
     O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
     O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
     O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
     O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

     --
     End of file - 5523 bytes

     I know that some viruses begin with a startup file, so here is also a log of my startup files copied out of CCleaner.

     Yes HKCU:Run nemsv rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
     Yes HKCU:Run WordWeb "C:\Program Files\WordWeb\wweb32.exe" -startup
     Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
     Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
     Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe
     Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe
     Yes HKLM:Run IntelliPoint "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
     Yes HKLM:Run itype "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
     Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
     Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe
     Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
     Yes HKLM:Run Sophos AutoUpdate Monitor C:\Program Files\Sophos\AutoUpdate\almon.exe
     Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

     So, this is the gist of it. I have no clue what to do here; I don't even know what's wrong. I would just reload MS Office, but I have a code key without a disk (for activating computers preloaded with MS Office) and I think you guys can help me better than having to jump through hoops to have Microsoft send me a CD with Office on it. If I'm missing any information that is relevant, please let me know and I'll update as soon as possible.

     UPDATE: I scanned again this morning, two more hits. Screencap attached with removal log.

     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org

     Database version: v2012.06.06.04

     Windows 7 x86 NTFS
     Internet Explorer 8.0.7600.16385
     User :: QUERCUSCRUSADER [administrator]

     6/6/2012 7:49:59 AM
     mbam-log-2012-06-06 (07-49-59).txt

     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 370594
     Time elapsed: 32 minute(s), 57 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 2
     C:\Users\User\AppData\Local\Temp\tempfiles.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.
     C:\Users\User\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\41dd9ccd-7ef6735c (Trojan.Agent.H) -> Quarantined and deleted successfully.

     (end)

     Forgot to attach to above.
  5. All steps completed. Unfortunately, the "cleanup" that OTM ran, for some reason, deleted itself and the copy I saved of the results window. Also since the cleanup, my PC seems to be thinking VERY hard all the time.
  6. I saved as "all file types" and a different icon appeared. A screen shot is attached. icon_example.bmp
  7. I made the "fixes.bat" file and saved it to my desktop. When I double-clicked, it just opened in Notepad again. Is that supposed to happen? When you say delete, do you mean uninstall for DDS and RKUnhooker? I simply highlighted and deleted everything except Defogger. I ran TFC and uninstalled ComboFix. Thanks for your unwavering help. You and your team are internet superheroes.
  8. --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Saturday, September 25, 2010
     Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Saturday, September 25, 2010 02:42:42
     Records in database: 4236916
     --------------------------------------------------------------------------------

     Scan settings:
     scan using the following database: extended
     Scan archives: yes
     Scan e-mail databases: yes

     Scan area - My Computer:
     C:\
     D:\
     E:\
     F:\
     G:\
     H:\
     I:\

     Scan statistics:
     Objects scanned: 82720
     Threats found: 5
     Infected objects found: 8
     Suspicious objects found: 0
     Scan duration: 02:08:19

     File name / Threat / Threats count
     C:\9E.tmp Infected: Trojan-Downloader.Win32.Small.gvr 1
     C:\A5.tmp Infected: Trojan-Downloader.Win32.Small.gll 1
     C:\Qoobox\Quarantine\C\WINDOWS\ipv6lpr.dll.vir Infected: Backdoor.Win32.Papras.sh 1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\oqqeayv.sys.vir Infected: Rootkit.Win32.Agent.biiu 1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_oqqeayv_.sys.zip Infected: Rootkit.Win32.Agent.biiu 1
     C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP242\A0054462.dll Infected: Backdoor.Win32.Papras.sa 1
     C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP247\A0059479.dll Infected: Backdoor.Win32.Papras.sh 1
     C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP247\A0059520.sys Infected: Rootkit.Win32.Agent.biiu 1

