Jump to content

Google Redirects, security alerts, and hidden files


Recommended Posts

Hello,

I've decided to finally post out here since everything I've tried on my own hasn't been successful. Thank you in advance for your help.

The problem started on my wife's laptop months ago with Google redirects. That problem was resolved by running Malwarebytes and installing Microsoft Security Essentials, but has since returned over the past week. (Mentioning this because I don't know if it's possible for this malware to infest over a home network.)

Over the last month, our desktop got hit with the fake Windows Security alerts. Then came the onslaught of the Google redirects, hidden files, processes/controls being disabled (such as Windows Firewall). IE starts randomly and freezes. My Print dialog box also opens intermittently.

I was finally able to run MBAM this morning on the desktop after installing it to a new directory. Previously, it was hidden and I couldn't run it. After removing the infected files and rebooting, MBAM remained visible while numerous other applications remained hidden. I was also now able to access Windows Firewall. However, the redirects continue.

MBAM & DDS logs posted below. Running GMER and will zip and attach with Attach.txt when complete. All logs pertain only to our desktop running XP SP2.

Thanks for the help!

Jim

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7279

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

7/26/2011 7:37:24 AM

mbam-log-2011-07-26 (07-37-24).txt

Scan type: Quick scan

Objects scanned: 218063

Time elapsed: 12 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\dapv.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ADF964F8-2C49-4104-B562-7326B828BE38} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADF964F8-2C49-4104-B562-7326B828BE38} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ADF964F8-2C49-4104-B562-7326B828BE38} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\dapv.dll (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\all users\application data\fvsvfgfvfkpeqty.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.

--- dds.txt ---

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.2180

Run by Microsoft User at 7:59:21 on 2011-07-26

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.169 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mDefault_Page_URL = about:blank

mDefault_Search_URL =

mSearch Page =

mSearch Bar =

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [VSPDXP] c:\program files\vspd xp\vspdconfig.exe /quiet

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\microsoft user\start menu\programs\ultimatebet\UltimateBet.lnk

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\microsoft user\desktop\PartyPoker.lnk

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB

DPF: {01118400-3E00-11D2-8470-0060089874ED} - hxxp://activex.microsoft.com/objects/ocget.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://easohseroom02.napa.ad.etn.com/eRoomSetup/client.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://na2.eportal.eaton.com/dana-cached/setup/JuniperSetupSP1.cab

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{307A9912-EE77-40A9-A0C5-C8741FEFA5E1} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{70C0F37E-27F5-4474-A658-17252A36550C} : DhcpNameServer = 68.87.68.162 68.87.74.162

TCP: Interfaces\{DB5C870E-D776-49AA-8C26-5CE4A43A6754} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{FFE176FB-D77D-4EC7-A33A-8C1AC0EC8A9B} : DhcpNameServer = 68.87.68.162 68.87.74.162

Notify: ckpNotify - ckpNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\microsoft user\application data\mozilla\firefox\profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npclntax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2010-10-1 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-10-1 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2008-4-27 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-10-1 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2008-4-27 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\drivers\crypto.sys --> c:\windows\system32\drivers\Crypto.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-23 41272]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\drivers\nsvcp.sys --> c:\windows\system32\drivers\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2010-10-1 14924]

.

=============== Created Last 30 ================

.

2011-07-26 11:19:46 -------- d-----w- c:\program files\new

2011-07-22 22:51:48 1409 ----a-w- c:\windows\QTFont.for

2011-07-22 21:50:25 -------- d-----w- c:\documents and settings\microsoft user\application data\ImTOO

2011-07-22 21:48:48 -------- d-----w- c:\documents and settings\all users\application data\ImTOO

.

==================== Find3M ====================

.

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53:02 94208 ----a-w- c:\windows\system32\dpl100.dll

2004-07-14 06:20:03 56832 --sha-w- c:\windows\cienw.dll

2004-08-21 13:18:43 56832 --sha-w- c:\windows\dillf.dll

2004-08-06 09:44:36 56832 --sha-w- c:\windows\ldwpn.dll

2004-08-19 03:52:22 56832 --sha-w- c:\windows\mzuok.dll

2004-08-16 16:34:50 56832 --sha-w- c:\windows\nwndi.dll

2004-08-24 07:47:27 56832 --sha-w- c:\windows\ohsxy.dll

2004-09-04 06:02:37 56832 --sha-w- c:\windows\pnhru.dll

2004-08-27 14:40:25 56832 --sha-w- c:\windows\vjpys.dll

2000-06-03 01:01:12 56832 --sha-w- c:\windows\system32\aafrs.dll

2004-08-06 21:16:41 56832 --sha-w- c:\windows\system32\dapve.dll

2004-08-17 23:14:39 56832 --sha-w- c:\windows\system32\ecxcy.dll

2004-08-11 20:51:43 56832 --sha-w- c:\windows\system32\glsuc.dll

2004-08-23 10:31:33 56832 --sha-w- c:\windows\system32\hmzvg.dll

2004-08-09 05:09:50 56832 --sha-w- c:\windows\system32\lvwif.dll

2004-08-08 11:21:19 56832 --sha-w- c:\windows\system32\nrjbj.dll

2004-08-12 21:26:32 56832 --sha-w- c:\windows\system32\psept.dll

2004-08-08 03:02:44 56832 --sha-w- c:\windows\system32\qxbij.dll

2004-08-18 19:35:19 56832 --sha-w- c:\windows\system32\slrhh.dll

2004-08-13 18:54:56 26624 --sha-w- c:\windows\system32\sysht.exe

2004-07-22 14:11:54 56832 --sha-w- c:\windows\system32\vbggb.dll

2004-08-16 13:42:55 56832 --sha-w- c:\windows\system32\vynkt.dll

.

============= FINISH: 8:00:33.37 ===============

Attach.zip (GMER.txt & attach.txt) attached.

attach.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Thanks for the reply. Sorry it's taken so long to respond. Updated logs provide as requested.

MBAM

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7364

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

8/3/2011 7:02:57 AM

mbam-log-2011-08-03 (07-02-56).txt

Scan type: Quick scan

Objects scanned: 223429

Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-- combofix --

ComboFix 11-08-03.02 - Microsoft User 08/03/2011 7:09.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.220 [GMT -4:00]

Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\Setup

c:\documents and settings\All Users\Application Data\Setup\setup.fil

c:\documents and settings\All Users\Application Data\Setup\setup.ini

c:\documents and settings\Microsoft User\Application Data\ebrs.exe

c:\documents and settings\Microsoft User\WINDOWS

c:\program files\Mozilla Firefox\components\npclntax.xpt

c:\program files\Mozilla Firefox\plugins\npclntax.dll

c:\windows\addbq32.exe

c:\windows\apinv.exe

c:\windows\apioj.exe

c:\windows\ippe32.exe

c:\windows\ipxh32.exe

c:\windows\iun6002.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))

.

.

2011-07-26 11:19 . 2011-07-26 11:20 -------- d-----w- c:\program files\new

2011-07-22 21:50 . 2011-07-22 21:50 -------- d-----w- c:\documents and settings\Microsoft User\Application Data\ImTOO

2011-07-22 21:48 . 2011-07-22 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ImTOO

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 23:52 . 2011-04-23 13:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll

2006-02-23 13:16 . 2009-01-11 16:33 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 13:16 . 2009-01-11 16:33 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

2011-06-25 17:36 . 2011-05-08 13:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2004-07-14 06:20 56832 --sha-w- c:\windows\cienw.dll

2004-08-21 13:18 56832 --sha-w- c:\windows\dillf.dll

2004-08-06 09:44 56832 --sha-w- c:\windows\ldwpn.dll

2004-08-19 03:52 56832 --sha-w- c:\windows\mzuok.dll

2004-08-16 16:34 56832 --sha-w- c:\windows\nwndi.dll

2004-08-24 07:47 56832 --sha-w- c:\windows\ohsxy.dll

2004-09-04 06:02 56832 --sha-w- c:\windows\pnhru.dll

2004-08-27 14:40 56832 --sha-w- c:\windows\vjpys.dll

2000-06-03 01:01 56832 --sha-w- c:\windows\system32\aafrs.dll

2004-08-06 21:16 56832 --sha-w- c:\windows\system32\dapve.dll

2004-08-17 23:14 56832 --sha-w- c:\windows\system32\ecxcy.dll

2004-08-11 20:51 56832 --sha-w- c:\windows\system32\glsuc.dll

2004-08-23 10:31 56832 --sha-w- c:\windows\system32\hmzvg.dll

2004-08-09 05:09 56832 --sha-w- c:\windows\system32\lvwif.dll

2004-08-08 11:21 56832 --sha-w- c:\windows\system32\nrjbj.dll

2004-08-12 21:26 56832 --sha-w- c:\windows\system32\psept.dll

2004-08-08 03:02 56832 --sha-w- c:\windows\system32\qxbij.dll

2004-08-18 19:35 56832 --sha-w- c:\windows\system32\slrhh.dll

2004-08-13 18:54 26624 --sha-w- c:\windows\system32\sysht.exe

2004-07-22 14:11 56832 --sha-w- c:\windows\system32\vbggb.dll

2004-08-16 13:42 56832 --sha-w- c:\windows\system32\vynkt.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"VSPDXP"="c:\program files\VSPD XP\vspdconfig.exe" [2003-11-13 974848]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 180269]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2004-08-23 35528]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-1-13 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 3.5.lnk

backup=c:\windows\pss\eFax DllCmd 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.5.lnk

backup=c:\windows\pss\eFax Tray Menu 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk

backup=c:\windows\pss\NetScreen-Remote.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2008-03-18 01:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2008-12-12 01:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]

2005-02-21 18:17 207360 ----a-w- c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-05-09 20:00 1658080 ----a-w- c:\program files\Messenger\Msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2001-08-18 05:36 86016 ----a-w- c:\windows\system32\pctspk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyPD]

2006-02-02 17:27 262144 ----a-w- c:\windows\system32\ProxyPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]

2003-10-30 21:10 667648 ----a-w- c:\windows\system32\sistray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ----a-r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-18 19:53 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-08-21 21:11 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"IDriverT"=3 (0x3)

"Neoteris Setup Service"=2 (0x2)

"iPod Service"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:TCP"= 137:TCP:137

"138:TCP"= 138:TCP:138

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/1/2010 6:10 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/1/2010 6:10 PM 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [4/27/2008 4:51 PM 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/1/2010 6:10 PM 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [4/27/2008 4:51 PM 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\Drivers\Crypto.sys --> c:\windows\system32\Drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\DRIVERS\nsvcp.sys --> c:\windows\system32\DRIVERS\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/1/2010 6:10 PM 14924]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2006 7:52 PM 611064]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{28CAEFF3-0F18-4036-B504-51D73BD81C3A} - REG_SZ

MSConfigStartUp-atlvt32 - c:\windows\atlvt32.exe

MSConfigStartUp-Cmaudio - cmicnfg.cpl

MSConfigStartUp-Desktop Weather 3 - c:\progra~1\THEWEA~1\THEWEA~1.EXE

MSConfigStartUp-DWHeartbeatMonitor - c:\progra~1\THEWEA~1\DWHeartbeatMonitor.exe

MSConfigStartUp-Finding Nemo ScreenMate - c:\program files\Finding Nemo ScreenMate\Finding Nemo ScreenMate.exe

MSConfigStartUp-fVsVFGfVFkPeQTy - c:\documents and settings\All Users\Application Data\fVsVFGfVFkPeQTy.exe

MSConfigStartUp-gah95on6 - c:\windows\System32\gah95on6.exe

MSConfigStartUp-Gpq - c:\windows\System32\melpxv.exe

MSConfigStartUp-Internet Optimizer - c:\program files\Internet Optimizer\optimize.exe

