
Fake Antivirus Has Taken Over Multiple PCs



Well, a few weeks ago I made a thread asking for help to remove XP Antivirus 2011 from my laptop; through many scans and updates I ended up removing it fully in safe mode. However, today I was listening to YouTube on my gaming desktop, which is only, and I mean only, used to game and stream music. As I was changing a song, Vista Antivirus 2012 popped up; I instantly knew what it was. So I went into action, grabbed the previously infected laptop, downloaded Mbam and a manual update, rebooted into safe mode to install, and this is where things went crazy. I have always used safe mode to scan an infected PC with no issues until now; as safe mode (minimal) booted, the virus was still active, which was confusing to me because to my knowledge safe mode boots the minimal exes needed to run the PC and nothing else, so why was the virus still active... Anyhow, whilst fighting the virus on my desktop my laptop contracted it AGAIN, WTF. Could the flash drive be infected??? So to sum things up: my laptop got the virus first, which was thought to be removed, then my desktop got it somehow, and whilst removing the virus from the desktop my laptop re-contracted the virus yet again.

Specs: Laptop runs Mbam and Superantispyware free

Specs: Desktop just runs Mbam.

As for the laptop, I have already run Mbam as iexplorer.exe and have the logs ready; the desktop is still running Mbam, currently 6 infected objects found, however I don't know if the virus will interfere with the scan since it is active in safe mode.

I desperately need help, I have a final thesis due next week and ALL MY PCs HAVE BEEN INFECTED BY THIS DAMN VIRUS.


Maybe this will expedite things: I noticed on other posts you would ask for log files, so I downloaded TDSSKiller and DDS and ran both. Here are my logs FOR THE LAPTOP ONLY. I shall take things one at a time, laptop first then desktop, as the laptop is much more important. I'm currently on a different computer as the laptop cannot access the Internet due to Ping.exe eating the processing power, so without further ado.

23:00:57.0765 2432 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06

23:00:59.0734 2432 ============================================================

23:00:59.0734 2432 Current date / time: 2011/12/11 23:00:59.0734

23:00:59.0734 2432 SystemInfo:

23:00:59.0734 2432

23:00:59.0734 2432 OS Version: 5.1.2600 ServicePack: 3.0

23:00:59.0734 2432 Product type: Workstation

23:00:59.0734 2432 ComputerName: YOUR-0CDC4F5844

23:00:59.0734 2432 UserName: Owner

23:00:59.0734 2432 Windows directory: C:\WINDOWS

23:00:59.0734 2432 System windows directory: C:\WINDOWS

23:00:59.0734 2432 Processor architecture: Intel x86

23:00:59.0734 2432 Number of processors: 1

23:00:59.0734 2432 Page size: 0x1000

23:00:59.0734 2432 Boot type: Normal boot

23:00:59.0734 2432 ============================================================

23:01:00.0218 2432 Initialize success

23:01:08.0265 4064 ============================================================

23:01:08.0265 4064 Scan started

23:01:08.0265 4064 Mode: Manual; SigCheck; TDLFS;

23:01:08.0265 4064 ============================================================

23:01:10.0843 4064 Abiosdsk - ok

23:01:10.0937 4064 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

23:01:13.0265 4064 abp480n5 - ok

23:01:13.0484 4064 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

23:01:13.0640 4064 ACPI - ok

23:01:13.0687 4064 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

23:01:13.0828 4064 ACPIEC - ok

23:01:13.0890 4064 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

23:01:14.0031 4064 adpu160m - ok

23:01:14.0109 4064 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

23:01:14.0281 4064 aec - ok

23:01:14.0343 4064 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

23:01:14.0406 4064 AFD - ok

23:01:14.0656 4064 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

23:01:14.0796 4064 agp440 - ok

23:01:14.0843 4064 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

23:01:14.0984 4064 agpCPQ - ok

23:01:15.0031 4064 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

23:01:15.0125 4064 Aha154x - ok

23:01:15.0187 4064 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

23:01:15.0359 4064 aic78u2 - ok

23:01:15.0562 4064 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

23:01:15.0703 4064 aic78xx - ok

23:01:15.0765 4064 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

23:01:15.0921 4064 AliIde - ok

23:01:15.0984 4064 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

23:01:16.0125 4064 alim1541 - ok

23:01:16.0171 4064 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

23:01:16.0312 4064 amdagp - ok

23:01:16.0359 4064 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

23:01:16.0453 4064 amsint - ok

23:01:16.0703 4064 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

23:01:16.0843 4064 Arp1394 - ok

23:01:16.0890 4064 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

23:01:17.0046 4064 asc - ok

23:01:17.0078 4064 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

23:01:17.0171 4064 asc3350p - ok

23:01:17.0218 4064 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

23:01:17.0375 4064 asc3550 - ok

23:01:17.0562 4064 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys

23:01:17.0625 4064 Aspi32 ( UnsignedFile.Multi.Generic ) - warning

23:01:17.0625 4064 Aspi32 - detected UnsignedFile.Multi.Generic (1)

23:01:17.0718 4064 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

23:01:17.0859 4064 AsyncMac - ok

23:01:17.0953 4064 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

23:01:18.0078 4064 atapi - ok

23:01:18.0187 4064 Atdisk - ok

23:01:18.0328 4064 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

23:01:18.0500 4064 Atmarpc - ok

23:01:18.0578 4064 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

23:01:18.0734 4064 audstub - ok

23:01:18.0859 4064 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

23:01:19.0078 4064 BCM43XX - ok

23:01:19.0093 4064 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

23:01:19.0250 4064 Beep - ok

23:01:19.0375 4064 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

23:01:19.0562 4064 cbidf - ok

23:01:19.0718 4064 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

23:01:19.0875 4064 cbidf2k - ok

23:01:19.0953 4064 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

23:01:20.0015 4064 cd20xrnt - ok

23:01:20.0062 4064 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

23:01:20.0281 4064 Cdaudio - ok

23:01:20.0328 4064 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

23:01:20.0515 4064 Cdfs - ok

23:01:20.0609 4064 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

23:01:20.0750 4064 Cdrom - ok

23:01:20.0875 4064 Changer - ok

23:01:20.0937 4064 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

23:01:21.0078 4064 CmBatt - ok

23:01:21.0156 4064 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

23:01:21.0343 4064 CmdIde - ok

23:01:21.0390 4064 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

23:01:21.0531 4064 Compbatt - ok

23:01:21.0625 4064 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

23:01:21.0781 4064 Cpqarray - ok

23:01:21.0843 4064 cpuz132 (097a0a4899b759a4f032bd464963b4be) C:\WINDOWS\system32\drivers\cpuz132_x32.sys

23:01:21.0875 4064 cpuz132 ( UnsignedFile.Multi.Generic ) - warning

23:01:21.0875 4064 cpuz132 - detected UnsignedFile.Multi.Generic (1)

23:01:22.0171 4064 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

23:01:22.0453 4064 dac2w2k - ok

23:01:22.0843 4064 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

23:01:23.0046 4064 dac960nt - ok

23:01:23.0296 4064 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

23:01:23.0406 4064 Disk - ok

23:01:23.0484 4064 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

23:01:23.0703 4064 dmboot - ok

23:01:23.0718 4064 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

23:01:23.0890 4064 dmio - ok

23:01:23.0937 4064 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

23:01:24.0109 4064 dmload - ok

23:01:24.0343 4064 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

23:01:24.0484 4064 DMusic - ok

23:01:24.0515 4064 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

23:01:24.0687 4064 dpti2o - ok

23:01:24.0734 4064 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

23:01:24.0843 4064 drmkaud - ok

23:01:24.0890 4064 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys

23:01:24.0921 4064 eabfiltr - ok

23:01:24.0953 4064 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys

23:01:25.0031 4064 eabusb - ok

23:01:25.0343 4064 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

23:01:25.0500 4064 Fastfat - ok

23:01:25.0546 4064 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

23:01:25.0671 4064 Fdc - ok

23:01:25.0703 4064 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

23:01:25.0843 4064 Fips - ok

23:01:25.0875 4064 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

23:01:26.0015 4064 Flpydisk - ok

23:01:26.0078 4064 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

23:01:26.0281 4064 FltMgr - ok

23:01:26.0500 4064 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

23:01:26.0718 4064 Fs_Rec - ok

23:01:26.0750 4064 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

23:01:26.0906 4064 Ftdisk - ok

23:01:26.0968 4064 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

23:01:27.0000 4064 GEARAspiWDM - ok

23:01:27.0078 4064 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

23:01:27.0203 4064 Gpc - ok

23:01:27.0375 4064 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys

23:01:27.0375 4064 HBtnKey - ok

23:01:27.0531 4064 HdAudAddService (34af2366ae5ba06626b023c81369039e) C:\WINDOWS\system32\drivers\CHDAud.sys

23:01:27.0671 4064 HdAudAddService - ok

23:01:27.0734 4064 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

23:01:27.0906 4064 HDAudBus - ok

23:01:28.0078 4064 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

23:01:28.0218 4064 HidUsb - ok

23:01:28.0390 4064 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

23:01:28.0578 4064 hpn - ok

23:01:28.0875 4064 HSFHWAZL (89e256c5f5346be265d9f86ac8625d4f) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

23:01:28.0984 4064 HSFHWAZL - ok

23:01:29.0125 4064 HSF_DPV (0e44af3828111d4c3e73c33ac95226d8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

23:01:29.0343 4064 HSF_DPV - ok

23:01:29.0500 4064 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

23:01:29.0625 4064 HTTP - ok

23:01:29.0718 4064 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

23:01:29.0859 4064 i2omgmt - ok

23:01:29.0968 4064 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

23:01:30.0125 4064 i2omp - ok

23:01:30.0250 4064 i8042prt (e8af789ad11f7431c50da241cada07e0) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

23:01:30.0281 4064 i8042prt ( UnsignedFile.Multi.Generic ) - warning

23:01:30.0281 4064 i8042prt - detected UnsignedFile.Multi.Generic (1)

23:01:30.0609 4064 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

23:01:31.0218 4064 ialm - ok

23:01:31.0484 4064 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys

23:01:31.0609 4064 iaStor - ok

23:01:31.0703 4064 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

23:01:31.0828 4064 Imapi - ok

23:01:31.0875 4064 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

23:01:32.0078 4064 ini910u - ok

23:01:32.0296 4064 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

23:01:32.0468 4064 IntelIde - ok

23:01:32.0531 4064 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

23:01:32.0640 4064 intelppm - ok

23:01:32.0671 4064 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

23:01:32.0796 4064 Ip6Fw - ok

23:01:32.0843 4064 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

23:01:33.0015 4064 IpFilterDriver - ok

23:01:33.0078 4064 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

23:01:33.0203 4064 IpInIp - ok

23:01:33.0406 4064 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

23:01:33.0578 4064 IpNat - ok

23:01:33.0609 4064 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

23:01:33.0734 4064 IPSec - ok

23:01:33.0781 4064 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

23:01:33.0906 4064 IRENUM - ok

23:01:33.0953 4064 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

23:01:34.0109 4064 isapnp - ok

23:01:34.0187 4064 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

23:01:34.0343 4064 Kbdclass - ok

23:01:34.0515 4064 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

23:01:34.0640 4064 kbdhid - ok

23:01:34.0671 4064 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

23:01:34.0812 4064 kmixer - ok

23:01:34.0859 4064 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

23:01:35.0031 4064 KSecDD - ok

23:01:35.0046 4064 lbrtfdc - ok

23:01:35.0125 4064 MBAMSwissArmy - ok

23:01:35.0312 4064 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

23:01:35.0328 4064 mdmxsdk - ok

23:01:35.0421 4064 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

23:01:35.0468 4064 MHNDRV ( UnsignedFile.Multi.Generic ) - warning

23:01:35.0468 4064 MHNDRV - detected UnsignedFile.Multi.Generic (1)

23:01:35.0531 4064 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

23:01:35.0687 4064 mnmdd - ok

23:01:35.0796 4064 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

23:01:35.0921 4064 Modem - ok

23:01:36.0000 4064 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

23:01:36.0140 4064 Mouclass - ok

23:01:36.0328 4064 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

23:01:36.0484 4064 mouhid - ok

23:01:36.0531 4064 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

23:01:36.0687 4064 MountMgr - ok

23:01:36.0750 4064 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys

23:01:36.0921 4064 MQAC - ok

23:01:36.0968 4064 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

23:01:37.0109 4064 mraid35x - ok

23:01:37.0140 4064 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

23:01:37.0296 4064 MRxDAV - ok

23:01:37.0375 4064 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

23:01:37.0484 4064 MRxSmb - ok

23:01:37.0687 4064 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

23:01:37.0843 4064 Msfs - ok

23:01:37.0890 4064 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

23:01:38.0000 4064 MSKSSRV - ok

23:01:38.0046 4064 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

23:01:38.0218 4064 MSPCLOCK - ok

23:01:38.0234 4064 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

23:01:38.0375 4064 MSPQM - ok

23:01:38.0453 4064 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

23:01:38.0578 4064 mssmbios - ok

23:01:38.0812 4064 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

23:01:38.0875 4064 Mup - ok

23:01:38.0953 4064 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

23:01:39.0093 4064 NDIS - ok

23:01:39.0140 4064 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

23:01:39.0203 4064 NdisTapi - ok

23:01:39.0234 4064 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

23:01:39.0390 4064 Ndisuio - ok

23:01:39.0593 4064 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

23:01:39.0796 4064 NdisWan - ok

23:01:39.0859 4064 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

23:01:39.0906 4064 NDProxy - ok

23:01:39.0937 4064 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

23:01:40.0062 4064 NetBIOS - ok

23:01:40.0187 4064 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

23:01:40.0375 4064 NetBT - ok

23:01:40.0640 4064 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

23:01:40.0796 4064 NIC1394 - ok

23:01:40.0828 4064 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

23:01:40.0937 4064 Npfs - ok

23:01:41.0000 4064 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

23:01:41.0187 4064 Ntfs - ok

23:01:41.0265 4064 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

23:01:41.0406 4064 Null - ok

23:01:41.0484 4064 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

23:01:41.0640 4064 NwlnkFlt - ok

23:01:41.0687 4064 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

23:01:41.0859 4064 NwlnkFwd - ok

23:01:42.0078 4064 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

23:01:42.0218 4064 ohci1394 - ok

23:01:42.0437 4064 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

23:01:42.0656 4064 Parport - ok

23:01:42.0906 4064 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

23:01:43.0031 4064 PartMgr - ok

23:01:43.0093 4064 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

23:01:43.0265 4064 ParVdm - ok

23:01:43.0281 4064 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

23:01:43.0421 4064 PCI - ok

23:01:43.0453 4064 PCIDump - ok

23:01:43.0468 4064 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

23:01:43.0640 4064 PCIIde - ok

23:01:43.0656 4064 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

23:01:43.0796 4064 Pcmcia - ok

23:01:43.0812 4064 PDCOMP - ok

23:01:43.0828 4064 PDFRAME - ok

23:01:43.0859 4064 PDRELI - ok

23:01:43.0875 4064 PDRFRAME - ok

23:01:43.0921 4064 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

23:01:44.0062 4064 perc2 - ok

23:01:44.0109 4064 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

23:01:44.0281 4064 perc2hib - ok

23:01:44.0531 4064 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

23:01:44.0656 4064 PptpMiniport - ok

23:01:44.0687 4064 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

23:01:44.0859 4064 PSched - ok

23:01:44.0890 4064 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

23:01:45.0062 4064 Ptilink - ok

23:01:45.0093 4064 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

23:01:45.0125 4064 PxHelp20 - ok

23:01:45.0187 4064 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

23:01:45.0390 4064 ql1080 - ok

23:01:45.0562 4064 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

23:01:45.0718 4064 Ql10wnt - ok

23:01:45.0734 4064 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

23:01:45.0875 4064 ql12160 - ok

23:01:45.0906 4064 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

23:01:46.0093 4064 ql1240 - ok

23:01:46.0156 4064 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

23:01:46.0281 4064 ql1280 - ok

23:01:46.0421 4064 QWAVEDRV (2bb1d2baf3493362e5c1949c5f210d5f) C:\WINDOWS\system32\DRIVERS\qwavedrv.sys

23:01:46.0453 4064 QWAVEDRV ( UnsignedFile.Multi.Generic ) - warning

23:01:46.0453 4064 QWAVEDRV - detected UnsignedFile.Multi.Generic (1)

23:01:46.0609 4064 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

23:01:46.0765 4064 RasAcd - ok

23:01:46.0875 4064 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

23:01:47.0000 4064 Rasl2tp - ok

23:01:47.0031 4064 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

23:01:47.0171 4064 RasPppoe - ok

23:01:47.0234 4064 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

23:01:47.0390 4064 Raspti - ok

23:01:47.0421 4064 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

23:01:47.0546 4064 Rdbss - ok

23:01:47.0562 4064 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

23:01:47.0718 4064 RDPCDD - ok

23:01:47.0875 4064 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

23:01:48.0015 4064 rdpdr - ok

23:01:48.0140 4064 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

23:01:48.0296 4064 RDPWD - ok

23:01:48.0390 4064 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

23:01:48.0546 4064 redbook - ok

23:01:48.0734 4064 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys

23:01:48.0812 4064 RMCAST - ok

23:01:48.0937 4064 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

23:01:49.0062 4064 RTL8023xp - ok

23:01:49.0125 4064 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

23:01:49.0218 4064 rtl8139 - ok

23:01:49.0359 4064 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

23:01:49.0375 4064 SASDIFSV - ok

23:01:49.0421 4064 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

23:01:49.0421 4064 SASKUTIL - ok

23:01:49.0671 4064 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys

23:01:49.0750 4064 SCDEmu ( UnsignedFile.Multi.Generic ) - warning

23:01:49.0750 4064 SCDEmu - detected UnsignedFile.Multi.Generic (1)

23:01:49.0828 4064 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

23:01:50.0000 4064 sdbus - ok

23:01:50.0046 4064 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

23:01:50.0218 4064 Secdrv - ok

23:01:50.0453 4064 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

23:01:50.0609 4064 Serial - ok

23:01:50.0656 4064 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

23:01:50.0796 4064 Sfloppy - ok

23:01:50.0812 4064 Simbad - ok

23:01:50.0906 4064 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

23:01:51.0062 4064 sisagp - ok

23:01:51.0125 4064 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

23:01:51.0203 4064 Sparrow - ok

23:01:51.0375 4064 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

23:01:51.0562 4064 splitter - ok

23:01:51.0687 4064 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys

23:01:51.0687 4064 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505

23:01:51.0687 4064 sptd ( LockedFile.Multi.Generic ) - warning

23:01:51.0687 4064 sptd - detected LockedFile.Multi.Generic (1)

23:01:51.0734 4064 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

23:01:51.0890 4064 sr - ok

23:01:51.0937 4064 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

23:01:52.0046 4064 Srv - ok

23:01:52.0234 4064 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

23:01:52.0359 4064 swenum - ok

23:01:52.0453 4064 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

23:01:52.0578 4064 swmidi - ok

23:01:52.0640 4064 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

23:01:52.0796 4064 symc810 - ok

23:01:52.0828 4064 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

23:01:53.0000 4064 symc8xx - ok

23:01:53.0015 4064 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

23:01:53.0187 4064 sym_hi - ok

23:01:53.0218 4064 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

23:01:53.0359 4064 sym_u3 - ok

23:01:53.0437 4064 SynTP (0f332c0ba9b968ebc8cbb906416f8597) C:\WINDOWS\system32\DRIVERS\SynTP.sys

23:01:53.0578 4064 SynTP - ok

23:01:53.0781 4064 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

23:01:53.0937 4064 sysaudio - ok

23:01:54.0031 4064 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

23:01:54.0140 4064 Tcpip - ok

23:01:54.0187 4064 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

23:01:54.0328 4064 TDPIPE - ok

23:01:54.0453 4064 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

23:01:54.0625 4064 TDTCP - ok

23:01:54.0718 4064 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

23:01:54.0890 4064 TermDD - ok

23:01:54.0953 4064 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

23:01:55.0109 4064 TosIde - ok

23:01:55.0218 4064 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

23:01:55.0390 4064 Udfs - ok

23:01:55.0578 4064 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

23:01:55.0640 4064 ultra - ok

23:01:55.0750 4064 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

23:01:55.0953 4064 Update - ok

23:01:56.0046 4064 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINDOWS\system32\Drivers\usbaapl.sys

23:01:56.0093 4064 USBAAPL ( UnsignedFile.Multi.Generic ) - warning

23:01:56.0093 4064 USBAAPL - detected UnsignedFile.Multi.Generic (1)

23:01:56.0359 4064 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

23:01:56.0531 4064 usbccgp - ok

23:01:56.0593 4064 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

23:01:56.0734 4064 usbehci - ok

23:01:56.0796 4064 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

23:01:56.0968 4064 usbhub - ok

23:01:57.0062 4064 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

23:01:57.0218 4064 usbprint - ok

23:01:57.0406 4064 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

23:01:57.0546 4064 usbscan - ok

23:01:57.0640 4064 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

23:01:57.0781 4064 USBSTOR - ok

23:01:57.0843 4064 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

23:01:57.0984 4064 usbuhci - ok

23:01:58.0093 4064 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys

23:01:58.0218 4064 usb_rndisx - ok

23:01:58.0343 4064 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

23:01:58.0468 4064 VgaSave - ok

23:01:58.0546 4064 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

23:01:58.0687 4064 viaagp - ok

23:01:58.0718 4064 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

23:01:58.0875 4064 ViaIde - ok

23:01:58.0937 4064 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

23:01:59.0078 4064 VolSnap - ok

23:01:59.0234 4064 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys

23:01:59.0296 4064 vsdatant - ok

23:01:59.0609 4064 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys

23:01:59.0859 4064 w39n51 - ok

23:01:59.0937 4064 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

23:02:00.0093 4064 Wanarp - ok

23:02:00.0156 4064 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

23:02:00.0218 4064 wceusbsh - ok

23:02:00.0390 4064 WDICA - ok

23:02:00.0437 4064 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

23:02:00.0593 4064 wdmaud - ok

23:02:00.0703 4064 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

23:02:00.0828 4064 winachsf - ok

23:02:01.0078 4064 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

23:02:01.0203 4064 WmiAcpi - ok

23:02:01.0296 4064 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

23:02:01.0375 4064 WudfPf - ok

23:02:01.0421 4064 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

23:02:01.0437 4064 WudfRd - ok

23:02:01.0515 4064 MBR (0x1B8) (5ae5a393505cffd37fe98c4a7922908d) \Device\Harddisk0\DR0

23:02:01.0625 4064 \Device\Harddisk0\DR0 - ok

23:02:01.0625 4064 MBR (0x1B8) (864f38b7b4ac5c2ce40d0c5084fb67bc) \Device\Harddisk1\DR3

23:02:08.0500 4064 \Device\Harddisk1\DR3 - ok

23:02:08.0515 4064 Boot (0x1200) (f850f8c27cfeec5595badd3d4df97501) \Device\Harddisk0\DR0\Partition0

23:02:08.0515 4064 \Device\Harddisk0\DR0\Partition0 - ok

23:02:08.0546 4064 Boot (0x1200) (74ba6ba6ed7e4e803c3486ed56170ea4) \Device\Harddisk0\DR0\Partition1

23:02:08.0546 4064 \Device\Harddisk0\DR0\Partition1 - ok

23:02:08.0546 4064 ============================================================

23:02:08.0546 4064 Scan finished

23:02:08.0546 4064 ============================================================

23:02:08.0671 1520 Detected object count: 8

23:02:08.0671 1520 Actual detected object count: 8

23:02:19.0546 1520 Aspi32 ( UnsignedFile.Multi.Generic ) - skipped by user

23:02:19.0546 1520 Aspi32 ( UnsignedFile.Multi.Generic ) - User select action: Skip

23:02:19.0546 1520 cpuz132 ( UnsignedFile.Multi.Generic ) - skipped by user

23:02:19.0546 1520 cpuz132 ( UnsignedFile.Multi.Generic ) - User select action: Skip

23:02:19.0546 1520 i8042prt ( UnsignedFile.Multi.Generic ) - skipped by user

23:02:19.0546 1520 i8042prt ( UnsignedFile.Multi.Generic ) - User select action: Skip

23:02:19.0546 1520 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user

23:02:19.0546 1520 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip

23:02:19.0562 1520 QWAVEDRV ( UnsignedFile.Multi.Generic ) - skipped by user

23:02:19.0562 1520 QWAVEDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip

23:02:19.0562 1520 SCDEmu ( UnsignedFile.Multi.Generic ) - skipped by user

23:02:19.0562 1520 SCDEmu ( UnsignedFile.Multi.Generic ) - User select action: Skip

23:02:19.0562 1520 sptd ( LockedFile.Multi.Generic ) - skipped by user

23:02:19.0562 1520 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

23:02:19.0562 1520 USBAAPL ( UnsignedFile.Multi.Generic ) - skipped by user

23:02:19.0562 1520 USBAAPL ( UnsignedFile.Multi.Generic ) - User select action: Skip


And this is the DDS log file

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_19

Run by Owner at 23:04:06 on 2011-12-11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.165 [GMT -5:00]

.

FW: ZoneAlarm Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\ehome\RMSvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=presario&pf=laptop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

{7febefe3-6b19-4349-98d2-ffb09d4b49ca}

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [hpWirelessAssistant] "c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe"

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup

mRun: [synTPStart] "c:\program files\synaptics\syntp\SynTPStart.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {BEED0B2B-3EBC-BFCF-C0FD-FBF9FCBFC6FE} - c:\documents and settings\owner\application data\sys\test.exe

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\gwnvkwhh.default\

FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-4 532224]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-7-16 12672]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-3-15 14336]

.

=============== Created Last 30 ================

.

2011-12-10 03:48:01 356864 ----a-w- c:\documents and settings\owner\local settings\application data\twi.exe

2011-11-29 01:50:36 518144 ----a-w- c:\windows\SWREG.exe

2011-11-29 01:50:36 256000 ----a-w- c:\windows\PEV.exe

2011-11-29 01:50:36 208896 ----a-w- c:\windows\MBR.exe

2011-11-29 01:50:35 98816 ----a-w- c:\windows\sed.exe

2011-11-29 01:48:58 -------- d-s---w- C:\ComboFix

2011-11-28 01:01:20 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com

2011-11-28 01:00:41 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-11-27 23:47:03 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-27 23:47:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2011-11-16 17:39:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 23:05:23.04 ===============


:welcome:

We look for posts with 0 replies, so when you replied to your own topic, we assumed you were being helped.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


If all the computers are sharing a router or network, remove the rest of the computers or you're wasting your time while trying to clean this one.

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Note: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


ComboFix log

ComboFix 11-12-16.03 - Owner 12/16/2011 15:42:43.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.247 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner\Application Data\sys

c:\documents and settings\Owner\Local Settings\Application Data\twi.exe

c:\documents and settings\Owner\WINDOWS

c:\windows\$NtUninstallKB62280$\2413785156

c:\windows\$NtUninstallKB62280$\485945278\@

c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp

c:\windows\$NtUninstallKB62280$\485945278\cfg.ini

c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini

c:\windows\$NtUninstallKB62280$\485945278\keywords

c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll

c:\windows\$NtUninstallKB62280$\485945278\L\trbssmgb

c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver

c:\windows\$NtUninstallKB62280$\485945278\U\00000001.$

c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@

c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@

c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@

c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@

c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@

c:\windows\$NtUninstallKB62280$\485945278\U\80000032.$

c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@

c:\windows\CSC\d6

c:\windows\kb913800.exe

D:\Autorun.inf

c:\windows\$NtUninstallKB62280$ . . . . Failed to delete

.

.

((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))

.

.

2011-12-16 20:02 . 2011-12-16 20:02 -------- d-----w- c:\windows\Internet Logs

2011-12-12 03:14 . 2011-12-12 03:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-12-10 05:51 . 2011-12-10 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2011-12-10 04:49 . 2011-12-10 04:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-28 01:01 . 2011-11-28 01:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2011-11-28 01:00 . 2011-11-28 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-11-27 23:47 . 2011-11-27 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-27 23:47 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-16 17:39 . 2011-05-20 20:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2006-03-16 04:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2006-03-16 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2006-03-16 04:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-11-27 23:12 . 2011-09-10 00:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-04-01 02:47 . 2009-01-02 07:16 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-02-09 11:27 . 2006-07-13 22:02 40960 c:\program files\Hewlett-Packard\Default Settings\bak\cpqset.exe

.

2007-05-08 20:24 . 2007-05-08 20:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

.

2006-09-12 05:14 . 2006-06-23 21:43 102400 c:\program files\HP\QuickPlay\bak\QPService.exe

.

2006-10-30 17:36 . 2006-10-30 17:36 256576 c:\program files\iTunes\bak\iTunesHelper.exe

2011-04-27 05:22 . 2011-04-27 05:22 421160 c:\program files\iTunes\iTunesHelper.exe

.

2006-10-26 02:58 . 2006-10-26 02:58 282624 c:\program files\QuickTime\bak\qttask.exe

2010-11-29 21:38 . 2010-11-29 21:38 421888 c:\program files\QuickTime\QTTask.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk

backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Styler.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Styler.lnk

backup=c:\windows\pss\Styler.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

c:\program files\Hewlett-Packard\Default Settings\cpqset.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]

2009-12-18 10:24 427328 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

c:\progra~1\MICROS~2\wcescomm.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2006-06-02 15:02 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2008-02-15 17:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2008-02-15 17:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2008-02-15 17:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-08-11 23:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-08-11 23:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]

2008-04-14 00:11 177152 ----a-w- c:\windows\system32\mqrt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

2005-09-18 23:40 1421824 ----a-w- c:\program files\PeerGuardian2\pg2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]

2005-10-11 17:23 1187840 ------w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

c:\program files\Steam\Steam.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2011-11-07 18:04 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2007-09-15 06:27 1015808 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2011-06-20 02:05 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Owner\\My Documents\\My Music\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2010 9:13 PM 691696]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/15/2006 11:00 PM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

getPlusHelper REG_MULTI_SZ getPlusHelper

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BEED0B2B-3EBC-BFCF-C0FD-FBF9FCBFC6FE}]

c:\documents and settings\Owner\Application Data\sys\test.exe [N/A]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gwnvkwhh.default\

FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

FF - prefs.js: network.proxy.type - 4

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-InstallShield_{0824EE6D-137F-4B83-9628-8E7B000BEBA6} - c:\program files\InstallShield Installation Information\{0824EE6D-137F-4B83-9628-8E7B000BEBA6}\_is2008.psi

AddRemove-IconTweaker - c:\program files\IconTweaker\Uninstall.exe

AddRemove-Xbox 360 Tools - c:\documents and settings\Owner\My Documents\Xbox 360 Tools\Uninstal.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-16 15:57

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4088283669-2300671411-1786845415-1005\Software\TF6\U*b*e*r*L*i*g*h*t*m*a*p*T*o*o*l*"!\Layout]

"Height"=dword:000001b9

"Width"=dword:00000250

"X"=dword:00000000

"Y"=dword:00000000

.

[HKEY_USERS\S-1-5-21-4088283669-2300671411-1786845415-1005\Software\TF6\U*b*e*r*L*i*g*h*t*m*a*p*T*o*o*l*"!\Settings]

"MapDirectory"="c:\\Documents and Settings\\Owner\\My Documents\\My Music\\modded!!!\\modded maps\\4D53006400000001\\"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(952)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

- - - - - - - > 'explorer.exe'(3468)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\ehome\RMSvc.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\ehome\McrdSvc.exe

c:\windows\system32\mqsvc.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2011-12-16 16:04:15 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-16 21:04

.

Pre-Run: 29,231,423,488 bytes free

Post-Run: 29,674,029,056 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 5F51345F6D09B9F4C69D51FC1E5D57A9


ZeroAccess/Max++ rootkit remover to remove ZeroAccess (Sirefef/MAX++) rootkit.

http://deletemalware.blogspot.com/2011/09/zeroaccesssirefefmax-rootkit-removal.html

1. Download the ZeroAccess/Max++ rootkit remover: http://anywhere.webrootcloudav.com/antizeroaccess.exe

2. Double-click on antizeroaccess icon to run it. It will ask you to verify that you want to perform a System scan. Type Y and press Enter.


Once finished, press Enter or any key to continue.

3. If your computer is infected with Zero Access rootkit, you'll see the following warning: Your system is infected!!


Infected file: mrxsmb.sys. In your case it might be different. Type Y and press Enter to perform system cleanup.

You should now see the notification that ZeroAccess rootkit has been successfully removed from the system. Press any key to exit the utility and restart your computer.


4. Run ZeroAccess/Max++ rootkit remover once again to confirm that ZeroAccess/Sirefef/MAX++ rootkit was successfully removed from your computer.


5. Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Webroot AntiZeroAccess 0.8 Log File

Execution time: 16/12/2011 - 18:24

Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3

18:24:36 - CheckSystem - Begin to check system...

18:24:36 - OpenRootDrive - Opening system root volume and physical drive....

18:24:36 - C Root Drive: Disk number: 0 Start sector: 0x0000003F Partition Size: 0x080A9F0F sectors.

18:24:36 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".

18:24:36 - InstallAndStartDriver - Main driver was installed and now is running.

18:24:36 - CheckSystem - Disk class driver state is OK.

18:24:40 - CheckFile - Unable to read "sptd.sys" file. CreateFile last eror: 0x00000020.

18:24:42 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.

18:24:42 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!

18:24:42 - Execution Ended!

It gave me an error and it didn't find anything. After I ran it, the internal keyboard and mouse still don't work.


As to your first question, I do not have the Windows OS/install disk, as it was purchased through HP and they don't come with one unless you opt for it.

Here is the log.

Note: the internet is unplugged from the infected PC.

Farbar Service Scanner

Ran by Owner (administrator) on 16-12-2011 at 19:30:04

Microsoft Windows XP Professional Service Pack 3 (X86)

********************************************************

Service Check:

==============

File Check:

===========

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:

==================

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error: Google IP is unreachable

Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****


New ComboFix log.

Note: the built-in keyboard and mouse still don't work on the infected laptop.

ComboFix 11-12-16.03 - Owner 12/16/2011 20:04:25.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.218 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 )))))))))))))))))))))))))))))))

.

.

2011-12-16 20:02 . 2011-12-16 20:02 -------- d-----w- c:\windows\Internet Logs

2011-12-12 03:14 . 2011-12-12 03:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-12-10 05:51 . 2011-12-10 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2011-12-10 04:49 . 2011-12-10 04:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-28 01:01 . 2011-11-28 01:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2011-11-28 01:00 . 2011-11-28 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-11-27 23:47 . 2011-11-27 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-27 23:47 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-16 17:39 . 2011-05-20 20:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2006-03-16 04:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2006-03-16 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2006-03-16 04:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-11-27 23:12 . 2011-09-10 00:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-04-01 02:47 . 2009-01-02 07:16 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-12-16_20.57.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-12-16 23:20 . 2011-12-16 23:20 16384 c:\windows\temp\Perflib_Perfdata_7d8.dat

+ 2011-12-16 23:20 . 2011-12-16 23:20 16384 c:\windows\temp\Perflib_Perfdata_6b4.dat

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-02-09 11:27 . 2006-07-13 22:02 40960 c:\program files\Hewlett-Packard\Default Settings\bak\cpqset.exe

.

2007-05-08 20:24 . 2007-05-08 20:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

.

2006-09-12 05:14 . 2006-06-23 21:43 102400 c:\program files\HP\QuickPlay\bak\QPService.exe

.

2006-10-30 17:36 . 2006-10-30 17:36 256576 c:\program files\iTunes\bak\iTunesHelper.exe

2011-04-27 05:22 . 2011-04-27 05:22 421160 c:\program files\iTunes\iTunesHelper.exe

.

2006-10-26 02:58 . 2006-10-26 02:58 282624 c:\program files\QuickTime\bak\qttask.exe

2010-11-29 21:38 . 2010-11-29 21:38 421888 c:\program files\QuickTime\QTTask.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk

backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Styler.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Styler.lnk

backup=c:\windows\pss\Styler.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

c:\program files\Hewlett-Packard\Default Settings\cpqset.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]

2009-12-18 10:24 427328 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

c:\progra~1\MICROS~2\wcescomm.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2006-06-02 15:02 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2008-02-15 17:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2008-02-15 17:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2008-02-15 17:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-08-11 23:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-08-11 23:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]

2008-04-14 00:11 177152 ----a-w- c:\windows\system32\mqrt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

2005-09-18 23:40 1421824 ----a-w- c:\program files\PeerGuardian2\pg2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]

2005-10-11 17:23 1187840 ------w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

c:\program files\Steam\Steam.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2011-11-07 18:04 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2007-09-15 06:27 1015808 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2011-06-20 02:05 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Owner\\My Documents\\My Music\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2010 9:13 PM 691696]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/15/2006 11:00 PM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

getPlusHelper REG_MULTI_SZ getPlusHelper

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BEED0B2B-3EBC-BFCF-C0FD-FBF9FCBFC6FE}]

c:\documents and settings\Owner\Application Data\sys\test.exe [N/A]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gwnvkwhh.default\

FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

FF - prefs.js: network.proxy.type - 4

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-16 20:13

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4088283669-2300671411-1786845415-1005\Software\TF6\U*b*e*r*L*i*g*h*t*m*a*p*T*o*o*l*"!\Layout]

"Height"=dword:000001b9

"Width"=dword:00000250

"X"=dword:00000000

"Y"=dword:00000000

.

[HKEY_USERS\S-1-5-21-4088283669-2300671411-1786845415-1005\Software\TF6\U*b*e*r*L*i*g*h*t*m*a*p*T*o*o*l*"!\Settings]

"MapDirectory"="c:\\Documents and Settings\\Owner\\My Documents\\My Music\\modded!!!\\modded maps\\4D53006400000001\\"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(944)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

- - - - - - - > 'explorer.exe'(1976)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-12-16 20:16:39

ComboFix-quarantined-files.txt 2011-12-17 01:16

ComboFix2.txt 2011-12-16 21:04

.

Pre-Run: 29,985,513,472 bytes free

Post-Run: 29,966,598,144 bytes free

.

- - End Of File - - E5A51C259FEDEA39F0CFF83637B27549


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\documents and settings\Owner\Application Data\sys\test.exe

AWF::
c:\program files\Hewlett-Packard\Default Settings\bak\cpqset.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\QuickTime\bak\qttask.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"=-
"3776:UDP"=-
"3390:TCP"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BEED0B2B-3EBC-BFCF-C0FD-FBF9FCBFC6FE}]

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

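The CFScript above targets four kinds of entries that show up in the "Reg Loading Points" part of a ComboFix log: Security Center override values, globally open firewall ports, an Active Setup "Installed Components" entry whose payload sits under a user profile, and startup items whose file is missing. As an added example (not part of this thread, and not a ComboFix, Malwarebytes or Webroot tool), the Python script below parses that section layout and flags the same patterns, so a helper can triage a pasted log before writing a script. The sample log embedded in it is constructed to mirror the format; the GUID and the `example.exe` path are placeholders, not values from any real machine.

```python
"""Triage helper for the 'Reg Loading Points' part of a ComboFix log.

Added example: parses the bracketed registry sections and flags the
patterns a malware-removal helper checks first. It is not a ComboFix,
Malwarebytes or Webroot tool, and the sample log below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the ComboFix log layout. The GUID and example.exe
# are placeholders, not values taken from any real machine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00000000-0000-0000-0000-000000000000}]
c:\documents and settings\Owner\Application Data\sys\example.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\Steam\Steam.exe [N/A]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# A bare path line: "c:\...\file.exe [tag]" where tag is a date+size or N/A.
PATH_RE = re.compile(r"^(?P<path>[a-z]:\\.*?)\s+\[(?P<tag>[^\]]*)\]$", re.IGNORECASE)
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    key: str        # registry key the line came from
    detail: str


def parse_sections(text):
    """Split ComboFix registry output into an ordered list of (key, lines)."""
    sections = []
    lines = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # ComboFix uses a lone '.' as a separator
            continue
        m = SECTION_RE.match(line)
        if m:
            lines = []
            sections.append((m.group("key"), lines))
        elif lines is not None:
            lines.append(line)
    return sections


def triage(text):
    """Return the Findings a reviewer would want to look at first."""
    findings = []
    for key, lines in parse_sections(text):
        lkey = key.lower()
        if "\\security center" in lkey:
            # Override/DisableMonitoring = 1 silences Security Center warnings
            # about a disabled AV or firewall.
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("data").strip().lower().endswith(":00000001"):
                    findings.append(Finding("high", key, f"{m.group('name')} is set to 1"))
        elif "globallyopenports" in lkey:
            # Every globally open port is exposure; list them for review.
            for line in lines:
                m = VALUE_RE.match(line)
                if m:
                    findings.append(Finding("medium", key, f"open port {m.group('name')}: {m.group('data').strip()}"))
        elif "\\active setup\\installed components" in lkey:
            # Active Setup runs its payload once per user at logon; a payload
            # under a user profile rather than Program Files is suspect.
            for line in lines:
                m = PATH_RE.match(line)
                if m and any(mark in m.group("path").lower() for mark in USER_PROFILE_MARKERS):
                    findings.append(Finding("high", key, f"Active Setup payload in user profile: {m.group('path')}"))
        elif "\\msconfig\\startupreg\\" in lkey:
            # A disabled startup item whose file is gone: stale, or a payload
            # already deleted; either way it is leftover clutter.
            for line in lines:
                m = PATH_RE.match(line)
                if m and m.group("tag") == "N/A":
                    findings.append(Finding("low", key, f"missing autostart target: {m.group('path')}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 1, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}  ({f.key})")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a real log by replacing `SAMPLE_LOG` with the pasted text; the parser skips the lone `.` separator lines ComboFix emits and only looks at bracketed registry sections, so the file listings elsewhere in the log are ignored.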

Here's the new log. As for how the computer runs, the built-in keyboard and mouse still do not work.

ComboFix 11-12-16.03 - Owner 12/16/2011 21:36:11.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.232 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

.

FILE ::

"c:\documents and settings\Owner\Application Data\sys\test.exe"

.

.

((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 )))))))))))))))))))))))))))))))

.

.

2011-12-16 20:02 . 2011-12-16 20:02 -------- d-----w- c:\windows\Internet Logs

2011-12-12 03:14 . 2011-12-12 03:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-12-10 05:51 . 2011-12-10 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2011-12-10 04:49 . 2011-12-10 04:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-28 01:01 . 2011-11-28 01:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2011-11-28 01:00 . 2011-11-28 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-11-27 23:47 . 2011-11-27 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-27 23:47 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-16 17:39 . 2011-05-20 20:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2006-03-16 04:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2006-03-16 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2006-03-16 04:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-11-27 23:12 . 2011-09-10 00:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-04-01 02:47 . 2009-01-02 07:16 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-12-16_20.57.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-12-17 02:45 . 2011-12-17 02:45 16384 c:\windows\temp\Perflib_Perfdata_7a0.dat

+ 2011-12-17 02:45 . 2011-12-17 02:45 16384 c:\windows\temp\Perflib_Perfdata_600.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-07 4617600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2006-10-26 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk

backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Styler.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Styler.lnk

backup=c:\windows\pss\Styler.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]

2006-07-13 22:02 40960 ----a-w- c:\program files\Hewlett-Packard\Default Settings\cpqset.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]

2009-12-18 10:24 427328 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2006-06-02 15:02 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2008-02-15 17:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2008-02-15 17:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2008-02-15 17:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-08-11 23:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-08-11 23:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]

2008-04-14 00:11 177152 ----a-w- c:\windows\system32\mqrt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

2005-09-18 23:40 1421824 ----a-w- c:\program files\PeerGuardian2\pg2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]

2005-10-11 17:23 1187840 ------w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2011-11-07 18:04 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2007-09-15 06:27 1015808 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2011-06-20 02:05 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Documents and Settings\\Owner\\My Documents\\My Music\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2010 9:13 PM 691696]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/15/2006 11:00 PM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

getPlusHelper REG_MULTI_SZ getPlusHelper

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gwnvkwhh.default\

FF - prefs.js: browser.startup.homepage - hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop

FF - prefs.js: network.proxy.type - 4

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-PC Connection Agent - c:\progra~1\MICROS~2\wcescomm.exe

MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe

MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-16 21:46

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4088283669-2300671411-1786845415-1005\Software\TF6\U*b*e*r*L*i*g*h*t*m*a*p*T*o*o*l*"!\Layout]

"Height"=dword:000001b9

"Width"=dword:00000250

"X"=dword:00000000

"Y"=dword:00000000

.

[HKEY_USERS\S-1-5-21-4088283669-2300671411-1786845415-1005\Software\TF6\U*b*e*r*L*i*g*h*t*m*a*p*T*o*o*l*"!\Settings]

"MapDirectory"="c:\\Documents and Settings\\Owner\\My Documents\\My Music\\modded!!!\\modded maps\\4D53006400000001\\"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(952)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

- - - - - - - > 'explorer.exe'(2476)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\ehome\RMSvc.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\ehome\McrdSvc.exe

c:\windows\system32\mqsvc.exe

c:\windows\system32\mqtgsvc.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2011-12-16 21:51:45 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-17 02:51

ComboFix2.txt 2011-12-17 01:16

ComboFix3.txt 2011-12-16 21:04

.

Pre-Run: 29,980,958,720 bytes free

Post-Run: 29,961,355,264 bytes free

.

- - End Of File - - FB72B16FC1A4345077EC0B8EDF11CC3D

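Added here as an example, not code from the thread, ComboFix or Malwarebytes: a small Python triage helper that reads the registry section of a ComboFix log like the one above and pulls out the Security Center override / DisableMonitoring values and the firewall-authorized application list, the lines a reviewer checks before declaring a log clean. The embedded log excerpt is constructed from the lines posted above, and the weak-setting names it flags are review items (third-party suites legitimately set some of them), not verdicts.

```python
import re

# Constructed excerpt modelled on the ComboFix output posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

# Non-zero values here tell Security Center or the XP firewall to stop monitoring
# or alerting; legitimate suites set some of them, so each is a review item, not a verdict.
WEAK_FLAGS = {"AntiVirusOverride", "FirewallOverride",
              "DisableMonitoring", "DisableNotifications"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_value(raw):
    """Integer of a 'dword:XXXXXXXX' or '1 (0x1)' value; None for strings/empty."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"\d+", raw)
    return int(m.group(0)) if m else None


def triage(log_text):
    """Walk the registry lines of a ComboFix log and collect weak Security Center /
    firewall settings plus every firewall-authorized application path."""
    findings = {"overrides": [], "firewall_allowed": []}
    key = None
    for line in log_text.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            key = km.group(1)  # remember which registry key the next values belong to
            continue
        vm = VALUE_RE.match(line.strip())
        if not vm or key is None:
            continue
        name, raw = vm.groups()
        if key.endswith(r"\AuthorizedApplications\List"):
            findings["firewall_allowed"].append(name.replace("\\\\", "\\"))
        elif name in WEAK_FLAGS and parse_value(raw):
            findings["overrides"].append((key, name, parse_value(raw)))
    return findings
```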

I don't see any infections left.

For the mouse / keypad, I suggest going to the manufacturer's support / driver download page and see if they have a driver for it.

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START > Run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

For Vista / Windows 7

  • Click START > Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • Use a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA - Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


Wow, thank you for suggesting the Windows Update site; I had 6 high-priority security updates. The driver update fixed the keyboard and mouse. I re-downloaded Zone Alarm, Avira, and got the browser plugin. You have been a great help, thank you very much. I know I just got a "get out of jail free" card; however, my custom gaming desktop is still infected with the same virus. After reading online about the TDSS backdoors I was directed to Hitman Pro, which was a terrible decision: it found the virus, but during the removal process I was asked to restart the PC to complete the removal, and upon rebooting the PC blue-screened. I have since then been able to boot it properly. Could you assist in the disinfection of that PC as well?

Switchblade