     Selected area has been scanned.
  9. The ComboFix log

     ComboFix 10-09-23.01 - Disdoxian Vain 09/23/2010 18:31:30.3.2 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.677 [GMT -7:00]
     Running from: c:\documents and settings\Disdoxian Vain\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Disdoxian Vain\Desktop\CFScript.txt
      * Created a new restore point
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     --------------- FCopy ---------------
     c:\i386\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
     .
     ((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
     .
     2010-09-19 07:00 . 2010-09-19 07:00 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
     2010-09-19 07:00 . 2010-09-19 07:00 -------- d-----w- c:\documents and settings\Disdoxian Vain\log
     2010-09-19 06:07 . 2010-09-19 08:12 -------- d-----w- c:\program files\CCleaner
     2010-09-19 06:06 . 2010-09-19 06:06 3427248 ----a-w- c:\program files\ccsetup235.exe
     2010-09-19 05:56 . 2010-09-19 06:05 -------- d-----w- c:\program files\Active PC Optimizer
     2010-09-19 05:04 . 2010-09-19 05:04 388096 ----a-r- c:\documents and settings\Disdoxian Vain\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
     2010-09-19 05:03 . 2010-09-19 05:03 1402880 ----a-w- c:\program files\HiJackThis.msi
     2010-09-16 01:49 . 2010-09-16 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-09-19 05:55 . 2010-05-12 02:22 63488 ----a-w- c:\documents and settings\Disdoxian Vain\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
     2010-09-19 05:54 . 2009-04-03 22:38 117760 ----a-w- c:\documents and settings\Disdoxian Vain\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
     2010-09-19 05:04 . 2006-08-08 03:45 -------- d-----w- c:\program files\Trend Micro
     2010-09-17 06:49 . 2006-08-08 03:46 -------- d-----w- c:\program files\Microsoft Works
     2010-09-16 01:45 . 2007-12-05 06:31 -------- d-----w- c:\program files\SUPERAntiSpyware
     2010-09-15 04:11 . 2006-09-12 22:27 -------- d-----w- c:\program files\Dl_cats
     2010-09-02 03:24 . 2007-11-20 06:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2010-08-24 21:54 . 2006-08-18 17:29 -------- d-----w- c:\program files\Furcadia
     2009-11-19 05:17 . 2009-11-19 05:17 401728 -c--a-w- c:\program files\setup223.exe
     2009-10-20 06:01 . 2009-10-20 05:59 27386280 -c--a-w- c:\program files\AdbeRdr920_en_US.exe
     2009-10-09 03:39 . 2008-09-30 16:20 4045528 -c--a-w- c:\program files\mbam-setup.exe
     2009-09-27 05:58 . 2009-09-27 05:58 570208 -c--a-w- c:\program files\googleupdatesetup.exe
     2009-07-29 07:39 . 2009-07-29 07:38 6664816 -c--a-w- c:\program files\garden_setup.exe
     2009-07-29 07:38 . 2009-07-29 07:38 448832 -c--a-w- c:\program files\smartdraw_11C_D79QM_setup.exe
     2009-07-21 16:44 . 2009-07-21 16:42 25685128 -c--a-w- c:\program files\wordview_en-us.exe
     2009-07-10 02:34 . 2009-07-10 02:34 1878888 -c--a-w- c:\program files\install_flash_player.exe
     2009-02-02 07:11 . 2006-08-18 17:27 188064 -c--a-w- c:\program files\furcdownload.exe
     2008-11-30 23:12 . 2008-11-30 23:12 1825783 -c--a-w- c:\program files\CurseSetup-2.0.0.14.exe
     2007-03-22 21:16 . 2007-03-22 21:16 7718504 -c--a-w- c:\program files\winzip110.exe
     2006-12-02 19:34 . 2006-12-02 19:34 36808256 -c--a-w- c:\program files\iTunesSetup.exe
     2006-10-24 04:41 . 2006-10-24 04:41 1663036 -c--a-w- c:\program files\LineRider_beta.exe
     2006-12-21 18:46 . 2006-08-15 20:30 88 -csha-r- c:\windows\system32\6BE62BFEC7.sys
     2006-12-21 18:46 . 2006-08-15 20:30 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-09-21_04.45.21 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-09-24 00:56 . 2010-09-24 00:56 16384 c:\windows\temp\Perflib_Perfdata_750.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2005-05-15 332800]
     "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
     "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-16 2424560]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
     "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
     "DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
     "dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
     "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

     c:\documents and settings\Disdoxian Vain\Start Menu\Programs\Startup\
     WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-8-18 19968]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-7 24576]
     Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-8-7 921704]

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
     "NoThumbnailCache"= 1 (0x1)

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-22 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-09-05 20:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
     2005-12-23 01:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
     "3713:UDP"= 3713:UDP:Windows Media Format SDK (wmplayer.exe)
     "3712:UDP"= 3712:UDP:Windows Media Format SDK (wmplayer.exe)
     "6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 12872]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 67656]
     R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/7/2006 8:35 PM 61526]
     S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 12872]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.my.yahoo.com/
     IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
     Trusted Zone: musicmatch.com\online
     FF - ProfilePath - c:\documents and settings\Disdoxian Vain\Application Data\Mozilla\Firefox\Profiles\26dn1w53.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
     FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
     .
     **************************************************************************
     scanning hidden processes ...
     scanning hidden autostart entries ...
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
     scanning hidden files ...
     scan completed successfully
     hidden files:
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(820)
     c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     - - - - - - - > 'explorer.exe'(2212)
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2010-09-23 18:37:00
     ComboFix-quarantined-files.txt 2010-09-24 01:36
     ComboFix2.txt 2010-09-21 16:16
     ComboFix3.txt 2010-09-21 04:49
     Pre-Run: 120,649,457,664 bytes free
     Post-Run: 120,651,575,296 bytes free
     - - End Of File - - B41CEEA0563AC6AA5447312344E20440

     And the Malwarebytes log

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4678
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 6.0.2900.2180
     9/23/2010 8:08:42 PM
     mbam-log-2010-09-23 (20-08-42).txt
     Scan type: Quick scan
     Objects scanned: 155995
     Time elapsed: 6 minute(s), 39 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     (No malicious items detected)

     Wow. It looks like it's gone. I am still waiting for confirmation from you, however. Also, when do I use Defogger again to turn on my CD emulation drivers? Brian Payne
  10. Here is the SystemLook file

     SystemLook 04.09.10 by jpshortstuff
     Log created at 09:23 on 21/09/2010 by Disdoxian Vain
     Administrator - Elevation successful

     ========== filefind ==========

     Searching for "sfcfiles.*"
     C:\i386\sfcfiles.dll --a--c- 1580544 bytes [15:37 18/08/2006] [10:00 10/08/2004] 30A609E00BD1D4FFC49D6B5A432BE7F2
     C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll --a--c- 1614848 bytes [21:42 16/10/2009] [00:12 14/04/2008] 9DD07AF82244867CA36681EA2D29CE79
     C:\WINDOWS\system32\sfcfiles.dll --a--c- 1580544 bytes [00:00 24/03/2009] [00:00 24/03/2009] 32272BF10467C8ACF1F83138C61D541E

     -= EOF =-

     Here is the new ComboFix logfile

     ComboFix 10-09-20.07 - Disdoxian Vain 09/21/2010 9:06.2.2 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.606 [GMT -7:00]
     Running from: c:\documents and settings\Disdoxian Vain\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Disdoxian Vain\Desktop\CFScript.txt