MSConfigStartUp-MCAgentExe - c:\progra~1\McAfee.com\Agent\McAgent.exe

MSConfigStartUp-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe

MSConfigStartUp-Media Access - c:\program files\Media Access\MediaAccK.exe

MSConfigStartUp-Media Gateway - c:\progra~1\MEDIAG~1\MEDIAG~1.EXE

MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

MSConfigStartUp-msge - c:\windows\msge.exe

MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe

MSConfigStartUp-nwiz - nwiz.exe

MSConfigStartUp-pirmd - c:\windows\pirmd.exe

MSConfigStartUp-salm - c:\temp\salm.exe

MSConfigStartUp-seekmo - c:\program files\seekmo\seekmo.exe

MSConfigStartUp-Ssso - c:\documents and settings\Microsoft User\Application Data\ebrs.exe

MSConfigStartUp-Sys29 - c:\windows\system32\winzhy32.exe

MSConfigStartUp-SysA - c:\windows\system32\winvbs32.exe

MSConfigStartUp-tadgdat - c:\windows\tadgdat.exe

MSConfigStartUp-tgcmd - c:\program files\support.com\bin\tgcmd.exe

MSConfigStartUp-Zone Labs Client - c:\program files\Zone Labs\Integrity Client\iclient.exe

AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

AddRemove-ReaGIF_is1 - c:\program files\ReaSoft\ReaGIF\unins000.exe

AddRemove-Virtual Serial Ports Driver_is1 - c:\games\AEROFLY PROFESSIONAL DELUXE\Virtual Serial Port Driver 6.0\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-03 07:25

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\msmqinst.log:shmewq 29278 bytes executable

c:\windows\nemo.jpg:rsnlg 89666 bytes executable

c:\windows\netfxocm.log:hwknmd 66560 bytes executable

c:\windows\NSUninst.exe:zcdyn 29278 bytes executable

c:\windows\setupapi.log.0.old:jgxkx 10240 bytes executable

c:\windows\setupapi.log.0.old:mabfp 10240 bytes executable

c:\windows\SiSport.sys:gaero 10240 bytes executable

c:\windows\Sti_Trace.log:xbeyl 10240 bytes executable

c:\windows\FaxSetup.log:nucll 56832 bytes executable

c:\windows\FeatherTexture.bmp:pdzbp 26624 bytes executable

c:\windows\iis6.log:lzjdr 56832 bytes executable

c:\windows\ukcqo.txt:qdoxhi 35544 bytes executable

c:\windows\UPGRADE.TXT:irfro 10240 bytes executable

c:\windows\vb.ini:fclyd 10240 bytes executable

c:\windows\vb.ini:mgtlv 10240 bytes executable

c:\windows\vejvw.txt:bspei 26624 bytes executable

c:\windows\vjpys.dll:ycvdf 26624 bytes executable

c:\windows\vmmreg32.dll:ahzor 56832 bytes executable

c:\windows\winamp.ini:qmlfwf 12020 bytes executable

c:\windows\Windows Update.log:bftpb 93405 bytes executable

c:\windows\Windows Update.log:zjvsd 10240 bytes executable

c:\windows\comsetup.log:kstfok 12020 bytes executable

c:\windows\comsetup.log:pldwp 26624 bytes executable

c:\windows\comsetup.log:zarkr 26624 bytes executable

c:\windows\control.ini:owpse 10240 bytes executable

c:\windows\control.ini:sulgs 26624 bytes executable

c:\windows\desktop.ini:lqfft 10240 bytes executable

c:\windows\DHCPUPG.LOG:arpgk 10240 bytes executable

c:\windows\DHCPUPG.LOG:dtlkjv 35544 bytes executable

c:\windows\DHCPUPG.LOG:psdts 26624 bytes executable

c:\windows\oodcg.txt:qyetm 103850 bytes executable

c:\windows\winhelp.exe:uyevd 10240 bytes executable

c:\windows\Wininit.ini:hgoha 26624 bytes executable

c:\windows\Wininit.ini:jnelqp 35544 bytes executable

c:\windows\winnt256.bmp:ryhbwm 12020 bytes executable

c:\windows\WINNT32.LOG:gcwswu 35544 bytes executable

c:\windows\KB828741.log:ytmbuc 35544 bytes executable

c:\windows\clock.avi:vkuqn 56832 bytes executable

c:\windows\CMIRmDriver.dll:ylcfy 26624 bytes executable

c:\windows\CMISETUP.INI:ukcqo 10240 bytes executable

c:\windows\CMIUninstall.exe:wltru 10240 bytes executable

c:\windows\KB890175.log:rxlucb 12020 bytes executable

c:\windows\KB890859.log:pablhl 12020 bytes executable

c:\windows\KB891711.log:btzdwo 12020 bytes executable

c:\windows\KB891711.log:kxdzel 35544 bytes executable

c:\windows\KB891781.log:hbuqjv 12020 bytes executable

c:\windows\KB892944.log:nsruu 66560 bytes executable

c:\windows\KB893086.log:scewdg 35544 bytes executable

c:\windows\KB893086.log:ttjjqr 12020 bytes executable

c:\windows\KB893086.log:xzigjw 12020 bytes executable

c:\windows\KB893803.log:airhks 12020 bytes executable

c:\windows\n_flbfhk.log:ljmid 12020 bytes executable

c:\windows\n_gbxxaf.dat:cjyttk 12020 bytes executable

c:\windows\n_hhrfbs.log:mduupw 12020 bytes executable

c:\windows\n_hhrfbs.log:mndvgf 12020 bytes executable

c:\windows\n_hlfmxg.dat:hofyte 12020 bytes executable

c:\windows\n_hlfmxg.dat:inabpy 12020 bytes executable

c:\windows\n_qyyvul.txt:tpcaed 12020 bytes executable

c:\windows\n_rufgkq.dat:bzdqq 29278 bytes executable

c:\windows\n_rufgkq.dat:mqmngn 35544 bytes executable

c:\windows\n_keokaf.txt:ucgpfg 12020 bytes executable

c:\windows\n_kttfvh.dat:mdychr 12020 bytes executable

c:\windows\n_laxpuf.log:zxmfvr 35544 bytes executable

c:\windows\n_lolcwh.log:fdrhbb 35544 bytes executable

c:\windows\n_mwbwin.txt:blukgi 35544 bytes executable

c:\windows\n_mzqzcb.log:woqrhr 12020 bytes executable

c:\windows\n_nnfuhc.dat:xmlwna 12020 bytes executable

c:\windows\n_uupums.dat:mitfwz 12020 bytes executable

c:\windows\n_wggnfg.txt:fqdnfg 12020 bytes executable

c:\windows\n_yjvljc.dat:vbovsv 12020 bytes executable

c:\windows\n_zfpkte.log:xqoshq 35544 bytes executable

c:\windows\ocgen.log:othbug 12020 bytes executable

c:\windows\ocmsn.log:bahmae 66560 bytes executable

c:\windows\ocmsn.log:blluh 93405 bytes executable

c:\windows\ODBC.INI:oecofx 35544 bytes executable

c:\windows\ODBCINST.INI:gurooq 35544 bytes executable

c:\windows\KB896422.log:tjjmmd 35544 bytes executable

c:\windows\KB896426.log:aatzxj 35544 bytes executable

c:\windows\KB896426.log:wsjand 12020 bytes executable

c:\windows\KB897715-OE6SP1-20050503.210336.log:dxophr 12020 bytes executable

c:\windows\KB898461.log:olcghg 35544 bytes executable

c:\windows\KB899588.log:wygujt 35544 bytes executable

c:\windows\DtcInstall.log:hxayh 26624 bytes executable

c:\windows\TASKMAN.EXE:qcwdg 26624 bytes executable

c:\windows\tjjmm.dat:gcwsmg 12020 bytes executable

c:\windows\twain.dll:itxpa 10240 bytes executable

c:\windows\ntdtcsetup.log:yjsad 84825 bytes executable

c:\windows\kzsoy.dat:qdvlzb 35544 bytes executable

c:\windows\regedit(2).exe:jyfhr 93700 bytes executable

c:\windows\regedit(3).exe:bzhei 29278 bytes executable

c:\windows\regedit(3).exe:jyfhr 93700 bytes executable

c:\windows\regedit(4).exe:jyfhr 93700 bytes executable

c:\windows\regedit(5).exe:jyfhr 93700 bytes executable

c:\windows\Zapotec.bmp:pmyge 84825 bytes executable

c:\windows\_default.pif:bwgrhu 12020 bytes executable

c:\windows\_default.pif:bwklbt 35544 bytes executable

c:\windows\_default.pif:cidvsy 29278 bytes executable

c:\windows\_default.pif:dwbdgf 35544 bytes executable

c:\windows\_default.pif:eqqjpa 35544 bytes executable

c:\windows\_default.pif:etopxz 12020 bytes executable

c:\windows\_default.pif:fjyvfi 35544 bytes executable

c:\windows\_default.pif:gwgywn 12020 bytes executable

c:\windows\_default.pif:hsjcod 66560 bytes executable

c:\windows\_default.pif:ilajuy 29278 bytes executable

c:\windows\_default.pif:ivrghj 12020 bytes executable

c:\windows\_default.pif:khlipo 12020 bytes executable

c:\windows\_default.pif:kvqqmv 12020 bytes executable

c:\windows\_default.pif:kxnkvw 29278 bytes executable

c:\windows\_default.pif:lpxdvy 12020 bytes executable

c:\windows\_default.pif:nazhlt 35544 bytes executable

c:\windows\_default.pif:nroply 12020 bytes executable

c:\windows\_default.pif:oofcir 35544 bytes executable

c:\windows\_default.pif:qkhesw 12020 bytes executable

c:\windows\_default.pif:qvzbey 12020 bytes executable

c:\windows\_default.pif:swveat 12020 bytes executable

c:\windows\_default.pif:tpfytn 12020 bytes executable

c:\windows\_default.pif:txzejw 35544 bytes executable

c:\windows\_default.pif:vzgcqj 12020 bytes executable

c:\windows\_default.pif:wompoo 12020 bytes executable

c:\windows\_default.pif:xugurk 35544 bytes executable

c:\windows\_default.pif:xuonkw 12020 bytes executable

c:\windows\_default.pif:zxydyq 35544 bytes executable

c:\windows\KB899591.log:xcdgfq 12020 bytes executable

c:\windows\msdfmap.ini:pegzj 56832 bytes executable

c:\windows\n_cqfzwd.dat:ujzvta 35544 bytes executable

c:\windows\n_hscwhb.log:femzjg 35544 bytes executable

c:\windows\n_hscwhb.log:xnwiaq 12020 bytes executable

c:\windows\preInsMM.exe:jdehn 56832 bytes executable

c:\windows\Santa Fe Stucco.bmp:homqc 26624 bytes executable

c:\windows\twunk_32.exe:auquu 26624 bytes executable

c:\windows\WindowsUpdate.log:nbemuj 12020 bytes executable

c:\windows\WindowsUpdate.log:wyvms 56832 bytes executable

c:\windows\WindowsUpdate.log:zypwcc 12020 bytes executable

c:\windows\blocklist.reg:gxdxw 10240 bytes executable

c:\windows\blocklist.reg:njrmc 93405 bytes executable

c:\windows\KB893803v2.log:izaldg 12020 bytes executable

c:\windows\KB893803v2.log:mucosb 35544 bytes executable

.

scan completed successfully

hidden files: 137

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-329068152-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2C6A728-99B6-9E70-ECCD-B16FE0B39194}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafijmabgajgabfild"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,00

"haphphdgoikhlnhd"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,a6

.

