Westablished Posted July 27, 2010 ID:291013 Share Posted July 27, 2010 Okay, here's the deal. I've been trying to remove malware from my computer for 2 days. I've used superantispyware, spybot search and destroy, malware bytes, and hijackthis, all updated. I've been using rkill to slow it down enough to try to fix it. It keeps changing my lan settings to over-ride my web browser and disguise it as virus protection. I did google searches on some of the suspicious processes that were running and it looks like mebroot might be a possibility. I'll post my most recent hijackthis log and hope for a speedy response. Thanks for the help.Logfile of Trend Micro HijackThis v2.0.4Scan saved at 6:48:21 PM, on 7/26/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\No-IP\DUC20.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\system32\taskswitch.exeC:\Program Files\PowerMenu\PowerMenu.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\RALINK\Common\RaUI.exeC:\Program Files\SpeedFan\speedfan.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\system32\rundll32.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\explorer.exeC:\WINDOWS\System32\svchost.exeC:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exeC:\Program Files\Trend Micro\HiJackThis\HiJackThis.exeC:\WINDOWS\system32\SearchProtocolHost.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643O2 - BHO: C:\WINDOWS\system32\a03pss.dll - {C2BA40A2-75F1-51BD-F413-04B15A2C8950} - C:\WINDOWS\system32\a03pss.dllO4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exeO4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself onO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [sta] rundll32 "qvlmp.dll",,RunO4 - HKLM\..\Run: [MChk] C:\WINDOWS\system32\dvlmp.exeO4 - HKLM\..\Run: [cfeptaou] C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exeO4 - HKLM\..\Run: [Qwuyemizufa] rundll32.exe "C:\WINDOWS\orujuzakaxod.dll",StartupO4 - HKLM\..\Run: [weiepiuc] C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exeO4 - HKLM\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Fkoqofibo] rundll32.exe "C:\WINDOWS\wpadotpt.dll",StartupO4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nz96ac.dll, RestoreWindowsO4 - HKCU\..\Run: [uiha98uiohf873yuiadnhgjesgregas] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cbb5s.exeO4 - HKCU\..\Run: [hsehf98u34i9tjioaugy987iuegdsg] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exeO4 - HKCU\..\Run: [cfeptaou] C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exeO4 - HKCU\..\Run: [weiepiuc] C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exeO4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [kgalfvix] C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exeO4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exeO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dllO9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dllO9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dllO9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265O20 - Winlogon Notify: !SASWinLogon - Invalid registry foundO22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dllO22 - SharedTaskScheduler: jkzoiefu9s3huishf87efushdjkfgyuisfiud - {C2BA40A2-75F1-51BD-F413-04B15A2C8950} - C:\WINDOWS\system32\a03pss.dllO23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: UNCFAT DMS (OTFSDMS) - Unknown owner - C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe (file missing)O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 8005 bytes Link to post Share on other sites More sharing options...
Westablished Posted July 27, 2010 Author ID:291029 Share Posted July 27, 2010 It has also managed to remove the drivers from my sound card. I tried to re-install them, didn't work. Link to post Share on other sites More sharing options...
Westablished Posted July 27, 2010 Author ID:291446 Share Posted July 27, 2010 Here is my most recent mbam log as well.Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4349Windows 5.1.2600 Service Pack 3 (Safe Mode)Internet Explorer 8.0.6001.187027/27/2010 3:48:39 AMmbam-log-2010-07-27 (03-48-39).txtScan type: Full scan (C:\|D:\|)Objects scanned: 191354Time elapsed: 21 minute(s), 4 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 28Registry Values Infected: 15Registry Data Items Infected: 1Folders Infected: 1Files Infected: 83Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\system32\a03pss.dll (Virus.Ertfor) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot.HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{00d8c5d6-3539-4ae8-bfc5-1fd389abac2d} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{0f614c99-8096-4bc2-8da5-4ea1bbde27ad} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{3143df68-515b-49d6-908f-8e337c59edca} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{75b56ef1-0a67-4990-b81f-ee3e31bfcb80} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{c7f4ea56-feb5-4c17-adbd-49085510220b} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{d5cb8838-4341-41fe-a0c4-9792262e0adc} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{f1b74f9e-99a8-4a7c-b67d-a36721cd9f78} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{0741eff9-a6b9-4cdb-b523-66ae04c7744c} (Adware.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{431d4628-87e2-4b32-aabf-49c6b3aef11c} (Adware.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{7057c1a5-aafa-4cc5-ace8-5ecc69726188} (Adware.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{943025ac-698c-45d3-9199-3784f505d821} (Adware.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{9df72ebc-8990-4af4-87fc-19eb608c01d8} (Adware.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{a18373c8-f70a-4cc3-a7f0-d73c93bf6ec1} (Adware.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{e60e66a6-6bad-403c-95df-ae659646a293} (Adware.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a2-75f1-51bd-f413-04b15a2c8950} (Virus.Ertfor) -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uiha98uiohf873yuiadnhgjesgregas (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsehf98u34i9tjioaugy987iuegdsg (Trojan.Ransom) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfeptaou (Trojan.Dropper) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfeptaou (Trojan.Dropper) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weiepiuc (Trojan.Dropper) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weiepiuc (Trojan.Dropper) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Adware) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgalfvix (Trojan.Dropper) -> Quarantined and deleted successfully.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kgalfvix (Trojan.Dropper) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sta (Trojan.Agent.Gen) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\system32\a03pss.dll (Virus.Ertfor) -> Delete on reboot.C:\Documents and Settings\Administrator\Local Settings\Temp\snprdx5.