     FILE ::
     "c:\windows\Hjuvifi.bin"

     file zipped: c:\windows\Ehoma.dat
     file zipped: c:\windows\system32\drivers\oopuhnpkpjv.sys
     file zipped: c:\windows\system32\drivers\uvtfwnspgygfg.sys
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\Ehoma.dat
     c:\windows\Hjuvifi.bin
     c:\windows\system32\drivers\oopuhnpkpjv.sys
     c:\windows\system32\drivers\uvtfwnspgygfg.sys
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_khqlmxop
     -------\Service_meokxf

     ((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
     .
     2010-09-19 07:00 . 2010-09-19 07:00 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
     2010-09-19 07:00 . 2010-09-19 07:00 -------- d-----w- c:\documents and settings\Disdoxian Vain\log
     2010-09-19 06:07 . 2010-09-19 08:12 -------- d-----w- c:\program files\CCleaner
     2010-09-19 06:06 . 2010-09-19 06:06 3427248 ----a-w- c:\program files\ccsetup235.exe
     2010-09-19 05:56 . 2010-09-19 06:05 -------- d-----w- c:\program files\Active PC Optimizer
     2010-09-19 05:04 . 2010-09-19 05:04 388096 ----a-r- c:\documents and settings\Disdoxian Vain\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
     2010-09-19 05:03 . 2010-09-19 05:03 1402880 ----a-w- c:\program files\HiJackThis.msi
     2010-09-16 01:49 . 2010-09-16 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-09-19 05:55 . 2010-05-12 02:22 63488 ----a-w- c:\documents and settings\Disdoxian Vain\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
     2010-09-19 05:54 . 2009-04-03 22:38 117760 ----a-w- c:\documents and settings\Disdoxian Vain\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
     2010-09-19 05:04 . 2006-08-08 03:45 -------- d-----w- c:\program files\Trend Micro
     2010-09-17 06:49 . 2006-08-08 03:46 -------- d-----w- c:\program files\Microsoft Works
     2010-09-16 01:45 . 2007-12-05 06:31 -------- d-----w- c:\program files\SUPERAntiSpyware
     2010-09-15 04:11 . 2006-09-12 22:27 -------- d-----w- c:\program files\Dl_cats
     2010-09-02 03:24 . 2007-11-20 06:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2010-08-24 21:54 . 2006-08-18 17:29 -------- d-----w- c:\program files\Furcadia
     2009-11-19 05:17 . 2009-11-19 05:17 401728 -c--a-w- c:\program files\setup223.exe
     2009-10-20 06:01 . 2009-10-20 05:59 27386280 -c--a-w- c:\program files\AdbeRdr920_en_US.exe
     2009-10-09 03:39 . 2008-09-30 16:20 4045528 -c--a-w- c:\program files\mbam-setup.exe
     2009-09-27 05:58 . 2009-09-27 05:58 570208 -c--a-w- c:\program files\googleupdatesetup.exe
     2009-07-29 07:39 . 2009-07-29 07:38 6664816 -c--a-w- c:\program files\garden_setup.exe
     2009-07-29 07:38 . 2009-07-29 07:38 448832 -c--a-w- c:\program files\smartdraw_11C_D79QM_setup.exe
     2009-07-21 16:44 . 2009-07-21 16:42 25685128 -c--a-w- c:\program files\wordview_en-us.exe
     2009-07-10 02:34 . 2009-07-10 02:34 1878888 -c--a-w- c:\program files\install_flash_player.exe
     2009-02-02 07:11 . 2006-08-18 17:27 188064 -c--a-w- c:\program files\furcdownload.exe
     2008-11-30 23:12 . 2008-11-30 23:12 1825783 -c--a-w- c:\program files\CurseSetup-2.0.0.14.exe
     2007-03-22 21:16 . 2007-03-22 21:16 7718504 -c--a-w- c:\program files\winzip110.exe
     2006-12-02 19:34 . 2006-12-02 19:34 36808256 -c--a-w- c:\program files\iTunesSetup.exe
     2006-10-24 04:41 . 2006-10-24 04:41 1663036 -c--a-w- c:\program files\LineRider_beta.exe
     2006-12-21 18:46 . 2006-08-15 20:30 88 -csha-r- c:\windows\system32\6BE62BFEC7.sys
     2006-12-21 18:46 . 2006-08-15 20:30 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys
     .
     ------- Sigcheck -------
     [-] 2009-03-24 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
     [-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-09-21_04.45.21 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-09-21 16:12 . 2010-09-21 16:12 16384 c:\windows\temp\Perflib_Perfdata_758.dat
     - 2010-09-21 04:44 . 2010-09-21 04:44 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2005-05-15 332800]
     "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
     "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-16 2424560]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
     "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
     "DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
     "dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
     "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

     c:\documents and settings\Disdoxian Vain\Start Menu\Programs\Startup\
     WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-8-18 19968]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-7 24576]
     Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-8-7 921704]

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
     "NoThumbnailCache"= 1 (0x1)

