Jump to content

Most elusive malware ever...


Recommended Posts

Okay, here's the deal. I've been trying to remove malware from my computer for 2 days. I've used superantispyware, spybot search and destroy, malware bytes, and hijackthis, all updated. I've been using rkill to slow it down enough to try to fix it. It keeps changing my lan settings to over-ride my web browser and disguise it as virus protection. I did google searches on some of the suspicious processes that were running and it looks like mebroot might be a possibility. I'll post my most recent hijackthis log and hope for a speedy response. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:48:21 PM, on 7/26/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\No-IP\DUC20.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\PowerMenu\PowerMenu.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\RALINK\Common\RaUI.exe

C:\Program Files\SpeedFan\speedfan.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643

O2 - BHO: C:\WINDOWS\system32\a03pss.dll - {C2BA40A2-75F1-51BD-F413-04B15A2C8950} - C:\WINDOWS\system32\a03pss.dll

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe

O4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself on

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sta] rundll32 "qvlmp.dll",,Run

O4 - HKLM\..\Run: [MChk] C:\WINDOWS\system32\dvlmp.exe

O4 - HKLM\..\Run: [cfeptaou] C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exe

O4 - HKLM\..\Run: [Qwuyemizufa] rundll32.exe "C:\WINDOWS\orujuzakaxod.dll",Startup

O4 - HKLM\..\Run: [weiepiuc] C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exe

O4 - HKLM\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Fkoqofibo] rundll32.exe "C:\WINDOWS\wpadotpt.dll",Startup

O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nz96ac.dll, RestoreWindows

O4 - HKCU\..\Run: [uiha98uiohf873yuiadnhgjesgregas] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cbb5s.exe

O4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe

O4 - HKCU\..\Run: [cfeptaou] C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exe

O4 - HKCU\..\Run: [weiepiuc] C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265

O20 - Winlogon Notify: !SASWinLogon - Invalid registry found

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: jkzoiefu9s3huishf87efushdjkfgyuisfiud - {C2BA40A2-75F1-51BD-F413-04B15A2C8950} - C:\WINDOWS\system32\a03pss.dll

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: UNCFAT DMS (OTFSDMS) - Unknown owner - C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8005 bytes

Link to post
Share on other sites

Here is my most recent mbam log as well.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4349

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

7/27/2010 3:48:39 AM

mbam-log-2010-07-27 (03-48-39).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 191354

Time elapsed: 21 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 28

Registry Values Infected: 15

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 83

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\a03pss.dll (Virus.Ertfor) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot.

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{00d8c5d6-3539-4ae8-bfc5-1fd389abac2d} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0f614c99-8096-4bc2-8da5-4ea1bbde27ad} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{3143df68-515b-49d6-908f-8e337c59edca} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{75b56ef1-0a67-4990-b81f-ee3e31bfcb80} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c7f4ea56-feb5-4c17-adbd-49085510220b} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d5cb8838-4341-41fe-a0c4-9792262e0adc} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f1b74f9e-99a8-4a7c-b67d-a36721cd9f78} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0741eff9-a6b9-4cdb-b523-66ae04c7744c} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{431d4628-87e2-4b32-aabf-49c6b3aef11c} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{7057c1a5-aafa-4cc5-ace8-5ecc69726188} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{943025ac-698c-45d3-9199-3784f505d821} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9df72ebc-8990-4af4-87fc-19eb608c01d8} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a18373c8-f70a-4cc3-a7f0-d73c93bf6ec1} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e60e66a6-6bad-403c-95df-ae659646a293} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uiha98uiohf873yuiadnhgjesgregas (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsehf98u34i9tjioaugy987iuegdsg (Trojan.Ransom) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfeptaou (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfeptaou (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weiepiuc (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weiepiuc (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Adware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgalfvix (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgalfvix (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\a03pss.dll (Virus.Ertfor) -> Delete on reboot.