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\t22s264fz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\winamp.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Application Data\mkbgvwvwl\utivjcatssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Application Data\htwuesfir\wnkqbjttssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\dvlmp.exe (Trojan.Adware) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Application Data\yhkihvfgt\dvtcqmgtssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\qvlmp.dll (Adware.EZlife) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\061.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\1496439120.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\171304636.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\2174818482.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\2502925274.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\3054956524.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\57364.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\acgpuwna.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\avp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\b5hhruz4fpyc1.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\cbb5s.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\debug.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\drweb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\dtzc2t6py.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\flao7ow5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\gamkxw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\gcet6b6gbt7n.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\gdi32.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\hfb0z6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\hrku.exe (Trojan.Clicker) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\ilvu.exe (Adware.BHO) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\lc8vvfkulz.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\login.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\mdm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\notepad.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\npi6pdqzhe.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\nvsvc32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\nwvy3.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\nz96ac.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\o3ccty9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\ok0ryc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\q7aupm7a9h.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\s6m918o64.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\se6kfq26.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\smss.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\system.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\taskmgr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\user.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\wg2rogun.exe (Trojan.LVBP) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\win.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\win16.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\win32.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\wzj5nkwdl.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\xf5gjlfw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\y4cb2ube.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temp\y4ddjhdlf.exe (Trojan.Ransom) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KZTQH3TG\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\aaidkfmhfa[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\cgaickiqk[1].htm (Adware.BHO) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\imhbjepxrz[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MYNU3EYW\kofmhoahpk[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QY64URA6\sjnvpnidk[2].htm (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\cgaickiqk[1].htm (Adware.BHO) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\jjelg[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7LEHFTB\used[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.C:\WINDOWS\system32\mvlmp.dll (Adware.BHO) -> Quarantined and deleted successfully.C:\WINDOWS\system32\ny4x1f5.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\WINDOWS\system32\s29lacoa7.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\WINDOWS\system32\szetyj67vx.exe (Trojan.LVBP) -> Quarantined and deleted successfully.C:\WINDOWS\system32\u253bpey.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\WINDOWS\system32\v5njc.dll (Virus.Ertfor) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\0.0772832240166178.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.C:\WINDOWS\system32\comsats.sys (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\service.sys (Rootkit.Agent) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 5, 2010 Staff ID:295904 Share Posted August 5, 2010 Hi and welcome to Malwarebytes.My apologies for the extended delay. Do you still need help? Link to post Share on other sites More sharing options...
Westablished Posted August 6, 2010 Author ID:296773 Share Posted August 6, 2010 Hi and welcome to Malwarebytes.My apologies for the extended delay. Do you still need help?Hello and thank you for your assistance. I'm fairly sure that it is some form of the sasser virus. "lsass.exe" is running in the processes list. It appears to have bound itself to a major system process to prevent itself from being removed. I've tried using Unlocker to delete it to no avail. Any assistance would be greatly appreciated. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 6, 2010 Staff ID:296975 Share Posted August 6, 2010 Hi,Sasser is ancient and lsass.exe is a legitimate file. Please do not try to delete it anymore..You do have a plethora of other infections though. Let's continue.Please update MBAM, run a Quick Scan, and post its log.After that, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
Westablished Posted August 9, 2010 Author ID:298276 Share Posted August 9, 2010 Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4410Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187028/9/2010 6:29:10 AMmbam-log-2010-08-09 (06-29-10).txtScan type: Quick scanObjects scanned: 146535Time elapsed: 10 minute(s), 36 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 3Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 1Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.HKEY_CLASSES_ROOT\CLSID\{ddb0fd13-0059-4d78-54f8-6f60902f6f75} (Trojan.BHO.H) -> No action taken.HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> No action taken.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkoqofibo (Trojan.Hiloti) -> No action taken.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\settingsxx.exe (Spyware.SpyEyes) -> No action taken.Files Infected:C:\WINDOWS\ogakuwafonutuliv.dll (Trojan.BHO.H) -> No action taken.C:\WINDOWS\wpadotpt.dll (Trojan.Hiloti) -> No action taken.C:\settingsxx.exe\config.bin (Spyware.SpyEyes) -> No action taken. Link to post Share on other sites More sharing options...
