oashdihasidhasuidhiasdhiashdiuasdhasd and AGPro Infections

SpeedHokie · February 24, 2010

Hi.

I hope I am in the correct place; I followed the "I'm infected" link of another part of this site. I am having a problem with the constant returning of these items;

1) C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd ...a 1k file

2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32

3) AGPro

I removed the actual Regedit trojan program (c:\windows\system32\regedit.exe) being called by the run command. The registry entry continues to return but it is referencing a program that does not exist any longer and has not returned (after my one delete). mbam will remove these 2 items and that prevents the repeated attempt to add the registry key (#2 above) and removes oashdihasidhasuidhiasdhiashdiuasdhasd ...until the next reboot. Additionally, my CD drive has disappeared from Windows Explorer and multiple instances of svchost.exe keep crashing and wreaking havoc with routine functions. I assume that this is the residual effects of the remaining items.

In the interest of full disclosure, this is a work laptop and I've just returned from working 4.5 weeks overseas where the offices' firewalls were less than stellar. I quickly picked up viruses, and running rkill/MBAM and ComboFix eventually became a daily necessity in order to have a semi-functioning laptop.

I am running Windows XP Pro with all the latest updates from Microsoft that had been pushed out by my work prior to my departure (other than IE8) on a Dell d630 laptop. I made sure mbam have up-to-date definition files. I'm running Norton Anti-Virus, though that started malfunctioning after one round of viruses as well.

Per the instructions of the general post, I am pasting the MBAM log and DDS log and attaching a WinZip with the GMER, Attach, and ComboFix logs. MBAM picks up the infected values; ComboFix does not. If I allow mbam to clean it; I think the initial reboot is clean and mbam finds nothing, but a subsequent reboot will have them back, identical to the previous infection.

Thank you for whatever time, effort and help you can provide. ---Arin Speed

--------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.44

Database version: 3774

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

02/23/2010 4:40:25 PM

mbam-log-2010-02-23 (16-40-05).txt

Scan type: Quick Scan

Objects scanned: 162639

Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\aspeed\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.

============================================================

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK

Run by aspeed at 4:38:16.38 on 02/24/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3099 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Symantec AntiVirus\Smc.exe

c:\windows\system32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Documents and Settings\aspeed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.msh.org/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [syncMan] c:\documents and settings\aspeed\SyncMan.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe

mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [secureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [syncMan] c:\windows\system32\SyncMan.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\tcjnwkjfk .exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powerg~1.lnk - c:\program files\concepts data systems\power ge'ez 2005\pg2005.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\windows\system32\biolsp.dll

Trusted Zone: msh.org\ctt

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152710934850

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://eroom.msh.org/eRoomSetup/client.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182874779218

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aspeed\applic~1\mozilla\firefox\profiles\6iwleti0.default\

FF - prefs.js: browser.startup.homepage - www.google.com/ig

FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\aspeed\application data\mozilla\firefox\profiles\6iwleti0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npeRoom7.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-16 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-16 108392]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2008-4-16 2189240]

S0 ktmsixpn;ktmsixpn;c:\windows\system32\drivers\pakc.sys --> c:\windows\system32\drivers\pakc.sys [?]

S1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2006-10-9 21744]

S2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2007-2-9 22952]

S2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2007-2-9 161320]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]

S2 iPCAgent;iPCAgent;c:\program files\ipass\ipassconnect cgnet travel access\iPCAgent.exe [2006-7-12 90112]

S2 RadeSvc;Citrix Streaming Service;c:\program files\citrix\streaming client\RadeSvc.exe [2007-2-9 241664]

S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-4 5120]

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-12 102448]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\googledesktop.exe [2008-10-8 30192]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100223.004\NAVENG.SYS [2010-2-23 84912]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100223.004\NAVEX15.SYS [2010-2-23 1324720]

S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-02-24 09:37:07 0 ----a-w- c:\documents and settings\aspeed\defogger_reenable

2010-02-24 08:43:28 0 d-----w- c:\program files\Trend Micro

2010-02-24 04:16:34 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-20 23:01:11 98816 ----a-w- c:\windows\sed.exe

2010-02-20 23:01:11 77312 ----a-w- c:\windows\MBR.exe

2010-02-20 23:01:11 261632 ----a-w- c:\windows\PEV.exe

2010-02-20 23:01:11 161792 ----a-w- c:\windows\SWREG.exe

2010-02-18 09:02:13 0 d-----w- C:\Autoruns

2010-02-17 10:33:14 6895599 ----a-w- C:\Quantimed_FRENCH_FINAL_9.28.07.zip

2010-02-15 17:24:13 19456 ----a-w- C:\Major and minor changes to the ADT.xls

2010-02-15 10:07:58 73728 ----a-w- c:\windows\system32\MouseWheelDVPNoReg.dll

2010-02-15 10:07:58 114688 ----a-w- c:\windows\system32\SNAPVIEW.OCX

2010-02-15 10:07:41 0 d-----w- c:\program files\SIGVIH

2010-02-10 16:29:30 0 d-----w- C:\Sample Data

2010-02-08 09:33:39 47616 ----a-w- C:\EDT Implementation Readiness Checklist and Assessment FINAL.doc