Completion time: 2011-08-03 07:28:48

ComboFix-quarantined-files.txt 2011-08-03 11:28

.

Pre-Run: 1,575,927,808 bytes free

Post-Run: 2,094,759,936 bytes free

.

- - End Of File - - 62BBBC9E41F52DFEACC99DABC7F4A2AF

-- dds.txt --

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.2180

Run by Microsoft User at 7:39:10 on 2011-08-03

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.29 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [VSPDXP] c:\program files\vspd xp\vspdconfig.exe /quiet

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\microsoft user\start menu\programs\ultimatebet\UltimateBet.lnk

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\microsoft user\desktop\PartyPoker.lnk

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB

DPF: {01118400-3E00-11D2-8470-0060089874ED} - hxxp://activex.microsoft.com/objects/ocget.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://easohseroom02.napa.ad.etn.com/eRoomSetup/client.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://na2.eportal.eaton.com/dana-cached/setup/JuniperSetupSP1.cab

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{307A9912-EE77-40A9-A0C5-C8741FEFA5E1} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{70C0F37E-27F5-4474-A658-17252A36550C} : DhcpNameServer = 68.87.68.162 68.87.74.162

TCP: Interfaces\{DB5C870E-D776-49AA-8C26-5CE4A43A6754} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{FFE176FB-D77D-4EC7-A33A-8C1AC0EC8A9B} : DhcpNameServer = 68.87.68.162 68.87.74.162

Notify: ckpNotify - ckpNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\microsoft user\application data\mozilla\firefox\profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2010-10-1 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-10-1 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2008-4-27 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-10-1 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2008-4-27 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\drivers\crypto.sys --> c:\windows\system32\drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\drivers\nsvcp.sys --> c:\windows\system32\drivers\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2010-10-1 14924]

.

=============== Created Last 30 ================

.

2011-08-03 11:06:28 98816 ----a-w- c:\windows\sed.exe

2011-08-03 11:06:28 518144 ----a-w- c:\windows\SWREG.exe

2011-08-03 11:06:28 256000 ----a-w- c:\windows\PEV.exe

2011-08-03 11:06:28 208896 ----a-w- c:\windows\MBR.exe

2011-07-26 11:19:46 -------- d-----w- c:\program files\new

2011-07-22 21:50:25 -------- d-----w- c:\documents and settings\microsoft user\application data\ImTOO

2011-07-22 21:48:48 -------- d-----w- c:\documents and settings\all users\application data\ImTOO

.

==================== Find3M ====================

.

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53:02 94208 ----a-w- c:\windows\system32\dpl100.dll

2004-07-14 06:20:03 56832 --sha-w- c:\windows\cienw.dll

2004-08-21 13:18:43 56832 --sha-w- c:\windows\dillf.dll

2004-08-06 09:44:36 56832 --sha-w- c:\windows\ldwpn.dll

2004-08-19 03:52:22 56832 --sha-w- c:\windows\mzuok.dll

2004-08-16 16:34:50 56832 --sha-w- c:\windows\nwndi.dll

2004-08-24 07:47:27 56832 --sha-w- c:\windows\ohsxy.dll

2004-09-04 06:02:37 56832 --sha-w- c:\windows\pnhru.dll

2004-08-27 14:40:25 56832 --sha-w- c:\windows\vjpys.dll

2000-06-03 01:01:12 56832 --sha-w- c:\windows\system32\aafrs.dll

2004-08-06 21:16:41 56832 --sha-w- c:\windows\system32\dapve.dll

2004-08-17 23:14:39 56832 --sha-w- c:\windows\system32\ecxcy.dll

2004-08-11 20:51:43 56832 --sha-w- c:\windows\system32\glsuc.dll

2004-08-23 10:31:33 56832 --sha-w- c:\windows\system32\hmzvg.dll

2004-08-09 05:09:50 56832 --sha-w- c:\windows\system32\lvwif.dll

2004-08-08 11:21:19 56832 --sha-w- c:\windows\system32\nrjbj.dll

2004-08-12 21:26:32 56832 --sha-w- c:\windows\system32\psept.dll

2004-08-08 03:02:44 56832 --sha-w- c:\windows\system32\qxbij.dll

2004-08-18 19:35:19 56832 --sha-w- c:\windows\system32\slrhh.dll

2004-08-13 18:54:56 26624 --sha-w- c:\windows\system32\sysht.exe

2004-07-22 14:11:54 56832 --sha-w- c:\windows\system32\vbggb.dll

2004-08-16 13:42:55 56832 --sha-w- c:\windows\system32\vynkt.dll

.

============= FINISH: 7:39:51.39 ===============

Link to post
Share on other sites

I attempted to locate these files and upload to Virustotal but the files are no longer there. I will post an updated MBAM log, along with combofix and DDS.txt again shortly.

Should I be leaving my computer on throughout this? Whatever this infection is, it seems to be pretty active and so I've been powering down.

Thanks,

Jim

Link to post
Share on other sites

Here are the updated logs. I'll attempt to keep the pc on.

MBAM

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7392

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

8/6/2011 7:04:26 AM

mbam-log-2011-08-06 (07-04-26).txt

Scan type: Quick scan

Objects scanned: 205768

Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

COMBOFIX

ComboFix 11-08-05.03 - Microsoft User 08/06/2011 6:36.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.261 [GMT -4:00]

Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))

.

.

2011-07-26 11:19 . 2011-07-26 11:20 -------- d-----w- c:\program files\new

2011-07-22 21:50 . 2011-07-22 21:50 -------- d-----w- c:\documents and settings\Microsoft User\Application Data\ImTOO

2011-07-22 21:48 . 2011-07-22 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ImTOO

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 23:52 . 2011-04-23 13:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll

2006-02-23 13:16 . 2009-01-11 16:33 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 13:16 . 2009-01-11 16:33 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

2011-06-25 17:36 . 2011-05-08 13:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2004-07-14 06:20 56832 --sha-w- c:\windows\cienw.dll

2004-08-21 13:18 56832 --sha-w- c:\windows\dillf.dll

2004-08-06 09:44 56832 --sha-w- c:\windows\ldwpn.dll

2004-08-19 03:52 56832 --sha-w- c:\windows\mzuok.dll

2004-08-16 16:34 56832 --sha-w- c:\windows\nwndi.dll

2004-08-24 07:47 56832 --sha-w- c:\windows\ohsxy.dll

2004-09-04 06:02 56832 --sha-w- c:\windows\pnhru.dll

2004-08-27 14:40 56832 --sha-w- c:\windows\vjpys.dll

2000-06-03 01:01 56832 --sha-w- c:\windows\system32\aafrs.dll

2004-08-06 21:16 56832 --sha-w- c:\windows\system32\dapve.dll

2004-08-17 23:14 56832 --sha-w- c:\windows\system32\ecxcy.dll

2004-08-11 20:51 56832 --sha-w- c:\windows\system32\glsuc.dll

2004-08-23 10:31 56832 --sha-w- c:\windows\system32\hmzvg.dll

2004-08-09 05:09 56832 --sha-w- c:\windows\system32\lvwif.dll

2004-08-08 11:21 56832 --sha-w- c:\windows\system32\nrjbj.dll

2004-08-12 21:26 56832 --sha-w- c:\windows\system32\psept.dll

2004-08-08 03:02 56832 --sha-w- c:\windows\system32\qxbij.dll

2004-08-18 19:35 56832 --sha-w- c:\windows\system32\slrhh.dll

2004-08-13 18:54 26624 --sha-w- c:\windows\system32\sysht.exe

2004-07-22 14:11 56832 --sha-w- c:\windows\system32\vbggb.dll

2004-08-16 13:42 56832 --sha-w- c:\windows\system32\vynkt.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"VSPDXP"="c:\program files\VSPD XP\vspdconfig.exe" [2003-11-13 974848]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 180269]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2004-08-23 35528]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-1-13 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 3.5.lnk

backup=c:\windows\pss\eFax DllCmd 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.5.lnk

backup=c:\windows\pss\eFax Tray Menu 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk

backup=c:\windows\pss\NetScreen-Remote.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2008-03-18 01:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2008-12-12 01:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]

2005-02-21 18:17 207360 ----a-w- c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-05-09 20:00 1658080 ----a-w- c:\program files\Messenger\Msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2001-08-18 05:36 86016 ----a-w- c:\windows\system32\pctspk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyPD]

2006-02-02 17:27 262144 ----a-w- c:\windows\system32\ProxyPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]

2003-10-30 21:10 667648 ----a-w- c:\windows\system32\sistray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ----a-r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-18 19:53 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-08-21 21:11 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"IDriverT"=3 (0x3)

"Neoteris Setup Service"=2 (0x2)

"iPod Service"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:TCP"= 137:TCP:137

"138:TCP"= 138:TCP:138

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/1/2010 6:10 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/1/2010 6:10 PM 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [4/27/2008 4:51 PM 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/1/2010 6:10 PM 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [4/27/2008 4:51 PM 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\Drivers\Crypto.sys --> c:\windows\system32\Drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\DRIVERS\nsvcp.sys --> c:\windows\system32\DRIVERS\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/1/2010 6:10 PM 14924]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2006 7:52 PM 611064]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

uInternet Settings,ProxyServer = 0.0.0.0:80

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{28CAEFF3-0F18-4036-B504-51D73BD81C3A} - REG_SZ

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-06 06:50

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\msmqinst.log:shmewq 29278 bytes executable