Westablished Posted August 9, 2010 Author ID:298290 Share Posted August 9, 2010 ComboFix 10-08-08.02 - Administrator 08/09/2010 7:06.1.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.689 [GMT -7:00]Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}c:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome.manifestc:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\_cfg.jsc:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\chrome\content\overlay.xulc:\documents and settings\Administrator\Local Settings\Application Data\{1F7AA594-8150-4C01-8292-ADEBCB94D774}\install.rdfc:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}c:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome.manifestc:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\_cfg.jsc:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\chrome\content\overlay.xulc:\documents and settings\Guest\Local Settings\Application Data\{5E21170E-3270-43C9-9C44-4BD23782507B}\install.rdfC:\install.exec:\program files\\setup.exec:\program files\Mozilla Firefox\searchplugins\google_search.xmlc:\program files\Setup.exeC:\settingsxx.exec:\settingsxx.exe\config.binc:\windows\ogakuwafonutuliv.dllc:\windows\system32\Install.txtc:\windows\system32\msippsth.dllc:\windows\system32\szetyj67v.txtc:\windows\uhitiholuracan.dllc:\windows\wpadotpt.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_6TO4-------\Legacy_TCPIP_PASS-THROUGH_FILTER-------\Service_6to4-------\Service_TCPIP Pass-through Filter((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 ))))))))))))))))))))))))))))))).2010-07-29 22:55 . 2010-08-09 12:32 120 ----a-w- c:\windows\Vconocubale.dat2010-07-29 22:55 . 2010-08-09 12:32 0 ----a-w- c:\windows\Gqeletaso.bin2010-07-29 10:44 . 2010-08-09 13:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tor2010-07-29 10:44 . 2010-08-09 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vidalia2010-07-29 10:44 . 2010-07-29 10:44 -------- d-----w- c:\program files\Vidalia Bundle2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\system32\10332010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\srchasst2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\mui2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\msagent2010-07-29 01:45 . 2010-07-29 01:45 -------- d-----w- c:\windows\ime2010-07-29 01:45 . 2010-08-09 14:11 -------- d-----w- c:\windows\apppatch2010-07-29 01:37 . 2010-07-29 01:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\FastSum2010-07-28 11:54 . 2010-07-28 11:54 8192 ----a-w- c:\windows\system32\jvgrdfr.dll2010-07-28 00:41 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dyvaediqa2010-07-28 00:19 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bvnykhuqo2010-07-28 00:16 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wspqfonro2010-07-28 00:13 . 2002-09-20 18:53 235100 ----a-w- c:\windows\system32\drivers\MidiSyn.sys2010-07-28 00:12 . 2004-04-26 17:49 381056 ----a-w- c:\windows\system32\drivers\senfilt.sys2010-07-28 00:12 . 2001-09-11 22:20 30208 ----a-w- c:\windows\system32\wdmioctl.dll2010-07-28 00:12 . 2001-09-11 22:20 1285632 ----a-w- c:\windows\system32\SMMedia.dll2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\windows\VirtualEar2010-07-28 00:12 . 2010-07-28 00:12 -------- d-----w- c:\program files\Analog Devices2010-07-28 00:12 . 2003-08-20 02:36 65536 ----a-w- c:\windows\system32\Audio3d.dll2010-07-28 00:12 . 2003-06-16 15:32 49152 ----a-w- c:\windows\system32\DSndUp.exe2010-07-28 00:12 . 2002-04-17 22:05 45056 ----a-w- c:\windows\system32\CleanUp.exe2010-07-28 00:12 . 2001-10-04 22:50 991232 ----a-w- c:\windows\system32\virtear.dll2010-07-28 00:12 . 2001-09-19 20:47 765952 ----a-w- c:\windows\system\crlds3d.dll2010-07-28 00:02 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\qkrmbqijv2010-07-27 23:55 . 2010-07-27 23:55 84480 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll2010-07-27 21:32 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fygaahjkc2010-07-27 09:57 . 2010-07-27 09:57 -------- d-----w- c:\program files\Intel Desktop Board Audio Driver2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\windows\Java2010-07-27 04:39 . 2010-07-27 04:39 -------- d-----w- c:\program files\CPUID2010-07-27 01:46 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\yhkihvfgt2010-07-27 01:07 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\htwuesfir2010-07-27 00:51 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\mkbgvwvwl2010-07-26 23:37 . 2010-07-26 23:37 152 ----a-w- c:\documents and settings\Administrator\144609.BAT2010-07-26 23:36 . 2010-07-27 00:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\uaslvvroh2010-07-26 22:54 . 2010-07-26 22:54 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe2010-07-26 22:54 . 2010-07-26 22:54 -------- d-----w- c:\program files\Trend Micro2010-07-26 22:43 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\kdltoslhj2010-07-26 22:38 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fkueepkru2010-07-26 22:35 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\vgqyxjbef2010-07-26 22:13 . 2010-07-26 22:14 -------- d-----w- C:\709a56d30d630d308b2010-07-26 21:44 . 2010-07-26 21:45 -------- d-----w- C:\3b843a0df5cc5ac51ec48e9e2010-07-26 21:32 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx2010-07-26 21:09 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr2010-07-26 21:07 . 2010-07-26 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx2010-07-26 20:06 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\wvblwbdgp2010-07-26 19:56 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\eptbcghmw2010-07-26 12:37 . 2010-07-26 20:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\boivscjnv2010-07-26 12:37 . 2010-07-26 12:37 8192 ----a-w- c:\windows\system32\vsxrg.dll2010-07-26 12:33 . 2010-07-26 12:33 8192 ----a-w- c:\windows\system32\anap.dll2010-07-26 12:30 . 2010-07-26 12:30 8192 ----a-w- c:\windows\system32\mslnn.dll2010-07-26 11:32 . 2010-07-26 12:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ttaqkdjes2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes2010-07-26 04:17 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-07-26 04:17 . 2010-07-26 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2010-07-26 04:17 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-07-26 04:06 . 2010-07-26 04:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bpfjlwwky2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\xircom2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\windows\system32\wbem\snmp2010-07-26 04:05 . 2010-07-26 04:05 -------- d-----w- c:\program files\microsoft frontpage2010-07-26 03:15 . 2010-07-26 03:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\huvbjrvho2010-07-25 21:38 . 