Jump to content

Recommended Posts

I've been having a number of issues lately, which seem to get worse in severity. I'll write a brief background of the problem, but if you want to gloss over that, my latest issue seems to be what's described as Trojan.Fakefrag here:

http://www.theinquirer.net/inquirer/news/2071601/criminals-fake-hard-drive-disk-failures-cash

System

Windows XP Home SP3

AVG Antivirus 8.5 Free edition

SuperAntiSpyware

Internet Explorer 8

Firefox 3

Background

13 May - browser shut down whilst browsing. Got popups from XP Home Security 2011.

Ran SuperAntiSpyware. Removed virus, but let system unable to run EXE files (broken association). Installed Malwarebytes' Anti-Malware from pen drive. Fixed issue.

Items detected:

SuperAntiSpyware:

Disabled.SecurityCenterOption

System.BrokenFileAssociation

Trojan.Agent/Gen-KryptSec

(JLK.EXE & JLK.EXE-0A82C9F4.pf)

Trojan.Agent/Gen-TazeBama[Variant]

(DOMINO.EXE)

MBAM:

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\jlk.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\jlk.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\jlk.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\jlk.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Retro\application data\Sun\Java\deployment\cache\6.0\47\6c73a5af-69ff8e6f (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Retro\local settings\application data\Xenocode\Sandbox\Safari\3.2.1 (525.27.1)\2009.03.19t00.55\Virtual\STUBEXE\@programfiles@\Safari\Safari.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Retro\local settings\Temp\0.8436577705674967.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

17 May - as above, same fake scanner. MBAM wouldn't run - rebooted into safe mode (administrator) to run (running user account resulted in same issue as normal boot). Rescanned in normal mode to complete - again had issue with broken EXE file, had to copy MABM to a .COM to run. Fixed issue.

Items detected:

Safe mode:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\byj.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\byj.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\byj.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ANTIVIRUSDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FIREWALLDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UPDATESDISABLENOTIFY (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Retro\application data\Sun\Java\deployment\cache\6.0\16\55acbf90-2e5df69b (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Retro\local settings\application data\byj.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Normal mode:

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Retro\Local Settings\Application Data\byj.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

18 May - whilst using computer, a popup came saying there were issues detected with my hard drive, which may be on the way out, and to reboot. Kept coming up. Eventually had to reboot anyway. Upon rebooting, my desktop picture had disappeared, my quick launch items had gone and most of my programs were missing from my start menu. Task manager was disabled. Browser redirected, particularly going to pages such as this forum. The computer keeps playing music that's not on the computer. MBAM and AVG wouldn't update. Ran MBAM, found items, unlocked task manager but did not fix issue. AVG wouldn't update. Combofix wouldn't run with AVG installed. AVG wouldn't uninstall - had to use removal tool. Running Combofix restored the quick launch bar.

Items detected:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\rhhkieeenua.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Retro\application data\Sun\Java\deployment\cache\6.0\61\33036cfd-67a1a30c (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\17489700.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Current issues

- MBAM will not update. I get PROGRAM_ERROR_UPDATING (5, 0, CreateFile) - Access is denied.

(I ran the manual update from http://data.mbamupdates.com/tools/mbam-rules.exe - confusingly, it said "

This will install Malwarebytes' Anti-Malware version 1.6516.0.0 on your computer.", not just the updates. However, after running it successfully, it gave a message saying "The database is outdated by 16 days. Would you like to update now?" When I said yes, it again failed. Running update still attempts to download an approx. 6Mb file, and fails. Update reports the update as 5/22/2011 version 6640, 320703 fingerprints loaded.)

- Avira gave error during install "Unable to load plugin 'General'. Error:

LoadLibrary() failed.", but said it installed successfully. After install, Avira tried to do a scan. It got to 97% (sptd.sys) and froze. Had to reboot.

- Avira now gives two other messages: "The ordinal 6929 cound not be located in the dynamic link library mfc90u.dll" and "No pages are available. XML file is corrupted!" and won't open.

- When trying to go to many websites, especially security-related sites, the browser will redirect. Example sites that it has redirected to are hydraulis.us and danriver.com.

- The computer randomly plays music. The music is not on the computer, and no player is open. The music was often short clips that faded out. This appears to be related to:

- iexplore.exe is running in processes when the computer is started, but no Internet Explorer window is open. During attempted uninstall of AVG, it told me windows needed to be shut, and listed websites that weren't visibly open.

- Internet Explorer randomly opens itself to a random website.

- My start menu programs list is not restored. All the folders in the start menu folder are empty. Icons are in a temp folder (as described on the website mentioned).

- My show desktop icon is missing from the quick launch bar.

I have followed the forum instructions, but obviously couldn't update MBAM (other than manually - I have no idea whether it is successfully updated) or run Avira. Defogger ran successfully.

I see little point in attaching my latest MBAM log, as it is empty - likewise with a HijackThis log, as it appears to be clean.

Also, I haven't attached the requested attach.txt as it contains no pertinent information, but it does contain information on a failed IP lease and I don't wish for my leased IP addresses to be made public.

Here is the contents of dds.txt:

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Retro at 0:01:24 on 2011-05-23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1270.554 [GMT 1:00]

.

AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\VM301Snap.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\Documents and Settings\Retro\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

mStart Page = hxxp://uk.yahoo.com

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

BHO: HttpWatch Basic: {f1f69322-008f-4895-b2bf-ad194219825a} - c:\program files\httpwatch\httpwatchsc.dll

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

EB: HttpWatch Basic: {2b4c4770-27fd-4a09-b17d-33ca580965fb} - c:\program files\httpwatch\httpwatch.dll

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [bigDogPath] c:\windows\VM301Snap.exe Vimicro USB PC Camera (ZC0301PL)

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {D103E85B-5D67-42c1-8C83-F01079DBAB26} - {2B4C4770-27FD-4A09-B17D-33CA580965FB} - c:\program files\httpwatch\httpwatch.dll

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220898385967

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://213.129.66.245:8081/activex/AMC.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} - hxxp://www.euras.com/euras/EIS/plugin/euras.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\retro\application data\mozilla\firefox\profiles\mdqdjcy1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll

FF - plugin: c:\documents and settings\retro\application data\facebook\npfbplugin_1_0_0.dll

FF - plugin: c:\documents and settings\retro\application data\facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\retro\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Flash Video Resources Downloader: max@subfighter.com - %profile%\extensions\max@subfighter.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-22 11608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-22 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-22 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-22 61960]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

R3 Airgo3P;ASUS Networks AGN300 True MIMO Wireless Driver;c:\windows\system32\drivers\tmimo31P.sys [2008-9-8 780800]

S2 gupdate1c9b6f030b07240;Google Update Service (gupdate1c9b6f030b07240);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]

S3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys --> c:\windows\system32\drivers\appliand.sys [?]

S3 DrvSnSht;DrvSnSht;c:\program files\r-drive image\DrvSnSht.sys [2007-12-21 94608]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-2-28 14336]

S3 R-ImageDisk;R-ImageDisk;c:\program files\r-drive image\R-ImageDisk.sys [2008-8-7 126551]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

.

=============== Created Last 30 ================

.