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-22 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-09-05 20:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
     2005-12-23 01:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\WINDOWS\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
     "3713:UDP"= 3713:UDP:Windows Media Format SDK (wmplayer.exe)
     "3712:UDP"= 3712:UDP:Windows Media Format SDK (wmplayer.exe)
     "6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 12872]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 67656]
     R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/7/2006 8:35 PM 61526]
     S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 12872]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.my.yahoo.com/
     IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
     Trusted Zone: musicmatch.com\online
     FF - ProfilePath - c:\documents and settings\Disdoxian Vain\Application Data\Mozilla\Firefox\Profiles\26dn1w53.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
     FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-09-21 09:12
     Windows 5.1.2600 Service Pack 2 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(824)
     c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     - - - - - - - > 'explorer.exe'(2304)
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\Ati2evxx.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\windows\ehome\mcrdsvc.exe
     c:\windows\system32\PRISMSVR.EXE
     c:\windows\stsystra.exe
     c:\windows\system32\dlcccoms.exe
     c:\program files\iPod\bin\iPodService.exe
     .
     **************************************************************************
     .
     Completion time: 2010-09-21 09:16:44 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-09-21 16:16
     ComboFix2.txt 2010-09-21 04:49
     Pre-Run: 120,682,545,152 bytes free
     Post-Run: 120,689,041,408 bytes free
     - - End Of File - - E2EF7FE98F96ADBFE89840E7592B63CD

     Unfortunately, I have to go on an impromptu business trip and I won't be able to check back here until late Thursday evening, so please don't delete this post. I wanted to thank you for your continued help. It means a lot that you're still helping. Brian Payne
  11. ComboFix 10-09-20.02 - Disdoxian Vain 09/20/2010 21:38:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.495 [GMT -7:00]
Running from: c:\documents and settings\Disdoxian Vain\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Disdoxian Vain\Local Settings\Application Data\{E6AC3765-C228-410D-86A9-69D658E67A26}
c:\documents and settings\Disdoxian Vain\Local Settings\Application Data\{E6AC3765-C228-410D-86A9-69D658E67A26}\chrome.manifest
c:\documents and settings\Disdoxian Vain\Local Settings\Application Data\{E6AC3765-C228-410D-86A9-69D658E67A26}\chrome\content\_cfg.js
c:\documents and settings\Disdoxian Vain\Local Settings\Application Data\{E6AC3765-C228-410D-86A9-69D658E67A26}\chrome\content\overlay.xul
c:\documents and settings\Disdoxian Vain\Local Settings\Application Data\{E6AC3765-C228-410D-86A9-69D658E67A26}\install.rdf
c:\documents and settings\Disdoxian Vain\System
c:\documents and settings\Disdoxian Vain\System\win_qs8.jqx
c:\program files\Internet Explorer\SET5B1.tmp
c:\windows\ipv6lpr.dll
c:\windows\system32\_005198_.tmp.dll
c:\windows\system32\_005199_.tmp.dll
c:\windows\system32\_005200_.tmp.dll
c:\windows\system32\_005201_.tmp.dll
c:\windows\system32\_005208_.tmp.dll
c:\windows\system32\_005209_.tmp.dll
c:\windows\system32\_005210_.tmp.dll
c:\windows\system32\_005211_.tmp.dll
c:\windows\system32\_005213_.tmp.dll
c:\windows\system32\_005214_.tmp.dll
c:\windows\system32\_005217_.tmp.dll
c:\windows\system32\_005218_.tmp.dll
c:\windows\system32\_005220_.tmp.dll
c:\windows\system32\_005221_.tmp.dll
c:\windows\system32\_005222_.tmp.dll
c:\windows\system32\_005224_.tmp.dll
c:\windows\system32\_005227_.tmp.dll
c:\windows\system32\_005228_.tmp.dll
c:\windows\system32\_005232_.tmp.dll
c:\windows\system32\_005233_.tmp.dll
c:\windows\system32\_005235_.tmp.dll
c:\windows\system32\_005238_.tmp.dll
c:\windows\system32\_005240_.tmp.dll
c:\windows\system32\_005241_.tmp.dll
c:\windows\system32\_005242_.tmp.dll
c:\windows\system32\_005243_.tmp.dll
c:\windows\system32\_005244_.tmp.dll
c:\windows\system32\_005247_.tmp.dll
c:\windows\system32\_005248_.tmp.dll
c:\windows\system32\_005249_.tmp.dll
c:\windows\system32\_005250_.tmp.dll
c:\windows\system32\_005251_.tmp.dll
c:\windows\system32\_005256_.tmp.dll
c:\windows\system32\_005258_.tmp.dll
c:\windows\system32\_005259_.tmp.dll
c:\windows\system32\driVERs\oqqeayv.sys
c:\windows\system32\SET1AA.tmp
c:\windows\system32\SET432.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_oqqeayv
-------\Service_oqqeayv