2010-07-25 21:38 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache2010-07-25 21:29 . 2010-08-09 14:20 766464 ----a-w- c:\windows\system32\drivers\rkyagwy.sys2010-07-25 21:29 . 2010-07-25 22:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\dtxykhtbs2010-07-25 21:28 . 2010-07-28 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Update2010-07-25 18:34 . 2010-07-25 22:37 -------- d-----w- c:\program files\Spybot - Search & Destroy2010-07-25 18:34 . 2010-07-25 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy2010-07-25 17:33 . 2010-07-28 12:37 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll2010-07-25 17:32 . 2010-07-25 17:32 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll2010-07-25 17:32 . 2010-07-28 12:37 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com2010-07-25 17:31 . 2010-07-25 17:31 -------- d-----w- c:\program files\SUPERAntiSpyware2010-07-13 22:15 . 2010-07-12 18:32 822784 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll2010-07-12 23:39 . 2010-08-06 14:34 -------- d-----w- c:\program files\Steam2010-07-11 10:02 . 2010-07-11 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX2010-07-11 00:19 . 2010-07-11 00:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canneverbe Limited2010-07-11 00:18 . 2010-07-11 00:18 1556992 ----a-w- c:\windows\is-Q5O1S.exe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-08-09 14:19 . 2009-08-30 04:00 -------- d-----w- c:\program files\SpeedFan2010-07-30 02:35 . 2009-09-02 03:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent2010-07-29 01:43 . 2009-10-27 00:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2010-07-28 20:49 . 2009-08-29 21:03 -------- d-----w- c:\program files\Unlocker2010-07-28 00:12 . 2009-08-29 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\program files\SystemRequirementsLab2010-07-27 23:55 . 2010-05-21 02:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab2010-07-27 01:45 . 2010-07-09 12:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat2010-07-25 17:45 . 2009-11-03 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg92010-07-11 00:27 . 2009-09-29 06:48 -------- d-----w- c:\program files\CDBurnerXP2010-07-04 05:05 . 2010-07-04 05:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic2010-07-04 05:05 . 2009-11-25 22:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc2010-06-17 02:16 . 2010-06-17 02:16 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe2010-06-17 02:16 . 2010-06-17 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!2010-06-10 19:49 . 2009-10-21 09:06 -------- d-----w- c:\program files\Yahoo!2010-06-10 19:46 . 2009-12-07 02:25 -------- d-----w- c:\program files\Google2010-06-10 01:04 . 2009-08-30 03:30 14048 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll2010-06-08 20:57 . 2009-12-19 21:37 14048 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-05-24 21:14 . 2010-05-24 21:14 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcp71.dll2010-05-24 21:14 . 2010-05-24 21:14 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\jmc.dll2010-05-24 21:14 . 2010-05-24 21:14 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2fc107a8-n\msvcr71.dll2010-05-21 02:20 . 2010-05-21 02:20 85504 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll2010-05-20 06:13 . 2009-09-06 09:27 64768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat1997-04-28 16:52 . 2009-12-01 23:56 112 ------r- c:\program files\SETUP.M_E1997-04-28 16:48 . 2009-12-01 23:56 78 ------r- c:\program files\SETUP.M_C2009-12-17 04:23 . 2009-12-17 09:16 908248 --sh--r- c:\windows\windomgr.exe.------- Sigcheck -------[-] 2008-12-30 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sysc:\windows\System32\wscntfy.exe ... is missing !!.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2010-05-25 5475403][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]"PowerMenu"="c:\program files\PowerMenu\PowerMenu.exe" [2002-12-20 57344]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"_nltide_3"="advpack.dll" [2009-03-08 128512]c:\documents and settings\Administrator\Start Menu\Programs\Startup\SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2009-8-9 3986552]c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-8-29 593920][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoResolveTrack"= 1 (0x1)"NoSMConfigurePrograms"= 1 (0x1)[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoResolveTrack"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]@="Service"[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Digsby.lnk]path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Digsby.lnkbackup=c:\windows\pss\Digsby.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^No-IP DUC.lnk]path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\No-IP DUC.lnkbackup=c:\windows\pss\No-IP DUC.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]2008-04-14 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]2006-11-13 20:39 1289000 ----a-w- c:\progra~1\MICROS~4\wcescomm.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEHistory]2006-12-13 08:24 138752 ----a-w- c:\program files\IEHistoryPH\IEHistoryShellNotifier.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]2010-04-04 02:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]2010-04-04 02:23 110696 ----a-w- c:\windows\system32\nvmctray.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]2000-05-21 00:23 86016 ----a-w- c:\windows\StartupMonitor.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]2010-07-12 23:39 1238352 ----a-w- c:\program files\Steam\Steam.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]2008-05-02 07:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]2006-11-04 02:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\Mozilla Firefox\\firefox.exe"="c:\\Program Files\\Java\\jre6\\bin\\java.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="c:\\Program Files\\Steam\\Steam.exe"="c:\\Program Files\\Steam\\steamapps\\johngaltman69@yahoo.com\\counter-strike source\\hl2.