C:\Documents and Settings\Administrator\Local Settings\Temp\snprdx5.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\t22s264fz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\winamp.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dvlmp.exe (Trojan.Adware) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qvlmp.dll (Adware.EZlife) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\061.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\1496439120.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\171304636.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\2174818482.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\2502925274.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\3054956524.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\57364.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\acgpuwna.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\avp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\b5hhruz4fpyc1.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\cbb5s.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\debug.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\drweb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\dtzc2t6py.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\flao7ow5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\gamkxw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\gcet6b6gbt7n.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\gdi32.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\hfb0z6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\hrku.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\ilvu.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\lc8vvfkulz.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\login.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\mdm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\notepad.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\npi6pdqzhe.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\nvsvc32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\nwvy3.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\nz96ac.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\o3ccty9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\ok0ryc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\q7aupm7a9h.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\s6m918o64.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\se6kfq26.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\smss.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\system.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\user.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\wg2rogun.exe (Trojan.LVBP) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\win.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\win16.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\win32.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\wzj5nkwdl.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\xf5gjlfw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\y4cb2ube.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\y4ddjhdlf.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KZTQH3TG\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\aaidkfmhfa[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\cgaickiqk[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\imhbjepxrz[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\kofmhoahpk[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QY64URA6\sjnvpnidk[2].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\cgaickiqk[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\used[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mvlmp.dll (Adware.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ny4x1f5.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\s29lacoa7.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\szetyj67vx.exe (Trojan.LVBP) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\u253bpey.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\v5njc.dll (Virus.Ertfor) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\0.0772832240166178.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\comsats.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\service.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Link to post
Share on other sites

  • 2 weeks later...
Hi and welcome to Malwarebytes.

My apologies for the extended delay. Do you still need help?

Hello and thank you for your assistance. I'm fairly sure that it is some form of the sasser virus. "lsass.exe" is running in the processes list. It appears to have bound itself to a major system process to prevent itself from being removed. I've tried using Unlocker to delete it to no avail. Any assistance would be greatly appreciated.

Link to post
Share on other sites

  • Staff

Hi,

Sasser is ancient and lsass.exe is a legitimate file. Please do not try to delete it anymore..

You do have a plethora of other infections though. Let's continue.

Please update MBAM, run a Quick Scan, and post its log.

After that, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4410

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/9/2010 6:29:10 AM

mbam-log-2010-08-09 (06-29-10).txt

Scan type: Quick scan

Objects scanned: 146535

Time elapsed: 10 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.

HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkoqofibo (Trojan.Hiloti) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\settingsxx.exe (Spyware.SpyEyes) -> No action taken.

Files Infected:

C:\WINDOWS\ogakuwafonutuliv.dll (Trojan.BHO.H) -> No action taken.

C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.

C:\settingsxx.exe\config.bin (Spyware.SpyEyes) -> No action taken.

Link to post
Share on other sites

ComboFix 10-08-08.02 - Administrator 08/09/2010 7:06.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.689 [GMT -7:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}

c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome.manifest

c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\_cfg.js

c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\overlay.xul

c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\install.rdf

c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}

c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome.manifest

c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\_cfg.js

c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\overlay.xul

c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\install.rdf

C:\install.exe

c:\program files\\setup.exe

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

c:\program files\Setup.exe

C:\settingsxx.exe

c:\settingsxx.exe\config.bin

c:\windows\ogakuwafonutuliv.dll

c:\windows\system32\Install.txt

c:\windows\system32\msippsth.dll

c:\windows\system32\szetyj67v.txt

c:\windows\uhitiholuracan.dll

c:\windows\wpadotpt.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_TCPIP_PASS-THROUGH_FILTER

-------\Service_6to4

-------\Service_TCPIP Pass-through Filter

((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))

.

2010-07-29 22:55 . 2010-08-09 12:32 120 ----a-w- c:\windows\Vconocubale.dat

2010-07-29 22:55 . 2010-08-09 12:32 0 ----a-w- c:\windows\Gqeletaso.bin

2010-07-29 10:44 . 2010-08-09 13:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tor

2010-07-29 10:44 . 2010-08-09 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vidalia

2010-07-29 10:44 . 2010-07-29 10:44 -------- d-----w- c:\program files\Vidalia Bundle

2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\system32\1033

2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\srchasst

2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\mui

2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\msagent

2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\ime

2010-07-29 01:45 . 2010-08-09 14:11 -------- d-----w- c:\windows\apppatch

2010-07-29 01:37 . 2010-07-29 01:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\FastSum

2010-07-28 11:54 . 2010-07-28 11:54 8192 ----a-w- c:\windows\system32\jvgrdfr.dll

2010-07-28 00:41 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dyvaediqa

2010-07-28 00:19 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bvnykhuqo

2010-07-28 00:16 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wspqfonro

2010-07-28 00:13 . 2002-09-20 18:53 235100 ----a-w- c:\windows\system32\drivers\MidiSyn.sys