((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
.
2010-09-19 07:00 . 2010-09-19 07:00 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-19 07:00 . 2010-09-19 07:00 -------- d-----w- c:\documents and settings\Disdoxian Vain\log
2010-09-19 06:07 . 2010-09-19 08:12 -------- d-----w- c:\program files\CCleaner
2010-09-19 06:06 . 2010-09-19 06:06 3427248 ----a-w- c:\program files\ccsetup235.exe
2010-09-19 05:56 . 2010-09-19 06:05 -------- d-----w- c:\program files\Active PC Optimizer
2010-09-19 05:04 . 2010-09-19 05:04 388096 ----a-r- c:\documents and settings\Disdoxian Vain\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-19 05:03 . 2010-09-19 05:03 1402880 ----a-w- c:\program files\HiJackThis.msi
2010-09-16 01:49 . 2010-09-16 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-09-15 05:11 . 2010-09-15 05:24 69504 ----a-w- c:\windows\system32\drivers\uvtfwnspgygfg.sys
2010-09-14 17:03 . 2010-09-14 17:03 120 ----a-w- c:\windows\Ehoma.dat
2010-09-14 17:03 . 2010-09-14 17:03 0 ----a-w- c:\windows\Hjuvifi.bin
2010-09-14 17:01 . 2010-09-15 05:24 69504 ----a-w- c:\windows\system32\drivers\oopuhnpkpjv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-19 05:55 . 2010-05-12 02:22 63488 ----a-w- c:\documents and settings\Disdoxian Vain\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-19 05:54 . 2009-04-03 22:38 117760 ----a-w- c:\documents and settings\Disdoxian Vain\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-19 05:04 . 2006-08-08 03:45 -------- d-----w- c:\program files\Trend Micro
2010-09-17 06:49 . 2006-08-08 03:46 -------- d-----w- c:\program files\Microsoft Works
2010-09-16 01:45 . 2007-12-05 06:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-15 04:11 . 2006-09-12 22:27 -------- d-----w- c:\program files\Dl_cats
2010-09-02 03:24 . 2007-11-20 06:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-24 21:54 . 2006-08-18 17:29 -------- d-----w- c:\program files\Furcadia
2009-11-19 05:17 . 2009-11-19 05:17 401728 -c--a-w- c:\program files\setup223.exe
2009-10-20 06:01 . 2009-10-20 05:59 27386280 -c--a-w- c:\program files\AdbeRdr920_en_US.exe
2009-10-09 03:39 . 2008-09-30 16:20 4045528 -c--a-w- c:\program files\mbam-setup.exe
2009-09-27 05:58 . 2009-09-27 05:58 570208 -c--a-w- c:\program files\googleupdatesetup.exe
2009-07-29 07:39 . 2009-07-29 07:38 6664816 -c--a-w- c:\program files\garden_setup.exe
2009-07-29 07:38 . 2009-07-29 07:38 448832 -c--a-w- c:\program files\smartdraw_11C_D79QM_setup.exe
2009-07-21 16:44 . 2009-07-21 16:42 25685128 -c--a-w- c:\program files\wordview_en-us.exe
2009-07-10 02:34 . 2009-07-10 02:34 1878888 -c--a-w- c:\program files\install_flash_player.exe
2009-02-02 07:11 . 2006-08-18 17:27 188064 -c--a-w- c:\program files\furcdownload.exe
2008-11-30 23:12 . 2008-11-30 23:12 1825783 -c--a-w- c:\program files\CurseSetup-2.0.0.14.exe
2007-03-22 21:16 . 2007-03-22 21:16 7718504 -c--a-w- c:\program files\winzip110.exe
2006-12-02 19:34 . 2006-12-02 19:34 36808256 -c--a-w- c:\program files\iTunesSetup.exe
2006-10-24 04:41 . 2006-10-24 04:41 1663036 -c--a-w- c:\program files\LineRider_beta.exe
2006-12-21 18:46 . 2006-08-15 20:30 88 -csha-r- c:\windows\system32\6BE62BFEC7.sys
2006-12-21 18:46 . 2006-08-15 20:30 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys
.
------- Sigcheck -------
[-] 2009-03-24 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2005-05-15 332800]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Disdoxian Vain\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-8-18 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-7 24576]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-8-7 921704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 20:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 01:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3713:UDP"= 3713:UDP:Windows Media Format SDK (wmplayer.exe)
"3712:UDP"= 3712:UDP:Windows Media Format SDK (wmplayer.exe)
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 67656]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/7/2006 8:35 PM 61526]
S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [9/14/2010 10:01 AM 69504]
S0 meokxf;meokxf;c:\windows\system32\drivers\uvtfwnspgygfg.sys [9/14/2010 10:11 PM 69504]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 12872]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Disdoxian Vain\Application Data\Mozilla\Firefox\Profiles\26dn1w53.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-wanatw4.sys
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-20 21:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\PRISMSVR.EXE
c:\windows\stsystra.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-20 21:49:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-21 04:49

Pre-Run: 120,686,833,664 bytes free
Post-Run: 120,642,707,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 060E2741F6E4FA55E40FE226C2344F66