c:\windows\nemo.jpg:rsnlg 89666 bytes executable

c:\windows\netfxocm.log:hwknmd 66560 bytes executable

c:\windows\NSUninst.exe:zcdyn 29278 bytes executable

c:\windows\setupapi.log.0.old:jgxkx 10240 bytes executable

c:\windows\setupapi.log.0.old:mabfp 10240 bytes executable

c:\windows\SiSport.sys:gaero 10240 bytes executable

c:\windows\Sti_Trace.log:xbeyl 10240 bytes executable

c:\windows\FaxSetup.log:nucll 56832 bytes executable

c:\windows\FeatherTexture.bmp:pdzbp 26624 bytes executable

c:\windows\iis6.log:lzjdr 56832 bytes executable

c:\windows\ukcqo.txt:qdoxhi 35544 bytes executable

c:\windows\UPGRADE.TXT:irfro 10240 bytes executable

c:\windows\vb.ini:fclyd 10240 bytes executable

c:\windows\vb.ini:mgtlv 10240 bytes executable

c:\windows\vejvw.txt:bspei 26624 bytes executable

c:\windows\vjpys.dll:ycvdf 26624 bytes executable

c:\windows\vmmreg32.dll:ahzor 56832 bytes executable

c:\windows\winamp.ini:qmlfwf 12020 bytes executable

c:\windows\Windows Update.log:bftpb 93405 bytes executable

c:\windows\Windows Update.log:zjvsd 10240 bytes executable

c:\windows\comsetup.log:kstfok 12020 bytes executable

c:\windows\comsetup.log:pldwp 26624 bytes executable

c:\windows\comsetup.log:zarkr 26624 bytes executable

c:\windows\control.ini:owpse 10240 bytes executable

c:\windows\control.ini:sulgs 26624 bytes executable

c:\windows\desktop.ini:lqfft 10240 bytes executable

c:\windows\DHCPUPG.LOG:arpgk 10240 bytes executable

c:\windows\DHCPUPG.LOG:dtlkjv 35544 bytes executable

c:\windows\DHCPUPG.LOG:psdts 26624 bytes executable

c:\windows\oodcg.txt:qyetm 103850 bytes executable

c:\windows\winhelp.exe:uyevd 10240 bytes executable

c:\windows\Wininit.ini:hgoha 26624 bytes executable

c:\windows\Wininit.ini:jnelqp 35544 bytes executable

c:\windows\winnt256.bmp:ryhbwm 12020 bytes executable

c:\windows\WINNT32.LOG:gcwswu 35544 bytes executable

c:\windows\KB828741.log:ytmbuc 35544 bytes executable

c:\windows\clock.avi:vkuqn 56832 bytes executable

c:\windows\CMIRmDriver.dll:ylcfy 26624 bytes executable

c:\windows\CMISETUP.INI:ukcqo 10240 bytes executable

c:\windows\CMIUninstall.exe:wltru 10240 bytes executable

c:\windows\KB890175.log:rxlucb 12020 bytes executable

c:\windows\KB890859.log:pablhl 12020 bytes executable

c:\windows\KB891711.log:btzdwo 12020 bytes executable

c:\windows\KB891711.log:kxdzel 35544 bytes executable

c:\windows\KB891781.log:hbuqjv 12020 bytes executable

c:\windows\KB892944.log:nsruu 66560 bytes executable

c:\windows\KB893086.log:scewdg 35544 bytes executable

c:\windows\KB893086.log:ttjjqr 12020 bytes executable

c:\windows\KB893086.log:xzigjw 12020 bytes executable

c:\windows\KB893803.log:airhks 12020 bytes executable

c:\windows\n_flbfhk.log:ljmid 12020 bytes executable

c:\windows\n_gbxxaf.dat:cjyttk 12020 bytes executable

c:\windows\n_hhrfbs.log:mduupw 12020 bytes executable

c:\windows\n_hhrfbs.log:mndvgf 12020 bytes executable

c:\windows\n_hlfmxg.dat:hofyte 12020 bytes executable

c:\windows\n_hlfmxg.dat:inabpy 12020 bytes executable

c:\windows\n_qyyvul.txt:tpcaed 12020 bytes executable

c:\windows\n_rufgkq.dat:bzdqq 29278 bytes executable

c:\windows\n_rufgkq.dat:mqmngn 35544 bytes executable

c:\windows\n_keokaf.txt:ucgpfg 12020 bytes executable

c:\windows\n_kttfvh.dat:mdychr 12020 bytes executable

c:\windows\n_laxpuf.log:zxmfvr 35544 bytes executable

c:\windows\n_lolcwh.log:fdrhbb 35544 bytes executable

c:\windows\n_mwbwin.txt:blukgi 35544 bytes executable

c:\windows\n_mzqzcb.log:woqrhr 12020 bytes executable

c:\windows\n_nnfuhc.dat:xmlwna 12020 bytes executable

c:\windows\n_uupums.dat:mitfwz 12020 bytes executable

c:\windows\n_wggnfg.txt:fqdnfg 12020 bytes executable

c:\windows\n_yjvljc.dat:vbovsv 12020 bytes executable

c:\windows\n_zfpkte.log:xqoshq 35544 bytes executable

c:\windows\ocgen.log:othbug 12020 bytes executable

c:\windows\ocmsn.log:bahmae 66560 bytes executable

c:\windows\ocmsn.log:blluh 93405 bytes executable

c:\windows\ODBC.INI:oecofx 35544 bytes executable

c:\windows\ODBCINST.INI:gurooq 35544 bytes executable

c:\windows\KB896422.log:tjjmmd 35544 bytes executable

c:\windows\KB896426.log:aatzxj 35544 bytes executable

c:\windows\KB896426.log:wsjand 12020 bytes executable

c:\windows\KB897715-OE6SP1-20050503.210336.log:dxophr 12020 bytes executable

c:\windows\KB898461.log:olcghg 35544 bytes executable

c:\windows\KB899588.log:wygujt 35544 bytes executable

c:\windows\DtcInstall.log:hxayh 26624 bytes executable

c:\windows\TASKMAN.EXE:qcwdg 26624 bytes executable

c:\windows\tjjmm.dat:gcwsmg 12020 bytes executable

c:\windows\twain.dll:itxpa 10240 bytes executable

c:\windows\ntdtcsetup.log:yjsad 84825 bytes executable

c:\windows\kzsoy.dat:qdvlzb 35544 bytes executable

c:\windows\regedit(2).exe:jyfhr 93700 bytes executable

c:\windows\regedit(3).exe:bzhei 29278 bytes executable

c:\windows\regedit(3).exe:jyfhr 93700 bytes executable

c:\windows\regedit(4).exe:jyfhr 93700 bytes executable

c:\windows\regedit(5).exe:jyfhr 93700 bytes executable

c:\windows\Zapotec.bmp:pmyge 84825 bytes executable

c:\windows\_default.pif:bwgrhu 12020 bytes executable

c:\windows\_default.pif:bwklbt 35544 bytes executable

c:\windows\_default.pif:cidvsy 29278 bytes executable

c:\windows\_default.pif:dwbdgf 35544 bytes executable

c:\windows\_default.pif:eqqjpa 35544 bytes executable

c:\windows\_default.pif:etopxz 12020 bytes executable

c:\windows\_default.pif:fjyvfi 35544 bytes executable

c:\windows\_default.pif:gwgywn 12020 bytes executable

c:\windows\_default.pif:hsjcod 66560 bytes executable

c:\windows\_default.pif:ilajuy 29278 bytes executable

c:\windows\_default.pif:ivrghj 12020 bytes executable

c:\windows\_default.pif:khlipo 12020 bytes executable

c:\windows\_default.pif:kvqqmv 12020 bytes executable

c:\windows\_default.pif:kxnkvw 29278 bytes executable

c:\windows\_default.pif:lpxdvy 12020 bytes executable

c:\windows\_default.pif:nazhlt 35544 bytes executable

c:\windows\_default.pif:nroply 12020 bytes executable

c:\windows\_default.pif:oofcir 35544 bytes executable

c:\windows\_default.pif:qkhesw 12020 bytes executable

c:\windows\_default.pif:qvzbey 12020 bytes executable

c:\windows\_default.pif:swveat 12020 bytes executable

c:\windows\_default.pif:tpfytn 12020 bytes executable

c:\windows\_default.pif:txzejw 35544 bytes executable

c:\windows\_default.pif:vzgcqj 12020 bytes executable

c:\windows\_default.pif:wompoo 12020 bytes executable

c:\windows\_default.pif:xugurk 35544 bytes executable

c:\windows\_default.pif:xuonkw 12020 bytes executable

c:\windows\_default.pif:zxydyq 35544 bytes executable

c:\windows\KB899591.log:xcdgfq 12020 bytes executable

c:\windows\msdfmap.ini:pegzj 56832 bytes executable

c:\windows\n_cqfzwd.dat:ujzvta 35544 bytes executable

c:\windows\n_hscwhb.log:femzjg 35544 bytes executable

c:\windows\n_hscwhb.log:xnwiaq 12020 bytes executable

c:\windows\preInsMM.exe:jdehn 56832 bytes executable

c:\windows\Santa Fe Stucco.bmp:homqc 26624 bytes executable

c:\windows\twunk_32.exe:auquu 26624 bytes executable

c:\windows\WindowsUpdate.log:nbemuj 12020 bytes executable

c:\windows\WindowsUpdate.log:wyvms 56832 bytes executable

c:\windows\WindowsUpdate.log:zypwcc 12020 bytes executable

c:\windows\blocklist.reg:gxdxw 10240 bytes executable

c:\windows\blocklist.reg:njrmc 93405 bytes executable

c:\windows\KB893803v2.log:izaldg 12020 bytes executable

c:\windows\KB893803v2.log:mucosb 35544 bytes executable

.

scan completed successfully

hidden files: 137

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-329068152-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2C6A728-99B6-9E70-ECCD-B16FE0B39194}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafijmabgajgabfild"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,00

"haphphdgoikhlnhd"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,a6

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2480)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-08-06 06:54:36

ComboFix-quarantined-files.txt 2011-08-06 10:54

ComboFix2.txt 2011-08-03 11:28

.

Pre-Run: 2,002,321,408 bytes free

Post-Run: 2,030,235,648 bytes free

.

- - End Of File - - 4E11CDFFA7A11D01CAB859DA823831B4

DDS

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.2180

Run by Microsoft User at 7:06:25 on 2011-08-06

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.133 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\new\Malwarebytes' Anti-Malware\mbam.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

uInternet Settings,ProxyServer = 0.0.0.0:80

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [VSPDXP] c:\program files\vspd xp\vspdconfig.exe /quiet

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\microsoft user\start menu\programs\ultimatebet\UltimateBet.lnk

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\microsoft user\desktop\PartyPoker.lnk

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB

DPF: {01118400-3E00-11D2-8470-0060089874ED} - hxxp://activex.microsoft.com/objects/ocget.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://easohseroom02.napa.ad.etn.com/eRoomSetup/client.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://na2.eportal.eaton.com/dana-cached/setup/JuniperSetupSP1.cab

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{307A9912-EE77-40A9-A0C5-C8741FEFA5E1} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{70C0F37E-27F5-4474-A658-17252A36550C} : DhcpNameServer = 68.87.68.162 68.87.74.162

TCP: Interfaces\{DB5C870E-D776-49AA-8C26-5CE4A43A6754} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{FFE176FB-D77D-4EC7-A33A-8C1AC0EC8A9B} : DhcpNameServer = 68.87.68.162 68.87.74.162

Notify: ckpNotify - ckpNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\microsoft user\application data\mozilla\firefox\profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2010-10-1 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-10-1 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2008-4-27 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-10-1 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2008-4-27 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\drivers\crypto.sys --> c:\windows\system32\drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\drivers\nsvcp.sys --> c:\windows\system32\drivers\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2010-10-1 14924]

.

=============== Created Last 30 ================

.

2011-08-03 11:06:28 98816 ----a-w- c:\windows\sed.exe

2011-08-03 11:06:28 518144 ----a-w- c:\windows\SWREG.exe

2011-08-03 11:06:28 256000 ----a-w- c:\windows\PEV.exe

2011-08-03 11:06:28 208896 ----a-w- c:\windows\MBR.exe

2011-07-26 11:19:46 -------- d-----w- c:\program files\new

2011-07-22 21:50:25 -------- d-----w- c:\documents and settings\microsoft user\application data\ImTOO

2011-07-22 21:48:48 -------- d-----w- c:\documents and settings\all users\application data\ImTOO

.

==================== Find3M ====================

.

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53:02 94208 ----a-w- c:\windows\system32\dpl100.dll

2004-07-14 06:20:03 56832 --sha-w- c:\windows\cienw.dll

2004-08-21 13:18:43 56832 --sha-w- c:\windows\dillf.dll

2004-08-06 09:44:36 56832 --sha-w- c:\windows\ldwpn.dll

2004-08-19 03:52:22 56832 --sha-w- c:\windows\mzuok.dll

2004-08-16 16:34:50 56832 --sha-w- c:\windows\nwndi.dll

2004-08-24 07:47:27 56832 --sha-w- c:\windows\ohsxy.dll

2004-09-04 06:02:37 56832 --sha-w- c:\windows\pnhru.dll

2004-08-27 14:40:25 56832 --sha-w- c:\windows\vjpys.dll

2000-06-03 01:01:12 56832 --sha-w- c:\windows\system32\aafrs.dll

2004-08-06 21:16:41 56832 --sha-w- c:\windows\system32\dapve.dll

2004-08-17 23:14:39 56832 --sha-w- c:\windows\system32\ecxcy.dll

2004-08-11 20:51:43 56832 --sha-w- c:\windows\system32\glsuc.dll

2004-08-23 10:31:33 56832 --sha-w- c:\windows\system32\hmzvg.dll

2004-08-09 05:09:50 56832 --sha-w- c:\windows\system32\lvwif.dll

2004-08-08 11:21:19 56832 --sha-w- c:\windows\system32\nrjbj.dll

2004-08-12 21:26:32 56832 --sha-w- c:\windows\system32\psept.dll

2004-08-08 03:02:44 56832 --sha-w- c:\windows\system32\qxbij.dll

2004-08-18 19:35:19 56832 --sha-w- c:\windows\system32\slrhh.dll

2004-08-13 18:54:56 26624 --sha-w- c:\windows\system32\sysht.exe

2004-07-22 14:11:54 56832 --sha-w- c:\windows\system32\vbggb.dll

2004-08-16 13:42:55 56832 --sha-w- c:\windows\system32\vynkt.dll

.