2011-05-22 15:31:49 -------- d-----w- c:\windows\system32\NtmsData

2011-05-22 15:26:16 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-22 15:26:15 -------- d-----w- c:\program files\Avira

2011-05-22 15:26:15 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-05-22 12:20:24 -------- d-sha-r- C:\cmdcons

2011-05-22 12:10:25 89088 ----a-w- c:\windows\MBR.exe

2011-05-22 12:10:24 98816 ----a-w- c:\windows\sed.exe

2011-05-22 12:10:24 256512 ----a-w- c:\windows\PEV.exe

2011-05-22 12:10:24 161792 ----a-w- c:\windows\SWREG.exe

2011-05-22 12:00:59 1163104 ----a-w- C:\avg_remover_stf_x86_2011_1322.exe

2011-05-22 02:39:17 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2011-05-22 02:39:17 75264 ----a-w- c:\windows\system32\unacev2.dll

2011-05-22 02:39:17 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2011-05-22 02:39:17 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2011-05-22 02:39:16 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2011-05-22 02:39:15 -------- d-----w- c:\program files\Trojan Remover

2011-05-22 02:39:15 -------- d-----w- c:\documents and settings\retro\application data\Simply Super Software

2011-05-22 02:39:15 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software

2011-05-19 19:43:38 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-05-19 19:05:29 -------- d-----w- C:\combo

2011-05-15 11:43:00 -------- d-----w- c:\documents and settings\retro\application data\RMCBackup

2011-05-13 18:03:55 -------- d-----w- c:\documents and settings\retro\application data\Malwarebytes

2011-05-13 18:03:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-13 18:03:48 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-13 18:03:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-05 02:14:04 -------- d-----w- C:\301PL_DRV_WIN2K_XP_VISTA_X86_X64_20070404

.

==================== Find3M ====================

.

.

============= FINISH: 0:02:47.47 ===============

Any assistance would be greatly appreciated. Thanks in advance!

ark.zip

Link to post
Share on other sites

Hi retroap

:welcome:

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please use AVG Removal tool, for the leftovers of AVG at:

http://www.avg.com/us-en/download-tools

Select:

AVG Remover(32bit) 2011 (Version 2011.1322)

Click on Run on the box that pops up and follow the prompts.

Restart your computer completes removal of AVG.

Next

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

Hi Kenny94, thanks for your quick reply! Apologies for the delay in getting back to you - I was having difficulties getting back to this forum without being redirected to brownlove.com!

I had already run the AVG remover prior to installing Avira, but I re-downloaded it and re-ran it just in case, rebooting afterwards. The AVG directory remains in Program Files, empty other than \AVG8\cfg\mail.cfg.

I also re-downloaded Combofix to the desktop and re-ran it, allowing it to update first. Here is the log:

ComboFix 11-05-22.01 - Retro 23/05/2011 7:02.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1270.839 [GMT 1:00]

Running from: c:\documents and settings\Retro\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))

.

.

2011-05-22 15:31 . 2011-05-22 15:32 -------- d-----w- c:\windows\system32\NtmsData

2011-05-22 15:26 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-22 15:26 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-05-22 15:26 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-05-22 15:26 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-05-22 15:26 . 2011-05-22 15:26 -------- d-----w- c:\program files\Avira

2011-05-22 15:26 . 2011-05-22 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-05-22 12:00 . 2011-05-22 12:01 1163104 ----a-w- C:\avg_remover_stf_x86_2011_1322.exe

2011-05-22 02:55 . 2011-05-22 02:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software

2011-05-22 02:39 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2011-05-22 02:39 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2011-05-22 02:39 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2011-05-22 02:39 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2011-05-22 02:39 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2011-05-22 02:39 . 2011-05-22 02:39 -------- d-----w- c:\program files\Trojan Remover

2011-05-22 02:39 . 2011-05-22 02:39 -------- d-----w- c:\documents and settings\Retro\Application Data\Simply Super Software

2011-05-22 02:39 . 2011-05-22 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2011-05-19 19:43 . 2011-05-19 19:43 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-05-19 19:05 . 2011-05-22 12:09 -------- d-----w- C:\combo

2011-05-18 11:11 . 2011-05-18 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-05-18 11:09 . 2011-05-18 11:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2011-05-18 11:09 . 2011-05-18 11:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic

2011-05-18 11:07 . 2011-05-18 11:07 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-05-16 19:21 . 2011-05-16 19:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-05-16 19:21 . 2011-05-16 19:21 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-05-15 11:43 . 2011-05-15 11:43 -------- d-----w- c:\documents and settings\Retro\Application Data\RMCBackup

2011-05-13 18:03 . 2011-05-13 18:03 -------- d-----w- c:\documents and settings\Retro\Application Data\Malwarebytes

2011-05-13 18:03 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-13 18:03 . 2011-05-13 18:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-13 18:03 . 2011-05-17 02:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-05 02:14 . 2011-05-05 02:14 -------- d-----w- C:\301PL_DRV_WIN2K_XP_VISTA_X86_X64_20070404

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

------- Sigcheck -------

.

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

.

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\asyncmac.sys

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys

.

[-] 2006-02-28 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

[-] 2006-02-28 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

.

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys

.

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

.

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntfs.sys

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

.

[-] 2006-02-28 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys

[-] 2006-02-28 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

.

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

.

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\browser.dll

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll

.

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

.

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

.

[-] 2008-04-14 00:11 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\ServicePackFiles\i386\comres.dll

[-] 2008-04-14 00:11 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll

.

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\ServicePackFiles\i386\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll

.

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll

[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll

[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll

.

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe

[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe

[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe

.

[-] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe

[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe

[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe

.

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

[-] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f\SP3QFE\comctl32.dll

[-] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f\asms\60\msft\windows\common\controls\comctl32.dll

[-] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f\SP3QFE\asms\60\msft\windows\common\controls\comctl32.dll

[-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\ServicePackFiles\i386\comctl32.dll

[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2006-02-28 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

[-] 2006-02-28 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

.

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\cryptsvc.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

.

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll

[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll

[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll

.

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

.

[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll

[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll

[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll

[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kernel32.dll

.

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

.

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lpk.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

.

[-] 2010-12-20 . 1EDCEC5D649DBAC37ED9FFB5A14CEB0C . 5961216 . . [8.00.6001.19019] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3GDR\mshtml.dll

[-] 2010-12-20 . 2A2C070EC691CE410533A1DA7AA3CD86 . 5962240 . . [8.00.6001.23111] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3QFE\mshtml.dll

[-] 2010-06-24 . 94DC7E938C57F3C3D1BC4A0F68FC5830 . 5954560 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\mshtml.dll

[-] 2010-06-24 . 4D7EF94795384CD2BBAAB078B7929FEA . 5951488 . . [8.00.6001.18939] . . c:\windows\system32\mshtml.dll

[-] 2010-06-24 . 4D7EF94795384CD2BBAAB078B7929FEA . 5951488 . . [8.00.6001.18939] . . c:\windows\system32\dllcache\mshtml.dll

[-] 2010-05-06 . C7B7A88CC7D7ABA5C395145BF92F46F7 . 5950976 . . [8.00.6001.18928] . . c:\windows\ie8updates\KB2183461-IE8\mshtml.dll

[-] 2010-05-06 . 9BE28F749A7FE7F8F177C6AA2E9DA609 . 5953024 . . [8.00.6001.23019] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\mshtml.dll

[-] 2010-02-25 . 7054F6ADC9B670887659F1561603B0D0 . 5944832 . . [8.00.6001.18904] . . c:\windows\ie8updates\KB982381-IE8\mshtml.dll

[-] 2010-02-25 . 974772C74DA7C7A8E7C813A9908A845F . 5946880 . . [8.00.6001.22995] . . c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mshtml.dll