ComboFix file. Thanks again for the help and all the speedy replies!
  12. I wasn't sure if I should quote you or just post another reply, so I quoted. Here is the RKU scan log. After scanning I simply exited. I found that the same problem file (oqqeayv) shows up here as well as a locked file. I don't know if my pointing it out is wrong, or annoying. I can stop if you like.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2367488 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF684D000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1331200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF6698000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF43B6000 C:\WINDOWS\system32\drivers\sthda.sys 1015808 bytes (SigmaTel, Inc., NDRC)
0xF65F1000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xBF2F4000 C:\WINDOWS\System32\ativvaxx.dll 643072 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF7483000 oqqeayv.sys 585728 bytes
0xF733A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF3E6B000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6519000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
0xF405A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF2DDE000 C:\WINDOWS\system32\DRIVERS\PRISMA02.sys 356352 bytes (Conexant Systems, Inc., PRISM Wireless NDIS 5.1 Driver)
0xEE160000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xEE1DA000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF07D000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 212992 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF67BA000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF6572000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7523000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF730D000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEE26B000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xECEC3000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF3EDA000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF6811000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF4032000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF743E000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF65CB000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xF4392000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF0393000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6797000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF67EE000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF3FEF000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF3F05000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xF4011000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E2000 ACPI_HAL 134400 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7406000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7464000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF72F2000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7426000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEE34D000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xF037B000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF73C7000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF65B4000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEE365000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xEE337000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF73DE000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xEDEF3000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6839000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF40B2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF73F4000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7512000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF65A3000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF2295000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7872000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF77D2000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF1A55000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF78B2000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF77C2000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7692000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF77F2000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7672000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7812000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF77E2000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7662000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7802000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF251A000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF7842000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7832000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7682000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF69C2000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF2118000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF77B2000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7652000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7822000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF69E2000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEDF30000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF69F2000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7912000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF79A2000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7A22000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF791A000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CD/DVD Class Filter Driver)
0xF798A000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF78D2000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF78F2000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF79F2000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7982000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF793A000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7942000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF79AA000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF7992000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7A32000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF799A000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF78DA000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF792A000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78E2000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7932000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7922000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7A5A000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF794A000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xEDF10000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF2BD7000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF4221000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7B1A000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF6B51000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF093B000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7A62000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF03BA000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF4229000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xEE2AB000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF421D000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF6B6D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7B46000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF72BD000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7BAE000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xF7BA6000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B84000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7B5A000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7B56000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7C02000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7BA4000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7BA2000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF7B52000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7BA8000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7BAA000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B86000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B8E000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B54000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C5F000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7CE2000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7C54000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7D56000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C1A000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8695C270 unknown_irp_handler 3472 bytes
0x86DE2638 unknown_irp_handler 2504 bytes
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [adpu160m.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [HSF_DP.sys]
WARNING: Virus alike driver modification [sthda.sys]