============= FINISH: 7:07:14.14 ===============

Link to post
Share on other sites

  • Staff

Hi,

Powering down isn't a bad idea. It's not necessary though.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=90750
Suspect::
c:\windows\winhelp.exe
c:\windows\regedit(5).exe
DDS::
uInternet Settings,ProxyServer = 0.0.0.0:80

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Link to post
Share on other sites

ComboFix 11-08-11.01 - Microsoft User 08/11/2011 6:35.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.208 [GMT -4:00]

Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Microsoft User\Desktop\CFScript.txt

* Created a new restore point

.

file zipped: c:\windows\regedit(5).exe

file zipped: c:\windows\winhelp.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-07-11 to 2011-08-11 )))))))))))))))))))))))))))))))

.

.

2011-08-07 13:37 . 2011-08-07 13:51 -------- dc----w- c:\documents and settings\Microsoft User\Local Settings\Application Data\MigWiz

2011-08-07 13:12 . 2006-11-02 12:07 581192 ----a-w- c:\windows\system32\WinusbCoInstaller.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- dc----w- c:\windows\system32\DRVSTORE

2011-08-07 13:12 . 2006-11-02 13:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- d-----w- c:\program files\Windows Easy Transfer 7

2011-08-07 13:10 . 2011-08-07 13:12 -------- d-----w- c:\windows\LastGood

2011-08-07 04:53 . 2011-08-07 04:53 1409 ----a-w- c:\windows\QTFont.for

2011-07-26 11:19 . 2011-07-26 11:20 -------- d-----w- c:\program files\new

2011-07-22 21:50 . 2011-07-22 21:50 -------- d-----w- c:\documents and settings\Microsoft User\Application Data\ImTOO

2011-07-22 21:48 . 2011-07-22 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ImTOO

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 23:52 . 2011-04-23 13:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll

2006-02-23 13:16 . 2009-01-11 16:33 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 13:16 . 2009-01-11 16:33 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

2011-06-25 17:36 . 2011-05-08 13:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2004-07-14 06:20 56832 --sha-w- c:\windows\cienw.dll

2004-08-21 13:18 56832 --sha-w- c:\windows\dillf.dll

2004-08-06 09:44 56832 --sha-w- c:\windows\ldwpn.dll

2004-08-19 03:52 56832 --sha-w- c:\windows\mzuok.dll

2004-08-16 16:34 56832 --sha-w- c:\windows\nwndi.dll

2004-08-24 07:47 56832 --sha-w- c:\windows\ohsxy.dll

2004-09-04 06:02 56832 --sha-w- c:\windows\pnhru.dll

2004-08-27 14:40 56832 --sha-w- c:\windows\vjpys.dll

2000-06-03 01:01 56832 --sha-w- c:\windows\system32\aafrs.dll

2004-08-06 21:16 56832 --sha-w- c:\windows\system32\dapve.dll

2004-08-17 23:14 56832 --sha-w- c:\windows\system32\ecxcy.dll

2004-08-11 20:51 56832 --sha-w- c:\windows\system32\glsuc.dll

2004-08-23 10:31 56832 --sha-w- c:\windows\system32\hmzvg.dll

2004-08-09 05:09 56832 --sha-w- c:\windows\system32\lvwif.dll

2004-08-08 11:21 56832 --sha-w- c:\windows\system32\nrjbj.dll

2004-08-12 21:26 56832 --sha-w- c:\windows\system32\psept.dll

2004-08-08 03:02 56832 --sha-w- c:\windows\system32\qxbij.dll

2004-08-18 19:35 56832 --sha-w- c:\windows\system32\slrhh.dll

2004-08-13 18:54 26624 --sha-w- c:\windows\system32\sysht.exe

2004-07-22 14:11 56832 --sha-w- c:\windows\system32\vbggb.dll

2004-08-16 13:42 56832 --sha-w- c:\windows\system32\vynkt.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-03_11.25.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-11-02 11:00 . 2006-11-02 11:00 24136 c:\windows\system32\winusb.dll

+ 2005-06-30 11:29 . 2008-12-22 16:54 26144 c:\windows\system32\spupdsvc.exe

+ 2009-01-11 17:42 . 2008-12-22 16:54 16928 c:\windows\system32\spmsg.dll

+ 2009-07-13 22:20 . 2009-07-13 22:20 91728 c:\windows\system32\MigAutoPlay.exe

+ 2006-11-02 11:00 . 2006-11-02 11:00 39368 c:\windows\system32\drivers\winusb.sys

+ 2006-11-02 11:22 . 2006-11-02 11:22 32224 c:\windows\system32\drivers\wdfldr.sys

+ 2011-08-07 13:12 . 2006-11-02 12:07 581192 c:\windows\system32\DRVSTORE\TransferCa_FBC4C55696C581AE72F7C014EA9EA813252FB984\WinusbCoInstaller.dll

+ 2006-11-02 11:22 . 2006-11-02 11:22 492000 c:\windows\system32\drivers\wdf01000.sys

+ 2011-08-07 13:12 . 2006-11-02 13:09 1419232 c:\windows\system32\DRVSTORE\TransferCa_FBC4C55696C581AE72F7C014EA9EA813252FB984\WdfCoinstaller01005.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"VSPDXP"="c:\program files\VSPD XP\vspdconfig.exe" [2003-11-13 974848]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 180269]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2004-08-23 35528]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-1-13 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 3.5.lnk

backup=c:\windows\pss\eFax DllCmd 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.5.lnk

backup=c:\windows\pss\eFax Tray Menu 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk

backup=c:\windows\pss\NetScreen-Remote.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2008-03-18 01:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2008-12-12 01:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]

2005-02-21 18:17 207360 ----a-w- c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-05-09 20:00 1658080 ----a-w- c:\program files\Messenger\Msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2001-08-18 05:36 86016 ----a-w- c:\windows\system32\pctspk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyPD]

2006-02-02 17:27 262144 ----a-w- c:\windows\system32\ProxyPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]

2003-10-30 21:10 667648 ----a-w- c:\windows\system32\sistray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ----a-r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-18 19:53 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-08-21 21:11 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"IDriverT"=3 (0x3)

"Neoteris Setup Service"=2 (0x2)

"iPod Service"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Windows Easy Transfer 7\\migwiz.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:TCP"= 137:TCP:137

"138:TCP"= 138:TCP:138

"7000:TCP"= 7000:TCP:Windows Easy Transfer TCP port

"7000:UDP"= 7000:UDP:Windows Easy Transfer UDP port

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/1/2010 6:10 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/1/2010 6:10 PM 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [4/27/2008 4:51 PM 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/1/2010 6:10 PM 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [4/27/2008 4:51 PM 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\Drivers\Crypto.sys --> c:\windows\system32\Drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\DRIVERS\nsvcp.sys --> c:\windows\system32\DRIVERS\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/1/2010 6:10 PM 14924]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2006 7:52 PM 611064]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WDF01000

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{28CAEFF3-0F18-4036-B504-51D73BD81C3A} - REG_SZ

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-11 07:00

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\msmqinst.log:shmewq 29278 bytes executable