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009"16015:TCP"= 16015:TCP:BitComet 16015 TCP"16015:UDP"= 16015:UDP:BitComet 16015 UDPR1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/6/2009 7:53 PM 24652]R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/6/2010 11:57 AM 136176]S2 OTFSDMS;UNCFAT DMS;"c:\program files\AddinForUNCFAT\UNCFATDMS.exe" --> c:\program files\AddinForUNCFAT\UNCFATDMS.exe [?]S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]--- Other Services/Drivers In Memory ---*NewlyCreated* - ASPI32*Deregistered* - rkyagwy*Deregistered* - uphcleanhlp.Contents of the 'Scheduled Tasks' folder2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57]2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 18:57]2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500Core.job- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57]2010-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1326574676-1177238915-500UA.job- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-25 18:57]2010-08-09 c:\windows\Tasks\MP Scheduled Scan.job- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTMIE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTMIE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTMIE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTMLSP: c:\windows\system32\jvgrdfr.dllFF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iho3qriw.default\FF - prefs.js: browser.search.selectedEngine - GoogleFF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s=FF - prefs.js: network.proxy.http - 127.0.0.1FF - prefs.js: network.proxy.http_port - 8118FF - prefs.js: network.proxy.socks - 127.0.0.1FF - prefs.js: network.proxy.socks_port - 9050FF - prefs.js: network.proxy.ssl - 127.0.0.1FF - prefs.js: network.proxy.ssl_port - 8118FF - prefs.js: network.proxy.type - 1FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dllFF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dllFF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dllFF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll---- FIREFOX POLICIES ----FF - user.js: browser.search.selectedEngine - GoogleFF - user.js: browser.search.order.1 - GoogleFF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101047100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);..------- File Associations -------.regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1.- - - - ORPHANS REMOVED - - - -WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)HKCU-Run-Fkoqofibo - c:\windows\wpadotpt.dllHKLM-Run-Qwuyemizufa - c:\windows\ogakuwafonutuliv.dllMSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exeMSConfigStartUp-Fkoqofibo - c:\windows\wpadotpt.dllMSConfigStartUp-FreeCall - c:\program files\FreeCall.com\FreeCall\FreeCall.exeMSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\ADMINI~1\LOCALS~1\Temp\win16.exeMSConfigStartUp-jhudhrti - c:\documents and settings\Administrator\Local Settings\Application Data\cthsvwycx\lateywrtssd.exeMSConfigStartUp-jodkdbbu - c:\documents and settings\Administrator\Local Settings\Application Data\fovjyxvgr\mgssfdatssd.exeMSConfigStartUp-kqiooyhr - c:\documents and settings\Administrator\Local Settings\Application Data\txoduqrfx\poepfshtssd.exeMSConfigStartUp-mcexecwin - c:\docume~1\ADMINI~1\LOCALS~1\Temp\rctkzsj.dllMSConfigStartUp-MChk - c:\windows\system32\dvlmp.exeMSConfigStartUp-MSMSGS - c:\progra~1\MESSEN~1\Msmsgs.exeMSConfigStartUp-OTFSDMS - c:\program files\AddinForUNCFAT\UNCFATDMS.exeMSConfigStartUp-Qwuyemizufa - c:\windows\ixequyiwifa.dllMSConfigStartUp-sta - qvlmp.dllMSConfigStartUp-uiha98uiohf873yuiadnhgjesgregas - c:\docume~1\ADMINI~1\LOCALS~1\Temp\twuk0z860.exeMSConfigStartUp-xgukxzrvux - c:\xgukxzrvux.exe\xgukxzrvux.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-08-09 07:19Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.netdevice: opened successfullyuser: MBR read successfullycalled modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864C2EC5]<< kernel: MBR read successfullydetected MBR rootkit hooks:\Driver\Disk -> CLASSPNP.SYS @ 0xf78c7f28\Driver\ACPI -> ACPI.sys @ 0xf781acb8\Driver\atapi -> atapi.sys @ 0xf76ea852IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1NDIS: -> SendCompleteHandler -> 0x0 PacketIndicateHandler -> 0x0 SendHandler -> 0x0user & kernel MBR OK **************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rkyagwy].--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]@DACL=(02 0000)@="Wireless""ProcessGroupPolicy"="ProcessWIRELESSPolicy""DllName"=expand:"gptext.dll""NoUserPolicy"=dword:00000001"NoGPOListChanges"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}]@DACL=(02 0000)@="Group Policy Environment""DisplayName"=expand:"@gpprefcl.dll,-1""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Environment,Application)""GenerateGroupPolicy"="GenerateGroupPolicyEnviron""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyEnviron""ProcessGroupPolicyEx"="ProcessGroupPolicyExEnviron""ProcessGroupPolicyEx 0"=""[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}]@DACL=(02 0000)@="Group Policy Local Users and Groups""DisplayName"=expand:"@gpprefcl.dll,-2""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Local Users and Groups,Application)""GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups""ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}]@DACL=(02 0000)@="Group Policy Device Settings""DisplayName"=expand:"@gpprefcl.dll,-3""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Device Settings,Application)""GenerateGroupPolicy"="GenerateGroupPolicyDevices""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyDevices""ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]@DACL=(02 0000)@="Folder Redirection""ProcessGroupPolicyEx"="ProcessGroupPolicyEx""DllName"=expand:"fdeploy.dll""NoMachinePolicy"=dword:00000001"NoSlowLink"=dword:00000001"PerUserLocalSettings"=dword:00000001"NoGPOListChanges"=dword:00000000"NoBackgroundPolicy"=dword:00000000"GenerateGroupPolicy"="GenerateGroupPolicy""EventSources"=multi:"(Folder Redirection,Application)\00\00"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]@DACL=(02 0000)@="Microsoft Disk Quota""NoMachinePolicy"=dword:00000000"NoUserPolicy"=dword:00000001"NoSlowLink"=dword:00000001"NoBackgroundPolicy"=dword:00000001"NoGPOListChanges"=dword:00000001"PerUserLocalSettings"=dword:00000000"RequiresSuccessfulRegistry"=dword:00000001"EnableAsynchronousProcessing"=dword:00000000"DllName"=expand:"dskquota.dll""ProcessGroupPolicy"="ProcessGroupPolicy"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}]@DACL=(02 0000)@="Group Policy Network Options""DisplayName"=expand:"@gpprefcl.dll,-4""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Network Options,Application)""GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions""ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]@DACL=(02 0000)@="QoS Packet Scheduler""ProcessGroupPolicy"="ProcessPSCHEDPolicy""DllName"=expand:"gptext.dll""NoUserPolicy"=dword:00000001"NoGPOListChanges"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]@DACL=(02 0000)@="Scripts""ProcessGroupPolicy"="ProcessScriptsGroupPolicy""ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx""GenerateGroupPolicy"="GenerateScriptsGroupPolicy""DllName"=expand:"gptext.dll""NoSlowLink"=dword:00000001"NoGPOListChanges"=dword:00000001"NotifyLinkTransition"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]@DACL=(02 0000)@="Internet Explorer Zonemapping""DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll""ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap""NoGPOListChanges"=dword:00000001"RequiresSucessfulRegistry"=dword:00000001"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051""RequiresSuccessfulRegistry"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}]@DACL=(02 0000)@="Group Policy Drive Maps""DisplayName"=expand:"@gpprefcl.dll,-5""DllName"=expand:"gpprefcl.dll""EventSources"="(Group Policy Drive