2010-07-28 00:12 . 2004-04-26 17:49 381056 ----a-w- c:\windows\system32\drivers\senfilt.sys

2010-07-28 00:12 . 2001-09-11 22:20 30208 ----a-w- c:\windows\system32\wdmioctl.dll

2010-07-28 00:12 . 2001-09-11 22:20 1285632 ----a-w- c:\windows\system32\SMMedia.dll

2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\windows\VirtualEar

2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\program files\Analog Devices

2010-07-28 00:12 . 2003-08-20 02:36 65536 ----a-w- c:\windows\system32\Audio3d.dll

2010-07-28 00:12 . 2003-06-16 15:32 49152 ----a-w- c:\windows\system32\DSndUp.exe

2010-07-28 00:12 . 2002-04-17 22:05 45056 ----a-w- c:\windows\system32\CleanUp.exe

2010-07-28 00:12 . 2001-10-04 22:50 991232 ----a-w- c:\windows\system32\virtear.dll

2010-07-28 00:12 . 2001-09-19 20:47 765952 ----a-w- c:\windows\system\crlds3d.dll

2010-07-28 00:02 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\qkrmbqijv

2010-07-27 23:55 . 2010-07-27 23:55 84480 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll

2010-07-27 21:32 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fygaahjkc

2010-07-27 09:57 . 2010-07-27 09:57 -------- d-----w- c:\program files\Intel Desktop Board Audio Driver

2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\windows\Java

2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\program files\CPUID

2010-07-27 01:46 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\yhkihvfgt

2010-07-27 01:07 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\htwuesfir

2010-07-27 00:51 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\mkbgvwvwl

2010-07-26 23:37 . 2010-07-26 23:37 152 ----a-w- c:\documents and settings\Administrator\144609.BAT

2010-07-26 23:36 . 2010-07-27 00:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\uaslvvroh

2010-07-26 22:54 . 2010-07-26 22:54 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-26 22:54 . 2010-07-26 22:54 -------- d-----w- c:\program files\Trend Micro

2010-07-26 22:43 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\kdltoslhj

2010-07-26 22:38 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fkueepkru

2010-07-26 22:35 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\vgqyxjbef

2010-07-26 22:13 . 2010-07-26 22:14 -------- d-----w- C:\709a56d30d630d308b

2010-07-26 21:44 . 2010-07-26 21:45 -------- d-----w- C:\3b843a0df5cc5ac51ec48e9e

2010-07-26 21:32 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx

2010-07-26 21:09 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr

2010-07-26 21:07 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx

2010-07-26 20:06 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wvblwbdgp

2010-07-26 19:56 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\eptbcghmw

2010-07-26 12:37 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\boivscjnv

2010-07-26 12:37 . 2010-07-26 12:37 8192 ----a-w- c:\windows\system32\vsxrg.dll

2010-07-26 12:33 . 2010-07-26 12:33 8192 ----a-w- c:\windows\system32\anap.dll

2010-07-26 12:30 . 2010-07-26 12:30 8192 ----a-w- c:\windows\system32\mslnn.dll

2010-07-26 11:32 . 2010-07-26 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ttaqkdjes

2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-26 04:17 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-26 04:17 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-26 04:06 . 2010-07-26 04:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bpfjlwwky

2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\xircom

2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\wbem\snmp

2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\program files\microsoft frontpage

2010-07-26 03:15 . 2010-07-26 03:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\huvbjrvho

2010-07-25 21:38 . 2010-07-25 21:38 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-07-25 21:29 . 2010-08-09 14:20 766464 ----a-w- c:\windows\system32\drivers\rkyagwy.sys

2010-07-25 21:29 . 2010-07-25 22:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dtxykhtbs

2010-07-25 21:28 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-07-25 18:34 . 2010-07-25 22:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-25 18:34 . 2010-07-25 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-25 17:33 . 2010-07-28 12:37 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-07-25 17:32 . 2010-07-25 17:32 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-07-25 17:32 . 2010-07-28 12:37 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-07-13 22:15 . 2010-07-12 18:32 822784 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

2010-07-12 23:39 . 2010-08-06 14:34 -------- d-----w- c:\program files\Steam

2010-07-11 10:02 . 2010-07-11 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-11 00:19 . 2010-07-11 00:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canneverbe Limited