[-] 2009-12-21 . BE6EEBEF636773A8E7A82214E81C563A . 5942784 . . [8.00.6001.18876] . . c:\windows\ie8updates\KB980182-IE8\mshtml.dll

[-] 2009-12-21 . E6B64C6C729BBC38AB7CC92CE33F97A5 . 5945856 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\mshtml.dll

[-] 2009-10-29 . C0F9AC6FAB2C788FFEE3E69585A0E93F . 5944320 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\mshtml.dll

[-] 2009-10-29 . CBB1EF54B86EDB78649909DD1699E5CA . 5940736 . . [8.00.6001.18854] . . c:\windows\ie8updates\KB978207-IE8\mshtml.dll

[-] 2009-10-22 . CDA69BC1C23B0EA033B989F67CB722FF . 5939712 . . [8.00.6001.18852] . . c:\windows\ie8updates\KB976325-IE8\mshtml.dll

[-] 2009-10-22 . A6CF28C6E0B6D10098AB601D85EE55E8 . 5943296 . . [8.00.6001.22942] . . c:\windows\$hf_mig$\KB976749-IE8\SP3QFE\mshtml.dll

[-] 2009-08-29 . 0E49677EE57A928765FC47FFBACD5326 . 5940224 . . [8.00.6001.18828] . . c:\windows\ie8updates\KB976749-IE8\mshtml.dll

[-] 2009-08-29 . B68F6E6C66D17D9EDABF3D5DA71046DA . 5942272 . . [8.00.6001.22918] . . c:\windows\$hf_mig$\KB974455-IE8\SP3QFE\mshtml.dll

[-] 2009-07-19 . 5A32B43A48D6DCA339BF24105D9A028F . 5937152 . . [8.00.6001.18812] . . c:\windows\ie8updates\KB974455-IE8\mshtml.dll

[-] 2009-07-19 . F25D866DD486AD30E05E5596CB363C3E . 5938176 . . [8.00.6001.22902] . . c:\windows\$hf_mig$\KB972260-IE8\SP3QFE\mshtml.dll

[-] 2009-05-13 . EEAADAA744B20E68CF5EB4FBB4F8AFA9 . 5936128 . . [8.00.6001.18783] . . c:\windows\ie8updates\KB972260-IE8\mshtml.dll

[-] 2009-05-13 . 1290E417BF806185CC7B2845E78A104E . 5936128 . . [8.00.6001.22873] . . c:\windows\$hf_mig$\KB969897-IE8\SP3QFE\mshtml.dll

[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB969897-IE8\mshtml.dll

[-] 2008-12-14 . 2973F5FC57D2755AB57ED14FFF8DDA47 . 5699584 . . [8.00.6001.22342] . . c:\windows\$hf_mig$\KB960714-IE8\SP3QFE\mshtml.dll

[-] 2008-06-25 . 04EEC0FF4DD3C7041628973CA6832C33 . 3067904 . . [6.00.2900.5626] . . c:\windows\$hf_mig$\KB953838\SP3QFE\mshtml.dll

[-] 2008-06-24 . EC936148284F557F19C333178768109B . 3592192 . . [7.00.6000.16705] . . c:\windows\ie8\mshtml.dll

[-] 2008-06-24 . EC936148284F557F19C333178768109B . 3592192 . . [7.00.6000.16705] . . c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\mshtml.dll

[-] 2008-06-23 . 28B8231CA8D55FC85E027A57C90F5C88 . 3594240 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll

[-] 2008-06-23 . 28B8231CA8D55FC85E027A57C90F5C88 . 3594240 . . [7.00.6000.20861] . . c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\mshtml.dll

[-] 2008-06-23 . F433136C23D13B120412B300D1324A7E . 3067392 . . [6.00.2900.5626] . . c:\windows\ie7\mshtml.dll

[-] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\mshtml.dll

[-] 2007-08-13 . C6EC2493346ED8888A549F59210A8ED3 . 3578368 . . [7.00.5730.13] . . c:\windows\ie7updates\KB953838-IE7\mshtml.dll

[-] 2006-02-21 . C6E663C066E3BEA5B0BB70D87D0701E9 . 3052032 . . [6.00.2900.2853] . . c:\windows\$hf_mig$\KB911164\SP2QFE\mshtml.dll

.

[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ServicePackFiles\i386\msvcrt.dll

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll

[-] 2006-02-28 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll

[-] 2006-02-28 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

.

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll

[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll

[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\mswsock.dll

.

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netlogon.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll

.

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

.

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\scecli.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll

.

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfc.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

.

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

.

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll

.

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

.

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

.

[-] 2010-12-20 . 88014D62B5E3CDB0AC67948D86C926C8 . 916480 . . [8.00.6001.19019] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3GDR\wininet.dll

[-] 2010-12-20 . 5504B4ECCE892EB82CD2C5FA71940AC1 . 919552 . . [8.00.6001.23111] . . c:\windows\SoftwareDistribution\Download\d6a0858506d9996856009eb3a494a8c1\SP3QFE\wininet.dll

[-] 2010-06-24 . 60237E50D575FBA9BEC9BC043F157149 . 919040 . . [8.00.6001.23037] . . c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\wininet.dll

[-] 2010-06-24 . D3DEB6B2B424AC93DE3801EAEB21A9A5 . 916480 . . [8.00.6001.18939] . . c:\windows\system32\wininet.dll

[-] 2010-06-24 . D3DEB6B2B424AC93DE3801EAEB21A9A5 . 916480 . . [8.00.6001.18939] . . c:\windows\system32\dllcache\wininet.dll

[-] 2010-05-06 . 2D9C7B010409372C34F725DA5CCED083 . 916480 . . [8.00.6001.18923] . . c:\windows\ie8updates\KB2183461-IE8\wininet.dll

[-] 2010-05-06 . C1490F68B44AF8B781F52F12F564625D . 919040 . . [8.00.6001.23014] . . c:\windows\$hf_mig$\KB982381-IE8\SP3QFE\wininet.dll

[-] 2010-02-25 . 7A42CFED96CDA7F2FB1A26D1F9F65775 . 916480 . . [8.00.6001.18904] . . c:\windows\ie8updates\KB982381-IE8\wininet.dll

[-] 2010-02-25 . 4458D59F2B0369F4D3B137541D284041 . 919040 . . [8.00.6001.22995] . . c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll

[-] 2009-12-21 . FF4241C74E0C0A5AFFFE05F584213ECB . 916480 . . [8.00.6001.18876] . . c:\windows\ie8updates\KB980182-IE8\wininet.dll

[-] 2009-12-21 . 5E1F666B8955FD77E65D65C4C4D882A3 . 916480 . . [8.00.6001.22967] . . c:\windows\$hf_mig$\KB978207-IE8\SP3QFE\wininet.dll

[-] 2009-10-29 . 6AF52998B90F72FF2325D84D90EDA1CC . 916480 . . [8.00.6001.22945] . . c:\windows\$hf_mig$\KB976325-IE8\SP3QFE\wininet.dll

[-] 2009-10-29 . 75240F6EDBCE7B85DF66874407D38A4F . 916480 . . [8.00.6001.18854] . . c:\windows\ie8updates\KB978207-IE8\wininet.dll

[-] 2009-08-29 . CF0A5FE05BF614C24950D8FAEC1BC309 . 916480 . . [8.00.6001.18828] . . c:\windows\ie8updates\KB976325-IE8\wininet.dll

[-] 2009-08-29 . 972B226BDAD71C55F3CC9A72BBF8F1C1 . 916480 . . [8.00.6001.22918] . . c:\windows\$hf_mig$\KB974455-IE8\SP3QFE\wininet.dll