Maps,Application)""GenerateGroupPolicy"="GenerateGroupPolicyDrives""NoBackgroundPolicy"=dword:00000001"PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyDrives""ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}]@DACL=(02 0000)@="Group Policy Folders""DisplayName"=expand:"@gpprefcl.dll,-6""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"="""EventSources"="(Group Policy Folders,Application)""GenerateGroupPolicy"="GenerateGroupPolicyFolders""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyFolders""ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}]@DACL=(02 0000)@="Group Policy Network Shares""DisplayName"=expand:"@gpprefcl.dll,-7""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Network Shares,Application)""GenerateGroupPolicy"="GenerateGroupPolicyNetShares""NoUserPolicy"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyNetShares""ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}]@DACL=(02 0000)@="Group Policy Files""DisplayName"=expand:"@gpprefcl.dll,-8""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Files,Application)""GenerateGroupPolicy"="GenerateGroupPolicyFiles""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyFiles""ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}]@DACL=(02 0000)@="Group Policy Data Sources""DisplayName"=expand:"@gpprefcl.dll,-9""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Data Sources,Application)""GenerateGroupPolicy"="GenerateGroupPolicyDataSources""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyDataSources""ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}]@DACL=(02 0000)@="Group Policy Ini Files""DisplayName"=expand:"@gpprefcl.dll,-10""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Ini Files,Application)""GenerateGroupPolicy"="GenerateGroupPolicyIniFile""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyIniFile""ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]@DACL=(02 0000)@="Windows Search Group Policy Extension""DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll""EnableAsynchronousProcessing"=dword:00000001"NoBackgroundPolicy"=dword:00000000"NoGPOListChanges"=dword:00000001"NoMachinePolicy"=dword:00000000"NoSlowLink"=dword:00000000"NoUserPolicy"=dword:00000000"PerUserLocalSettings"=dword:00000000"ProcessGroupPolicy"="ProcessGroupPolicy""RequiresSuccessfulRegistry"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]@DACL=(02 0000)@="Internet Explorer User Accelerators""DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051""DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll""NoGPOListChanges"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyForActivities""ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx""RequiresSuccessfulRegistry"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]@DACL=(02 0000)"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO""GenerateGroupPolicy"="SceGenerateGroupPolicy""ExtensionRsopPlanningDebugLevel"=dword:00000001"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx""ExtensionDebugLevel"=dword:00000001"DllName"=expand:"scecli.dll"@="Security""NoUserPolicy"=dword:00000001"NoGPOListChanges"=dword:00000001"EnableAsynchronousProcessing"=dword:00000001"MaxNoGPOListChangesInterval"=dword:000003c0[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}]@DACL=(02 0000)@="Group Policy Services""DisplayName"=expand:"@gpprefcl.dll,-11""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Services,Application)""GenerateGroupPolicy"="GenerateGroupPolicyServices""ProcessGroupPolicy"="ProcessGroupPolicyServices""ProcessGroupPolicyEx"="ProcessGroupPolicyExServices"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]@DACL=(02 0000)"ProcessGroupPolicyEx"="ProcessGroupPolicyEx""GenerateGroupPolicy"="GenerateGroupPolicy""ProcessGroupPolicy"="ProcessGroupPolicy""DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"@="Internet Explorer Branding""NoSlowLink"=dword:00000001"NoBackgroundPolicy"=dword:00000000"NoGPOListChanges"=dword:00000001"NoMachinePolicy"=dword:00000001"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}]@DACL=(02 0000)@="Group Policy Folder Options""DisplayName"=expand:"@gpprefcl.dll,-12""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Folder Options,Application)""GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions""ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}]@DACL=(02 0000)@="Group Policy Scheduled Tasks""DisplayName"=expand:"@gpprefcl.dll,-13""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Scheduled Tasks,Application)""GenerateGroupPolicy"="GenerateGroupPolicySchedTasks""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicySchedTasks""ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}]@DACL=(02 0000)@="Group Policy Registry""DisplayName"=expand:"@gpprefcl.dll,-14""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Registry,Application)""GenerateGroupPolicy"="GenerateGroupPolicyRegistry""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyRegistry""ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]@DACL=(02 0000)"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO""DllName"=expand:"scecli.dll"@="EFS recovery""NoUserPolicy"=dword:00000001"NoGPOListChanges"=dword:00000001"RequiresSuccessfulRegistry"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]@DACL=(02 0000)@="802.3 Group Policy""DisplayName"=expand:"@dot3gpclnt.dll,-100""ProcessGroupPolicyEx"="ProcessLANPolicyEx""GenerateGroupPolicy"="GenerateLANPolicy""DllName"=expand:"dot3gpclnt.dll""NoUserPolicy"=dword:00000001"NoGPOListChanges"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}]@DACL=(02 0000)@="Group Policy Printers""DisplayName"=expand:"@gpprefcl.dll,-16""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Printers,Application)""GenerateGroupPolicy"="GenerateGroupPolicyPrinters""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyPrinters""ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}]@DACL=(02 0000)@="Group Policy Shortcuts""DisplayName"=expand:"@gpprefcl.dll,-17""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Shortcuts,Application)""GenerateGroupPolicy"="GenerateGroupPolicyShortcuts""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts""ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]@DACL=(02 0000)@="Microsoft Offline Files""DllName"=expand:"%SystemRoot%\\System32\\cscui.dll""EnableAsynchronousProcessing"=dword:00000000"NoBackgroundPolicy"=dword:00000000"NoGPOListChanges"=dword:00000000"NoMachinePolicy"=dword:00000000"NoSlowLink"=dword:00000000"NoUserPolicy"=dword:00000001"PerUserLocalSettings"=dword:00000000"ProcessGroupPolicy"="ProcessGroupPolicy""RequiresSuccessfulRegistry"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]@DACL=(02 0000)@="Software Installation""DllName"=expand:"appmgmts.dll""ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx""GenerateGroupPolicy"="GenerateGroupPolicy""NoBackgroundPolicy"=dword:00000000"RequiresSucessfulRegistry"=dword:00000000"NoSlowLink"=dword:00000001"PerUserLocalSettings"=dword:00000001"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]@DACL=(02 