c:\windows\nemo.jpg:rsnlg 89666 bytes executable

c:\windows\netfxocm.log:hwknmd 66560 bytes executable

c:\windows\NSUninst.exe:zcdyn 29278 bytes executable

c:\windows\setupapi.log.0.old:jgxkx 10240 bytes executable

c:\windows\setupapi.log.0.old:mabfp 10240 bytes executable

c:\windows\SiSport.sys:gaero 10240 bytes executable

c:\windows\Sti_Trace.log:xbeyl 10240 bytes executable

c:\windows\FaxSetup.log:nucll 56832 bytes executable

c:\windows\FeatherTexture.bmp:pdzbp 26624 bytes executable

c:\windows\iis6.log:lzjdr 56832 bytes executable

c:\windows\ukcqo.txt:qdoxhi 35544 bytes executable

c:\windows\UPGRADE.TXT:irfro 10240 bytes executable

c:\windows\vb.ini:fclyd 10240 bytes executable

c:\windows\vb.ini:mgtlv 10240 bytes executable

c:\windows\vejvw.txt:bspei 26624 bytes executable

c:\windows\vjpys.dll:ycvdf 26624 bytes executable

c:\windows\vmmreg32.dll:ahzor 56832 bytes executable

c:\windows\winamp.ini:qmlfwf 12020 bytes executable

c:\windows\Windows Update.log:bftpb 93405 bytes executable

c:\windows\Windows Update.log:zjvsd 10240 bytes executable

c:\windows\comsetup.log:kstfok 12020 bytes executable

c:\windows\comsetup.log:pldwp 26624 bytes executable

c:\windows\comsetup.log:zarkr 26624 bytes executable

c:\windows\control.ini:owpse 10240 bytes executable

c:\windows\control.ini:sulgs 26624 bytes executable

c:\windows\desktop.ini:lqfft 10240 bytes executable

c:\windows\DHCPUPG.LOG:arpgk 10240 bytes executable

c:\windows\DHCPUPG.LOG:dtlkjv 35544 bytes executable

c:\windows\DHCPUPG.LOG:psdts 26624 bytes executable

c:\windows\oodcg.txt:qyetm 103850 bytes executable

c:\windows\winhelp.exe:uyevd 10240 bytes executable

c:\windows\Wininit.ini:hgoha 26624 bytes executable

c:\windows\Wininit.ini:jnelqp 35544 bytes executable

c:\windows\winnt256.bmp:ryhbwm 12020 bytes executable

c:\windows\WINNT32.LOG:gcwswu 35544 bytes executable

c:\windows\KB828741.log:ytmbuc 35544 bytes executable

c:\windows\clock.avi:vkuqn 56832 bytes executable

c:\windows\CMIRmDriver.dll:ylcfy 26624 bytes executable

c:\windows\CMISETUP.INI:ukcqo 10240 bytes executable

c:\windows\CMIUninstall.exe:wltru 10240 bytes executable

c:\windows\KB890175.log:rxlucb 12020 bytes executable

c:\windows\KB890859.log:pablhl 12020 bytes executable

c:\windows\KB891711.log:btzdwo 12020 bytes executable

c:\windows\KB891711.log:kxdzel 35544 bytes executable

c:\windows\KB891781.log:hbuqjv 12020 bytes executable

c:\windows\KB892944.log:nsruu 66560 bytes executable

c:\windows\KB893086.log:scewdg 35544 bytes executable

c:\windows\KB893086.log:ttjjqr 12020 bytes executable

c:\windows\KB893086.log:xzigjw 12020 bytes executable

c:\windows\KB893803.log:airhks 12020 bytes executable

c:\windows\n_flbfhk.log:ljmid 12020 bytes executable

c:\windows\n_gbxxaf.dat:cjyttk 12020 bytes executable

c:\windows\n_hhrfbs.log:mduupw 12020 bytes executable

c:\windows\n_hhrfbs.log:mndvgf 12020 bytes executable

c:\windows\n_hlfmxg.dat:hofyte 12020 bytes executable

c:\windows\n_hlfmxg.dat:inabpy 12020 bytes executable

c:\windows\n_qyyvul.txt:tpcaed 12020 bytes executable

c:\windows\n_rufgkq.dat:bzdqq 29278 bytes executable

c:\windows\n_rufgkq.dat:mqmngn 35544 bytes executable

c:\windows\n_keokaf.txt:ucgpfg 12020 bytes executable

c:\windows\n_kttfvh.dat:mdychr 12020 bytes executable

c:\windows\n_laxpuf.log:zxmfvr 35544 bytes executable

c:\windows\n_lolcwh.log:fdrhbb 35544 bytes executable

c:\windows\n_mwbwin.txt:blukgi 35544 bytes executable

c:\windows\n_mzqzcb.log:woqrhr 12020 bytes executable

c:\windows\n_nnfuhc.dat:xmlwna 12020 bytes executable

c:\windows\n_uupums.dat:mitfwz 12020 bytes executable

c:\windows\n_wggnfg.txt:fqdnfg 12020 bytes executable

c:\windows\n_yjvljc.dat:vbovsv 12020 bytes executable

c:\windows\n_zfpkte.log:xqoshq 35544 bytes executable

c:\windows\ocgen.log:othbug 12020 bytes executable

c:\windows\ocmsn.log:bahmae 66560 bytes executable

c:\windows\ocmsn.log:blluh 93405 bytes executable

c:\windows\ODBC.INI:oecofx 35544 bytes executable

c:\windows\ODBCINST.INI:gurooq 35544 bytes executable

c:\windows\KB896422.log:tjjmmd 35544 bytes executable

c:\windows\KB896426.log:aatzxj 35544 bytes executable

c:\windows\KB896426.log:wsjand 12020 bytes executable

c:\windows\KB897715-OE6SP1-20050503.210336.log:dxophr 12020 bytes executable

c:\windows\KB898461.log:olcghg 35544 bytes executable

c:\windows\KB899588.log:wygujt 35544 bytes executable

c:\windows\DtcInstall.log:hxayh 26624 bytes executable

c:\windows\TASKMAN.EXE:qcwdg 26624 bytes executable

c:\windows\tjjmm.dat:gcwsmg 12020 bytes executable

c:\windows\twain.dll:itxpa 10240 bytes executable

c:\windows\ntdtcsetup.log:yjsad 84825 bytes executable

c:\windows\kzsoy.dat:qdvlzb 35544 bytes executable

c:\windows\regedit(2).exe:jyfhr 93700 bytes executable

c:\windows\regedit(3).exe:bzhei 29278 bytes executable

c:\windows\regedit(3).exe:jyfhr 93700 bytes executable

c:\windows\regedit(4).exe:jyfhr 93700 bytes executable

c:\windows\regedit(5).exe:jyfhr 93700 bytes executable

c:\windows\Zapotec.bmp:pmyge 84825 bytes executable

c:\windows\_default.pif:bwgrhu 12020 bytes executable

c:\windows\_default.pif:bwklbt 35544 bytes executable

c:\windows\_default.pif:cidvsy 29278 bytes executable

c:\windows\_default.pif:dwbdgf 35544 bytes executable

c:\windows\_default.pif:eqqjpa 35544 bytes executable

c:\windows\_default.pif:etopxz 12020 bytes executable

c:\windows\_default.pif:fjyvfi 35544 bytes executable

c:\windows\_default.pif:gwgywn 12020 bytes executable

c:\windows\_default.pif:hsjcod 66560 bytes executable

c:\windows\_default.pif:ilajuy 29278 bytes executable

c:\windows\_default.pif:ivrghj 12020 bytes executable

c:\windows\_default.pif:khlipo 12020 bytes executable

c:\windows\_default.pif:kvqqmv 12020 bytes executable

c:\windows\_default.pif:kxnkvw 29278 bytes executable

c:\windows\_default.pif:lpxdvy 12020 bytes executable

c:\windows\_default.pif:nazhlt 35544 bytes executable

c:\windows\_default.pif:nroply 12020 bytes executable

c:\windows\_default.pif:oofcir 35544 bytes executable

c:\windows\_default.pif:qkhesw 12020 bytes executable

c:\windows\_default.pif:qvzbey 12020 bytes executable

c:\windows\_default.pif:swveat 12020 bytes executable

c:\windows\_default.pif:tpfytn 12020 bytes executable

c:\windows\_default.pif:txzejw 35544 bytes executable

c:\windows\_default.pif:vzgcqj 12020 bytes executable

c:\windows\_default.pif:wompoo 12020 bytes executable

c:\windows\_default.pif:xugurk 35544 bytes executable

c:\windows\_default.pif:xuonkw 12020 bytes executable

c:\windows\_default.pif:zxydyq 35544 bytes executable

c:\windows\KB899591.log:xcdgfq 12020 bytes executable

c:\windows\msdfmap.ini:pegzj 56832 bytes executable

c:\windows\n_cqfzwd.dat:ujzvta 35544 bytes executable

c:\windows\n_hscwhb.log:femzjg 35544 bytes executable

c:\windows\n_hscwhb.log:xnwiaq 12020 bytes executable

c:\windows\preInsMM.exe:jdehn 56832 bytes executable

c:\windows\Santa Fe Stucco.bmp:homqc 26624 bytes executable

c:\windows\twunk_32.exe:auquu 26624 bytes executable

c:\windows\WindowsUpdate.log:nbemuj 12020 bytes executable

c:\windows\WindowsUpdate.log:wyvms 56832 bytes executable

c:\windows\WindowsUpdate.log:zypwcc 12020 bytes executable

c:\windows\blocklist.reg:gxdxw 10240 bytes executable

c:\windows\blocklist.reg:njrmc 93405 bytes executable

c:\windows\KB893803v2.log:izaldg 12020 bytes executable

c:\windows\KB893803v2.log:mucosb 35544 bytes executable

.

scan completed successfully

hidden files: 137

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-329068152-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2C6A728-99B6-9E70-ECCD-B16FE0B39194}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafijmabgajgabfild"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,00

"haphphdgoikhlnhd"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,a6

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3080)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-08-11 07:04:48

ComboFix-quarantined-files.txt 2011-08-11 11:04

ComboFix2.txt 2011-08-06 10:54

ComboFix3.txt 2011-08-03 11:28

.

Pre-Run: 391,655,424 bytes free

Post-Run: 528,920,576 bytes free

.

- - End Of File - - C775F9AE08097A635585523B0353F0A2

Upload was successful

Link to post
Share on other sites

I have hidden files shown, but cannot find c:\windows\cienw.dll anywhere. VirusTotal allowed me to manually type in the file path and I got the follow analysis. But, again, I cannot find it in order to zip and attach. As a side note, the computer has not been restarted.

File name:

cienw.dll

Submission date:

2011-08-12 10:28:16 (UTC)

Current status:

finished

Result:

29/ 40 (72.5%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.08.12.00 2011.08.12 Win-Spyware/CWS

AntiVir 7.11.13.30 2011.08.12 TR/Spy.Tofger.BI.5

Antiy-AVL 2.0.3.7 2011.08.12 Trojan/win32.agent.gen

Avast 4.8.1351.0 2011.08.12 Win32:WinShow-AF [Trj]

Avast5 5.0.677.0 2011.08.12 Win32:WinShow-AF [Trj]

AVG 10.0.0.1190 2011.08.11 Downloader.Winshow.AV

BitDefender 7.2 2011.08.12 Trojan.Winshow.JS.C

CAT-QuickHeal 11.00 2011.08.12 TrojanDownloader.WinShow.ak

ClamAV 0.97.0.0 2011.08.12 Trojan.Startpage-230

Commtouch 5.3.2.6 2011.08.12 W32/Malware!9105

Comodo 9712 2011.08.12 -

Emsisoft 5.1.0.8 2011.08.12 Trojan-Downloader.Win32.WinShow!IK

eSafe 7.0.17.0 2011.08.10 Spyware.Websearch

eTrust-Vet 36.1.8498 2011.08.12 -

F-Prot 4.6.2.117 2011.08.12 W32/Malware!9105

F-Secure 9.0.16440.0 2011.08.12 Trojan.Winshow.JS.C

Fortinet 4.2.257.0 2011.08.12 -

GData 22 2011.08.12 Trojan.Winshow.JS.C

Ikarus T3.1.1.107.0 2011.08.12 Trojan-Downloader.Win32.WinShow

Jiangmin 13.0.900 2011.08.11 -

K7AntiVirus 9.109.5003 2011.08.10 Riskware

Kaspersky 9.0.0.837 2011.08.12 Trojan-Downloader.Win32.WinShow.ak

Microsoft 1.7104 2011.08.11 TrojanDownloader:Win32/WinShow.AK

NOD32 6370 2011.08.12 Win32/TrojanDownloader.WinShow.AK

Norman 6.07.10 2011.08.12 -

nProtect 2011-08-12.01 2011.08.12 Trojan.Winshow.JS.C

Panda 10.0.3.5 2011.08.11 Adware/Winshow

PCTools 8.0.0.5 2011.08.12 Adware.Websearch!rem

Prevx 3.0 2011.08.12 -

Rising 23.70.04.03 2011.08.12 -

Sophos 4.67.0 2011.08.12 Troj/Iefeat-A

SUPERAntiSpyware 4.40.0.1006 2011.08.12 -

Symantec 20111.2.0.82 2011.08.12 Adware.Websearch

TheHacker 6.7.0.1.276 2011.08.12 Trojan/Downloader.winshow

TrendMicro 9.500.0.1008 2011.08.12 -

TrendMicro-HouseCall 9.500.0.1008 2011.08.12 -

VBA32 3.12.16.4 2011.08.10 TrojanDownloader.WinShow.ak

VIPRE 10146 2011.08.12 CWS.Winshow

ViRobot 2011.8.12.4619 2011.08.12 -

VirusBuster 14.0.164.0 2011.08.11 JS.Winshow.S

Additional information

MD5 : 97d38f0b73b2acb62f17955f1ce66b1f

SHA1 : 4de0daa64324e600c13ee3a2639fd841c950ebea

SHA256: 5e038b030387ec6f48d3a1961a4bcad86411324b4fe7b5abddfd4b5e58adf1a9

ssdeep: 1536:YTzEtkTzEOaTzE5GtTzECGJtwBi7Gxi29Yv4KP4UAFSyR8bPHiVPItatCnwkvq9P:YkmkB

kQtkBJ6P2XiXzl

File size : 56832 bytes

First seen: 2011-05-20 09:47:08

Last seen : 2011-08-12 10:28:16

TrID:

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x0

timedatestamp....: 0x3B7DFE16 (Sat Aug 18 05:33:10 2001)

machinetype......: 0x14c (I386)

[[ 2 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.rsrc, 0x1000, 0xD86E, 0xDA00, 5.47, 29accead8aa6482937d879612e0a7190

.reloc, 0xF000, 0x8, 0x200, 0.02, 2c38765194d27b75f56d0565088a53ee

ExifTool:

file metadata

CodeSize: 0

EntryPoint: 0x0000

FileSize: 56 kB

FileType: Win32 DLL

ImageVersion: 5.1

InitializedDataSize: 56320

LinkerVersion: 7.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 5.1

PEType: PE32

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2001:08:18 07:33:10+02:00

UninitializedDataSize: 0

Link to post
Share on other sites

  • Staff

Hi,

Update MBAM, run a Quick Scan, and post its log.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=90750
Collect::
c:\windows\cienw.dll
c:\windows\system32\sysht.exe
File::
c:\windows\dillf.dll
c:\windows\ldwpn.dll
c:\windows\mzuok.dll
c:\windows\nwndi.dll
c:\windows\ohsxy.dll
c:\windows\pnhru.dll
c:\windows\vjpys.dll
c:\windows\system32\aafrs.dll
c:\windows\system32\dapve.dll
c:\windows\system32\ecxcy.dll
c:\windows\system32\glsuc.dll
c:\windows\system32\hmzvg.dll
c:\windows\system32\lvwif.dll
c:\windows\system32\nrjbj.dll
c:\windows\system32\psept.dll
c:\windows\system32\qxbij.dll
c:\windows\system32\slrhh.dll
c:\windows\system32\vbggb.dll
c:\windows\system32\vynkt.dll

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Link to post
Share on other sites

Hello,

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7477

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

8/16/2011 6:07:00 AM

mbam-log-2011-08-16 (06-07-00).txt

Scan type: Quick scan

Objects scanned: 220451

Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------

ComboFix 11-08-16.02 - Microsoft User 08/16/2011 7:27.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.317 [GMT -4:00]

Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Microsoft User\Desktop\CFScript.txt

.