[-] 2009-07-03 . 7E8A47A2E6561274B83E257CE74803FD . 915456 . . [8.00.6001.18806] . . c:\windows\ie8updates\KB974455-IE8\wininet.dll

[-] 2009-07-03 . 38114DAB42FB2EB84D1726C42B8D80C5 . 915456 . . [8.00.6001.22896] . . c:\windows\$hf_mig$\KB972260-IE8\SP3QFE\wininet.dll

[-] 2009-05-13 . 366C72AF6970DB7BB39AB0142BF09DB5 . 915456 . . [8.00.6001.18783] . . c:\windows\ie8updates\KB972260-IE8\wininet.dll

[-] 2009-05-13 . C0EB6850C8A02A154281749DC61FAF22 . 915456 . . [8.00.6001.22873] . . c:\windows\$hf_mig$\KB969897-IE8\SP3QFE\wininet.dll

[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\ie8updates\KB969897-IE8\wininet.dll

[-] 2008-06-23 . 8C13D4A7479FA0A026EDA8ABCE82C0ED . 826368 . . [7.00.6000.16705] . . c:\windows\ie8\wininet.dll

[-] 2008-06-23 . 8C13D4A7479FA0A026EDA8ABCE82C0ED . 826368 . . [7.00.6000.16705] . . c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\wininet.dll

[-] 2008-06-23 . C66402A06B83B036C195242C0C8CF83C . 827904 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll

[-] 2008-06-23 . C66402A06B83B036C195242C0C8CF83C . 827904 . . [7.00.6000.20861] . . c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\wininet.dll

[-] 2008-06-23 . F12FBB673DE9CC802C5DC518FE99AA2F . 666112 . . [6.00.2900.5626] . . c:\windows\ie7\wininet.dll

[-] 2008-06-23 . 972299B7241EC325D8C7E5638C884925 . 666624 . . [6.00.2900.5626] . . c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll

[-] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\wininet.dll

[-] 2007-08-13 . A4A0FC92358F39538A6494C42EF99FE9 . 818688 . . [7.00.5730.13] . . c:\windows\ie7updates\KB953838-IE7\wininet.dll

.

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

.

[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2help.dll

[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll

.

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

.

[-] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\regedit.exe

[-] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe

.

[-] 2010-07-16 . 7A6A7900B5E322763430BA6FD9A31224 . 1288192 . . [5.1.2600.6010] . . c:\windows\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be\sp3gdr\ole32.dll

[-] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be\sp3qfe\ole32.dll

[-] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ole32.dll

[-] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\system32\ole32.dll

.

[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll

[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll

[-] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll

[-] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll

[-] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\ServicePackFiles\i386\usp10.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

.

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

.

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

.

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfcfiles.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

.

[-] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll

[-] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\dllcache\shsvcs.dll

[-] 2009-07-27 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\$hf_mig$\KB971029\SP3QFE\shsvcs.dll

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB971029$\shsvcs.dll

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll

.

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regsvc.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

.

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

.

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ssdpsrv.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

.

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

.

[-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\hnetcfg.dll

[-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll

.

[-] 2006-02-28 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

.

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\dllcache\aec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys

.

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\agp440.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\AGP440.SYS

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\AGP440.SYS

.

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ip6fw.sys

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

.

[-] 2010-09-18 07:18 . 842900DEDBC8E3E8DBCCCB298FD88F65 . 953856 . . [4.1.6151] . . c:\windows\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80\SP3QFE\mfc40u.dll

[-] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80\SP3GDR\mfc40u.dll

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ServicePackFiles\i386\mfc40u.dll

[-] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll

.

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msgsvc.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

.

[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll

.

[-] 2010-12-09 . F67CD97282E0ABFAF91A9A1359B16F2D . 2069376 . . [5.1.2600.6055] . . c:\windows\SoftwareDistribution\Download\f35839bf00bc83543dbda7acaf1e2a3b\SP3QFE\ntkrnlpa.exe

[-] 2010-12-09 . 84FF488E249DBD2050EB39EA81C6F5C2 . 2069376 . . [5.1.2600.6055] . . c:\windows\SoftwareDistribution\Download\f35839bf00bc83543dbda7acaf1e2a3b\SP3GDR\ntkrnlpa.exe

[-] 2010-04-28 . 756362706DE8BC92F11E197C98A73844 . 2066944 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntkrnlpa.exe

[-] 2010-04-27 . DC57ABED7BDE1487E658968B4423BED7 . 2066816 . . [5.1.2600.5973] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe

[-] 2010-04-27 . DC57ABED7BDE1487E658968B4423BED7 . 2066816 . . [5.1.2600.5973] . . c:\windows\system32\ntkrnlpa.exe

[-] 2010-04-27 . DC57ABED7BDE1487E658968B4423BED7 . 2066816 . . [5.1.2600.5973] . . c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2010-02-16 . A046C627EC20456E2959B7BD628E1FD0 . 2066816 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntkrnlpa.exe

[-] 2010-02-16 . DED8B5A89B085284634502E9D75AC78C . 2066944 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe

[-] 2009-12-09 . FFDCE1EEA79C678C40237D4E031E5B51 . 2066176 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165-v2\SP3QFE\ntkrnlpa.exe

[-] 2009-12-08 . FFDCE1EEA79C678C40237D4E031E5B51 . 2066176 . . [5.1.2600.5913] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP3QFE\ntkrnlpa.exe

[-] 2009-12-08 . A6683E23468776F75EB2D8C6A02AAD3B . 2066048 . . [5.1.2600.5913] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP3GDR\ntkrnlpa.exe

[-] 2009-12-08 . 384B15FBDCE2A54089A922886DED4EA0 . 2057728 . . [5.1.2600.3654] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP2GDR\ntkrnlpa.exe

[-] 2009-12-08 . BC123D9238A0C9BB3D853E407EE77254 . 2063104 . . [5.1.2600.3654] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP2QFE\ntkrnlpa.exe

[-] 2009-08-04 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe

[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe

[-] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe

[-] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntkrnlpa.exe

.

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ServicePackFiles\i386\ntmssvc.dll

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

.

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\upnphost.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll

.

[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\dsound.dll

[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll

.

[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\d3d9.dll

[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll

.

[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\ddraw.dll

[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll

.

[-] 2008-04-14 00:12 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\olepro32.dll

[-] 2008-04-14 00:12 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll

.

[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\perfctrs.dll

[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll

.

[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll

[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll

.