2010-07-11 00:18 . 2010-07-11 00:18 1556992 ----a-w- c:\windows\is-Q5O1S.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-09 14:19 . 2009-08-30 04:00 -------- d-----w- c:\program files\SpeedFan

2010-07-30 02:35 . 2009-09-02 03:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2010-07-29 01:43 . 2009-10-27 00:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-28 20:49 . 2009-08-29 21:03 -------- d-----w- c:\program files\Unlocker

2010-07-28 00:12 . 2009-08-29 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\program files\SystemRequirementsLab

2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab

2010-07-27 01:45 . 2010-07-09 12:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-25 17:45 . 2009-11-03 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-11 00:27 . 2009-09-29 06:48 -------- d-----w- c:\program files\CDBurnerXP

2010-07-04 05:05 . 2010-07-04 05:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic

2010-07-04 05:05 . 2009-11-25 22:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-06-17 02:16 . 2010-06-17 02:16 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe

2010-06-17 02:16 . 2010-06-17 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook

2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\program files\Yahoo!

2010-06-10 19:46 . 2009-12-07 02:25 -------- d-----w- c:\program files\Google

2010-06-10 01:04 . 2009-08-30 03:30 14048 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-06-08 20:57 . 2009-12-19 21:37 14048 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-24 21:14 . 2010-05-24 21:14 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcp71.dll

2010-05-24 21:14 . 2010-05-24 21:14 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\jmc.dll

2010-05-24 21:14 . 2010-05-24 21:14 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcr71.dll

2010-05-21 02:20 . 2010-05-21 02:20 85504 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

2010-05-20 06:13 . 2009-09-06 09:27 64768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

1997-04-28 16:52 . 2009-12-01 23:56 112 ------r- c:\program files\SETUP.M_E

1997-04-28 16:48 . 2009-12-01 23:56 78 ------r- c:\program files\SETUP.M_C

2009-12-17 04:23 . 2009-12-17 09:16 908248 --sh--r- c:\windows\windomgr.exe

.

------- Sigcheck -------

[-] 2008-12-30 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

c:\windows\System32\wscntfy.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2010-05-25 5475403]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]

"PowerMenu"="c:\program files\PowerMenu\PowerMenu.exe" [2002-12-20 57344]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2009-8-9 3986552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-8-29 593920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Digsby.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Digsby.lnk

backup=c:\windows\pss\Digsby.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^No-IP DUC.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\No-IP DUC.lnk

backup=c:\windows\pss\No-IP DUC.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

2006-11-13 20:39 1289000 ----a-w- c:\progra~1\MICROS~4\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEHistory]

2006-12-13 08:24 138752 ----a-w- c:\program files\IEHistoryPH\IEHistoryShellNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2010-04-04 02:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2010-04-04 02:23 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]

2000-05-21 00:23 86016 ----a-w- c:\windows\StartupMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-07-12 23:39 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

2008-05-02 07:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 02:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\johngaltman69@yahoo.com\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"16015:TCP"= 16015:TCP:BitComet 16015 TCP

"16015:UDP"= 16015:UDP:BitComet 16015 UDP

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/6/2009 7:53 PM 24652]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/6/2010 11:57 AM 136176]

S2 OTFSDMS;UNCFAT DMS;"c:\program files\AddinForUNCFAT\UNCFATDMS.exe" --> c:\program files\AddinForUNCFAT\UNCFATDMS.exe [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

*Deregistered* - rkyagwy

*Deregistered* - uphcleanhlp

.

Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57]

2010-08-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

LSP: c:\windows\system32\jvgrdfr.dll

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 8118

FF - prefs.js: network.proxy.socks - 127.0.0.1

FF - prefs.js: network.proxy.socks_port - 9050

FF - prefs.js: network.proxy.ssl - 127.0.0.1

FF - prefs.js: network.proxy.ssl_port - 8118

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

.

------- File Associations -------

.