WARNING: Virus alike driver modification [dxapi.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
WARNING: Virus alike driver modification [mup.sys]
WARNING: Virus alike driver modification [mhndrv.sys]
WARNING: Virus alike driver modification [mdmxsdk.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [irenum.sys]
WARNING: Virus alike driver modification [wadv08nt.sys]
WARNING: Virus alike driver modification [Hdaudio.sys]
WARNING: Virus alike driver modification [sfloppy.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [wadv07nt.sys]
WARNING: Virus alike driver modification [wadv09nt.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [amsint.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [mouhid.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [ftdisk.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [mutohpen.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [usb8023x.sys]
WARNING: Virus alike driver modification [ati2mtag.sys]
WARNING: Virus alike driver modification [aha154x.sys]
WARNING: Virus alike driver modification [ndisuio.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [wacompen.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
WARNING: Virus alike driver modification [afd.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [ks.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [usbport.sys]
WARNING: Virus alike driver modification [asyncmac.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [fastfat.sys]
WARNING: Virus alike driver modification [hdaudbus.sys]
WARNING: Virus alike driver modification [portcls.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [dac960nt.sys]
WARNING: Virus alike driver modification [asc3550.sys]
WARNING: Virus alike driver modification [kbdhid.sys]
WARNING: Virus alike driver modification [cpqarray.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [usbscan.sys]
WARNING: Virus alike driver modification [dmio.sys]
WARNING: Virus alike driver modification [mssmbios.sys]
WARNING: Virus alike driver modification [serenum.sys]
WARNING: Virus alike driver modification [e100b325.sys]
WARNING: Virus alike driver modification [GEARAspiWDM.sys]
WARNING: Virus alike driver modification [ini910u.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [MODEMCSA.sys]
WARNING: Virus alike driver modification [symc810.sys]
WARNING: Virus alike driver modification [netbt.sys]
WARNING: Virus alike driver modification [raspti.sys]
WARNING: Virus alike driver modification [s3gnbm.sys]
WARNING: Virus alike driver modification [bthenum.sys]
WARNING: Virus alike driver modification [hidir.sys]
WARNING: Virus alike driver modification [mraid35x.sys]
WARNING: Virus alike driver modification [ptilink.sys]
WARNING: Virus alike driver modification [dac2w2k.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [ndis.sys]
WARNING: Virus alike driver modification [i2omp.sys]
WARNING: Virus alike driver modification [tdi.sys]
WARNING: Virus alike driver modification [cdaudio.sys]
WARNING: Virus alike driver modification [partmgr.sys]
WARNING: Virus alike driver modification [acpi.sys]
WARNING: Virus alike driver modification [bthusb.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [nv4_mini.sys]
WARNING: Virus alike driver modification [msfs.sys]
WARNING: Virus alike driver modification [sparrow.sys]
WARNING: Virus alike driver modification [iqvw32.sys]
WARNING: Virus alike driver modification [rdpdr.sys]
WARNING: Virus alike driver modification [pxhelp20.sys]
WARNING: Virus alike driver modification [dpti2o.sys]
WARNING: Virus alike driver modification [rmcast.sys]
WARNING: Virus alike driver modification [flpydisk.sys]
WARNING: Virus alike driver modification [usbuhci.sys]
WARNING: Virus alike driver modification [AegisP.sys]
WARNING: Virus alike driver modification [mbam.sys]
WARNING: Virus alike driver modification [ipinip.sys]
WARNING: Virus alike driver modification [vga.sys]
WARNING: Virus alike driver modification [HSFHWBS2.sys]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [tdtcp.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [watv06nt.sys]
WARNING: Virus alike driver modification [asc3350p.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [DLARTL_N.SYS]
WARNING: Virus alike driver modification [mouclass.sys]
WARNING: Virus alike driver modification [abp480n5.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [kbdclass.sys]
WARNING: Virus alike driver modification [hidparse.sys]
WARNING: Virus alike driver modification [pciidex.sys]
WARNING: Virus alike driver modification [watv10nt.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [hidbth.sys]
WARNING: Virus alike driver modification [usbprint.sys]
WARNING: Virus alike driver modification [hpn.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
WARNING: Virus alike driver modification [asc.sys]
WARNING: Virus alike driver modification [usbstor.sys]
WARNING: Virus alike driver modification [usbehci.sys]
WARNING: Virus alike driver modification [bthport.sys]
WARNING: Virus alike driver modification [perc2.sys]
WARNING: Virus alike driver modification [fdc.sys]
WARNING: Virus alike driver modification [sym_hi.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
WARNING: Virus alike driver modification [ip6fw.sys]
WARNING: Virus alike driver modification [ati1xbxx.sys]
WARNING: Virus alike driver modification [modem.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus
alike driver modification [rndismpx.sys] WARNING: Virus alike driver modification [ati1raxx.sys] WARNING: Virus alike driver modification [sym_u3.sys] WARNING: Virus alike driver modification [npfs.sys] WARNING: Virus alike driver modification [atmepvc.sys] WARNING: Virus alike driver modification [usbccgp.sys] WARNING: Virus alike driver modification [atinxbxx.sys] WARNING: Virus alike driver modification [nwlnkfwd.sys] WARNING: Virus alike driver modification [symc8xx.sys] WARNING: Virus alike driver modification [ati2mtaa.sys] WARNING: Virus alike driver modification [ipfltdrv.sys] WARNING: Virus alike driver modification [ql10wnt.sys] WARNING: Virus alike driver modification [srv.sys] WARNING: Virus alike driver modification [rawwan.sys] WARNING: File locked for read access [C:\WINDOWS\system32\drivers\oqqeayv.sys] WARNING: Virus alike driver modification [netbios.sys] WARNING: Virus alike driver modification [wanarp.sys] WARNING: Virus alike driver modification [ati1xsxx.sys] WARNING: Virus alike driver modification [fips.sys] WARNING: Virus alike driver modification [msgpc.sys] WARNING: Virus alike driver modification [atmuni.sys] WARNING: Virus alike driver modification [processr.sys] WARNING: Virus alike driver modification [PRISMA02.sys] WARNING: Virus alike driver modification [bthprint.sys] WARNING: Virus alike driver modification [isapnp.sys] WARNING: Virus alike driver modification [tcpip.sys] WARNING: Virus alike driver modification [intelppm.sys] WARNING: Virus alike driver modification [hidclass.sys] WARNING: Virus alike driver modification [disk.sys] WARNING: Virus alike driver modification [ati1tuxx.sys] WARNING: Virus alike driver modification [crusoe.sys] WARNING: Virus alike driver modification [ultra.sys] WARNING: Virus alike driver modification [amdk6.sys] WARNING: Virus alike driver modification [amdk7.sys] WARNING: Virus alike driver modification [bthmodem.sys] WARNING: Virus alike driver modification [ndproxy.sys] WARNING: Virus alike 
driver modification [mbamswissarmy.sys] WARNING: Virus alike driver modification [nmnt.sys] WARNING: Virus alike driver modification [ql1080.sys] WARNING: Virus alike driver modification [ql1240.sys] WARNING: Virus alike driver modification [slntamr.sys] WARNING: Virus alike driver modification [DRVNDDM.SYS] WARNING: Virus alike driver modification [termdd.sys] WARNING: Virus alike driver modification [sisagp.sys] WARNING: Virus alike driver modification [raspppoe.sys] WARNING: Virus alike driver modification [imapi.sys] WARNING: Virus alike driver modification [beep.sys] WARNING: Virus alike driver modification [mnmdd.sys] WARNING: Virus alike driver modification [rdpcdd.sys] WARNING: Virus alike driver modification [mountmgr.sys] WARNING: Virus alike driver modification [viaagp.sys] WARNING: Virus alike driver modification [agp440.sys] WARNING: Virus alike driver modification [p3.sys] WARNING: Virus alike driver modification [alim1541.sys] WARNING: Virus alike driver modification [amdagp.sys] WARNING: Virus alike driver modification [swenum.sys] WARNING: Virus alike driver modification [wmilib.sys] WARNING: Virus alike driver modification [uagp35.sys] WARNING: Virus alike driver modification [agpcpq.sys] WARNING: Virus alike driver modification [mtxparhm.sys] WARNING: Virus alike driver modification [ql12160.sys] WARNING: Virus alike driver modification [irbus.sys] WARNING: Virus alike driver modification [gagp30kx.sys] WARNING: Virus alike driver modification [usbd.sys] WARNING: Virus alike driver modification [raspptp.sys] WARNING: Virus alike driver modification [stream.sys] WARNING: Virus alike driver modification [ql1280.sys] WARNING: Virus alike driver modification [cdrom.sys] WARNING: Virus alike driver modification [classpnp.sys] WARNING: Virus alike driver modification [mspqm.sys] WARNING: Virus alike driver modification [toside.sys] WARNING: Virus alike driver modification [rasl2tp.sys] WARNING: Virus alike driver modification [tosdvd.sys] WARNING: 