FILE ::

"c:\windows\dillf.dll"

"c:\windows\ldwpn.dll"

"c:\windows\mzuok.dll"

"c:\windows\nwndi.dll"

"c:\windows\ohsxy.dll"

"c:\windows\pnhru.dll"

"c:\windows\system32\aafrs.dll"

"c:\windows\system32\dapve.dll"

"c:\windows\system32\ecxcy.dll"

"c:\windows\system32\glsuc.dll"

"c:\windows\system32\hmzvg.dll"

"c:\windows\system32\lvwif.dll"

"c:\windows\system32\nrjbj.dll"

"c:\windows\system32\psept.dll"

"c:\windows\system32\qxbij.dll"

"c:\windows\system32\slrhh.dll"

"c:\windows\system32\vbggb.dll"

"c:\windows\system32\vynkt.dll"

"c:\windows\vjpys.dll"

.

file zipped: c:\windows\cienw.dll

file zipped: c:\windows\system32\sysht.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\cienw.dll

c:\windows\dillf.dll

c:\windows\ldwpn.dll

c:\windows\mzuok.dll

c:\windows\nwndi.dll

c:\windows\ohsxy.dll

c:\windows\pnhru.dll

c:\windows\system32\aafrs.dll

c:\windows\system32\dapve.dll

c:\windows\system32\ecxcy.dll

c:\windows\system32\glsuc.dll

c:\windows\system32\hmzvg.dll

c:\windows\system32\lvwif.dll

c:\windows\system32\nrjbj.dll

c:\windows\system32\psept.dll

c:\windows\system32\qxbij.dll

c:\windows\system32\slrhh.dll

c:\windows\system32\sysht.exe

c:\windows\system32\vbggb.dll

c:\windows\system32\vynkt.dll

c:\windows\vjpys.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-07-16 to 2011-08-16 )))))))))))))))))))))))))))))))

.

.

2011-08-07 13:37 . 2011-08-07 13:51 -------- dc----w- c:\documents and settings\Microsoft User\Local Settings\Application Data\MigWiz

2011-08-07 13:12 . 2006-11-02 12:07 581192 ----a-w- c:\windows\system32\WinusbCoInstaller.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- dc----w- c:\windows\system32\DRVSTORE

2011-08-07 13:12 . 2006-11-02 13:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- d-----w- c:\program files\Windows Easy Transfer 7

2011-08-07 04:53 . 2011-08-07 04:53 1409 ----a-w- c:\windows\QTFont.for

2011-07-26 11:19 . 2011-07-26 11:20 -------- d-----w- c:\program files\new

2011-07-22 21:50 . 2011-07-22 21:50 -------- d-----w- c:\documents and settings\Microsoft User\Application Data\ImTOO

2011-07-22 21:48 . 2011-07-22 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ImTOO

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 23:52 . 2011-04-23 13:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll

2006-02-23 13:16 . 2009-01-11 16:33 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 13:16 . 2009-01-11 16:33 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

2011-06-25 17:36 . 2011-05-08 13:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-03_11.25.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-11-02 11:00 . 2006-11-02 11:00 24136 c:\windows\system32\winusb.dll

+ 2005-06-30 11:29 . 2008-12-22 16:54 26144 c:\windows\system32\spupdsvc.exe

+ 2009-01-11 17:42 . 2008-12-22 16:54 16928 c:\windows\system32\spmsg.dll

+ 2009-07-13 22:20 . 2009-07-13 22:20 91728 c:\windows\system32\MigAutoPlay.exe

+ 2006-11-02 11:00 . 2006-11-02 11:00 39368 c:\windows\system32\drivers\winusb.sys

+ 2006-11-02 11:22 . 2006-11-02 11:22 32224 c:\windows\system32\drivers\wdfldr.sys

+ 2011-08-07 13:12 . 2006-11-02 12:07 581192 c:\windows\system32\DRVSTORE\TransferCa_FBC4C55696C581AE72F7C014EA9EA813252FB984\WinusbCoInstaller.dll

+ 2006-11-02 11:22 . 2006-11-02 11:22 492000 c:\windows\system32\drivers\wdf01000.sys

+ 2011-08-07 13:12 . 2006-11-02 13:09 1419232 c:\windows\system32\DRVSTORE\TransferCa_FBC4C55696C581AE72F7C014EA9EA813252FB984\WdfCoinstaller01005.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"VSPDXP"="c:\program files\VSPD XP\vspdconfig.exe" [2003-11-13 974848]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 180269]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2004-08-23 35528]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-1-13 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 3.5.lnk

backup=c:\windows\pss\eFax DllCmd 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.5.lnk

backup=c:\windows\pss\eFax Tray Menu 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk

backup=c:\windows\pss\NetScreen-Remote.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2008-03-18 01:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2008-12-12 01:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]

2005-02-21 18:17 207360 ----a-w- c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-05-09 20:00 1658080 ----a-w- c:\program files\Messenger\Msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2001-08-18 05:36 86016 ----a-w- c:\windows\system32\pctspk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyPD]

2006-02-02 17:27 262144 ----a-w- c:\windows\system32\ProxyPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]

2003-10-30 21:10 667648 ----a-w- c:\windows\system32\sistray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ----a-r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-18 19:53 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-08-21 21:11 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"IDriverT"=3 (0x3)

"Neoteris Setup Service"=2 (0x2)

"iPod Service"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Windows Easy Transfer 7\\migwiz.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:TCP"= 137:TCP:137

"138:TCP"= 138:TCP:138

"7000:TCP"= 7000:TCP:Windows Easy Transfer TCP port

"7000:UDP"= 7000:UDP:Windows Easy Transfer UDP port

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/1/2010 6:10 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/1/2010 6:10 PM 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [4/27/2008 4:51 PM 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/1/2010 6:10 PM 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [4/27/2008 4:51 PM 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\Drivers\Crypto.sys --> c:\windows\system32\Drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\DRIVERS\nsvcp.sys --> c:\windows\system32\DRIVERS\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/1/2010 6:10 PM 14924]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2006 7:52 PM 611064]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{28CAEFF3-0F18-4036-B504-51D73BD81C3A} - REG_SZ

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-16 07:45

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\msmqinst.log:shmewq 29278 bytes executable