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Fkoqofibo - c:\windows\wpadotpt.dll

HKLM-Run-Qwuyemizufa - c:\windows\ogakuwafonutuliv.dll

MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe

MSConfigStartUp-Fkoqofibo - c:\windows\wpadotpt.dll

MSConfigStartUp-FreeCall - c:\program files\FreeCall.com\FreeCall\FreeCall.exe

MSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\ADMINI~1\LOCALS~1\Temp\win16.exe

MSConfigStartUp-jhudhrti - c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx\lateywrtssd.exe

MSConfigStartUp-jodkdbbu - c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr\mgssfdatssd.exe

MSConfigStartUp-kqiooyhr - c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx\poepfshtssd.exe

MSConfigStartUp-mcexecwin - c:\docume~1\ADMINI~1\LOCALS~1\Temp\rctkzsj.dll

MSConfigStartUp-MChk - c:\windows\system32\dvlmp.exe

MSConfigStartUp-MSMSGS - c:\progra~1\MESSEN~1\Msmsgs.exe

MSConfigStartUp-OTFSDMS - c:\program files\AddinForUNCFAT\UNCFATDMS.exe

MSConfigStartUp-Qwuyemizufa - c:\windows\ixequyiwifa.dll

MSConfigStartUp-sta - qvlmp.dll

MSConfigStartUp-uiha98uiohf873yuiadnhgjesgregas - c:\docume~1\ADMINI~1\LOCALS~1\Temp\twuk0z860.exe

MSConfigStartUp-xgukxzrvux - c:\xgukxzrvux.exe\xgukxzrvux.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-09 07:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864C2EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf78c7f28

\Driver\ACPI -> ACPI.sys @ 0xf781acb8

\Driver\atapi -> atapi.sys @ 0xf76ea852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkyagwy]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]

@DACL=(02 0000)

@="Wireless"

"ProcessGroupPolicy"="ProcessWIRELESSPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}]

@DACL=(02 0000)

@="Group Policy Environment"

"DisplayName"=expand:"@gpprefcl.dll,-1"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Environment,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyEnviron"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyEnviron"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExEnviron"

"ProcessGroupPolicyEx 0"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}]

@DACL=(02 0000)

@="Group Policy Local Users and Groups"

"DisplayName"=expand:"@gpprefcl.dll,-2"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Local Users and Groups,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}]

@DACL=(02 0000)

@="Group Policy Device Settings"

"DisplayName"=expand:"@gpprefcl.dll,-3"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Device Settings,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyDevices"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyDevices"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@DACL=(02 0000)

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=expand:"fdeploy.dll"

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}]

@DACL=(02 0000)

@="Group Policy Network Options"

"DisplayName"=expand:"@gpprefcl.dll,-4"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Network Options,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@DACL=(02 0000)

@="QoS Packet Scheduler"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]

@DACL=(02 0000)

@="Scripts"

"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"

"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"

"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"

"DllName"=expand:"gptext.dll"

"NoSlowLink"=dword:00000001

"NoGPOListChanges"=dword:00000001

"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}]

@DACL=(02 0000)

@="Group Policy Drive Maps"

"DisplayName"=expand:"@gpprefcl.dll,-5"

"DllName"=expand:"gpprefcl.dll"

"EventSources"="(Group Policy Drive Maps,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyDrives"

"NoBackgroundPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyDrives"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}]

@DACL=(02 0000)

@="Group Policy Folders"

"DisplayName"=expand:"@gpprefcl.dll,-6"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=""

"EventSources"="(Group Policy Folders,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyFolders"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyFolders"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}]

@DACL=(02 0000)

@="Group Policy Network Shares"

"DisplayName"=expand:"@gpprefcl.dll,-7"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Network Shares,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyNetShares"

"NoUserPolicy"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyNetShares"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}]

@DACL=(02 0000)

@="Group Policy Files"

"DisplayName"=expand:"@gpprefcl.dll,-8"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Files,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyFiles"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyFiles"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}]

@DACL=(02 0000)

@="Group Policy Data Sources"

"DisplayName"=expand:"@gpprefcl.dll,-9"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Data Sources,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyDataSources"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyDataSources"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}]

@DACL=(02 0000)

@="Group Policy Ini Files"

"DisplayName"=expand:"@gpprefcl.dll,-10"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Ini Files,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyIniFile"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyIniFile"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]

@DACL=(02 0000)

@="Windows Search Group Policy Extension"

"DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll"

"EnableAsynchronousProcessing"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000000

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}]

@DACL=(02 0000)

@="Group Policy Services"

"DisplayName"=expand:"@gpprefcl.dll,-11"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Services,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyServices"

"ProcessGroupPolicy"="ProcessGroupPolicyServices"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExServices"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}]

@DACL=(02 0000)

@="Group Policy Folder Options"

"DisplayName"=expand:"@gpprefcl.dll,-12"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Folder Options,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}]

@DACL=(02 0000)

@="Group Policy Scheduled Tasks"