Virus alike driver modification [atinraxx.sys] WARNING: Virus alike driver modification [volsnap.sys] WARNING: Virus alike driver modification [aliide.sys] WARNING: Virus alike driver modification [i8042prt.sys] WARNING: Virus alike driver modification [dmusic.sys] WARNING: Virus alike driver modification [mspclock.sys] WARNING: Virus alike driver modification [viaide.sys] WARNING: Virus alike driver modification [swmidi.sys] WARNING: Virus alike driver modification [intelide.sys] WARNING: Virus alike driver modification [perc2hib.sys] WARNING: Virus alike driver modification [aic78u2.sys] WARNING: Virus alike driver modification [atmlane.sys] WARNING: Virus alike driver modification [nwlnkspx.sys] WARNING: Virus alike driver modification [DLACDBHM.SYS] WARNING: Virus alike driver modification [ati1btxx.sys] WARNING: Virus alike driver modification [aic78xx.sys] WARNING: Virus alike driver modification [redbook.sys] WARNING: Virus alike driver modification [usbhub.sys] WARNING: Virus alike driver modification [atinbtxx.sys] WARNING: Virus alike driver modification [vdmindvd.sys] WARNING: Virus alike driver modification [dmload.sys] WARNING: Virus alike driver modification [rootmdm.sys] WARNING: Virus alike driver modification [rfcomm.sys] WARNING: Virus alike driver modification [atmarpc.sys] WARNING: Virus alike driver modification [smbali.sys] WARNING: Virus alike driver modification [drmk.sys] WARNING: Virus alike driver modification [arp1394.sys] WARNING: Virus alike driver modification [sysaudio.sys] WARNING: Virus alike driver modification [nic1394.sys] WARNING: Virus alike driver modification [nwlnknb.sys] WARNING: Virus alike driver modification [atinxsxx.sys] WARNING: Virus alike driver modification [ati1rvxx.sys] WARNING: Virus alike driver modification [cdfs.sys] WARNING: Virus alike driver modification [mf.sys] WARNING: Virus alike driver modification [serial.sys] WARNING: Virus alike driver modification [udfs.sys] WARNING: Virus alike driver 
modification [cmdide.sys] WARNING: Virus alike driver modification [sdbus.sys] WARNING: Virus alike driver modification [parvdm.sys] WARNING: Virus alike driver modification [HSF_CNXT.sys] WARNING: Virus alike driver modification [pci.sys] WARNING: Virus alike driver modification [hsfcxts2.sys] WARNING: Virus alike driver modification [psched.sys] WARNING: Virus alike driver modification [bridge.sys] WARNING: Virus alike driver modification [atintuxx.sys] WARNING: Virus alike driver modification [sr.sys] WARNING: Virus alike driver modification [ipsec.sys] WARNING: Virus alike driver modification [mskssrv.sys] WARNING: Virus alike driver modification [cd20xrnt.sys] WARNING: Virus alike driver modification [mcd.sys] WARNING: Virus alike driver modification [WudfPf.sys] WARNING: Virus alike driver modification [usbvideo.sys] WARNING: Virus alike driver modification [fs_rec.sys] WARNING: Virus alike driver modification [videoprt.sys] WARNING: Virus alike driver modification [dmboot.sys] WARNING: Virus alike driver modification [parport.sys] WARNING: Virus alike driver modification [i2omgmt.sys] WARNING: Virus alike driver modification [WudfRd.sys] WARNING: Virus alike driver modification [asctrm.sys] WARNING: Virus alike driver modification [rasacd.sys] WARNING: Virus alike driver modification [nwlnkipx.sys] WARNING: Virus alike driver modification [DRVMCDB.SYS] WARNING: Virus alike driver modification [mqac.sys] WARNING: Virus alike driver modification [ndiswan.sys] WARNING: Virus alike driver modification [ksecdd.sys] WARNING: Virus alike driver modification [atapi.sys] WARNING: Virus alike driver modification [slnthal.sys] WARNING: Virus alike driver modification [hidusb.sys] WARNING: Virus alike driver modification [ndistapi.sys] WARNING: Virus alike driver modification [scsiport.sys] ============================================== >Files ============================================== ============================================== >Hooks 
============================================== Key object-->ParseProcedure, Type: Kernel Object [unknown_code_page] ntkrnlpa.exe+0x0006DF0E, Type: Inline - RelativeJump 0x80544F0E-->80544F15 [ntkrnlpa.exe] [1628]explorer.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001228-->00000000 [kernel32.dll] [1628]explorer.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [1628]explorer.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [1628]explorer.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2052]DLACTRLW.EXE-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2052]DLACTRLW.EXE-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2052]DLACTRLW.EXE-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2096]dlccmon.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x00422074-->00000000 [kernel32.dll] [2096]dlccmon.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2096]dlccmon.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2096]dlccmon.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2108]iTunesHelper.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0041F0A4-->00000000 [kernel32.dll] [2108]iTunesHelper.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2120]stsystra.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x004241A4-->00000000 [kernel32.dll] 
[2120]stsystra.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2120]stsystra.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2120]stsystra.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2356]jusched.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x004170AC-->00000000 [kernel32.dll] [2356]jusched.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2356]jusched.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2356]jusched.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2472]DSAgnt.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x004380A4-->00000000 [kernel32.dll] [2472]DSAgnt.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2472]DSAgnt.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2472]DSAgnt.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2496]msnmsgr.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x004011C8-->00000000 [kernel32.dll] [2496]msnmsgr.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2496]msnmsgr.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2496]msnmsgr.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2572]SUPERANTISPYWARE.EXE-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x0053D27C-->00000000 [kernel32.dll] 
[2572]SUPERANTISPYWARE.EXE-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2572]SUPERANTISPYWARE.EXE-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2572]SUPERANTISPYWARE.EXE-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2592]msmsgs.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001334-->00000000 [kernel32.dll] [2592]msmsgs.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2592]msmsgs.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2592]msmsgs.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2616]DLG.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2616]DLG.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2616]DLG.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2628]PRISMCFG.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification 0x004412DC-->00000000 [kernel32.dll] [2628]PRISMCFG.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2628]PRISMCFG.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [2628]PRISMCFG.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [2640]wweb32.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [2640]wweb32.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 
[kernel32.dll] [2640]wweb32.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [568]DMXLauncher.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [568]DMXLauncher.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [568]DMXLauncher.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] [776]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->00000000 [firefox.exe] [776]firefox.exe-->shell32.dll-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x7C9C108C-->00000000 [advapi32.dll] [776]firefox.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7C9C148C-->00000000 [kernel32.dll] [776]firefox.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x7E41127C-->00000000 [kernel32.dll] Thanks for the prompt reply, Brian Payne