0000)@="Internet Explorer Machine Accelerators""DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051""DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll""NoGPOListChanges"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyForActivities""ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx""RequiresSuccessfulRegistry"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]@DACL=(02 0000)@="IP Security""ProcessGroupPolicy"="ProcessIPSECPolicy""DllName"=expand:"gptext.dll""NoUserPolicy"=dword:00000001"NoGPOListChanges"=dword:00000000[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}]@DACL=(02 0000)@="Group Policy Internet Settings""DisplayName"=expand:"@gpprefcl.dll,-18""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Internet Settings,Application)""GenerateGroupPolicy"="GenerateGroupPolicyInternet""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts""ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}]@DACL=(02 0000)@="Group Policy Start Menu Settings""DisplayName"=expand:"@gpprefcl.dll,-19""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Start Menu Settings,Application)""GenerateGroupPolicy"="GenerateGroupPolicyStartMenu""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyStartMenu""ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}]@DACL=(02 0000)@="Group Policy Regional Options""DisplayName"=expand:"@gpprefcl.dll,-20""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Regional Options,Application)""GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions""ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}]@DACL=(02 0000)@="Group Policy Power Options""DisplayName"=expand:"@gpprefcl.dll,-21""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Power Options,Application)""GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions""ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}]@DACL=(02 0000)@="Group Policy Applications""DisplayName"=expand:"@gpprefcl.dll,-15""DllName"=expand:"gpprefcl.dll""EnableAsynchronousProcessing"=dword:00000001"EventSources"="(Group Policy Applications,Application)""GenerateGroupPolicy"="GenerateGroupPolicyApplications""PerUserLocalSettings"=dword:00000001"ProcessGroupPolicy"="ProcessGroupPolicyApplications""ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]@DACL=(02 0000)"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL""Logon"="SABWINLOLogon""Logoff"="SABWINLOLogoff""Startup"="SABWINLOStartup""Shutdown"="SABWINLOShutdown""Asynchronous"=dword:00000000"Impersonate"=dword:00000000[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]@DACL=(02 0000)"Asynchronous"=dword:00000000"Impersonate"=dword:00000000"DllName"=expand:"crypt32.dll""Logoff"="ChainWlxLogoffEvent"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]@DACL=(02 0000)"Asynchronous"=dword:00000000"Impersonate"=dword:00000000"DllName"=expand:"cryptnet.dll""Logoff"="CryptnetWlxLogoffEvent"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]@DACL=(02 0000)"DLLName"="cscdll.dll""Logon"="WinlogonLogonEvent""Logoff"="WinlogonLogoffEvent""ScreenSaver"="WinlogonScreenSaverEvent""Startup"="WinlogonStartupEvent""Shutdown"="WinlogonShutdownEvent""StartShell"="WinlogonStartShellEvent""Impersonate"=dword:00000000"Asynchronous"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]@DACL=(02 0000)"Asynchronous"=dword:00000001"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll""Startup"="WlDimsStartup""Shutdown"="WlDimsShutdown""Logon"="WlDimsLogon""Logoff"="WlDimsLogoff""StartShell"="WlDimsStartShell""Lock"="WlDimsLock""Unlock"="WlDimsUnlock"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]@DACL=(02 0000)"DLLName"="wlnotify.dll""Logon"="SCardStartCertProp""Logoff"="SCardStopCertProp""Lock"="SCardSuspendCertProp""Unlock"="SCardResumeCertProp""Enabled"=dword:00000001"Impersonate"=dword:00000001"Asynchronous"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]@DACL=(02 0000)"Asynchronous"=dword:00000000"DllName"=expand:"wlnotify.dll""Impersonate"=dword:00000000"StartShell"="SchedStartShell""Logoff"="SchedEventLogOff"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]@DACL=(02 0000)"Logoff"="WLEventLogoff""Impersonate"=dword:00000000"Asynchronous"=dword:00000001"DllName"=expand:"sclgntfy.dll"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]@DACL=(02 0000)"DLLName"="WlNotify.dll""Lock"="SensLockEvent""Logon"="SensLogonEvent""Logoff"="SensLogoffEvent""Safe"=dword:00000001"MaxWait"=dword:00000258"StartScreenSaver"="SensStartScreenSaverEvent""StopScreenSaver"="SensStopScreenSaverEvent""Startup"="SensStartupEvent""Shutdown"="SensShutdownEvent""StartShell"="SensStartShellEvent""PostShell"="SensPostShellEvent""Disconnect"="SensDisconnectEvent""Reconnect"="SensReconnectEvent""Unlock"="SensUnlockEvent""Impersonate"=dword:00000001"Asynchronous"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]@DACL=(02 0000)"Asynchronous"=dword:00000000"DllName"=expand:"wlnotify.dll""Impersonate"=dword:00000000"Logoff"="TSEventLogoff""Logon"="TSEventLogon""PostShell"="TSEventPostShell""Shutdown"="TSEventShutdown""StartShell"="TSEventStartShell""Startup"="TSEventStartup""MaxWait"=dword:00000258"Reconnect"="TSEventReconnect""Disconnect"="TSEventDisconnect"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]@DACL=(02 0000)"DLLName"="wlnotify.dll""Logon"="RegisterTicketExpiredNotificationEvent""Logoff"="UnregisterTicketExpiredNotificationEvent""Impersonate"=dword:00000001"Asynchronous"=dword:00000001[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]@DACL=(02 0000)"HelpAssistant"=dword:00000000"TsInternetUser"=dword:00000000"SQLAgentCmdExec"=dword:00000000"NetShowServices"=dword:00000000"IWAM_"=dword:00010000"IUSR_"=dword:00010000"VUSR_"=dword:00010000"ASPNET"=dword:00000000.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(756)c:\windows\system32\WININET.dll- - - - - - - > 'lsass.exe'(816)c:\windows\system32\WININET.dll- - - - - - - > 'explorer.exe'(1180)c:\windows\system32\WININET.dllc:\program files\PowerMenu\PowerMenuHook.dllc:\windows\system32\msi.dllc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\nvsvc32.exec:\program files\Java\jre6\bin\jqs.exec:\program files\No-IP\DUC20.exec:\program files\Analog Devices\SoundMAX\SMAgent.exec:\program files\UPHClean\uphclean.exec:\windows\system32\SearchIndexer.exec:\program files\Microsoft ActiveSync\wcescomm.exec:\progra~1\MICROS~4\rapimgr.exec:\windows\system32\SearchProtocolHost.exec:\windows\system32\SearchFilterHost.exe.**************************************************************************.Completion time: 2010-08-09 07:25:04 - machine was rebootedComboFix-quarantined-files.txt 2010-08-09 14:24Pre-Run: 34,241,175,552 bytes freePost-Run: 34,718,134,272 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff- - End Of File - - 0990A26500E1DAC4F70433D0691D7A25 Link to post Share on other sites More sharing options...