[-] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\SoftwareDistribution\Download\f35839bf00bc83543dbda7acaf1e2a3b\SP3QFE\ntoskrnl.exe

[-] 2010-12-09 . 64C1ADF6DF629F340C5A439FE0EF8ED1 . 2192768 . . [5.1.2600.6055] . . c:\windows\SoftwareDistribution\Download\f35839bf00bc83543dbda7acaf1e2a3b\SP3GDR\ntoskrnl.exe

[-] 2010-04-28 . 472059774023F80EB7227EAF9A7ACDA1 . 2189952 . . [5.1.2600.5973] . . c:\windows\Driver Cache\i386\ntoskrnl.exe

[-] 2010-04-28 . 472059774023F80EB7227EAF9A7ACDA1 . 2189952 . . [5.1.2600.5973] . . c:\windows\system32\ntoskrnl.exe

[-] 2010-04-28 . 472059774023F80EB7227EAF9A7ACDA1 . 2189952 . . [5.1.2600.5973] . . c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2010-04-27 . A2ABBEC40CDB57454645D06B7EBD22F5 . 2190080 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntoskrnl.exe

[-] 2010-02-17 . D41C3CBAD0E1C0728D1CDFD541F60CFA . 2189952 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntoskrnl.exe

[-] 2010-02-16 . E1F653A542449D54FA2D27463D99B6B6 . 2190080 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe

[-] 2009-12-09 . 05BE3D9A71972223AFF6A3C823BA51B1 . 2189312 . . [5.1.2600.5913] . . c:\windows\$hf_mig$\KB977165-v2\SP3QFE\ntoskrnl.exe

[-] 2009-12-08 . 05BE3D9A71972223AFF6A3C823BA51B1 . 2189312 . . [5.1.2600.5913] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP3QFE\ntoskrnl.exe

[-] 2009-12-08 . 78EC47F9B9A3A1D539262D8834C896CE . 2189184 . . [5.1.2600.5913] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP3GDR\ntoskrnl.exe

[-] 2009-12-08 . 5648297DBF1C631164F779863DF9D5BF . 2180352 . . [5.1.2600.3654] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP2GDR\ntoskrnl.exe

[-] 2009-12-08 . 128D88B3176E70B2E3088ECEB842B673 . 2185984 . . [5.1.2600.3654] . . c:\windows\SoftwareDistribution\Download\1e737459aaabc35cf71b0434922b4d59\SP2QFE\ntoskrnl.exe

[-] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe

[-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe

[-] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe

[-] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntoskrnl.exe

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\w32time.dll

[-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\system32\w32time.dll

.

[-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wiaservc.dll

[-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll

.

[-] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\midimap.dll

[-] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll

.

[-] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rasadhlp.dll

[-] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\system32\rasadhlp.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-05-22_12.35.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-05-22 15:26 . 2010-06-17 14:27 28520 c:\windows\system32\drivers\ssmdrv.sys

+ 2008-09-08 17:31 . 2011-05-23 02:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2008-09-08 17:31 . 2011-05-20 06:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-09-08 17:31 . 2011-05-23 02:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-09-08 17:31 . 2011-05-20 06:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-05-23 02:33 . 2011-05-23 02:33 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-09-08 17:31 . 2011-05-20 06:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-13 2424192]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"BigDogPath"="c:\windows\VM301Snap.exe" [2007-03-27 49152]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-11-24 1233856]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-03-09 08:40 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]

2007-03-27 16:24 49152 ----a-w- c:\windows\VM301Snap.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-04-06 19:43 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\UltraVNC\\vncviewer.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Documents and Settings\\Retro\\Local Settings\\Apps\\2.0\\5COK2JCA.HYY\\6N1ZER5B.Q8Y\\laun..tion_34737269cb897780_0001.0000_d109b91ee67cdb5b\\openvpn.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5900:TCP"= 5900:TCP:vnc5900

"5800:TCP"= 5800:TCP:vnc5800

"5500:TCP"= 5500:TCP:UltraVNC Listen

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [03/09/2008 14:07 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [03/09/2008 14:07 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/05/2011 16:26 136360]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]

R3 Airgo3P;ASUS Networks AGN300 True MIMO Wireless Driver;c:\windows\system32\drivers\tmimo31P.sys [08/09/2008 18:34 780800]

S2 gupdate1c9b6f030b07240;Google Update Service (gupdate1c9b6f030b07240);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 20:45 133104]

S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]

S3 DrvSnSht;DrvSnSht;c:\program files\R-Drive Image\DrvSnSht.sys [21/12/2007 13:39 94608]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 20:45 133104]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [28/02/2006 13:00 14336]

S3 R-ImageDisk;R-ImageDisk;c:\program files\R-Drive Image\R-ImageDisk.sys [07/08/2008 15:32 126551]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [03/09/2008 14:07 12872]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04/02/2009 02:58 717296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-23 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-31 19:43]

.

2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 19:44]

.

2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 19:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

mStart Page = hxxp://uk.yahoo.com

uInternet Settings,ProxyServer = 123.123.123.123:8080

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://213.129.66.245:8081/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Retro\Application Data\Mozilla\Firefox\Profiles\mdqdjcy1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Flash Video Resources Downloader: max@subfighter.com - %profile%\extensions\max@subfighter.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-23 07:19

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1292428093-920026266-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71F63C56-E014-984D-8A39-E2CD0AB85EF5}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oaghagpfjpcajoimdmonkeehiohdah"=hex:6a,61,6b,62,65,6a,6d,67,6b,61,62,63,63,6e,

6d,69,6a,6f,6f,6e,00,21

"naalfodihjffgkjinadccfgbchib"=hex:6a,61,6b,62,65,6a,6d,67,6b,61,62,63,63,6e,

6d,69,6a,6f,6f,6e,00,21

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1524)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(1480)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-05-23 07:26:39

ComboFix-quarantined-files.txt 2011-05-23 06:26

ComboFix2.txt 2011-05-22 12:43

.

Pre-Run: 2,206,990,336 bytes free

Post-Run: 2,501,849,088 bytes free

.

- - End Of File - - A2D7E5EDC4AAF17997C4B4F267932AB4

Link to post
Share on other sites

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

  • Please download Dial-A-Fix from one of the following mirrors:

    [*]Extract the zip file to your desktop.

    [*]Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot errors, just ignore them and ClickOK.jpg to continue.

    [*]Press the green double checkmark box (Looks like this:

    checkmark.png

    [*]UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:

    ncheck.png

    Window.png[*]

    [*]Click on Go

    [*]Wait for Dial-A-Fix to finish (All the checks marks will be all gone)

    [*]Close Dial-A-Fix

Next

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::
DDS::
uInternet Settings,ProxyServer = 123.123.123.123:8080
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"=-
"5800:TCP"=-
"5500:TCP"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

Thank you again for your quick reply - most impressive!

I have taken the steps you requested. However, please note the following:

  • As I stated before, 123.123.123.123:8080 was a fake IP address inserted by me. The genuine (disabled) IP address was a company IP that I did not wish to disclose.
  • To remedy this, I changed the proxy server to 123.123.123.123:8080 in Internet Explorer, then disabled the proxy server. This should allow your script to work as planned.
  • You mentioned ports 5500, 5800 and 5900 being open in my firewall. Please note that this is intentional, as I use a VNC for work purposes. However, I left the script unaltered and ran it anyway.
  • Combofix rebooted twice. On the second occasion, as it was preparing the log file, Avira came on and kept finding infected files in the Qoobox folder. I hope this has not interfered with the results from Combofix, but I had disabled Avira before restart so this was unavoidable.

Combofix found a rootkit, although it restarted before I could see the infected file. I assume it may have been the volsnap.sys mentioned in the log.

I had previously uninstalled Java, as I always do when an infected Java file is found, so it is not currently on my system.

What is "Kitty had a snack :P"? This sounds rather ominous!

Thanks again for your help. Please advise if I need to take further steps.

I have not re-enabled the CD emulation disabled by defogger yet.

Here is the log file:

ComboFix 11-05-22.02 - Retro 23/05/2011 15:52:02.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1270.850 [GMT 1:00]

Running from: c:\documents and settings\Retro\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Retro\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))

.

.