"DisplayName"=expand:"@gpprefcl.dll,-13"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Scheduled Tasks,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicySchedTasks"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicySchedTasks"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}]

@DACL=(02 0000)

@="Group Policy Registry"

"DisplayName"=expand:"@gpprefcl.dll,-14"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Registry,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyRegistry"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyRegistry"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}]

@DACL=(02 0000)

@="Group Policy Printers"

"DisplayName"=expand:"@gpprefcl.dll,-16"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Printers,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyPrinters"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyPrinters"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}]

@DACL=(02 0000)

@="Group Policy Shortcuts"

"DisplayName"=expand:"@gpprefcl.dll,-17"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Shortcuts,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyShortcuts"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@DACL=(02 0000)

@="IP Security"

"ProcessGroupPolicy"="ProcessIPSECPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}]

@DACL=(02 0000)

@="Group Policy Internet Settings"

"DisplayName"=expand:"@gpprefcl.dll,-18"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Internet Settings,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyInternet"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}]

@DACL=(02 0000)

@="Group Policy Start Menu Settings"

"DisplayName"=expand:"@gpprefcl.dll,-19"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Start Menu Settings,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyStartMenu"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyStartMenu"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}]

@DACL=(02 0000)

@="Group Policy Regional Options"

"DisplayName"=expand:"@gpprefcl.dll,-20"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Regional Options,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}]

@DACL=(02 0000)

@="Group Policy Power Options"

"DisplayName"=expand:"@gpprefcl.dll,-21"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Power Options,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}]

@DACL=(02 0000)

@="Group Policy Applications"

"DisplayName"=expand:"@gpprefcl.dll,-15"

"DllName"=expand:"gpprefcl.dll"

"EnableAsynchronousProcessing"=dword:00000001

"EventSources"="(Group Policy Applications,Application)"

"GenerateGroupPolicy"="GenerateGroupPolicyApplications"

"PerUserLocalSettings"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyApplications"

"ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(816)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1180)

c:\windows\system32\WININET.dll

c:\program files\PowerMenu\PowerMenuHook.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\No-IP\DUC20.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\progra~1\MICROS~4\rapimgr.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2010-08-09 07:25:04 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-09 14:24

Pre-Run: 34,241,175,552 bytes free

Post-Run: 34,718,134,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

- - End Of File - - 0990A26500E1DAC4F70433D0691D7A25

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:27:47 AM, on 8/9/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\No-IP\DUC20.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\PowerMenu\PowerMenu.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe

O4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself on

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dll

O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265

O20 - Winlogon Notify: !SASWinLogon - Invalid registry found

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: UNCFAT DMS (OTFSDMS) - Unknown owner - C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 7898 bytes

Link to post
Share on other sites

  • Staff

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Next, before we continue, please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\jvgrdfr.dll

c:\windows\Vconocubale.dat

c:\windows\system32\vsxrg.dll

c:\windows\system32\anap.dll

c:\windows\system32\mslnn.dll

c:\documents and settings\Administrator\144609.BAT

c:\windows\system32\drivers\rkyagwy.sys

c:\windows\system32\drivers\tcpip.sys

Next, please update MBAM, and run a Quick Scan. Remove what is found and post its log.

-screen317

Link to post
Share on other sites

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Next, before we continue, please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\jvgrdfr.dll

c:\windows\Vconocubale.dat

c:\windows\system32\vsxrg.dll

c:\windows\system32\anap.dll

c:\windows\system32\mslnn.dll

c:\documents and settings\Administrator\144609.BAT

c:\windows\system32\drivers\rkyagwy.sys

c:\windows\system32\drivers\tcpip.sys

Next, please update MBAM, and run a Quick Scan. Remove what is found and post its log.

-screen317

Oooootay. I uninstalled Viewpoint Media Player and ran all but one file through virustotal.com. The file c:\windows\system32\drivers\rkyagwy.sys would not go through. I also ran an MBAM Quick Scan and Full Scan and removed what was found. Here are the results for both scans.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4422

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/12/2010 2:15:35 PM

mbam-log-2010-08-12 (14-15-35).txt

Scan type: Quick scan

Objects scanned: 136177

Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4422

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/12/2010 6:10:40 PM

mbam-log-2010-08-12 (18-10-40).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 187305

Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\wpadotpt.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E61B02F4-AD35-4CB9-98BE-9E5EB8FBF421}\RP9\A0000633.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.