Westablished Posted August 9, 2010 Author ID:298292 Share Posted August 9, 2010 Logfile of Trend Micro HijackThis v2.0.4Scan saved at 7:27:47 AM, on 8/9/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\No-IP\DUC20.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\system32\taskswitch.exeC:\Program Files\PowerMenu\PowerMenu.exeC:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeC:\Program Files\Microsoft ActiveSync\wcescomm.exeC:\PROGRA~1\MICROS~4\rapimgr.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\SearchProtocolHost.exeC:\Program Files\Trend Micro\HiJackThis\HiJackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exeO4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself onO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exeO4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exeO8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTMO8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTMO8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTMO8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTMO9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dllO9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dllO9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dllO9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)O10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\jvgrdfr.dllO16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265O20 - Winlogon Notify: !SASWinLogon - Invalid registry foundO22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dllO23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: UNCFAT DMS (OTFSDMS) - Unknown owner - C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe (file missing)O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 7898 bytes Link to post Share on other sites More sharing options...
Staff screen317 Posted August 10, 2010 Staff ID:298622 Share Posted August 10, 2010 Hi,I see you have Viewpoint installed...Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.ViewpointViewpoint ManagerViewpoint Media PlayerViewpoint ToolbarLet me know if you decided to uninstall it.Next, before we continue, please go to VirusTotal, and upload the following files for analysis:c:\windows\system32\jvgrdfr.dllc:\windows\Vconocubale.datc:\windows\system32\vsxrg.dllc:\windows\system32\anap.dllc:\windows\system32\mslnn.dllc:\documents and settings\Administrator\144609.BATc:\windows\system32\drivers\rkyagwy.sysc:\windows\system32\drivers\tcpip.sysNext, please update MBAM, and run a Quick Scan. Remove what is found and post its log.-screen317 Link to post Share on other sites More sharing options...
Westablished Posted August 13, 2010 Author ID:299901 Share Posted August 13, 2010 Hi,I see you have Viewpoint installed...Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.ViewpointViewpoint ManagerViewpoint Media PlayerViewpoint ToolbarLet me know if you decided to uninstall it.Next, before we continue, please go to VirusTotal, and upload the following files for analysis:c:\windows\system32\jvgrdfr.dllc:\windows\Vconocubale.datc:\windows\system32\vsxrg.dllc:\windows\system32\anap.dllc:\windows\system32\mslnn.dllc:\documents and settings\Administrator\144609.BATc:\windows\system32\drivers\rkyagwy.sysc:\windows\system32\drivers\tcpip.sysNext, please update MBAM, and run a Quick Scan. Remove what is found and post its log.-screen317Oooootay. I uninstalled Viewpoint Media Player and ran all but one file through virustotal.com. The file c:\windows\system32\drivers\rkyagwy.sys would not go through. I also ran an MBAM Quick Scan and Full Scan and removed what was found. Here are the results for both scans.Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4422Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187028/12/2010 2:15:35 PMmbam-log-2010-08-12 (14-15-35).txtScan type: Quick scanObjects scanned: 136177Time elapsed: 4 minute(s), 56 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4422Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187028/12/2010 6:10:40 PMmbam-log-2010-08-12 (18-10-40).txtScan type: Full scan (C:\|D:\|)Objects scanned: 187305Time elapsed: 30 minute(s), 37 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Qoobox\Quarantine\C\WINDOWS\wpadotpt.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{E61B02F4-AD35-4CB9-98BE-9E5EB8FBF421}\RP9\A0000633.dll (Trojan.Hiloti) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 15, 2010 Staff ID:300570 Share Posted August 15, 2010 Hi,Could you please copy and paste the results from VirusTotal here?Re-scan if need be. Link to post Share on other sites More sharing options...
Westablished Posted August 15, 2010 Author ID:300817 Share Posted August 15, 2010 Hi,Could you please copy and paste the results from VirusTotal here?Re-scan if need be.I deleted most of them based on the results of the scans. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 17, 2010 Staff ID:301679 Share Posted August 17, 2010 Which remain? It's important that I know what you deleted and what you left behind, and also what the results on the remaining ones are. Link to post Share on other sites More sharing options...
Staff screen317 Posted August 29, 2010 Staff ID:306407 Share Posted August 29, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts