
Response to I'm Infected: What do I do now?



My problem started when I noticed that Windows Security Center was being disabled (Win7 Enterprise). Google showed me how to manually start the service, which would start but be turned off again after 30 sec or so. When I try now I get, "Windows could not start the Security Center service on Local Computer. Error 2: The system cannot find the file specified."

I also noticed Windows Defender cannot start. "The Windows Defender service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs."

After more "Googling", I found the "I'm infected: What do I do now" thread and here I am.

The first quick scan I ran by Malwarebytes showed I was clean, then a full scan showed 16 issues, see below. The most recent shows I'm clean again.

As a double check I installed Avira and it found 6 files that could not be opened... see below.

I ran Defogger and disabled CD emulation, but I was never asked to reboot. I did anyway.

When I ran dds.scr, it opened in AutoCAD. I'm not sure how to prevent this, so I couldn't create the DDS.txt or Attach.txt files.

I attached the ark.txt file as ark.zip.

Thanks in advance for any help,

Cooper

FIRST MALWAREBYTES SCAN

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5755

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/13/2011 4:29:53 PM

mbam-log-2011-02-13 (16-29-53).txt

Scan type: Quick scan

Objects scanned: 143417

Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

SECOND MALWAREBYTES SCAN

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5755

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/13/2011 6:06:09 PM

mbam-log-2011-02-13 (18-06-09).txt

Scan type: Full scan (C:\|)

Objects scanned: 285576

Time elapsed: 37 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\CE8SIIFGSU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU (Trojan.Agent) -> Value: CE8SIIFGSU -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\user name\AppData\Local\Temp\Lg1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user name\AppData\Local\Google\Chrome\user data\Default\Cache\f_00061f (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user name\AppData\Local\Temp\Lg0.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user name\AppData\Local\Temp\Lg2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user name\AppData\Local\Temp\Lg3.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user name\AppData\Local\Temp\Lg4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\Lharaa.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\Lharab.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

MOST RECENT MALWAREBYTES SCAN

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5783

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/17/2011 8:46:11 AM

mbam-log-2011-02-17 (08-46-11).txt

Scan type: Quick scan

Objects scanned: 146175

Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

AVIRA REPORT

Avira AntiVir Personal

Report file date: Tuesday, February 15, 2011 18:55

Scanning for 2364983 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows 7

Windows version : (plain) [6.1.7600]

Boot mode : Safe mode with network

Username : User Name

Computer name : HP-8510P

Version information:

BUILD.DAT : 10.0.0.611 31824 Bytes 1/14/2011 13:42:00

AVSCAN.EXE : 10.0.3.5 435368 Bytes 1/10/2011 19:23:31

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04

LUKE.DLL : 10.0.3.2 104296 Bytes 1/10/2011 19:23:40

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36

VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 19:23:50

VBASE002.VDF : 7.11.0.1 2048 Bytes 12/14/2010 19:23:50

VBASE003.VDF : 7.11.0.2 2048 Bytes 12/14/2010 19:23:50

VBASE004.VDF : 7.11.0.3 2048 Bytes 12/14/2010 19:23:50

VBASE005.VDF : 7.11.0.4 2048 Bytes 12/14/2010 19:23:50

VBASE006.VDF : 7.11.0.5 2048 Bytes 12/14/2010 19:23:50

VBASE007.VDF : 7.11.0.6 2048 Bytes 12/14/2010 19:23:50

VBASE008.VDF : 7.11.0.7 2048 Bytes 12/14/2010 19:23:50

VBASE009.VDF : 7.11.0.8 2048 Bytes 12/14/2010 19:23:50

VBASE010.VDF : 7.11.0.9 2048 Bytes 12/14/2010 19:23:50

VBASE011.VDF : 7.11.0.10 2048 Bytes 12/14/2010 19:23:50

VBASE012.VDF : 7.11.0.11 2048 Bytes 12/14/2010 19:23:50

VBASE013.VDF : 7.11.0.52 128000 Bytes 12/16/2010 20:54:35

VBASE014.VDF : 7.11.0.91 226816 Bytes 12/20/2010 22:12:47

VBASE015.VDF : 7.11.0.122 136192 Bytes 12/21/2010 00:09:26

VBASE016.VDF : 7.11.0.156 122880 Bytes 12/24/2010 14:41:13

VBASE017.VDF : 7.11.0.185 146944 Bytes 12/27/2010 19:39:57

VBASE018.VDF : 7.11.0.228 132608 Bytes 12/30/2010 21:23:58

VBASE019.VDF : 7.11.1.5 148480 Bytes 1/3/2011 22:45:39

VBASE020.VDF : 7.11.1.37 156672 Bytes 1/7/2011 14:30:06

VBASE021.VDF : 7.11.1.65 140800 Bytes 1/10/2011 18:12:43

VBASE022.VDF : 7.11.1.87 225280 Bytes 1/11/2011 19:47:36

VBASE023.VDF : 7.11.1.88 2048 Bytes 1/11/2011 19:47:36

VBASE024.VDF : 7.11.1.89 2048 Bytes 1/11/2011 19:47:36

VBASE025.VDF : 7.11.1.90 2048 Bytes 1/11/2011 19:47:36

VBASE026.VDF : 7.11.1.91 2048 Bytes 1/11/2011 19:47:37

VBASE027.VDF : 7.11.1.92 2048 Bytes 1/11/2011 19:47:37

VBASE028.VDF : 7.11.1.93 2048 Bytes 1/11/2011 19:47:37

VBASE029.VDF : 7.11.1.94 2048 Bytes 1/11/2011 19:47:37

VBASE030.VDF : 7.11.1.95 2048 Bytes 1/11/2011 19:47:37

VBASE031.VDF : 7.11.1.117 94208 Bytes 1/13/2011 18:34:25

Engineversion : 8.2.4.140

AEVDF.DLL : 8.1.2.1 106868 Bytes 1/10/2011 19:23:26

AESCRIPT.DLL : 8.1.3.52 1282426 Bytes 1/6/2011 22:51:44

AESCN.DLL : 8.1.7.2 127349 Bytes 1/10/2011 19:23:26

AESBX.DLL : 8.1.3.2 254324 Bytes 1/10/2011 19:23:26

AERDL.DLL : 8.1.9.2 635252 Bytes 1/10/2011 19:23:25

AEPACK.DLL : 8.2.4.7 512375 Bytes 1/6/2011 22:51:44

AEOFFICE.DLL : 8.1.1.10 201084 Bytes 1/10/2011 19:23:25

AEHEUR.DLL : 8.1.2.64 3154294 Bytes 1/6/2011 22:51:44

AEHELP.DLL : 8.1.16.0 246136 Bytes 1/10/2011 19:23:19

AEGEN.DLL : 8.1.5.1 397683 Bytes 1/6/2011 22:51:43

AEEMU.DLL : 8.1.3.0 393589 Bytes 1/10/2011 19:23:18

AECORE.DLL : 8.1.19.0 196984 Bytes 1/10/2011 19:23:18

AEBB.DLL : 8.1.1.0 53618 Bytes 1/10/2011 19:23:18

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/10/2011 19:23:32

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/10/2011 19:23:30

AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 19:27:13

AVREG.DLL : 10.0.3.2 53096 Bytes 1/10/2011 19:23:31

AVSCPLR.DLL : 10.0.3.2 84328 Bytes 1/10/2011 19:23:31

AVARKT.DLL : 10.0.22.6 231784 Bytes 1/10/2011 19:23:27

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/10/2011 19:23:28

SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 19:27:22

AVSMTP.DLL : 10.0.0.17 63848 Bytes 1/10/2011 19:23:31

NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 19:27:21

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20

RCTEXT.DLL : 10.0.58.0 97128 Bytes 1/10/2011 19:23:52

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Tuesday, February 15, 2011 18:55

Starting search for hidden objects.

The driver could not be initialized.

The scan of running processes will be started

Scan process 'avscan.exe' - '65' Module(s) have been scanned

Scan process 'avcenter.exe' - '107' Module(s) have been scanned

Scan process 'avgnt.exe' - '68' Module(s) have been scanned

Scan process 'chrome.exe' - '57' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'chrome.exe' - '41' Module(s) have been scanned

Scan process 'chrome.exe' - '128' Module(s) have been scanned

Scan process 'ctfmon.exe' - '19' Module(s) have been scanned

Scan process 'Explorer.EXE' - '194' Module(s) have been scanned

Scan process 'svchost.exe' - '54' Module(s) have been scanned

Scan process 'svchost.exe' - '20' Module(s) have been scanned

Scan process 'svchost.exe' - '68' Module(s) have been scanned

Scan process 'svchost.exe' - '30' Module(s) have been scanned

Scan process 'svchost.exe' - '82' Module(s) have been scanned

Scan process 'svchost.exe' - '58' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'svchost.exe' - '37' Module(s) have been scanned

Scan process 'svchost.exe' - '51' Module(s) have been scanned

Scan process 'lsm.exe' - '16' Module(s) have been scanned

Scan process 'lsass.exe' - '69' Module(s) have been scanned

Scan process 'services.exe' - '33' Module(s) have been scanned

Scan process 'winlogon.exe' - '24' Module(s) have been scanned

Scan process 'csrss.exe' - '16' Module(s) have been scanned

Scan process 'wininit.exe' - '25' Module(s) have been scanned

Scan process 'csrss.exe' - '16' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

C:\Windows\System32\Wat\WatAdminSvc.exe

[WARNING] The file could not be opened!

The registry was scanned ( '420' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\Windows\System32\change9.dll

[WARNING] The file could not be opened!

C:\Windows\System32\Wat\npWatWeb.dll

[WARNING] The file could not be opened!

C:\Windows\System32\Wat\WatAdminSvc.exe

[WARNING] The file could not be opened!

C:\Windows\System32\Wat\WatUX.exe

[WARNING] The file could not be opened!

C:\Windows\System32\Wat\WatWeb.dll

[WARNING] The file could not be opened!

End of the scan: Tuesday, February 15, 2011 19:21

Used time: 26:19 Minute(s)

The scan has been done completely.

14982 Scanned directories

247301 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

6 Files cannot be scanned

247295 Files not concerned

2098 Archives were scanned

6 Warnings

0 Notes


Hello Cooper! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Try an alternative way to run DDS.

http://www.forospyware.com/sUBs/dds/

Also post the logs from GMER.


Maniac,

Thanks for your quick reply. Forgive my ignorance: I am new to Windows 7 and virus removal other than running AVG free.

When I try to open the new dds file, I get the following from Avira... "A virus or unwanted program was found." Since I know no better than to trust you, I disabled Avira guard and tried again.

I know you're going to tell me I shouldn't have used uTorrent, and I totally agree. I regret taking the advice from a friend to try it. I tried to uninstall it but it looks like there are still some .dll files around. Forgive me.

DDS FILE

DDS (Ver_10-12-12.01) - NTFSx86

Run by User Name at 10:19:51.07 on Thu 02/17/2011

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2047.988 [GMT -5:00]

SP: Spybot - Search and Destroy *Enabled/Updated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

SP: SUPERAntiSpyware *Disabled/Updated* {222A897C-5018-402e-943F-7E7AC8560DA7}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Hpservice.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\rundll32.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\AEADISRV.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Windows\system32\hasplms.exe

C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe

C:\Program Files\PC Tools Security\BDT\FGuard.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\User Name\Desktop\dds.pif

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [<NO NAME>]

mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe

mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.16.0.cab

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-2-14 239168]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-2-14 338880]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-15 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-15 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-15 61960]

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-7-16 26168]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-2-14 632792]

R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\drivers\rismc32.sys [2006-10-3 47488]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-2-13 38224]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-14 1153368]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-2-14 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-2-14 366840]

S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-2-14 1150936]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-5 1343400]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

=============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2011-02-15 23:52:00 -------- d-----w- c:\users\userna~1\appdata\roaming\Avira

2011-02-15 23:50:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-02-15 23:50:22 -------- d-----w- c:\program files\Avira

2011-02-15 23:50:22 -------- d-----w- c:\progra~2\Avira

2011-02-15 03:19:52 -------- d-----w- c:\users\userna~1\appdata\roaming\Registry Mechanic

2011-02-15 03:07:33 -------- d-----w- C:\VundoFix Backups

2011-02-14 22:31:03 -------- d-----w- c:\users\user name\DoctorWeb

2011-02-14 21:07:14 767952 ----a-w- c:\windows\BDTSupport.dll

2011-02-14 21:07:13 2000848 ----a-w- c:\windows\PCTBDCore.dll

2011-02-14 21:07:13 149456 ----a-w- c:\windows\SGDetectionTool.dll

2011-02-14 21:07:11 1533904 ----a-w- c:\windows\PCTBDRes.dll

2011-02-14 21:03:06 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2011-02-14 21:03:06 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys

2011-02-14 21:03:05 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2011-02-14 21:03:05 103232 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys

2011-02-14 21:03:01 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2011-02-14 21:03:01 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2011-02-14 21:02:57 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2011-02-14 21:02:53 -------- d-----w- c:\users\userna~1\appdata\roaming\PC Tools

2011-02-14 21:02:53 -------- d-----w- c:\program files\PC Tools Security

2011-02-14 20:55:13 880640 ----a-w- c:\windows\system32\UniBox10.ocx

2011-02-14 20:55:13 506368 ----a-w- c:\windows\system32\msxml.dll

2011-02-14 20:55:13 37336 ----a-w- c:\windows\system32\CleanMFT32.exe

2011-02-14 20:55:13 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx

2011-02-14 20:55:13 1101824 ----a-w- c:\windows\system32\UniBox210.ocx

2011-02-14 20:55:10 -------- d-----w- c:\program files\common files\PC Tools

2011-02-14 20:14:43 -------- d-----w- c:\progra~2\PC Tools

2011-02-14 20:00:26 -------- d-----w- c:\users\userna~1\appdata\roaming\SUPERAntiSpyware.com

2011-02-14 20:00:26 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com

2011-02-14 20:00:17 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-14 19:32:21 -------- d-----w- c:\windows\en

2011-02-14 19:31:07 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2011-02-14 19:28:27 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-02-14 19:25:59 -------- d-----w- c:\program files\Microsoft

2011-02-14 19:25:43 -------- d-----w- c:\program files\Bing Bar Installer

2011-02-14 19:25:41 469256 ----a-w- c:\program files\common files\windows live\.cache\f6977b811cbcc7c08\InstallManager_WLE_WLE.exe

2011-02-14 19:25:09 15712 ----a-w- c:\program files\common files\windows live\.cache\e4d56f1f1cbcc7c07\MeshBetaRemover.exe

2011-02-14 19:25:06 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2011-02-14 19:25:06 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2011-02-14 19:25:06 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2011-02-14 19:25:04 94040 ----a-w- c:\program files\common files\windows live\.cache\e18dc2bb1cbcc7c06\DSETUP.dll

2011-02-14 19:25:04 525656 ----a-w- c:\program files\common files\windows live\.cache\e18dc2bb1cbcc7c06\DXSETUP.exe

2011-02-14 19:25:04 1691480 ----a-w- c:\program files\common files\windows live\.cache\e18dc2bb1cbcc7c06\dsetup32.dll

2011-02-14 19:24:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-02-14 19:24:57 94040 ----a-w- c:\program files\common files\windows live\.cache\dc8b56b41cbcc7c05\DSETUP.dll

2011-02-14 19:24:57 525656 ----a-w- c:\program files\common files\windows live\.cache\dc8b56b41cbcc7c05\DXSETUP.exe

2011-02-14 19:24:57 1691480 ----a-w- c:\program files\common files\windows live\.cache\dc8b56b41cbcc7c05\dsetup32.dll

2011-02-14 18:28:14 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-02-14 16:04:08 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-14 16:04:08 -------- d-----w- c:\progra~2\Spybot - Search & Destroy

2011-02-13 23:20:28 -------- d-----w- c:\users\userna~1\appdata\roaming\AVG10

2011-02-13 23:18:57 -------- d--h--w- c:\progra~2\Common Files

2011-02-13 23:17:20 -------- d-----w- c:\progra~2\AVG10

2011-02-13 23:16:35 -------- d-----w- c:\program files\AVG

2011-02-13 23:12:08 -------- d-----w- c:\program files\Synaptics

2011-02-13 23:10:44 -------- d-----w- c:\progra~2\MFAData

2011-02-13 21:52:50 135168 --sha-r- c:\windows\system32\change9.dll

2011-02-13 21:25:44 -------- d-----w- c:\users\userna~1\appdata\roaming\Malwarebytes

2011-02-13 21:25:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-13 21:25:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-13 01:02:19 -------- d-----w- c:\users\userna~1\appdata\roaming\PTC

2011-02-12 05:34:58 -------- d-----w- c:\progra~2\Malwarebytes

2011-02-12 05:34:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-12 05:31:54 -------- d-----w- c:\users\userna~1\appdata\roaming\DAEMON Tools Lite

2011-02-12 05:31:54 -------- d-----w- c:\progra~2\DAEMON Tools Lite

2011-02-12 05:28:31 -------- d-----w- c:\users\userna~1\appdata\roaming\DAEMON Tools Pro

2011-02-12 05:28:31 -------- d-----w- c:\progra~2\DAEMON Tools Pro

2011-02-12 02:24:09 -------- d-----w- c:\program files\Conduit

2011-02-12 02:24:06 -------- d-----w- c:\program files\ConduitEngine

2011-02-12 02:24:02 -------- d-----w- C:\extensions

2011-02-12 02:23:00 -------- d-----w- c:\users\userna~1\appdata\roaming\uTorrent

2011-02-11 20:40:18 -------- d-----w- c:\users\userna~1\appdata\local\Adobe

2011-02-11 20:30:57 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{3c667c30-1ba8-4030-b979-a04b00e50bb9}\mpengine.dll

2011-02-09 18:36:07 -------- d-----w- c:\users\userna~1\appdata\local\LicomSystems

2011-02-09 18:35:59 -------- d-----w- c:\progra~2\Planit

2011-02-09 17:03:52 -------- d-----w- c:\program files\common files\Aladdin Shared

2011-02-09 17:03:51 4180576 ----a-w- c:\windows\system32\hasplms.exe

2011-02-09 00:23:29 -------- d-----w- c:\users\userna~1\appdata\local\PokerStars

2011-02-09 00:22:49 -------- d-----w- c:\program files\PokerStars

2011-02-09 00:10:05 -------- d-----w- c:\windows\system32\appmgmt

2011-02-08 20:44:39 -------- d-----w- c:\users\userna~1\appdata\local\Windows Live

2011-02-08 20:44:38 -------- d-----w- c:\program files\common files\Windows Live

2011-02-08 20:44:04 3181568 ----a-w- c:\windows\system32\mf.dll

2011-02-08 20:44:04 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-02-08 20:44:04 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2011-02-08 20:43:58 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys

2011-02-08 20:43:58 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2011-02-08 20:43:22 -------- d-----w- c:\program files\Analog Devices

2011-02-08 20:22:01 -------- d-----w- c:\progra~2\SafeNet Sentinel

2011-02-08 20:21:22 6656 ----a-w- c:\windows\system32\haspvdd.dll

2011-02-08 20:21:22 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys

2011-02-08 20:21:22 383 ----a-w- c:\windows\system32\haspdos.sys

2011-02-08 20:21:04 -------- d-----w- c:\program files\common files\SafeNet Sentinel

2011-02-08 20:20:23 -------- d-----w- C:\LICOMDIR

2011-02-08 20:20:08 -------- d-----w- C:\LICOMDAT

2011-02-08 20:19:18 -------- d-----w- c:\program files\ALPHAV8

2011-02-08 20:19:18 -------- d-----w- c:\progra~2\LicomSystems

2011-02-08 20:18:22 -------- d-----w- c:\program files\common files\Planit

2011-02-08 20:18:22 -------- d-----w- c:\program files\common files\Data Dynamics

2011-02-08 13:53:58 -------- d-----w- c:\windows\pss

2011-02-08 13:46:58 257024 ----a-w- c:\windows\system32\msv1_0.dll

2011-02-08 13:45:50 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2011-02-08 13:45:50 49472 ----a-w- c:\windows\system32\netfxperf.dll

2011-02-08 13:45:50 297808 ----a-w- c:\windows\system32\mscoree.dll

2011-02-08 13:45:50 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2011-02-08 13:45:50 1130824 ----a-w- c:\windows\system32\dfshim.dll

2011-02-08 13:40:48 -------- d-----w- c:\users\userna~1\appdata\local\WindowsUpdate

2011-02-08 13:40:27 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll

2011-02-08 13:40:10 190976 ----a-w- c:\windows\system32\drivers\ks.sys

2011-02-08 13:36:59 516096 ----a-w- c:\program files\windows mail\wab.exe

2011-02-08 13:36:59 37376 ----a-w- c:\windows\system32\rtutils.dll

2011-02-08 13:36:59 224256 ----a-w- c:\windows\system32\schannel.dll

2011-02-08 13:36:02 164864 ----a-w- c:\program files\windows media player\wmplayer.exe

2011-02-08 13:36:02 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2011-02-08 13:33:59 91648 ----a-w- c:\windows\system32\avifil32.dll

2011-02-08 13:33:59 84480 ----a-w- c:\windows\system32\mciavi32.dll

2011-02-08 13:33:59 50176 ----a-w- c:\windows\system32\iyuv_32.dll

2011-02-08 13:33:59 31744 ----a-w- c:\windows\system32\msvidc32.dll

2011-02-08 13:33:59 22016 ----a-w- c:\windows\system32\msyuv.dll

2011-02-08 13:33:59 13312 ----a-w- c:\windows\system32\msrle32.dll

2011-02-08 13:33:59 1328640 ----a-w- c:\windows\system32\quartz.dll

2011-02-08 13:33:59 12288 ----a-w- c:\windows\system32\tsbyuv.dll

2011-02-08 13:33:12 314368 ----a-w- c:\windows\system32\webio.dll

2011-02-08 13:33:00 70656 ----a-w- c:\windows\system32\fontsub.dll

2011-02-08 13:31:15 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-02-08 13:13:41 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll

2011-02-08 13:13:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2011-02-08 13:10:28 -------- d-----w- c:\users\userna~1\appdata\local\Microsoft Help

2011-02-08 12:47:38 -------- d-----w- c:\program files\AnswerWorks 4.0

2011-02-08 12:45:14 -------- d-----w- c:\users\userna~1\appdata\roaming\Autodesk

2011-02-08 12:45:14 -------- d-----w- c:\users\userna~1\appdata\local\Autodesk

2011-02-08 12:45:14 -------- d-----w- c:\program files\AutoCAD LT 2007

2011-02-08 12:43:58 -------- d-----w- c:\program files\common files\Autodesk Shared

2011-02-08 12:43:55 -------- d-----w- c:\program files\Autodesk

2011-02-06 21:50:33 -------- d-----w- c:\program files\Google Sketchup

2011-02-06 20:45:08 -------- d-----w- c:\program files\MSXML 4.0

2011-02-06 20:45:04 -------- d-----w- c:\program files\common files\Microsoft Games

2011-02-06 20:44:54 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2011-02-06 20:19:56 -------- d-----w- c:\windows\PCHEALTH

2011-02-06 20:19:24 -------- d-----w- c:\program files\Microsoft Games

2011-02-06 19:39:57 -------- d-----w- c:\users\userna~1\appdata\local\ElevatedDiagnostics

2011-02-06 19:39:42 -------- d-----w- c:\windows\system32\wocaffe

2011-02-06 19:39:42 -------- d-----w- c:\program files\TrueSuite

2011-02-06 19:39:42 -------- d-----w- c:\progra~2\TrueSuite

2011-02-06 19:39:39 -------- d-----w- c:\progra~2\Downloaded Installations

2011-02-06 18:33:10 -------- d-----w- c:\users\userna~1\appdata\local\Google

2011-02-06 18:33:02 -------- d-----w- c:\users\userna~1\appdata\local\Deployment

2011-02-06 18:33:02 -------- d-----w- c:\users\userna~1\appdata\local\Apps

2011-02-06 18:30:38 -------- d-----w- c:\users\userna~1\appdata\local\Diagnostics

2011-02-05 07:29:26 0 ----a-w- c:\windows\ativpsrm.bin

2011-02-05 07:26:19 -------- d-----w- c:\windows\Panther

2011-02-05 05:30:00 -------- d-----w- c:\windows\system32\Wat

2011-02-05 05:23:57 -------- d-----w- C:\hp

2011-02-05 05:14:22 -------- d-----w- c:\program files\HP

2011-02-05 05:14:08 -------- d-sh--w- c:\windows\Installer

2011-02-05 05:14:08 -------- d-----w- c:\windows\Downloaded Installations

2011-02-05 04:51:58 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-02-05 04:38:41 -------- d-----w- c:\windows\system32\wbem\Performance

==================== Find3M ====================

2011-02-05 05:30:10 409088 ----a-w- c:\windows\system32\systemcpl.dll

2011-02-05 05:29:38 811520 ----a-w- c:\windows\system32\user32.dll

2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll

2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys

2010-12-21 05:38:24 73728 ----a-w- c:\windows\system32\wscsvc.dll

2010-12-21 05:38:24 51200 ----a-w- c:\windows\system32\wscapi.dll

2010-12-21 05:38:22 981504 ----a-w- c:\windows\system32\wininet.dll

2010-12-21 05:38:22 350720 ----a-w- c:\windows\system32\winhttp.dll

2010-12-21 05:38:21 204800 ----a-w- c:\windows\system32\WebClnt.dll

2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll

2010-12-21 05:38:16 14336 ----a-w- c:\windows\system32\slwga.dll

2010-12-21 05:36:17 1389568 ----a-w- c:\windows\system32\msxml6.dll

2010-12-21 05:36:16 1236992 ----a-w- c:\windows\system32\msxml3.dll

2010-12-21 05:34:12 80384 ----a-w- c:\windows\system32\davclnt.dll

2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll

2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec

2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 10:21:26.21 ===============

ATTACH.TXT

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.01)

Microsoft Windows 7 Enterprise

Boot Device: \Device\HarddiskVolume1

Install Date: 2/5/2011 12:01:16 AM

System Uptime: 2/17/2011 9:43:43 AM (1 hours ago)

Motherboard: Hewlett-Packard | | 30C5

Processor: Intel® Core2 Duo CPU T7300 @ 2.00GHz | U10 | 2001/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 104.682 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30C5103C&REV_10\4&2E16D763&0&34F0

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30C5103C&REV_10\4&2E16D763&0&34F0

Service:

==== System Restore Points ===================

RP22: 2/12/2011 12:33:05 AM - SPTD setup V1.76

RP23: 2/12/2011 3:00:11 AM - Windows Update

RP24: 2/13/2011 11:43:40 AM - Windows Update

RP25: 2/13/2011 6:03:13 PM - Windows Update

RP26: 2/13/2011 6:16:18 PM - Installed AVG 2011

RP27: 2/13/2011 6:16:47 PM - Installed AVG 2011

RP28: 2/14/2011 12:03:21 PM - Removed AVG 2011

RP29: 2/14/2011 12:05:06 PM - Removed AVG 2011

RP30: 2/14/2011 1:27:39 PM - Windows Update

RP31: 2/14/2011 2:20:11 PM - Windows Update

RP32: 2/14/2011 2:22:35 PM - Windows Update

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Reader X

Alphacam V8

AuthenTec TrueSuite

AutoCAD LT 2007 - English

Autodesk DWF Viewer

Avira AntiVir Personal - Free Antivirus

Bing Bar

Browser Defender 3.0

Conduit Engine

D3DX10

Google Chrome

Google SketchUp Pro 8

HP Product Detection

Junk Mail filter update

Malwarebytes' Anti-Malware

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Flight Simulator X

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook 2007

Microsoft Office Outlook Connector

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

PokerStars

Registry Mechanic 10.0

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2289158)

Security Update for 2007 Microsoft Office System (KB2344875)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft Office Excel 2007 (KB2345035)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB982158)

Security Update for Microsoft Office PowerPoint Viewer (KB2413381)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Sentinel System Driver Installer 7.4.0

Spybot - Search & Destroy

Spyware Doctor 8.0

SUPERAntiSpyware

Synaptics Pointing Device Driver

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Outlook 2007 (KB2412171)

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Update for Outlook 2007 Junk Email Filter (KB2492475)

Visual Basic for Applications ® Core

Visual Basic for Applications ® Core - English

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

==== Event Viewer Messages From Past Week ========

2/17/2011 9:44:12 AM, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

2/17/2011 9:44:02 AM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter

2/17/2011 9:44:02 AM, Error: atikmdag [43029] - Display is not active

2/17/2011 9:44:01 AM, Error: atikmdag [43015] - I2c return failed

2/17/2011 9:03:29 AM, Error: Service Control Manager [7000] - The Security Center service failed to start due to the following error: The system cannot find the file specified.

2/15/2011 7:25:55 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:34:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}

2/15/2011 6:34:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

2/15/2011 6:33:47 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:31:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

2/15/2011 6:31:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

2/15/2011 6:31:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

2/15/2011 6:30:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

2/15/2011 6:23:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache SASDIFSV SASKUTIL spldr Wanarpv6

2/15/2011 6:16:52 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:13:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

2/15/2011 6:04:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

2/15/2011 6:04:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

2/15/2011 6:04:36 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr tdx Wanarpv6 WfpLwf ws2ifsl

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/15/2011 6:04:33 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

2/15/2011 6:00:44 PM, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error: The system cannot find the file specified.

2/14/2011 8:23:56 AM, Error: Service Control Manager [7000] - The Security Center service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

2/14/2011 5:21:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

2/14/2011 4:11:56 PM, Error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

2/14/2011 2:45:45 PM, Error: Service Control Manager [7030] - The Windows Defender service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

2/13/2011 5:58:07 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Certificate Propagation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/13/2011 5:56:07 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/13/2011 5:51:49 PM, Error: Service Control Manager [7023] - The SPP Notification Service service terminated with the following error: Access is denied.

==== End Of File ===========================

ARK.TXT

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2011-02-15 20:57:40

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS542516K9SA00 rev.BBCOC32P

Running: 3dxfo651.exe; Driver: C:\Users\USERNA~1\AppData\Local\Temp\pwtyipow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x88E4BF68]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x88E4C230]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x88E4C52C]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x88E4B9D8]

SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x82A0AFEC]

SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82A0AFEC] ZwCreateKey [0x82A0AFEC]

SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x82A0AFF1]

SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82A0AFF1] ZwOpenKey [0x82A0AFF1]

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 82A0AFF6

INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys 9896816D

INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys 98967FC2

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A4D589 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A72092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

.text ntkrnlpa.exe!RtlSidHashLookup + 308 82A79918 3 Bytes [EC, AF, A0]

.text ntkrnlpa.exe!RtlSidHashLookup + 32C 82A7993C 8 Bytes [68, BF, E4, 88, 30, C2, E4, ...] {PUSH 0x3088e4bf; RET 0x88e4}

.text ntkrnlpa.exe!RtlSidHashLookup + 364 82A79974 4 Bytes [2C, C5, E4, 88] {SUB AL, 0xc5; IN AL, 0x88}

.text ntkrnlpa.exe!RtlSidHashLookup + 4C8 82A79AD8 3 Bytes [F1, AF, A0]

.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82A79DC8 4 Bytes [D8, B9, E4, 88]

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x93A2E000, 0x2D5378, 0xE8000020]

.text C:\Windows\system32\DRIVERS\aksfridge.sys section is writeable [0x9898E000, 0x48E1C, 0xE0000020]

.init C:\Windows\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0x989E4224]

.init C:\Windows\system32\DRIVERS\aksfridge.sys unknown last code section [0x989E4000, 0x4000, 0xE20000E0]

.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9B235400, 0x6EB98, 0xE8000020]

.protect


Step 1

I see you are running TeaTimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

Please, uninstall the following applications:

  1. Conduit Engine
  2. Spyware Doctor 8.0

You can read how to do this here:

Step 3

Please locate and manually delete the following files:

C:\Users\User Name\appdata\roaming\AVG10

C:\ProgramData\AVG10

C:\Program Files\AVG

Step 4

Please visit www.virustotal.com and upload one by one the following files:

c:\windows\system32\change9.dll

c:\windows\system32\hasplms.exe

Please post the results in your next reply.

In your next reply, please post these log(s):

  1. VirusTotal results
  2. a new fresh DDS log only


I'm not sure I've properly deactivated TeaTimer. I followed the directions from the link, and the check box is still not there next to TeaTimer, but when I run ResetTeaTimer I see this.

ERROR: The process "TeaTimer.exe" not found.

ERROR: The process "spybotsd.exe" not found.

SPyBot and Tea Timer must be closed!!

Press any key to continue... (I did)

Finished

Press any key to continue... (and it closes)


OK, I didn't find a file named C:/WINDOWS/System32/change9.dll, but I did find C:/WINDOWS/System32/change.dll (no #9), so I uploaded that instead.

CHANGE.DLL

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: change.exe

Submission date: 2010-10-17 02:55:27 (UTC)

Current status: finished

Result: 0 /43 (0.0%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2010.10.17.00 2010.10.16 -

AntiVir 7.10.12.230 2010.10.16 -

Antiy-AVL 2.0.3.7 2010.10.17 -

Authentium 5.2.0.5 2010.10.16 -

Avast 4.8.1351.0 2010.10.16 -

Avast5 5.0.594.0 2010.10.16 -

AVG 9.0.0.851 2010.10.16 -

BitDefender 7.2 2010.10.17 -

CAT-QuickHeal 11.00 2010.10.15 -

ClamAV 0.96.2.0-git 2010.10.17 -

Comodo 6411 2010.10.17 -

DrWeb 5.0.2.03300 2010.10.17 -

Emsisoft 5.0.0.50 2010.10.16 -

eSafe 7.0.17.0 2010.10.14 -

eTrust-Vet 36.1.7914 2010.10.15 -

F-Prot 4.6.2.117 2010.10.16 -

F-Secure 9.0.16160.0 2010.10.16 -

Fortinet 4.2.249.0 2010.10.16 -

GData 21 2010.10.17 -

Ikarus T3.1.1.90.0 2010.10.16 -

Jiangmin 13.0.900 2010.10.16 -

K7AntiVirus 9.66.2760 2010.10.15 -

Kaspersky 7.0.0.125 2010.10.17 -

McAfee 5.400.0.1158 2010.10.17 -

McAfee-GW-Edition 2010.1C 2010.10.17 -

Microsoft 1.6201 2010.10.16 -

NOD32 5538 2010.10.17 -

Norman 6.06.07 2010.10.16 -

nProtect 2010-10-16.01 2010.10.16 -

Panda 10.0.2.7 2010.10.16 -

PCTools 7.0.3.5 2010.10.17 -

Prevx 3.0 2010.10.17 -

Rising 22.69.04.03 2010.10.15 -

Sophos 4.58.0 2010.10.17 -

Sunbelt 7075 2010.10.16 -

SUPERAntiSpyware 4.40.0.1006 2010.10.17 -

Symantec 20101.2.0.161 2010.10.17 -

TheHacker 6.7.0.1.058 2010.10.17 -

TrendMicro 9.120.0.1004 2010.10.16 -

TrendMicro-HouseCall 9.120.0.1004 2010.10.17 -

VBA32 3.12.14.1 2010.10.15 -

ViRobot 2010.9.25.4060 2010.10.16 -

VirusBuster 12.69.2.0 2010.10.16 -

Additional information

MD5 : 8d727301f01b70603f257fe94c655b92

SHA1 : 52fbc0ebd8610031c30380b1afc40df585c62c9f

SHA256: 59355f25b384527175d815184d28aac2d4286de00f435cadd423b0f3e3140d2d

HASPLMS.EXE

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: aksllmtp.exe

Submission date: 2010-11-29 22:50:12 (UTC)

Current status: finished

Result: 1 /43 (2.3%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2010.11.29.03 2010.11.29 -

AntiVir 7.10.14.136 2010.11.29 -

Antiy-AVL 2.0.3.7 2010.11.29 -

Avast 4.8.1351.0 2010.11.29 -

Avast5 5.0.677.0 2010.11.29 -

AVG 9.0.0.851 2010.11.29 -

BitDefender 7.2 2010.11.29 -

CAT-QuickHeal 11.00 2010.11.29 -

ClamAV 0.96.4.0 2010.11.29 -

Command 5.2.11.5 2010.11.29 -

Comodo 6893 2010.11.29 -

DrWeb 5.0.2.03300 2010.11.29 -

Emsisoft 5.0.0.50 2010.11.29 -

eSafe 7.0.17.0 2010.11.29 -

eTrust-Vet 36.1.8007 2010.11.29 -

F-Prot 4.6.2.117 2010.11.29 -

F-Secure 9.0.16160.0 2010.11.29 -

Fortinet 4.2.254.0 2010.11.29 -

GData 21 2010.11.29 -

Ikarus T3.1.1.90.0 2010.11.29 -

Jiangmin 13.0.900 2010.11.29 -

K7AntiVirus 9.69.3115 2010.11.29 -

Kaspersky 7.0.0.125 2010.11.29 -

McAfee 5.400.0.1158 2010.11.29 -

McAfee-GW-Edition 2010.1C 2010.11.29 -

Microsoft 1.6402 2010.11.29 -

NOD32 5659 2010.11.29 -

Norman 6.06.10 2010.11.29 -

nProtect 2010-11-29.01 2010.11.29 -

Panda 10.0.2.7 2010.11.29 -

PCTools 7.0.3.5 2010.11.29 -

Prevx 3.0 2010.11.29 -

Rising 22.75.06.00 2010.11.29 -

Sophos 4.60.0 2010.11.29 Sus/UnkPacker

SUPERAntiSpyware 4.40.0.1006 2010.11.29 -

Symantec 20101.2.0.161 2010.11.29 -

TheHacker 6.7.0.1.092 2010.11.29 -

TrendMicro 9.120.0.1004 2010.11.29 -

TrendMicro-HouseCall 9.120.0.1004 2010.11.29 -

VBA32 3.12.14.2 2010.11.29 -

VIPRE 7448 2010.11.29 -

ViRobot 2010.11.29.4175 2010.11.29 -

VirusBuster 13.6.66.0 2010.11.29 -

Additional information

MD5 : fd1ddb4649944d941050e9f2bb6cdb54

SHA1 : fdd0bd2b83aee73262787bcb8c6946ab2926f447

SHA256: bdd08d0fc93a71b98bbea9ef3007656c5a49bf7f6e97d161f7eaece512585c9d


DDS-2

DDS (Ver_10-12-12.01) - NTFSx86

Run by User Name at 11:46:02.66 on Thu 02/17/2011

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2047.1383 [GMT -5:00]

SP: Spybot - Search and Destroy *Enabled/Updated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

SP: SUPERAntiSpyware *Disabled/Updated* {222A897C-5018-402e-943F-7E7AC8560DA7}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Hpservice.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\rundll32.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\AEADISRV.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Windows\system32\hasplms.exe

C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\User Name\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\User Name\Desktop\dds.pif

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [<NO NAME>]

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.16.0.cab

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-15 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-15 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-15 61960]

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-7-16 26168]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-2-14 632792]

R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\drivers\rismc32.sys [2006-10-3 47488]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-14 1153368]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-2-14 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-5 1343400]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

=============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2011-02-17 16:27:40 -------- d-----w- c:\users\userna~1\appdata\local\Threat Expert

2011-02-15 23:52:00 -------- d-----w- c:\users\userna~1\appdata\roaming\Avira

2011-02-15 23:50:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-02-15 23:50:22 -------- d-----w- c:\program files\Avira

2011-02-15 23:50:22 -------- d-----w- c:\progra~2\Avira

2011-02-15 03:19:52 -------- d-----w- c:\users\userna~1\appdata\roaming\Registry Mechanic

2011-02-15 03:07:33 -------- d-----w- C:\VundoFix Backups

2011-02-14 22:31:03 -------- d-----w- c:\users\user name\DoctorWeb

2011-02-14 20:55:13 880640 ----a-w- c:\windows\system32\UniBox10.ocx

2011-02-14 20:55:13 506368 ----a-w- c:\windows\system32\msxml.dll

2011-02-14 20:55:13 37336 ----a-w- c:\windows\system32\CleanMFT32.exe

2011-02-14 20:55:13 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx

2011-02-14 20:55:13 1101824 ----a-w- c:\windows\system32\UniBox210.ocx

2011-02-14 20:55:10 -------- d-----w- c:\program files\common files\PC Tools

2011-02-14 20:14:43 -------- d-----w- c:\progra~2\PC Tools

2011-02-14 20:00:26 -------- d-----w- c:\users\userna~1\appdata\roaming\SUPERAntiSpyware.com

2011-02-14 20:00:26 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com

2011-02-14 20:00:17 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-14 19:32:21 -------- d-----w- c:\windows\en

2011-02-14 19:31:07 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2011-02-14 19:28:27 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-02-14 19:25:59 -------- d-----w- c:\program files\Microsoft

2011-02-14 19:25:43 -------- d-----w- c:\program files\Bing Bar Installer

2011-02-14 19:25:41 469256 ----a-w- c:\program files\common files\windows live\.cache\f6977b811cbcc7c08\InstallManager_WLE_WLE.exe

2011-02-14 19:25:09 15712 ----a-w- c:\program files\common files\windows live\.cache\e4d56f1f1cbcc7c07\MeshBetaRemover.exe

2011-02-14 19:25:06 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2011-02-14 19:25:06 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2011-02-14 19:25:06 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2011-02-14 19:25:04 94040 ----a-w- c:\program files\common files\windows live\.cache\e18dc2bb1cbcc7c06\DSETUP.dll

2011-02-14 19:25:04 525656 ----a-w- c:\program files\common files\windows live\.cache\e18dc2bb1cbcc7c06\DXSETUP.exe

2011-02-14 19:25:04 1691480 ----a-w- c:\program files\common files\windows live\.cache\e18dc2bb1cbcc7c06\dsetup32.dll

2011-02-14 19:24:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-02-14 19:24:57 94040 ----a-w- c:\program files\common files\windows live\.cache\dc8b56b41cbcc7c05\DSETUP.dll

2011-02-14 19:24:57 525656 ----a-w- c:\program files\common files\windows live\.cache\dc8b56b41cbcc7c05\DXSETUP.exe

2011-02-14 19:24:57 1691480 ----a-w- c:\program files\common files\windows live\.cache\dc8b56b41cbcc7c05\dsetup32.dll

2011-02-14 18:28:14 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-02-14 16:04:08 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-14 16:04:08 -------- d-----w- c:\progra~2\Spybot - Search & Destroy

2011-02-13 23:18:57 -------- d--h--w- c:\progra~2\Common Files

2011-02-13 23:12:08 -------- d-----w- c:\program files\Synaptics

2011-02-13 23:10:44 -------- d-----w- c:\progra~2\MFAData

2011-02-13 21:52:50 135168 --sha-r- c:\windows\system32\change9.dll

2011-02-13 21:25:44 -------- d-----w- c:\users\userna~1\appdata\roaming\Malwarebytes

2011-02-13 21:25:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-13 21:25:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-13 01:02:19 -------- d-----w- c:\users\userna~1\appdata\roaming\PTC

2011-02-12 05:34:58 -------- d-----w- c:\progra~2\Malwarebytes

2011-02-12 05:34:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-12 05:31:54 -------- d-----w- c:\users\userna~1\appdata\roaming\DAEMON Tools Lite

2011-02-12 05:31:54 -------- d-----w- c:\progra~2\DAEMON Tools Lite

2011-02-12 05:28:31 -------- d-----w- c:\users\userna~1\appdata\roaming\DAEMON Tools Pro

2011-02-12 05:28:31 -------- d-----w- c:\progra~2\DAEMON Tools Pro

2011-02-12 02:24:02 -------- d-----w- C:\extensions

2011-02-12 02:23:00 -------- d-----w- c:\users\userna~1\appdata\roaming\uTorrent

2011-02-11 20:40:18 -------- d-----w- c:\users\userna~1\appdata\local\Adobe

2011-02-11 20:30:57 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{3c667c30-1ba8-4030-b979-a04b00e50bb9}\mpengine.dll

2011-02-09 18:36:07 -------- d-----w- c:\users\userna~1\appdata\local\LicomSystems

2011-02-09 18:35:59 -------- d-----w- c:\progra~2\Planit

2011-02-09 17:03:52 -------- d-----w- c:\program files\common files\Aladdin Shared

2011-02-09 17:03:51 4180576 ----a-w- c:\windows\system32\hasplms.exe

2011-02-09 00:23:29 -------- d-----w- c:\users\userna~1\appdata\local\PokerStars

2011-02-09 00:22:49 -------- d-----w- c:\program files\PokerStars

2011-02-09 00:10:05 -------- d-----w- c:\windows\system32\appmgmt

2011-02-08 20:44:39 -------- d-----w- c:\users\userna~1\appdata\local\Windows Live

2011-02-08 20:44:38 -------- d-----w- c:\program files\common files\Windows Live

2011-02-08 20:44:04 3181568 ----a-w- c:\windows\system32\mf.dll

2011-02-08 20:44:04 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-02-08 20:44:04 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2011-02-08 20:43:58 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys

2011-02-08 20:43:58 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2011-02-08 20:43:22 -------- d-----w- c:\program files\Analog Devices

2011-02-08 20:22:01 -------- d-----w- c:\progra~2\SafeNet Sentinel

2011-02-08 20:21:22 6656 ----a-w- c:\windows\system32\haspvdd.dll

2011-02-08 20:21:22 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys

2011-02-08 20:21:22 383 ----a-w- c:\windows\system32\haspdos.sys

2011-02-08 20:21:04 -------- d-----w- c:\program files\common files\SafeNet Sentinel

2011-02-08 20:20:23 -------- d-----w- C:\LICOMDIR

2011-02-08 20:20:08 -------- d-----w- C:\LICOMDAT

2011-02-08 20:19:18 -------- d-----w- c:\program files\ALPHAV8

2011-02-08 20:19:18 -------- d-----w- c:\progra~2\LicomSystems

2011-02-08 20:18:22 -------- d-----w- c:\program files\common files\Planit

2011-02-08 20:18:22 -------- d-----w- c:\program files\common files\Data Dynamics

2011-02-08 13:53:58 -------- d-----w- c:\windows\pss

2011-02-08 13:46:58 257024 ----a-w- c:\windows\system32\msv1_0.dll

2011-02-08 13:45:50 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2011-02-08 13:45:50 49472 ----a-w- c:\windows\system32\netfxperf.dll

2011-02-08 13:45:50 297808 ----a-w- c:\windows\system32\mscoree.dll

2011-02-08 13:45:50 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2011-02-08 13:45:50 1130824 ----a-w- c:\windows\system32\dfshim.dll

2011-02-08 13:40:48 -------- d-----w- c:\users\userna~1\appdata\local\WindowsUpdate

2011-02-08 13:40:27 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll

2011-02-08 13:40:10 190976 ----a-w- c:\windows\system32\drivers\ks.sys

2011-02-08 13:36:59 516096 ----a-w- c:\program files\windows mail\wab.exe

2011-02-08 13:36:59 37376 ----a-w- c:\windows\system32\rtutils.dll

2011-02-08 13:36:59 224256 ----a-w- c:\windows\system32\schannel.dll

2011-02-08 13:36:02 164864 ----a-w- c:\program files\windows media player\wmplayer.exe

2011-02-08 13:36:02 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2011-02-08 13:33:59 91648 ----a-w- c:\windows\system32\avifil32.dll

2011-02-08 13:33:59 84480 ----a-w- c:\windows\system32\mciavi32.dll

2011-02-08 13:33:59 50176 ----a-w- c:\windows\system32\iyuv_32.dll

2011-02-08 13:33:59 31744 ----a-w- c:\windows\system32\msvidc32.dll

2011-02-08 13:33:59 22016 ----a-w- c:\windows\system32\msyuv.dll

2011-02-08 13:33:59 13312 ----a-w- c:\windows\system32\msrle32.dll

2011-02-08 13:33:59 1328640 ----a-w- c:\windows\system32\quartz.dll

2011-02-08 13:33:59 12288 ----a-w- c:\windows\system32\tsbyuv.dll

2011-02-08 13:33:12 314368 ----a-w- c:\windows\system32\webio.dll

2011-02-08 13:33:00 70656 ----a-w- c:\windows\system32\fontsub.dll

2011-02-08 13:31:15 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-02-08 13:13:41 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll

2011-02-08 13:13:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2011-02-08 13:10:28 -------- d-----w- c:\users\userna~1\appdata\local\Microsoft Help

2011-02-08 12:47:38 -------- d-----w- c:\program files\AnswerWorks 4.0

2011-02-08 12:45:14 -------- d-----w- c:\users\userna~1\appdata\roaming\Autodesk

2011-02-08 12:45:14 -------- d-----w- c:\users\userna~1\appdata\local\Autodesk

2011-02-08 12:45:14 -------- d-----w- c:\program files\AutoCAD LT 2007

2011-02-08 12:43:58 -------- d-----w- c:\program files\common files\Autodesk Shared

2011-02-08 12:43:55 -------- d-----w- c:\program files\Autodesk

2011-02-06 21:50:33 -------- d-----w- c:\program files\Google Sketchup

2011-02-06 20:45:08 -------- d-----w- c:\program files\MSXML 4.0

2011-02-06 20:45:04 -------- d-----w- c:\program files\common files\Microsoft Games

2011-02-06 20:44:54 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2011-02-06 20:19:56 -------- d-----w- c:\windows\PCHEALTH

2011-02-06 20:19:24 -------- d-----w- c:\program files\Microsoft Games

2011-02-06 19:39:57 -------- d-----w- c:\users\userna~1\appdata\local\ElevatedDiagnostics

2011-02-06 19:39:42 -------- d-----w- c:\windows\system32\wocaffe

2011-02-06 19:39:42 -------- d-----w- c:\program files\TrueSuite

2011-02-06 19:39:42 -------- d-----w- c:\progra~2\TrueSuite

2011-02-06 19:39:39 -------- d-----w- c:\progra~2\Downloaded Installations

2011-02-06 18:33:10 -------- d-----w- c:\users\userna~1\appdata\local\Google

2011-02-06 18:33:02 -------- d-----w- c:\users\userna~1\appdata\local\Deployment

2011-02-06 18:33:02 -------- d-----w- c:\users\userna~1\appdata\local\Apps

2011-02-06 18:30:38 -------- d-----w- c:\users\userna~1\appdata\local\Diagnostics

2011-02-05 07:29:26 0 ----a-w- c:\windows\ativpsrm.bin

2011-02-05 07:26:19 -------- d-----w- c:\windows\Panther

2011-02-05 05:30:00 -------- d-----w- c:\windows\system32\Wat

2011-02-05 05:23:57 -------- d-----w- C:\hp

2011-02-05 05:14:22 -------- d-----w- c:\program files\HP

2011-02-05 05:14:08 -------- d-sh--w- c:\windows\Installer

2011-02-05 05:14:08 -------- d-----w- c:\windows\Downloaded Installations

2011-02-05 04:51:58 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-02-05 04:38:41 -------- d-----w- c:\windows\system32\wbem\Performance

==================== Find3M ====================

2011-02-05 05:30:10 409088 ----a-w- c:\windows\system32\systemcpl.dll

2011-02-05 05:29:38 811520 ----a-w- c:\windows\system32\user32.dll

2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll

2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys

2010-12-21 05:38:24 73728 ----a-w- c:\windows\system32\wscsvc.dll

2010-12-21 05:38:24 51200 ----a-w- c:\windows\system32\wscapi.dll

2010-12-21 05:38:22 981504 ----a-w- c:\windows\system32\wininet.dll

2010-12-21 05:38:22 350720 ----a-w- c:\windows\system32\winhttp.dll

2010-12-21 05:38:21 204800 ----a-w- c:\windows\system32\WebClnt.dll

2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll

2010-12-21 05:38:16 14336 ----a-w- c:\windows\system32\slwga.dll

2010-12-21 05:36:17 1389568 ----a-w- c:\windows\system32\msxml6.dll

2010-12-21 05:36:16 1236992 ----a-w- c:\windows\system32\msxml3.dll

2010-12-21 05:34:12 80384 ----a-w- c:\windows\system32\davclnt.dll

2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll

2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec

2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 11:47:00.99 ===============


Sorry, but what are these scanned files?

I want:

c:\windows\system32\change9.dll

c:\windows\system32\hasplms.exe

You posted:

File name: change.exe

File name: aksllmtp.exe

I don't need them!

If you can't find it, be sure that you can see hidden files and folders:

http://windows.microsoft.com/en-US/windows7/Show-hidden-files

Then try again.


I'm sorry Maniac, I don't mean to make it difficult.

I still can't find change9.dll. I turned on "show hidden files, folders and drives". I attached a pic of what I see. Am I doing something else wrong?

I thought I had the hasplms.exe file chosen when I ran that one. Guess not. Here's what that one gave me.

Do you need another dds.txt?


File name: hasplms.exe

Submission date: 2011-02-17 16:41:50 (UTC)

Current status: finished

Result: 0 /43 (0.0%)


Antivirus Version Last Update Result

AhnLab-V3 2011.02.14.02 2011.02.14 -

AntiVir 7.11.3.127 2011.02.17 -

Antiy-AVL 2.0.3.7 2011.02.17 -

Avast 4.8.1351.0 2011.02.17 -

Avast5 5.0.677.0 2011.02.17 -

AVG 10.0.0.1190 2011.02.17 -

BitDefender 7.2 2011.02.17 -

CAT-QuickHeal 11.00 2011.02.17 -

ClamAV 0.96.4.0 2011.02.17 -

Commtouch 5.2.11.5 2011.02.17 -

Comodo 7722 2011.02.17 -

DrWeb 5.0.2.03300 2011.02.17 -

Emsisoft 5.1.0.2 2011.02.17 -

eSafe 7.0.17.0 2011.02.16 -

eTrust-Vet 36.1.8165 2011.02.17 -

F-Prot 4.6.2.117 2011.02.17 -

F-Secure 9.0.16160.0 2011.02.17 -

Fortinet 4.2.254.0 2011.02.17 -

GData 21 2011.02.17 -

Ikarus T3.1.1.97.0 2011.02.17 -

Jiangmin 13.0.900 2011.02.17 -

K7AntiVirus 9.86.3882 2011.02.17 -

Kaspersky 7.0.0.125 2011.02.17 -

McAfee 5.400.0.1158 2011.02.17 -

McAfee-GW-Edition 2010.1C 2011.02.17 -

Microsoft 1.6502 2011.02.17 -

NOD32 5883 2011.02.17 -

Norman 6.07.03 2011.02.17 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.02.17 -

PCTools 7.0.3.5 2011.02.17 -

Prevx 3.0 2011.02.17 -

Rising 23.45.03.06 2011.02.17 -

Sophos 4.61.0 2011.02.17 -

SUPERAntiSpyware 4.40.0.1006 2011.02.17 -

Symantec 20101.3.0.103 2011.02.17 -

TheHacker 6.7.0.1.132 2011.02.17 -

TrendMicro 9.200.0.1012 2011.02.17 -

TrendMicro-HouseCall 9.200.0.1012 2011.02.15 -

VBA32 3.12.14.3 2011.02.17 -

VIPRE 8452 2011.02.17 -

ViRobot 2011.2.17.4315 2011.02.17 -

VirusBuster 13.6.206.0 2011.02.17 -

Additional information

MD5 : fd1ddb4649944d941050e9f2bb6cdb54

SHA1 : fdd0bd2b83aee73262787bcb8c6946ab2926f447

SHA256: bdd08d0fc93a71b98bbea9ef3007656c5a49bf7f6e97d161f7eaece512585c9d



I still can't find change9.dll. I turned on "show hidden files, folders and drives". I attached a pic of what I see. Am I doing something else wrong?

It's hidden, don't worry about that.

Do you need another dds.txt?

It's okay. Thanks!

  1. Please download the Suspicious File Packer (by Safer Networking Limited) and unzip it to your desktop.
  2. Run sfp.exe
  3. Copy the following line from the code box into the SFP window:
    c:\windows\system32\change9.dll


  4. Allow SFP to pack the file; a CAB archive will then be generated on your desktop.

Next, please upload the archive here:

http://forums.malwarebytes.org/index.php?showforum=51

But first read the rules:

http://forums.malwarebytes.org/index.php?showtopic=31067
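Why the file stays invisible even with hidden files enabled: the DDS entry above lists change9.dll with attributes --sha-r- (system, hidden, read-only), and Explorer only shows objects that are both System and Hidden once "Hide protected operating system files" is unchecked too. As an added example (not from this thread, DDS or ComboFix), here is a small Python parser over DDS "Created Last 30" lines that models that Explorer behaviour and flags such entries; the sample lines are copied from the log above and the triage heuristics are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: "Created Last 30" lines copied from the DDS log posted in
# this thread. Fields: date, time, size (-------- for a directory), attrs, path.
SAMPLE_DDS = r"""
=============== Created Last 30 ================
2011-02-15 23:50:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-14 18:28:14 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-02-13 23:18:57 -------- d--h--w- c:\progra~2\Common Files
2011-02-13 21:52:50 135168 --sha-r- c:\windows\system32\change9.dll
2011-02-05 04:51:58 222080 ------w- c:\windows\system32\MpSigStub.exe
"""

# Attribute letters as DDS prints them: d=directory, c=compressed, s=system,
# h=hidden, a=archive, r=read-only / w=writable, '-' = not set.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# A path segment that is a literal, unexpanded variable name such as %APPDATA%
ENV_VAR_SEGMENT = re.compile(r"\\%[^\\%]+%(\\|$)")
SYS32 = "c:\\windows\\system32\\"


@dataclass
class DdsEntry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def readonly(self) -> bool:
        return "r" in self.attrs


def parse_dds_created(text: str) -> List[DdsEntry]:
    """Parse the entry lines of a DDS 'Created Last 30' or 'Find3M' section,
    skipping section headers and blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(DdsEntry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def explorer_shows(entry: DdsEntry, show_hidden: bool = True,
                   show_protected_os_files: bool = False) -> bool:
    """Whether Windows Explorer lists this entry under the given folder options.
    'Show hidden files' alone does not reveal an object carrying both the System
    and Hidden attributes; 'Hide protected operating system files' must also be
    unchecked. That is why change9.dll stayed invisible in the thread above."""
    if entry.hidden and not show_hidden:
        return False
    if entry.hidden and entry.system and not show_protected_os_files:
        return False
    return True


def flag_entry(entry: DdsEntry) -> List[str]:
    """Triage heuristics (my own, not DDS rules): reasons this entry deserves a
    closer look, or an empty list."""
    reasons = []
    in_system32 = entry.path.lower().startswith(SYS32)
    if in_system32 and entry.system and entry.hidden:
        reasons.append("system+hidden object in system32: not listed by Explorer "
                       "unless protected OS files are shown")
    if ENV_VAR_SEGMENT.search(entry.path):
        reasons.append("literal environment-variable name used as a directory name")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every flagged entry, in log order."""
    flagged = []
    for entry in parse_dds_created(text):
        reasons = flag_entry(entry)
        if reasons:
            flagged.append((entry.path, reasons))
    return flagged
```

Running triage(SAMPLE_DDS) flags the %APPDATA% directory and change9.dll and leaves the Avira driver and MpSigStub.exe alone.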


Oh, today is not my day...

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


So I ran ComboFix and got a report, below. After the scan and without any input my PC asked me to insert the CD to install AutoCAD. Does it have a script blocker I should have disabled?

Also, without my input PC Tools Registry Mechanic ran a scan and found 1562 registry errors. I didn't realize I still had this program, and it's not registered so it can't make any changes.

Thanks for helping.

ComboFix 11-02-17.01 - User Name 02/17/2011 18:54:38.1.2 - x86

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2047.1335 [GMT -5:00]

Running from: c:\users\User Name\Desktop\Combo-Fix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\Desktop

.

((((((((((((((((((((((((( Files Created from 2011-01-17 to 2011-02-17 )))))))))))))))))))))))))))))))

.

2011-02-17 23:58 . 2011-02-17 23:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-02-15 23:50 . 2011-01-10 19:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-02-15 23:50 . 2011-01-10 19:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-02-15 23:50 . 2011-02-15 23:50 -------- d-----w- c:\programdata\Avira

2011-02-15 23:50 . 2011-02-15 23:50 -------- d-----w- c:\program files\Avira

2011-02-15 03:07 . 2011-02-15 03:07 -------- d-----w- C:\VundoFix Backups

2011-02-14 20:55 . 2010-09-16 17:26 37336 ----a-w- c:\windows\system32\CleanMFT32.exe

2011-02-14 20:55 . 2008-04-02 21:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx

2011-02-14 20:55 . 2008-04-02 21:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx

2011-02-14 20:55 . 2008-04-02 21:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx

2011-02-14 20:55 . 2004-08-04 13:00 506368 ----a-w- c:\windows\system32\msxml.dll

2011-02-14 20:55 . 2011-02-17 16:33 -------- d-----w- c:\program files\Common Files\PC Tools

2011-02-14 20:14 . 2011-02-17 16:29 -------- d-----w- c:\programdata\PC Tools

2011-02-14 20:00 . 2011-02-14 20:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-02-14 20:00 . 2011-02-14 21:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-14 19:32 . 2011-02-14 19:32 -------- d-----w- c:\windows\en

2011-02-14 19:31 . 2011-02-14 19:31 -------- dc----w- c:\windows\system32\DRVSTORE

2011-02-14 19:31 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2011-02-14 19:28 . 2011-02-14 19:28 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-02-14 19:26 . 2011-02-14 19:33 -------- d-----w- c:\program files\Windows Live

2011-02-14 19:25 . 2011-02-14 20:11 -------- d-----w- c:\program files\Microsoft

2011-02-14 19:25 . 2011-02-14 19:26 -------- d-----w- c:\program files\Bing Bar Installer

2011-02-14 19:25 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2011-02-14 19:25 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2011-02-14 19:25 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2011-02-14 19:24 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-02-14 18:28 . 2011-02-14 18:28 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-02-14 16:04 . 2011-02-14 17:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-02-14 16:04 . 2011-02-14 16:15 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-13 23:18 . 2011-02-13 23:18 -------- d--h--w- c:\programdata\Common Files

2011-02-13 23:12 . 2011-02-13 23:12 -------- d-----w- c:\program files\Synaptics

2011-02-13 23:10 . 2011-02-13 23:16 -------- d-----w- c:\programdata\MFAData

2011-02-13 23:10 . 2011-02-14 20:58 -------- d-----w- c:\program files\Microsoft Silverlight

2011-02-13 21:52 . 2011-02-13 21:52 135168 --sha-r- c:\windows\system32\change9.dll

2011-02-13 21:25 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-13 21:25 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-12 05:34 . 2011-02-12 05:34 -------- d-----w- c:\programdata\Malwarebytes

2011-02-12 05:34 . 2011-02-15 23:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-12 05:31 . 2011-02-12 05:31 -------- d-----w- c:\programdata\DAEMON Tools Lite

2011-02-12 05:28 . 2011-02-12 05:28 -------- d-----w- c:\programdata\DAEMON Tools Pro

2011-02-12 02:24 . 2011-02-12 02:24 -------- d-----w- C:\extensions

2011-02-11 20:30 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C667C30-1BA8-4030-B979-A04B00E50BB9}\mpengine.dll

2011-02-10 22:01 . 2011-02-10 22:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2011-02-09 18:35 . 2011-02-09 18:35 -------- d-----w- c:\programdata\Planit

2011-02-09 17:03 . 2011-02-09 17:03 -------- d-----w- c:\program files\Common Files\Aladdin Shared

2011-02-09 17:03 . 2010-09-27 21:42 4180576 ----a-w- c:\windows\system32\hasplms.exe

2011-02-09 00:22 . 2011-02-09 00:44 -------- d-----w- c:\program files\PokerStars

2011-02-08 20:44 . 2011-02-08 20:44 -------- d-----w- c:\program files\Common Files\Windows Live

2011-02-08 20:44 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2011-02-08 20:44 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-02-08 20:44 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll

2011-02-08 20:43 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2011-02-08 20:43 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys

2011-02-08 20:43 . 2011-02-08 20:43 -------- d-----w- c:\program files\Analog Devices

2011-02-08 20:22 . 2011-02-08 20:22 -------- d-----w- c:\programdata\SafeNet Sentinel

2011-02-08 20:21 . 2011-02-08 20:21 6656 ----a-w- c:\windows\system32\haspvdd.dll

2011-02-08 20:21 . 2011-02-08 20:21 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys

2011-02-08 20:21 . 2011-02-08 20:21 383 ----a-w- c:\windows\system32\haspdos.sys

2011-02-08 20:21 . 2011-02-08 20:21 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel

2011-02-08 20:20 . 2011-02-08 20:20 -------- d-----w- C:\LICOMDIR

2011-02-08 20:20 . 2011-02-13 00:38 -------- d-----w- C:\LICOMDAT

2011-02-08 20:19 . 2011-02-09 18:33 -------- d-----w- c:\program files\ALPHAV8

2011-02-08 20:19 . 2011-02-08 20:19 -------- d-----w- c:\programdata\LicomSystems

2011-02-08 20:18 . 2011-02-08 20:18 -------- d-----w- c:\program files\Common Files\Planit

2011-02-08 20:18 . 2011-02-08 20:18 -------- d-----w- c:\program files\Common Files\Data Dynamics

2011-02-08 13:46 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll

2011-02-08 13:45 . 2009-11-25 17:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2011-02-08 13:45 . 2009-11-25 17:47 49472 ----a-w- c:\windows\system32\netfxperf.dll

2011-02-08 13:45 . 2009-11-25 17:47 297808 ----a-w- c:\windows\system32\mscoree.dll

2011-02-08 13:45 . 2009-11-25 17:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2011-02-08 13:45 . 2009-11-25 17:47 1130824 ----a-w- c:\windows\system32\dfshim.dll

2011-02-08 13:40 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys

2011-02-08 13:36 . 2010-10-12 04:25 516096 ----a-w- c:\program files\Windows Mail\wab.exe

2011-02-08 13:36 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll

2011-02-08 13:36 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll

2011-02-08 13:36 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe

2011-02-08 13:36 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2011-02-08 13:33 . 2009-12-19 09:02 12288 ----a-w- c:\windows\system32\tsbyuv.dll

2011-02-08 13:33 . 2009-12-19 09:02 1328640 ----a-w- c:\windows\system32\quartz.dll

2011-02-08 13:33 . 2009-12-19 09:02 22016 ----a-w- c:\windows\system32\msyuv.dll

2011-02-08 13:33 . 2009-12-19 09:02 31744 ----a-w- c:\windows\system32\msvidc32.dll

2011-02-08 13:33 . 2009-12-19 09:02 13312 ----a-w- c:\windows\system32\msrle32.dll

2011-02-08 13:33 . 2009-12-19 09:02 84480 ----a-w- c:\windows\system32\mciavi32.dll

2011-02-08 13:33 . 2009-12-19 09:02 50176 ----a-w- c:\windows\system32\iyuv_32.dll

2011-02-08 13:33 . 2009-12-19 09:02 91648 ----a-w- c:\windows\system32\avifil32.dll

2011-02-08 13:33 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll

2011-02-08 13:33 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll

2011-02-08 13:31 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-02-08 13:13 . 2008-11-10 16:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2011-02-08 13:13 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll

2011-02-08 13:13 . 2011-02-13 16:46 -------- d-----w- c:\program files\Microsoft Works

2011-02-08 13:10 . 2011-02-13 23:12 -------- d-----w- c:\programdata\Microsoft Help

2011-02-08 13:10 . 2011-02-08 13:10 -------- d-----r- C:\MSOCache

2011-02-08 12:58 . 2011-02-08 12:58 -------- d-----w- c:\program files\Common Files\Adobe

2011-02-08 12:47 . 2011-02-08 12:48 -------- d-----w- c:\program files\AnswerWorks 4.0

2011-02-08 12:45 . 2011-02-08 13:01 -------- d-----w- c:\program files\AutoCAD LT 2007

2011-02-08 12:45 . 2011-02-08 12:57 -------- d-----w- c:\programdata\Autodesk

2011-02-08 12:43 . 2011-02-08 12:48 -------- d-----w- c:\program files\Common Files\Autodesk Shared

2011-02-08 12:43 . 2011-02-08 12:43 -------- d-----w- c:\program files\Autodesk

2011-02-06 21:52 . 2011-02-06 21:52 -------- d-----w- c:\program files\Google

2011-02-06 21:50 . 2011-02-06 21:55 -------- d-----w- c:\program files\Google Sketchup

2011-02-06 20:45 . 2011-02-08 20:19 -------- d-----w- c:\program files\InstallShield Installation Information

2011-02-06 20:45 . 2011-02-06 20:45 -------- d-----w- c:\program files\MSXML 4.0

2011-02-06 20:45 . 2011-02-06 20:45 -------- d-----w- c:\program files\Common Files\Microsoft Games

2011-02-06 20:44 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2011-02-06 20:19 . 2011-02-06 20:19 -------- d-----w- c:\windows\PCHEALTH

2011-02-06 20:19 . 2011-02-06 20:19 -------- d-----w- c:\program files\Microsoft Games

2011-02-06 20:17 . 2011-02-06 20:17 -------- d-----w- c:\program files\Common Files\InstallShield

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\windows\system32\wocaffe

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\programdata\TrueSuite

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\program files\TrueSuite

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\programdata\Downloaded Installations

2011-02-05 17:07 . 2011-02-05 17:07 -------- d-----w- c:\windows\system32\Macromed

2011-02-05 07:29 . 2011-02-05 07:29 0 ----a-w- c:\windows\ativpsrm.bin

2011-02-05 07:26 . 2011-02-05 05:01 -------- d-----w- c:\windows\Panther

2011-02-05 05:30 . 2011-02-05 05:30 -------- d-----w- c:\windows\system32\Wat

2011-02-05 05:23 . 2011-02-05 05:23 -------- d-----w- C:\hp

2011-02-05 05:14 . 2011-02-05 05:14 -------- d-----w- c:\program files\HP

2011-02-05 05:14 . 2011-02-14 20:11 -------- d-sh--w- c:\windows\Installer

2011-02-05 05:14 . 2011-02-08 20:21 -------- d-----w- c:\windows\Downloaded Installations

2011-02-05 05:01 . 2011-02-16 01:19 -------- d-----w- c:\users\User Name

2011-02-05 05:01 . 2011-02-05 05:01 -------- d-----w- C:\Recovery

2011-02-05 04:51 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-02-05 04:38 . 2011-02-17 23:33 -------- d-----w- c:\windows\system32\wbem\Performance

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-05 05:30 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll

2011-02-05 05:29 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll

.

------- Sigcheck -------

[-] 2011-02-05 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll

[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-11-15 112600]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk

backup=c:\windows\pss\AutoCAD LT Startup Accelerator.lnk.CommonStartup

backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-11-10 17:49 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2011-02-06 18:46 136176 ----atw- c:\users\User Name\AppData\Local\Google\Update\GoogleUpdate.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-05 1343400]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]

S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe [2010-09-27 4180576]

S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]

S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-10-01 632792]

S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

.

Contents of the 'Scheduled Tasks' folder

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3410129240-2000560810-1667141114-1000Core.job

- c:\users\User Name\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-06 18:46]

2011-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3410129240-2000560810-1667141114-1000UA.job

- c:\users\User Name\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-06 18:46]

2011-02-15 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-02-14 22:05]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

.

------- File Associations -------

.

.scr=AutoCADLTScriptFile

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTor.dll

BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTor.dll

Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTor.dll

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\uTorrentBar\tbuTor.dll

MSConfigStartUp-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-02-17 19:01:24

ComboFix-quarantined-files.txt 2011-02-18 00:01

Pre-Run: 113,263,976,448 bytes free

Post-Run: 112,791,814,144 bytes free

- - End Of File - - DDF353FC9743E6052D60C2E18C3048AC


Also, without my input PC Tools Registry Mechanic ran a scan and found 1562 registry errors. I didn't realize I still had this program, and it's not registered so it can't make any changes.

Cooper, I seriously recommend you uninstall all registry cleaners, especially Registry Mechanic. Why? Here you go:

http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

Now:

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=75682

Collect::[8]
c:\windows\system32\change9.dll

Fcopy::
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll | c:\windows\System32\user32.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

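The script above acts on two findings from the log: a hidden system DLL created in system32 (change9.dll) and a user32.dll whose Sigcheck MD5 differs from the copy in winsxs. As an added example, not part of this thread or of ComboFix, here is a small Python triage helper that parses those two ComboFix log sections and reports exactly those conditions; it assumes the line formats shown in the log above and reads the attribute column as eight flag characters ('d' directory, 's' system, 'h' hidden).

```python
"""Triage two ComboFix log sections: 'Sigcheck' and 'Files Created'.

Added example, not part of this thread or of ComboFix. Assumptions: the line
formats below are taken from the log posted above; the ComboFix attribute
column is read as 8 flag characters with 'd' = directory, 's' = system and
'h' = hidden, which matches the entries in that log.
"""
import re
from collections import defaultdict

# Sample input constructed from lines in the log above (a small subset).
SIGCHECK_LINES = [
    "[-] 2011-02-05 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385]"
    " . . c:\\windows\\System32\\user32.dll",
    "[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385]"
    " . . c:\\windows\\winsxs\\x86_microsoft-windows-user32_31bf3856ad364e35"
    "_6.1.7600.16385_none_cd0ec264ceb014a3\\user32.dll",
]
CREATED_LINES = [
    "2011-02-13 21:52 . 2011-02-13 21:52 135168 --sha-r- c:\\windows\\system32\\change9.dll",
    "2011-02-13 21:25 . 2010-12-20 23:09 38224 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys",
    "2011-02-14 18:28 . 2011-02-14 18:28 -------- d-sh--w- c:\\windows\\system32\\%APPDATA%",
    "2011-02-05 05:14 . 2011-02-14 20:11 -------- d-sh--w- c:\\windows\\Installer",
]

# "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# "created . modified size attrs path"  (size is '--------' for directories)
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)


def find_sigcheck_mismatches(lines):
    """Return live system files whose MD5 differs from every winsxs copy of the
    same file name. Sigcheck prints the live copy and the component-store copy
    side by side, so a mismatch means the on-disk file is not the shipped one."""
    by_name = defaultdict(lambda: {"live": [], "reference": []})
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        bucket = "reference" if "\\winsxs\\" in entry["path"].lower() else "live"
        by_name[name][bucket].append(entry)

    findings = []
    for groups in by_name.values():
        reference_md5s = sorted({e["md5"].upper() for e in groups["reference"]})
        if not reference_md5s:
            continue  # nothing to compare against
        for live in groups["live"]:
            if live["md5"].upper() not in reference_md5s:
                findings.append({
                    "path": live["path"],
                    "md5": live["md5"].upper(),
                    "reference_md5": reference_md5s,
                    "restore_from": [e["path"] for e in groups["reference"]],
                })
    return findings


def find_hidden_system_entries(lines, root="c:\\windows\\system32\\"):
    """Return entries under `root` carrying both the system and hidden
    attributes. Legitimate files rarely need both under system32, so these
    are listed for review, not declared malicious."""
    flagged = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if "s" in attrs and "h" in attrs and path.lower().startswith(root):
            flagged.append({
                "path": path,
                "directory": attrs[0] == "d",
                "created": m.group("created"),
            })
    return flagged


if __name__ == "__main__":
    for f in find_sigcheck_mismatches(SIGCHECK_LINES):
        print(f"MD5 mismatch: {f['path']} {f['md5']} != {f['reference_md5']}")
        for src in f["restore_from"]:
            print(f"  reference copy: {src}")
    for e in find_hidden_system_entries(CREATED_LINES):
        kind = "directory" if e["directory"] else "file"
        print(f"hidden+system {kind} created {e['created']}: {e['path']}")
```

On the sample lines it reports the user32.dll hash mismatch with the winsxs path to restore from, plus change9.dll and the %APPDATA% directory as hidden+system entries under system32; c:\windows\Installer is hidden+system too but sits outside the checked root.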

Hey Maniac,

Here's the next combofix report. It asked me to manually upload a file, C:\CF-Submit.htm. How do I do that?

ComboFix 11-02-17.01 - User Name 02/18/2011 13:21:26.2.2 - x86

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2047.1441 [GMT -5:00]

Running from: c:\users\User Name\Desktop\Combo-Fix.exe

Command switches used :: c:\users\User Name\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

file zipped: c:\windows\system32\change9.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\change9.dll

.

--------------- FCopy ---------------

c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll --> c:\windows\System32\user32.dll

.

((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))

.

2011-02-18 18:25 . 2011-02-18 18:25 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-02-15 23:50 . 2011-01-10 19:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-02-15 23:50 . 2011-01-10 19:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-02-15 23:50 . 2011-02-15 23:50 -------- d-----w- c:\programdata\Avira

2011-02-15 23:50 . 2011-02-15 23:50 -------- d-----w- c:\program files\Avira

2011-02-15 03:07 . 2011-02-15 03:07 -------- d-----w- C:\VundoFix Backups

2011-02-14 20:55 . 2011-02-18 18:08 -------- d-----w- c:\program files\Common Files\PC Tools

2011-02-14 20:14 . 2011-02-17 16:29 -------- d-----w- c:\programdata\PC Tools

2011-02-14 20:00 . 2011-02-14 20:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-02-14 20:00 . 2011-02-14 21:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-02-14 19:32 . 2011-02-14 19:32 -------- d-----w- c:\windows\en

2011-02-14 19:31 . 2011-02-14 19:31 -------- dc----w- c:\windows\system32\DRVSTORE

2011-02-14 19:31 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2011-02-14 19:28 . 2011-02-14 19:28 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2011-02-14 19:26 . 2011-02-14 19:33 -------- d-----w- c:\program files\Windows Live

2011-02-14 19:25 . 2011-02-14 20:11 -------- d-----w- c:\program files\Microsoft

2011-02-14 19:25 . 2011-02-14 19:26 -------- d-----w- c:\program files\Bing Bar Installer

2011-02-14 19:25 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2011-02-14 19:25 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2011-02-14 19:25 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2011-02-14 19:24 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-02-14 18:28 . 2011-02-14 18:28 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-02-14 16:04 . 2011-02-14 17:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-02-14 16:04 . 2011-02-14 16:15 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-13 23:18 . 2011-02-13 23:18 -------- d--h--w- c:\programdata\Common Files

2011-02-13 23:12 . 2011-02-13 23:12 -------- d-----w- c:\program files\Synaptics

2011-02-13 23:10 . 2011-02-13 23:16 -------- d-----w- c:\programdata\MFAData

2011-02-13 23:10 . 2011-02-14 20:58 -------- d-----w- c:\program files\Microsoft Silverlight

2011-02-13 21:25 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-13 21:25 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-12 05:34 . 2011-02-12 05:34 -------- d-----w- c:\programdata\Malwarebytes

2011-02-12 05:34 . 2011-02-15 23:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-12 05:31 . 2011-02-12 05:31 -------- d-----w- c:\programdata\DAEMON Tools Lite

2011-02-12 05:28 . 2011-02-12 05:28 -------- d-----w- c:\programdata\DAEMON Tools Pro

2011-02-12 02:24 . 2011-02-12 02:24 -------- d-----w- C:\extensions

2011-02-11 20:30 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C667C30-1BA8-4030-B979-A04B00E50BB9}\mpengine.dll

2011-02-10 22:01 . 2011-02-10 22:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2011-02-09 18:35 . 2011-02-09 18:35 -------- d-----w- c:\programdata\Planit

2011-02-09 17:03 . 2011-02-09 17:03 -------- d-----w- c:\program files\Common Files\Aladdin Shared

2011-02-09 17:03 . 2010-09-27 21:42 4180576 ----a-w- c:\windows\system32\hasplms.exe

2011-02-09 00:22 . 2011-02-09 00:44 -------- d-----w- c:\program files\PokerStars

2011-02-08 20:44 . 2011-02-08 20:44 -------- d-----w- c:\program files\Common Files\Windows Live

2011-02-08 20:44 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2011-02-08 20:44 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-02-08 20:44 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll

2011-02-08 20:43 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2011-02-08 20:43 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys

2011-02-08 20:43 . 2011-02-08 20:43 -------- d-----w- c:\program files\Analog Devices

2011-02-08 20:22 . 2011-02-08 20:22 -------- d-----w- c:\programdata\SafeNet Sentinel

2011-02-08 20:21 . 2011-02-08 20:21 6656 ----a-w- c:\windows\system32\haspvdd.dll

2011-02-08 20:21 . 2011-02-08 20:21 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys

2011-02-08 20:21 . 2011-02-08 20:21 383 ----a-w- c:\windows\system32\haspdos.sys

2011-02-08 20:21 . 2011-02-08 20:21 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel

2011-02-08 20:20 . 2011-02-08 20:20 -------- d-----w- C:\LICOMDIR

2011-02-08 20:20 . 2011-02-13 00:38 -------- d-----w- C:\LICOMDAT

2011-02-08 20:19 . 2011-02-09 18:33 -------- d-----w- c:\program files\ALPHAV8

2011-02-08 20:19 . 2011-02-08 20:19 -------- d-----w- c:\programdata\LicomSystems

2011-02-08 20:18 . 2011-02-08 20:18 -------- d-----w- c:\program files\Common Files\Planit

2011-02-08 20:18 . 2011-02-08 20:18 -------- d-----w- c:\program files\Common Files\Data Dynamics

2011-02-08 13:46 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll

2011-02-08 13:45 . 2009-11-25 17:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2011-02-08 13:45 . 2009-11-25 17:47 49472 ----a-w- c:\windows\system32\netfxperf.dll

2011-02-08 13:45 . 2009-11-25 17:47 297808 ----a-w- c:\windows\system32\mscoree.dll

2011-02-08 13:45 . 2009-11-25 17:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2011-02-08 13:45 . 2009-11-25 17:47 1130824 ----a-w- c:\windows\system32\dfshim.dll

2011-02-08 13:40 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys

2011-02-08 13:36 . 2010-10-12 04:25 516096 ----a-w- c:\program files\Windows Mail\wab.exe

2011-02-08 13:36 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll

2011-02-08 13:36 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll

2011-02-08 13:36 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe

2011-02-08 13:36 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2011-02-08 13:33 . 2009-12-19 09:02 12288 ----a-w- c:\windows\system32\tsbyuv.dll

2011-02-08 13:33 . 2009-12-19 09:02 1328640 ----a-w- c:\windows\system32\quartz.dll

2011-02-08 13:33 . 2009-12-19 09:02 22016 ----a-w- c:\windows\system32\msyuv.dll

2011-02-08 13:33 . 2009-12-19 09:02 31744 ----a-w- c:\windows\system32\msvidc32.dll

2011-02-08 13:33 . 2009-12-19 09:02 13312 ----a-w- c:\windows\system32\msrle32.dll

2011-02-08 13:33 . 2009-12-19 09:02 84480 ----a-w- c:\windows\system32\mciavi32.dll

2011-02-08 13:33 . 2009-12-19 09:02 50176 ----a-w- c:\windows\system32\iyuv_32.dll

2011-02-08 13:33 . 2009-12-19 09:02 91648 ----a-w- c:\windows\system32\avifil32.dll

2011-02-08 13:33 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll

2011-02-08 13:33 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll

2011-02-08 13:31 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-02-08 13:13 . 2008-11-10 16:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2011-02-08 13:13 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll

2011-02-08 13:13 . 2011-02-13 16:46 -------- d-----w- c:\program files\Microsoft Works

2011-02-08 13:10 . 2011-02-13 23:12 -------- d-----w- c:\programdata\Microsoft Help

2011-02-08 13:10 . 2011-02-08 13:10 -------- d-----r- C:\MSOCache

2011-02-08 12:58 . 2011-02-08 12:58 -------- d-----w- c:\program files\Common Files\Adobe

2011-02-08 12:47 . 2011-02-08 12:48 -------- d-----w- c:\program files\AnswerWorks 4.0

2011-02-08 12:45 . 2011-02-08 13:01 -------- d-----w- c:\program files\AutoCAD LT 2007

2011-02-08 12:45 . 2011-02-08 12:57 -------- d-----w- c:\programdata\Autodesk

2011-02-08 12:43 . 2011-02-08 12:48 -------- d-----w- c:\program files\Common Files\Autodesk Shared

2011-02-08 12:43 . 2011-02-08 12:43 -------- d-----w- c:\program files\Autodesk

2011-02-06 21:52 . 2011-02-06 21:52 -------- d-----w- c:\program files\Google

2011-02-06 21:50 . 2011-02-06 21:55 -------- d-----w- c:\program files\Google Sketchup

2011-02-06 20:45 . 2011-02-08 20:19 -------- d-----w- c:\program files\InstallShield Installation Information

2011-02-06 20:45 . 2011-02-06 20:45 -------- d-----w- c:\program files\MSXML 4.0

2011-02-06 20:45 . 2011-02-06 20:45 -------- d-----w- c:\program files\Common Files\Microsoft Games

2011-02-06 20:44 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2011-02-06 20:19 . 2011-02-06 20:19 -------- d-----w- c:\windows\PCHEALTH

2011-02-06 20:19 . 2011-02-06 20:19 -------- d-----w- c:\program files\Microsoft Games

2011-02-06 20:17 . 2011-02-06 20:17 -------- d-----w- c:\program files\Common Files\InstallShield

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\windows\system32\wocaffe

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\programdata\TrueSuite

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\program files\TrueSuite

2011-02-06 19:39 . 2011-02-06 19:39 -------- d-----w- c:\programdata\Downloaded Installations

2011-02-05 17:07 . 2011-02-05 17:07 -------- d-----w- c:\windows\system32\Macromed

2011-02-05 07:29 . 2011-02-05 07:29 0 ----a-w- c:\windows\ativpsrm.bin

2011-02-05 07:26 . 2011-02-05 05:01 -------- d-----w- c:\windows\Panther

2011-02-05 05:30 . 2011-02-05 05:30 -------- d-----w- c:\windows\system32\Wat

2011-02-05 05:23 . 2011-02-05 05:23 -------- d-----w- C:\hp

2011-02-05 05:14 . 2011-02-05 05:14 -------- d-----w- c:\program files\HP

2011-02-05 05:14 . 2011-02-18 00:21 -------- d-sh--w- c:\windows\Installer

2011-02-05 05:14 . 2011-02-08 20:21 -------- d-----w- c:\windows\Downloaded Installations

2011-02-05 05:01 . 2011-02-16 01:19 -------- d-----w- c:\users\User Name

2011-02-05 05:01 . 2011-02-05 05:01 -------- d-----w- C:\Recovery

2011-02-05 04:51 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-02-05 04:38 . 2011-02-18 18:11 -------- d-----w- c:\windows\system32\wbem\Performance

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-05 05:30 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk

backup=c:\windows\pss\AutoCAD LT Startup Accelerator.lnk.CommonStartup

backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-11-10 17:49 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2011-02-06 18:46 136176 ----atw- c:\users\User Name\AppData\Local\Google\Update\GoogleUpdate.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-05 1343400]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]

S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe [2010-09-27 4180576]

S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2010-07-16 26168]

S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismc32.sys [2006-10-03 47488]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CFCATCHME

*Deregistered* - CFcatchme

.

Contents of the 'Scheduled Tasks' folder

2011-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3410129240-2000560810-1667141114-1000Core.job

- c:\users\User Name\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-06 18:46]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3410129240-2000560810-1667141114-1000UA.job

- c:\users\User Name\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-06 18:46]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-02-18 13:27:54

ComboFix-quarantined-files.txt 2011-02-18 18:27

ComboFix2.txt 2011-02-18 00:01

Pre-Run: 112,220,897,280 bytes free

Post-Run: 111,916,597,248 bytes free

- - End Of File - - 23A45B0885A3BBFFD0AB40904C067B7F


  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.