2011-05-23 14:31 . 2011-05-23 15:11 -------- d-----w- c:\windows\system32\CatRoot2

2011-05-22 15:31 . 2011-05-22 15:32 -------- d-----w- c:\windows\system32\NtmsData

2011-05-22 15:26 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-22 15:26 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-05-22 15:26 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-05-22 15:26 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-05-22 15:26 . 2011-05-22 15:26 -------- d-----w- c:\program files\Avira

2011-05-22 15:26 . 2011-05-22 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-05-22 12:00 . 2011-05-22 12:01 1163104 ----a-w- C:\avg_remover_stf_x86_2011_1322.exe

2011-05-22 02:55 . 2011-05-22 02:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software

2011-05-22 02:39 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2011-05-22 02:39 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2011-05-22 02:39 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2011-05-22 02:39 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2011-05-22 02:39 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2011-05-22 02:39 . 2011-05-22 02:39 -------- d-----w- c:\program files\Trojan Remover

2011-05-22 02:39 . 2011-05-22 02:39 -------- d-----w- c:\documents and settings\Retro\Application Data\Simply Super Software

2011-05-22 02:39 . 2011-05-22 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2011-05-19 19:43 . 2011-05-19 19:43 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-05-19 19:05 . 2011-05-22 12:09 -------- d-----w- C:\combo

2011-05-18 11:11 . 2011-05-18 11:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-05-18 11:09 . 2011-05-18 11:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2011-05-18 11:09 . 2011-05-18 11:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic

2011-05-18 11:07 . 2011-05-18 11:07 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-05-16 19:21 . 2011-05-16 19:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-05-16 19:21 . 2011-05-16 19:21 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-05-15 11:43 . 2011-05-15 11:43 -------- d-----w- c:\documents and settings\Retro\Application Data\RMCBackup

2011-05-13 18:03 . 2011-05-13 18:03 -------- d-----w- c:\documents and settings\Retro\Application Data\Malwarebytes

2011-05-13 18:03 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-13 18:03 . 2011-05-13 18:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-13 18:03 . 2011-05-17 02:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-05 02:14 . 2011-05-05 02:14 -------- d-----w- C:\301PL_DRV_WIN2K_XP_VISTA_X86_X64_20070404

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-13 2424192]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"BigDogPath"="c:\windows\VM301Snap.exe" [2007-03-27 49152]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-11-24 1233856]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-03-09 08:40 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 04:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]

2007-03-27 16:24 49152 ----a-w- c:\windows\VM301Snap.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-04-06 19:43 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\UltraVNC\\vncviewer.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Documents and Settings\\Retro\\Local Settings\\Apps\\2.0\\5COK2JCA.HYY\\6N1ZER5B.Q8Y\\laun..tion_34737269cb897780_0001.0000_d109b91ee67cdb5b\\openvpn.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [03/09/2008 14:07 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [03/09/2008 14:07 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/05/2011 16:26 136360]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]

R3 Airgo3P;ASUS Networks AGN300 True MIMO Wireless Driver;c:\windows\system32\drivers\tmimo31P.sys [08/09/2008 18:34 780800]

S2 gupdate1c9b6f030b07240;Google Update Service (gupdate1c9b6f030b07240);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 20:45 133104]

S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]

S3 DrvSnSht;DrvSnSht;c:\program files\R-Drive Image\DrvSnSht.sys [21/12/2007 13:39 94608]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 20:45 133104]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [28/02/2006 13:00 14336]

S3 R-ImageDisk;R-ImageDisk;c:\program files\R-Drive Image\R-ImageDisk.sys [07/08/2008 15:32 126551]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [03/09/2008 14:07 12872]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04/02/2009 02:58 717296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-23 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-31 19:43]

.

2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 19:44]

.

2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 19:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

mStart Page = hxxp://uk.yahoo.com

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://213.129.66.245:8081/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Retro\Application Data\Mozilla\Firefox\Profiles\mdqdjcy1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Flash Video Resources Downloader: max@subfighter.com - %profile%\extensions\max@subfighter.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-23 16:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1292428093-920026266-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71F63C56-E014-984D-8A39-E2CD0AB85EF5}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oaghagpfjpcajoimdmonkeehiohdah"=hex:6a,61,6b,62,65,6a,6d,67,6b,61,62,63,63,6e,

6d,69,6a,6f,6f,6e,00,21

"naalfodihjffgkjinadccfgbchib"=hex:6a,61,6b,62,65,6a,6d,67,6b,61,62,63,63,6e,

6d,69,6a,6f,6f,6e,00,21

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1532)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(2944)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2011-05-23 16:24:06 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-23 15:23

ComboFix2.txt 2011-05-23 06:26

ComboFix3.txt 2011-05-22 12:43

.

Pre-Run: 2,327,519,232 bytes free

Post-Run: 2,358,837,248 bytes free

.

- - End Of File - - 888B7D3123F3460708772E23EA360F0E

Link to post
Share on other sites

Your PC had a rootkit that has replaced your ide driver volsnap.sys file with malware. Let's make there's no rootkit.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

Link to post
Share on other sites

Thanks again for your reply.

The scan reported 206 objects processed, infection not found.

Here is the report:

2011/05/23 18:21:02.0704 2340 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/23 18:21:02.0815 2340 ================================================================================

2011/05/23 18:21:02.0815 2340 SystemInfo:

2011/05/23 18:21:02.0815 2340

2011/05/23 18:21:02.0815 2340 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/23 18:21:02.0815 2340 Product type: Workstation

2011/05/23 18:21:02.0815 2340 ComputerName: LAPTOP

2011/05/23 18:21:02.0815 2340 UserName: Retro

2011/05/23 18:21:02.0815 2340 Windows directory: C:\WINDOWS

2011/05/23 18:21:02.0815 2340 System windows directory: C:\WINDOWS

2011/05/23 18:21:02.0815 2340 Processor architecture: Intel x86

2011/05/23 18:21:02.0815 2340 Number of processors: 1

2011/05/23 18:21:02.0815 2340 Page size: 0x1000

2011/05/23 18:21:02.0815 2340 Boot type: Normal boot

2011/05/23 18:21:02.0815 2340 ================================================================================

2011/05/23 18:21:03.0055 2340 Initialize success

2011/05/23 18:21:13.0720 1916 ================================================================================

2011/05/23 18:21:13.0720 1916 Scan started

2011/05/23 18:21:13.0720 1916 Mode: Manual;

2011/05/23 18:21:13.0720 1916 ================================================================================

2011/05/23 18:21:14.0772 1916 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/23 18:21:15.0032 1916 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/05/23 18:21:15.0493 1916 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

2011/05/23 18:21:15.0763 1916 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/23 18:21:16.0024 1916 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2011/05/23 18:21:16.0304 1916 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/05/23 18:21:16.0584 1916 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/05/23 18:21:17.0766 1916 Airgo3P (3c4fda626d65883b6856064f28d7aa32) C:\WINDOWS\system32\DRIVERS\TMIMO31P.sys

2011/05/23 18:21:18.0667 1916 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/05/23 18:21:19.0418 1916 ASNDIS5 (05a56c3156e1b6cc7bbd8e1d54d491f2) C:\WINDOWS\system32\ASNDIS5.SYS

2011/05/23 18:21:19.0709 1916 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/23 18:21:19.0999 1916 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/23 18:21:20.0470 1916 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/23 18:21:20.0740 1916 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/23 18:21:20.0871 1916 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

2011/05/23 18:21:21.0191 1916 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

2011/05/23 18:21:21.0491 1916 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys

2011/05/23 18:21:21.0772 1916 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/23 18:21:22.0102 1916 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/23 18:21:22.0373 1916 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/05/23 18:21:22.0883 1916 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/23 18:21:23.0164 1916 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/23 18:21:23.0494 1916 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/23 18:21:24.0025 1916 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/05/23 18:21:24.0436 1916 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/05/23 18:21:25.0247 1916 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/23 18:21:25.0717 1916 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/23 18:21:26.0088 1916 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/23 18:21:26.0338 1916 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/23 18:21:26.0639 1916 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/23 18:21:27.0170 1916 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/23 18:21:27.0320 1916 DrvSnSht (d61c44038a58fc8a9396432545b3ca2d) C:\Program Files\R-Drive Image\DrvSnSht.sys

2011/05/23 18:21:27.0630 1916 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/23 18:21:27.0961 1916 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/23 18:21:28.0251 1916 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/23 18:21:28.0562 1916 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/23 18:21:28.0872 1916 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/23 18:21:29.0182 1916 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/23 18:21:29.0513 1916 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/23 18:21:29.0783 1916 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys

2011/05/23 18:21:30.0194 1916 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/23 18:21:30.0534 1916 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/23 18:21:31.0015 1916 HssDrv (80dbd37b4cebb3ead49bf31f552c3e4d) C:\WINDOWS\system32\DRIVERS\HssDrv.sys

2011/05/23 18:21:31.0346 1916 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/23 18:21:31.0987 1916 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/23 18:21:32.0617 1916 ialm (da91f5385cfc8ba0f110f2fde112b563) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2011/05/23 18:21:33.0198 1916 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/23 18:21:33.0639 1916 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/23 18:21:33.0909 1916 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/23 18:21:34.0200 1916 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/23 18:21:34.0500 1916 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/23 18:21:34.0841 1916 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/23 18:21:35.0161 1916 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/23 18:21:35.0451 1916 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/23 18:21:35.0762 1916 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/23 18:21:36.0042 1916 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/23 18:21:36.0333 1916 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/05/23 18:21:36.0663 1916 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/23 18:21:36.0974 1916 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/23 18:21:37.0575 1916 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/23 18:21:37.0915 1916 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/05/23 18:21:38.0246 1916 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/23 18:21:38.0546 1916 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/23 18:21:38.0846 1916 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/23 18:21:39.0367 1916 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/23 18:21:39.0768 1916 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/23 18:21:40.0098 1916 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/23 18:21:40.0359 1916 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/23 18:21:40.0599 1916 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/23 18:21:40.0869 1916 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/23 18:21:41.0140 1916 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/23 18:21:41.0410 1916 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/05/23 18:21:41.0721 1916 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/23 18:21:42.0051 1916 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/05/23 18:21:42.0412 1916 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/23 18:21:42.0692 1916 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/05/23 18:21:42.0992 1916 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/23 18:21:43.0303 1916 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/23 18:21:43.0623 1916 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/23 18:21:43.0914 1916 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/23 18:21:44.0274 1916 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/23 18:21:44.0615 1916 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/23 18:21:44.0975 1916 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/05/23 18:21:45.0376 1916 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys

2011/05/23 18:21:45.0676 1916 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/23 18:21:46.0137 1916 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/23 18:21:46.0377 1916 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/23 18:21:46.0618 1916 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/23 18:21:46.0898 1916 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/23 18:21:47.0379 1916 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/05/23 18:21:47.0679 1916 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/05/23 18:21:48.0010 1916 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/23 18:21:48.0310 1916 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/23 18:21:48.0630 1916 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/23 18:21:49.0091 1916 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/23 18:21:49.0372 1916 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/05/23 18:21:50.0723 1916 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/23 18:21:50.0994 1916 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/23 18:21:51.0264 1916 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/23 18:21:51.0495 1916 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/05/23 18:21:52.0606 1916 R-ImageDisk (aef63c638f2b8ae0b4c29d086397ea21) C:\Program Files\R-Drive Image\R-ImageDisk.sys

2011/05/23 18:21:52.0857 1916 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/23 18:21:53.0177 1916 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/23 18:21:53.0437 1916 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/23 18:21:53.0698 1916 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/23 18:21:54.0028 1916 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/23 18:21:54.0319 1916 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/23 18:21:54.0659 1916 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/23 18:21:54.0990 1916 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/23 18:21:55.0360 1916 RTL8023xp (3529828ec571fb2f64f6b142f9109993) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

2011/05/23 18:21:55.0661 1916 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/05/23 18:21:55.0801 1916 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2011/05/23 18:21:55.0871 1916 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

2011/05/23 18:21:56.0001 1916 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

2011/05/23 18:21:56.0311 1916 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/23 18:21:56.0632 1916 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/05/23 18:21:56.0952 1916 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/05/23 18:21:57.0493 1916 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/05/23 18:21:57.0964 1916 smwdm (f41896d591106713649b7eba668324e6) C:\WINDOWS\system32\drivers\smwdm.sys

2011/05/23 18:21:58.0505 1916 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys

2011/05/23 18:21:58.0735 1916 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/23 18:21:59.0206 1916 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\System32\Drivers\sptd.sys

2011/05/23 18:21:59.0676 1916 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/23 18:22:00.0017 1916 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/23 18:22:00.0327 1916 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2011/05/23 18:22:00.0638 1916 ss_bus (bd15182e9d2d3fabc1d1313badbd2415) C:\WINDOWS\system32\DRIVERS\ss_bus.sys

2011/05/23 18:22:00.0938 1916 ss_mdfl (67d1144f249a3c5e03ebd7a2304dee11) C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys

2011/05/23 18:22:01.0269 1916 ss_mdm (954b7ce2d54c703d6a8471d6b05a5e13) C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

2011/05/23 18:22:01.0539 1916 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys

2011/05/23 18:22:01.0819 1916 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/05/23 18:22:02.0110 1916 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/23 18:22:02.0410 1916 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/23 18:22:03.0432 1916 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/23 18:22:03.0682 1916 tap0901 (2e644070f2240cca9775a6b79cae62cd) C:\WINDOWS\system32\DRIVERS\tap0901.sys

2011/05/23 18:22:03.0952 1916 tapvpn (27a2c318cd28cfb3eb2200fd96af1e58) C:\WINDOWS\system32\DRIVERS\tapvpn.sys

2011/05/23 18:22:04.0323 1916 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/23 18:22:04.0613 1916 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/23 18:22:04.0884 1916 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/23 18:22:05.0174 1916 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/23 18:22:05.0755 1916 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/23 18:22:06.0366 1916 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/23 18:22:06.0666 1916 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/23 18:22:06.0917 1916 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/23 18:22:07.0257 1916 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/23 18:22:07.0638 1916 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/23 18:22:07.0918 1916 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/23 18:22:08.0229 1916 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/23 18:22:08.0519 1916 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/23 18:22:09.0180 1916 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/23 18:22:09.0510 1916 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/23 18:22:10.0282 1916 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/23 18:22:10.0672 1916 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/05/23 18:22:10.0963 1916 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/05/23 18:22:11.0263 1916 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/05/23 18:22:12.0004 1916 ZSMC301b (a1a3f0e6a4584f601e8acc92f526f5be) C:\WINDOWS\system32\Drivers\usbVM31b.sys

2011/05/23 18:22:12.0565 1916 ================================================================================

2011/05/23 18:22:12.0565 1916 Scan finished

2011/05/23 18:22:12.0565 1916 ================================================================================

Link to post
Share on other sites

Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Link to post
Share on other sites

Thanks again for the assistance.

The system is running much better now. The browser redirects appear to have stopped.

I think the only issue I had was the one mentioned previously - that Avira re-enabled itself when Combofix restarted the computer. I don't think this had any negative effect on Combofix, though.