2010-02-05 14:23:28 0 d-----w- C:\EDT

2010-02-03 07:46:27 0 d-----w- C:\EDTBackup

2010-02-02 17:26:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-02 17:26:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-02 17:26:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-02 15:45:03 0 d-----w- c:\program files\Restoration

2010-02-02 09:26:02 0 d-----r- C:\GraviTy

2010-02-02 08:23:22 147968 ----a-w- c:\windows\7z.exe

2010-02-02 08:23:22 122880 ----a-w- c:\windows\system32\blat.dll

2010-01-26 14:34:15 126979 ----a-w- c:\windows\system32\nepalicalendar.ocx

2010-01-26 06:55:18 168 ----a-w- c:\windows\system32\VAT.SDC

2010-01-26 06:55:18 0 ----a-w- c:\windows\widsne.dll

2010-01-26 06:55:18 0 ----a-w- c:\windows\osdatt.ttf

2010-01-26 06:54:58 81920 ----a-w- c:\windows\system32\Flash_Button.ocx

2010-01-26 06:54:58 294912 ----a-w- c:\windows\system32\SkinControl.ocx

2010-01-26 06:54:58 135168 ----a-w- c:\windows\system32\Calendar.ocx

2010-01-26 06:54:57 0 d-----w- c:\program files\Concepts Data Systems

2010-01-26 06:54:43 0 d-----w- C:\POWER GEEZ 2005

2010-01-25 12:50:53 81987 ----a-w- c:\windows\system32\AUCPLMNT.DLL

==================== Find3M ====================

2010-02-19 08:18:17 13072 ----a-w- c:\windows\system32\nvModes.dat

2010-02-18 08:26:43 182912 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-02-10 17:15:05 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll

2008-10-07 16:38:18 153088 ----a-w- c:\program files\screen shot.doc

============= FINISH: 4:38:42.05 ===============

ARK_and_Attach_and_CF.zip

Elise · February 24, 2010

Hello , and welcome to Malwarebytes forums!

P2P WARNING

-------------------

Going over your logs I noticed that you have BitTorrent installed.

[*] Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

[*]They are a security risk which can make your computer susceptible to a sm

SpeedHokie · February 26, 2010

Hi:

Thank you very much for your help - sorry for the delay in replying.

1. I am able to access the internet, but I have to run my computer in safe mode and I have to run MBAM first in safe mode. This catches the AGPro infection in the registry. If I run my computer in normal mode, it's MBAM catches the previous three infections, and it's almost impossible to access the network, as something dominates the network signal.

2. I've removed the BitTorrent application.

3. I ran ComboFix in Safe Mode. The log is below.

Thanks again.

-Arin Speed

----------------------------------------------------------------------------------------------------------------

ComboFix 10-02-25.02 - aspeed 02/26/2010 10:59:37.15.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3222 [GMT -5:00]

Running from: c:\documents and settings\aspeed\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

-- Previous Run --

c:\windows\system32\drivers\cdrom.sys . . . is missing!!

--------

c:\windows\system32\drivers\cdrom.sys . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))

.

2010-02-24 08:43 . 2010-02-24 08:43 -------- d-----w- c:\program files\Trend Micro

2010-02-24 04:16 . 2010-02-24 04:16 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-18 09:02 . 2010-02-18 09:02 -------- d-----w- C:\Autoruns

2010-02-17 10:33 . 2007-10-18 11:05 6895599 ----a-w- C:\Quantimed_FRENCH_FINAL_9.28.07.zip

2010-02-15 10:25 . 2010-02-15 10:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-02-15 10:07 . 2006-09-11 23:06 73728 ----a-w- c:\windows\system32\MouseWheelDVPNoReg.dll

2010-02-15 10:07 . 2010-02-22 10:04 -------- d-----w- c:\program files\SIGVIH

2010-02-11 08:55 . 2010-02-11 08:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-02-10 16:29 . 2010-02-10 16:29 -------- d-----w- C:\Sample Data

2010-02-05 14:23 . 2010-02-21 23:46 -------- d-----w- C:\EDT

2010-02-03 07:46 . 2010-02-03 07:46 -------- d-----w- C:\EDTBackup

2010-02-02 17:26 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-02 17:26 . 2010-02-18 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-02 17:26 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-02 15:45 . 2010-02-02 15:45 -------- d-----w- c:\program files\Restoration

2010-02-02 09:26 . 2010-02-02 09:26 -------- d-----r- C:\GraviTy

2010-02-02 08:23 . 2007-12-06 08:32 147968 ----a-w- c:\windows\7z.exe

2010-02-02 08:23 . 2007-02-25 17:06 122880 ----a-w- c:\windows\system32\blat.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-23 21:27 . 2008-10-08 21:23 -------- d-----w- c:\documents and settings\aspeed\Application Data\DNA

2010-02-23 05:41 . 2008-10-08 16:10 -------- d-----w- c:\documents and settings\aspeed\Application Data\Wave Systems Corp

2010-02-21 22:16 . 2008-10-08 16:10 -------- d-----w- c:\documents and settings\aspeed\Application Data\Skype

2010-02-21 22:14 . 2008-10-08 20:20 -------- d-----w- c:\documents and settings\aspeed\Application Data\skypePM

2010-02-19 08:18 . 2007-07-31 17:36 13072 ----a-w- c:\windows\system32\nvModes.dat

2010-02-18 14:24 . 2008-10-08 19:38 -------- d-----w- c:\program files\Winamp

2010-02-18 14:23 . 2007-07-31 17:11 -------- d-----w- c:\program files\Wave Systems Corp

2010-02-18 14:22 . 2009-10-23 05:32 -------- d-----w- c:\program files\iTunes

2010-02-18 14:13 . 2009-10-23 05:30 -------- d-----w- c:\program files\QuickTime

2010-02-18 14:10 . 2007-07-31 17:08 -------- d-----w- c:\program files\Apoint

2010-02-18 13:11 . 2006-07-12 16:35 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-18 08:26 . 2004-08-04 12:00 212736 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-02-15 11:39 . 2007-07-31 17:40 68848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-15 10:10 . 2008-04-07 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-15 10:08 . 2006-07-12 17:11 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-11 08:55 . 2008-07-16 22:36 -------- d-----w- c:\program files\Google

2010-02-10 17:15 . 2008-10-17 18:00 -------- d-----w- c:\program files\Replay Music 3

2010-02-10 17:15 . 2008-10-17 18:00 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

2010-01-26 06:54 . 2010-01-26 06:54 -------- d-----w- c:\program files\Concepts Data Systems

2010-01-26 06:54 . 2006-07-12 18:19 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-22 03:53 . 2008-10-08 19:16 -------- d-----w- c:\program files\7-Zip

2010-01-13 04:10 . 2010-01-13 04:10 -------- d-----w- c:\documents and settings\aspeed\Application Data\Malwarebytes

2010-01-13 04:06 . 2010-01-13 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-11 05:50 . 2009-04-04 19:49 3309072 ----a-w- c:\documents and settings\aspeed\Application Data\YouSendIt\Downloads\YouSendIt_Express.exe

2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll

2008-10-07 16:38 . 2008-10-07 16:38 153088 ----a-w- c:\program files\screen shot.doc

2009-12-17 13:51 . 2008-10-08 20:47 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

<pre>
c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Malwarebytes' Anti-Malware\tcjnwkjfk .exe
</pre>

------- Sigcheck -------

[-] 2010-02-18 . 30757ACD6B3BFE4335E73460FBA14DE1 . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys

[-] 2010-02-18 08:26 . 1F4761387E0D5586FF86EBE19E00B86E . 212736 . . [------] . . c:\windows\system32\dllcache\ndis.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-02-20_23.09.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-26 15:39 . 2010-02-26 15:39 16384 c:\windows\Temp\Perflib_Perfdata_1ec.dat

+ 2006-07-12 13:12 . 2010-02-23 19:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2006-07-12 13:12 . 2010-02-20 16:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2006-07-12 13:12 . 2010-02-23 19:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-07-12 13:12 . 2010-02-20 16:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoToMeeting"="c:\program files\Citrix\GoToMeeting\320\g2mstart.exe" [2008-09-05 31552]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [N/A]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-17 68856]

"SyncMan"="c:\documents and settings\aspeed\SyncMan.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]

"nwiz"="nwiz.exe" [2007-04-28 1626112]

"NVHotkey"="nvHotkey.dll" [2007-04-28 67584]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-28 81920]

"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]

"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-01-31 176128]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]

"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-01 65536]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-17 30192]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"SyncMan"="c:\windows\system32\SyncMan.exe" [N/A]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\tcjnwkjfk .exe" [2010-02-02 1394000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-7-12 25214]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

Power Ge'ez 2005.lnk - c:\program files\Concepts Data Systems\Power Ge'ez 2005\pg2005.exe [2010-1-26 454656]

TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-10-24 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 ktmsixpn;ktmsixpn;c:\windows\system32\drivers\pakc.sys --> c:\windows\system32\drivers\pakc.sys [?]

S1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [10/09/2006 11:27 AM 21744]

S2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [02/09/2007 6:51 PM 22952]

S2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [02/09/2007 7:23 PM 161320]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/11/2010 3:55 AM 135664]

S2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect CGNET Travel Access\iPCAgent.exe [07/12/2006 1:19 PM 90112]

S2 RadeSvc;Citrix Streaming Service;c:\program files\Citrix\Streaming Client\RadeSvc.exe [02/09/2007 6:55 PM 241664]

S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [08/04/2004 7:00 AM 5120]

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/02/2006 11:32 AM 97536]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/12/2010 9:55 PM 102448]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\googledesktop.exe [10/08/2008 3:47 PM 30192]

.

Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 08:55]

2010-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 08:55]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.msh.org/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

LSP: c:\windows\system32\biolsp.dll

Trusted Zone: msh.org\ctt

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://eroom.msh.org/eRoomSetup/client.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab

FF - ProfilePath - c:\documents and settings\aspeed\Application Data\Mozilla\Firefox\Profiles\6iwleti0.default\

FF - prefs.js: browser.startup.homepage - www.google.com/ig

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\aspeed\Application Data\Mozilla\Firefox\Profiles\6iwleti0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npeRoom7.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-26 11:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]

"ImagePath"="a"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(860)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(2088)

c:\windows\system32\WININET.dll

.

Completion time: 2010-02-26 11:03:53

ComboFix-quarantined-files.txt 2010-02-26 16:03

ComboFix2.txt 2010-02-24 18:36

ComboFix3.txt 2010-02-24 11:51

ComboFix4.txt 2010-02-24 10:17

ComboFix5.txt 2010-02-25 05:15

Pre-Run: 77,017,853,952 bytes free

Post-Run: 76,965,191,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 57962A3C1D082ABB35A3C1E1E43A3197

Elise · February 26, 2010

Hello, no need to apologize for the delay

We still have quite some work to do here, but first of all, I need to know if you have an XP CD at hand, we need to copy two files that are missing/corrupted. If you don't have a CD, maybe you can borrow one from a friend/family member.

SpeedHokie · March 2, 2010

Aaaaaaand I'm back. I have now managed to get my hands on a XP install disk. I will await your further instructions.

Thanks,

Arin

Elise · March 2, 2010

Hello, welcome back

Please make sure you do the steps below in the order given, otherwise things will not work.

Insert your XP CD in the CD drive (I assume this is d:\, if not, please change the script below accordingly). I notice your log shows no CD drive, if this is the cause, post back here, do NOT continue!

If you can use your infected computers CD drive, you can continue safely.

Click Start > Run, type notepad in the runbox and press enter.

Copy/paste the text in the codebox below into Notepad and save it as copy.bat to your desktop.

@echo off
expand d:\i386\cdrom.sy_ c:\windows\system32\drivers\cdrom.sys
expand d:\i386\ndis.sy_ c:\windows\ndiscopy.sys

Exit Notepad and doubleclick on copy.bat to run it. This should copy two files to your computer. Afterwards, verify if the following file has been created: c:\windows\ndiscopy.sys

If this file has NOT been created, do NOT continue!

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

RenV::
c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Malwarebytes' Anti-Malware\tcjnwkjfk .exe

FCopy::
c:\windows\ndiscopy.sys | c:\windows\system32\drivers\ndis.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

SpeedHokie · March 2, 2010

Done and done. I've pasted the log below.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 10-03-02.02 - aspeed 03/02/2010 18:49:42.16.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.2943 [GMT -5:00]

Running from: c:\documents and settings\aspeed\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\aspeed\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

--------------- FCopy ---------------

c:\windows\ndiscopy.sys --> c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))

.

2010-03-02 23:49 . 2010-03-02 23:49 -------- d-----w- c:\windows\LastGood

2010-03-02 23:44 . 2008-04-14 05:50 182656 ------w- c:\windows\ndiscopy.sys

2010-03-02 23:42 . 2004-08-04 03:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2010-03-02 23:42 . 2004-08-04 03:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2010-03-01 15:45 . 2010-03-01 16:49 -------- d-----w- C:\1-Flash Drive

2010-02-24 08:43 . 2010-02-24 08:43 -------- d-----w- c:\program files\Trend Micro

2010-02-24 04:16 . 2010-02-27 21:41 664 ----a-w- c:\windows\system32\d3d9caps.dat