ESET found 24 issues. I was rather surprised to see the Java cache when I had uninstalled Java.

Here is the log file:

C:\combo\SmitfraudFix.exe multiple threats

C:\combo\SmitfraudFix\Process.exe Win32/PrcView application

C:\combo\SmitfraudFix\restart.exe Win32/Shutdown.NAA application

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\3512c40-29009769 Win32/Adware.SafetyAntiSpyware.A application

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-129f5d0a Java/Exploit.CVE-2010-4452.A trojan

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-28fb456d multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\18\6f47d292-4a6002cb multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\29\42947d9d-106a4b7f multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\30\3b7a5a1e-5a452156 Java/TrojanDownloader.OpenStream.NCA trojan

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-72d164b2 multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\35\2a57d1a3-1d174144 Java/TrojanDownloader.OpenStream.NCA trojan

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\36\46b18364-2c169d83 multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\473a5bc4-53c93992 Java/TrojanDownloader.OpenStream.NCA trojan

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-75b224ff multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\43\6d1b776b-515ecfc2 multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-203d09cf a variant of Java/Exploit.CVE-2009-2843.B trojan

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-149511db probably a variant of Win32/Agent.DYXWUMY trojan

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\53\42441975-3c4b9f22 a variant of Java/Exploit.CVE-2009-2843.B trojan

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\55\56b104b7-5a541556 multiple threats

C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-7522ba68 multiple threats

C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application

C:\SDFix\apps\Process.exe Win32/PrcView application

C:\System Volume Information\_restore{6EF6F016-2B1D-434B-83BD-FD8C19D8AF61}\RP1\A0000087.exe Win32/PrcView application

C:\System Volume Information\_restore{6EF6F016-2B1D-434B-83BD-FD8C19D8AF61}\RP1\A0000777.sys Win32/Olmasco.E trojan

Link to post
Share on other sites

Were almost done here! Nice Job!

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Services

    :Reg

    :Files
    ipconfig /flushdns /c
    C:\combo\SmitfraudFix.exe
    C:\combo\SmitfraudFix\Process.exe
    C:\combo\SmitfraudFix\restart.exe
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\3512c40-29009769
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-129f5d0a
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-28fb456d
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\18\6f47d292-4a6002cb
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\29\42947d9d-106a4b7f
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\30\3b7a5a1e-5a452156
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-72d164b2
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\35\2a57d1a3-1d174144
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\36\46b18364-2c169d83
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\473a5bc4-53c93992
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-75b224ff
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\43\6d1b776b-515ecfc2
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-203d09cf
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-149511db
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\53\42441975-3c4b9f22
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\55\56b104b7-5a541556
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-7522ba68
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application
    C:\SDFix\apps\Process.exe
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]

  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Link to post
Share on other sites

Thanks once again for your reply. Whilst I have enjoyed our time together, I am glad to hear we are nearing the end of the disinfection process! ;)

The scan gave an error message half way through - I forget what it said exactly, something about an invalid date format as far as I recall. The bottom-most item in the list on the right at the time was one of the Documents and Settings items. As explorer was not running at the time and it did not proceed, I had to click the button again to continue.

After rebooting, I now have three folders in the folder you mentioned, and two log files.

05242011_200056

Folder contains subfolders C_combo & C_Documents and settings

No log file.

05242011_200149

Folder contains subfolder C_WINDOWS

Log file as follows:

Files moved on Reboot...

Registry entries deleted on Reboot...

N.B. the above text file opened upon reboot.

05242011_200314

Folder is empty.

Log file as follows:

All processes killed
Error: Unable to interpret <[emptytemp] > in the current context!
Error: Unable to interpret <[CREATERESTOREPOINT] > in the current context!
Error: Unable to interpret <[EMPTYFLASH] > in the current context!
Error: Unable to interpret <[Reboot]> in the current context!

OTM by OldTimer - Version 3.1.18.0 log created on 05242011_200314

Link to post
Share on other sites

There was a error in my script. Drag OTM.exe icon into the recycle bin. Download another copy.

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Services

    :Reg

    :Files
    C:\combo\SmitfraudFix.exe
    C:\combo\SmitfraudFix\Process.exe
    C:\combo\SmitfraudFix\restart.exe
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\3512c40-29009769
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-129f5d0a
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-28fb456d
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\18\6f47d292-4a6002cb
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\29\42947d9d-106a4b7f
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\30\3b7a5a1e-5a452156
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-72d164b2
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\35\2a57d1a3-1d174144
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\36\46b18364-2c169d83
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\473a5bc4-53c93992
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-75b224ff
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\43\6d1b776b-515ecfc2
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-203d09cf
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-149511db
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\53\42441975-3c4b9f22
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\55\56b104b7-5a541556
    C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-7522ba68
    C:\SDFix\apps\Process.exe
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]


  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Link to post
Share on other sites

Thanks for the correction.

An odd program, in that it does a bunch of stuff, then pauses for ages - I assume deleting temp files, but it looked like it had crashed for a while. After a while, I noticed the progress meter was stuck and just flickering on and off one bar. When the process finished, the dialog box stating a restart was needed did not pop up - I had to tab to it.

It seems that somewhere in our process, the entire contents of my temp folder was deleted. Unfortunately, I had some files in there that I needed to keep, which were created when a program I use crashed. These are now gone. Whilst I appreciate most users will not want files in the temp folder and indeed some rogue items can 'hang out' in there, there are several applications that will use it during their process and if they crash, the files may be rescued from there. A mention that the temp folder was about to be emptied at whatever stage it was would have been good!

Anyway, here is the log file:

All processes killed

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

File/Folder C:\combo\SmitfraudFix.exe not found.

File/Folder C:\combo\SmitfraudFix\Process.exe not found.

File/Folder C:\combo\SmitfraudFix\restart.exe not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\3512c40-29009769 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-129f5d0a not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-28fb456d not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\18\6f47d292-4a6002cb not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\29\42947d9d-106a4b7f not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\30\3b7a5a1e-5a452156 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-72d164b2 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\35\2a57d1a3-1d174144 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\36\46b18364-2c169d83 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\473a5bc4-53c93992 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-75b224ff not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\43\6d1b776b-515ecfc2 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-203d09cf not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-149511db not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\53\42441975-3c4b9f22 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\55\56b104b7-5a541556 not found.

File/Folder C:\Documents and Settings\Retro\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-7522ba68 not found.

C:\SDFix\apps\Process.exe moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Retro

->Temp folder emptied: 418584 bytes

->Temporary Internet Files folder emptied: 16211863 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 56897430 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 669035 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2987864 bytes

%systemroot%\System32 .tmp files removed: 2832913 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 522752 bytes

Total Files Cleaned = 77.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.18.0 log created on 05252011_024517

Files moved on Reboot...

Registry entries deleted on Reboot...

Link to post
Share on other sites

One of the new methods of malware, is to use the types of malware which may be lurking in temp/user account folders. As they know (the bad guys) most users don't clean temporary files on a daily/weekly basis.... :)

Your Computer is Clean

mr-clean.gif

Are you having any other problems?

If not, we have just a couple of last steps to perform and then you're all set.

Some final items:

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Secunia software inspector & update checker

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips

6567E80CC55576485246E130E48A9FA8.png

Link to post
Share on other sites

Yes, it's understandable that it's the simplest method of dealing with items in the temp folder.

Thank you very much for your assistance - it is greatly appreciated.

There doesn't appear to any other issue.

The items not deleted by OTC were Dial-a-fix (zip and extracted folder) and the randomly-named GMER.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.