c:\windows\nemo.jpg:rsnlg 89666 bytes executable

c:\windows\netfxocm.log:hwknmd 66560 bytes executable

c:\windows\NSUninst.exe:zcdyn 29278 bytes executable

c:\windows\setupapi.log.0.old:jgxkx 10240 bytes executable

c:\windows\setupapi.log.0.old:mabfp 10240 bytes executable

c:\windows\SiSport.sys:gaero 10240 bytes executable

c:\windows\Sti_Trace.log:xbeyl 10240 bytes executable

c:\windows\FaxSetup.log:nucll 56832 bytes executable

c:\windows\FeatherTexture.bmp:pdzbp 26624 bytes executable

c:\windows\iis6.log:lzjdr 56832 bytes executable

c:\windows\ukcqo.txt:qdoxhi 35544 bytes executable

c:\windows\UPGRADE.TXT:irfro 10240 bytes executable

c:\windows\vb.ini:fclyd 10240 bytes executable

c:\windows\vb.ini:mgtlv 10240 bytes executable

c:\windows\vejvw.txt:bspei 26624 bytes executable

c:\windows\vmmreg32.dll:ahzor 56832 bytes executable

c:\windows\winamp.ini:qmlfwf 12020 bytes executable

c:\windows\Windows Update.log:bftpb 93405 bytes executable

c:\windows\Windows Update.log:zjvsd 10240 bytes executable

c:\windows\comsetup.log:kstfok 12020 bytes executable

c:\windows\comsetup.log:pldwp 26624 bytes executable

c:\windows\comsetup.log:zarkr 26624 bytes executable

c:\windows\control.ini:owpse 10240 bytes executable

c:\windows\control.ini:sulgs 26624 bytes executable

c:\windows\desktop.ini:lqfft 10240 bytes executable

c:\windows\DHCPUPG.LOG:arpgk 10240 bytes executable

c:\windows\DHCPUPG.LOG:dtlkjv 35544 bytes executable

c:\windows\DHCPUPG.LOG:psdts 26624 bytes executable

c:\windows\oodcg.txt:qyetm 103850 bytes executable

c:\windows\winhelp.exe:uyevd 10240 bytes executable

c:\windows\Wininit.ini:hgoha 26624 bytes executable

c:\windows\Wininit.ini:jnelqp 35544 bytes executable

c:\windows\winnt256.bmp:ryhbwm 12020 bytes executable

c:\windows\WINNT32.LOG:gcwswu 35544 bytes executable

c:\windows\KB828741.log:ytmbuc 35544 bytes executable

c:\windows\clock.avi:vkuqn 56832 bytes executable

c:\windows\CMIRmDriver.dll:ylcfy 26624 bytes executable

c:\windows\CMISETUP.INI:ukcqo 10240 bytes executable

c:\windows\CMIUninstall.exe:wltru 10240 bytes executable

c:\windows\KB890175.log:rxlucb 12020 bytes executable

c:\windows\KB890859.log:pablhl 12020 bytes executable

c:\windows\KB891711.log:btzdwo 12020 bytes executable

c:\windows\KB891711.log:kxdzel 35544 bytes executable

c:\windows\KB891781.log:hbuqjv 12020 bytes executable

c:\windows\KB892944.log:nsruu 66560 bytes executable

c:\windows\KB893086.log:scewdg 35544 bytes executable

c:\windows\KB893086.log:ttjjqr 12020 bytes executable

c:\windows\KB893086.log:xzigjw 12020 bytes executable

c:\windows\KB893803.log:airhks 12020 bytes executable

c:\windows\n_flbfhk.log:ljmid 12020 bytes executable

c:\windows\n_gbxxaf.dat:cjyttk 12020 bytes executable

c:\windows\n_hhrfbs.log:mduupw 12020 bytes executable

c:\windows\n_hhrfbs.log:mndvgf 12020 bytes executable

c:\windows\n_hlfmxg.dat:hofyte 12020 bytes executable

c:\windows\n_hlfmxg.dat:inabpy 12020 bytes executable

c:\windows\n_qyyvul.txt:tpcaed 12020 bytes executable

c:\windows\n_rufgkq.dat:bzdqq 29278 bytes executable

c:\windows\n_rufgkq.dat:mqmngn 35544 bytes executable

c:\windows\n_keokaf.txt:ucgpfg 12020 bytes executable

c:\windows\n_kttfvh.dat:mdychr 12020 bytes executable

c:\windows\n_laxpuf.log:zxmfvr 35544 bytes executable

c:\windows\n_lolcwh.log:fdrhbb 35544 bytes executable

c:\windows\n_mwbwin.txt:blukgi 35544 bytes executable

c:\windows\n_mzqzcb.log:woqrhr 12020 bytes executable

c:\windows\n_nnfuhc.dat:xmlwna 12020 bytes executable

c:\windows\n_uupums.dat:mitfwz 12020 bytes executable

c:\windows\n_wggnfg.txt:fqdnfg 12020 bytes executable

c:\windows\n_yjvljc.dat:vbovsv 12020 bytes executable

c:\windows\n_zfpkte.log:xqoshq 35544 bytes executable

c:\windows\ocgen.log:othbug 12020 bytes executable

c:\windows\ocmsn.log:bahmae 66560 bytes executable

c:\windows\ocmsn.log:blluh 93405 bytes executable

c:\windows\ODBC.INI:oecofx 35544 bytes executable

c:\windows\ODBCINST.INI:gurooq 35544 bytes executable

c:\windows\KB896422.log:tjjmmd 35544 bytes executable

c:\windows\KB896426.log:aatzxj 35544 bytes executable

c:\windows\KB896426.log:wsjand 12020 bytes executable

c:\windows\KB897715-OE6SP1-20050503.210336.log:dxophr 12020 bytes executable

c:\windows\KB898461.log:olcghg 35544 bytes executable

c:\windows\KB899588.log:wygujt 35544 bytes executable

c:\windows\DtcInstall.log:hxayh 26624 bytes executable

c:\windows\TASKMAN.EXE:qcwdg 26624 bytes executable

c:\windows\tjjmm.dat:gcwsmg 12020 bytes executable

c:\windows\twain.dll:itxpa 10240 bytes executable

c:\windows\ntdtcsetup.log:yjsad 84825 bytes executable

c:\windows\kzsoy.dat:qdvlzb 35544 bytes executable

c:\windows\regedit(2).exe:jyfhr 93700 bytes executable

c:\windows\regedit(3).exe:bzhei 29278 bytes executable

c:\windows\regedit(3).exe:jyfhr 93700 bytes executable

c:\windows\regedit(4).exe:jyfhr 93700 bytes executable

c:\windows\regedit(5).exe:jyfhr 93700 bytes executable

c:\windows\Zapotec.bmp:pmyge 84825 bytes executable

c:\windows\_default.pif:bwgrhu 12020 bytes executable

c:\windows\_default.pif:bwklbt 35544 bytes executable

c:\windows\_default.pif:cidvsy 29278 bytes executable

c:\windows\_default.pif:dwbdgf 35544 bytes executable

c:\windows\_default.pif:eqqjpa 35544 bytes executable

c:\windows\_default.pif:etopxz 12020 bytes executable

c:\windows\_default.pif:fjyvfi 35544 bytes executable

c:\windows\_default.pif:gwgywn 12020 bytes executable

c:\windows\_default.pif:hsjcod 66560 bytes executable

c:\windows\_default.pif:ilajuy 29278 bytes executable

c:\windows\_default.pif:ivrghj 12020 bytes executable

c:\windows\_default.pif:khlipo 12020 bytes executable

c:\windows\_default.pif:kvqqmv 12020 bytes executable

c:\windows\_default.pif:kxnkvw 29278 bytes executable

c:\windows\_default.pif:lpxdvy 12020 bytes executable

c:\windows\_default.pif:nazhlt 35544 bytes executable

c:\windows\_default.pif:nroply 12020 bytes executable

c:\windows\_default.pif:oofcir 35544 bytes executable

c:\windows\_default.pif:qkhesw 12020 bytes executable

c:\windows\_default.pif:qvzbey 12020 bytes executable

c:\windows\_default.pif:swveat 12020 bytes executable

c:\windows\_default.pif:tpfytn 12020 bytes executable

c:\windows\_default.pif:txzejw 35544 bytes executable

c:\windows\_default.pif:vzgcqj 12020 bytes executable

c:\windows\_default.pif:wompoo 12020 bytes executable

c:\windows\_default.pif:xugurk 35544 bytes executable

c:\windows\_default.pif:xuonkw 12020 bytes executable

c:\windows\_default.pif:zxydyq 35544 bytes executable

c:\windows\KB899591.log:xcdgfq 12020 bytes executable

c:\windows\msdfmap.ini:pegzj 56832 bytes executable

c:\windows\n_cqfzwd.dat:ujzvta 35544 bytes executable

c:\windows\n_hscwhb.log:femzjg 35544 bytes executable

c:\windows\n_hscwhb.log:xnwiaq 12020 bytes executable

c:\windows\preInsMM.exe:jdehn 56832 bytes executable

c:\windows\Santa Fe Stucco.bmp:homqc 26624 bytes executable

c:\windows\twunk_32.exe:auquu 26624 bytes executable

c:\windows\WindowsUpdate.log:nbemuj 12020 bytes executable

c:\windows\WindowsUpdate.log:wyvms 56832 bytes executable

c:\windows\WindowsUpdate.log:zypwcc 12020 bytes executable

c:\windows\blocklist.reg:gxdxw 10240 bytes executable

c:\windows\blocklist.reg:njrmc 93405 bytes executable

c:\windows\KB893803v2.log:izaldg 12020 bytes executable

c:\windows\KB893803v2.log:mucosb 35544 bytes executable

.

scan completed successfully

hidden files: 136

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-329068152-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2C6A728-99B6-9E70-ECCD-B16FE0B39194}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafijmabgajgabfild"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,00

"haphphdgoikhlnhd"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,a6

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2120)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Canon\IJPLM\IJPLMSVC.EXE

c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

c:\windows\system32\wscntfy.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\system32\RUNDLL32.EXE

c:\progra~1\LINKSY~1\LinksysAdvisor.exe

.

**************************************************************************

.

Completion time: 2011-08-16 07:51:06 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-16 11:50

ComboFix2.txt 2011-08-11 11:05

ComboFix3.txt 2011-08-06 10:54

ComboFix4.txt 2011-08-03 11:28

.

Pre-Run: 471,105,536 bytes free

Post-Run: 492,929,024 bytes free

.

- - End Of File - - BD0EC39D102B2A776468B34565244CBE

Upload was successful

Link to post
Share on other sites

  • Staff

Hi,

You must first verify that you can logon to the Windows Recovery Console.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

Next, please download maxlook, saving the file to your desktop.

Double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

lookXP.gif

You will see 1 file copied many times then return to the x:\windows> prompt.

Type Exit to restart your computer then logon in normal mode.

Next, click Start--> Run, and enter the following command: Note - you must run it only once!

maxlook.exe -sig

It will produce looklog.txt on the desktop and open it.

Please post the results here.

Link to post
Share on other sites

Hello,

As requested:

Run from C:\Documents and Settings\Microsoft User\Desktop\maxlook.exe on Fri 08/19/2011 at 20:58:42.64

--------- maxlook unsigned files ---------

c:\windows\maxdrive\aspi32.sys:
Verified: Unsigned
File date: 8:06 AM 9/10/1999
Publisher: Adaptec
Description: ASPI for WIN32 Kernel Driver
Product: Adaptec's ASPI Layer
Version: 4.60 (1021)
File version: 4.60 (1021)
c:\windows\maxdrive\CVPNDRVA.sys:
Verified: Unsigned
File date: 1:07 PM 11/17/2009
Publisher: Cisco Systems, Inc.
Description: Cisco Systems VPN Client IPSec Driver
Product: Cisco Systems VPN Client
Version: 5.0.06.0160
File version: 5.0.06.0160
c:\windows\maxdrive\OXSER.SYS:
Verified: Unsigned
File date: 11:31 AM 4/28/2003
Publisher: OEM
Description: OX16C95x Serial Device Driver
Product: OX16C95x
Version: 3.0.4.001
File version: 3.0.4.001
c:\windows\maxdrive\ptserial.sys:
Verified: Unsigned
File date: 9:41 PM 9/23/2003
Publisher: PCTEL, INC.
Description: HSP Modem Serial Device Driver
Product: HSP Modem Serial Device
Version: 11.0300.0021
File version: 11.0300.0021
c:\windows\maxdrive\scap.sys:
Verified: Unsigned
File date: 7:49 PM 3/1/2005
Publisher: Check Point Software Technologies
Description:
Product: desktop
Version: 5.0
File version: 54,8,000,619
c:\windows\maxdrive\Sio9502k.sys:
Verified: Unsigned
File date: 11:29 PM 2/10/2004
Publisher: Socket Communications, Inc.
Description: WDM serial port device driver
Product: SIO9502K
Version: 1, 0, 0, 1
File version: 1, 0, 3, 5
c:\windows\maxdrive\SktBt2k.sys:
Verified: Unsigned
File date: 8:26 PM 3/22/2004
Publisher: Socket Communications, Inc.
Description: WDM serial port device driver
Product: SIO9502K
Version: 1, 0, 0, 1
File version: 1, 0, 3, 7
c:\windows\maxdrive\snapman.sys:
Verified: Unsigned
File date: 12:48 PM 6/3/2005
Publisher: Acronis
Description: Acronis Snapshot API
Product: Acronis Snapshot API
Version: 1.04 build 80
File version: 1.04 build 80
c:\windows\maxdrive\volsnap.sys:
Verified: Unsigned
File date: 2:00 AM 8/4/2004
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
c:\windows\maxdrive\vpn.sys:
Verified: Unsigned
File date: 7:49 PM 3/1/2005
Publisher: Check Point Software Technologies
Description:
Product: vpn1
Version: 5.0
File version: 54,8,000,603
c:\windows\maxdrive\vsb.sys:
Verified: Unsigned
File date: 11:49 AM 10/7/2003
Publisher: ELTIMA Software
Description: Virtual Serial Bus
Product: ELTIMA Virtual Serial Bus
Version: 3.1.103
File version: 3.1.103
c:\windows\maxdrive\vserial.sys:
Verified: Unsigned
File date: 1:44 PM 11/12/2003
Publisher: ELTIMA Software
Description: Virtual Serial Port Driver
Product: ELTIMA Virtual Serial Ports
Version: 3.1.103
File version: 3.1.103
c:\windows\maxdrive\wssbtr1f.sys:
Verified: Unsigned
File date: 12:58 PM 7/3/2003
Publisher: National Semiconductor Sweden AB
Description: wssbt
Product: National Semiconductor Sweden AB BlueCard PCMCIA driver
Version: 2, 0, 0, 57
File version: 2, 0, 0, 57

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\aspi32.sys:
Verified: Unsigned
File date: 8:06 AM 9/10/1999
Publisher: Adaptec
Description: ASPI for WIN32 Kernel Driver
Product: Adaptec's ASPI Layer
Version: 4.60 (1021)
File version: 4.60 (1021)
c:\windows\system32\drivers\CVPNDRVA.sys:
Verified: Unsigned
File date: 1:07 PM 11/17/2009
Publisher: Cisco Systems, Inc.
Description: Cisco Systems VPN Client IPSec Driver
Product: Cisco Systems VPN Client
Version: 5.0.06.0160
File version: 5.0.06.0160
c:\windows\system32\drivers\OXSER.SYS:
Verified: Unsigned
File date: 11:31 AM 4/28/2003
Publisher: OEM
Description: OX16C95x Serial Device Driver
Product: OX16C95x
Version: 3.0.4.001
File version: 3.0.4.001
c:\windows\system32\drivers\ptserial.sys:
Verified: Unsigned
File date: 9:41 PM 9/23/2003
Publisher: PCTEL, INC.
Description: HSP Modem Serial Device Driver
Product: HSP Modem Serial Device
Version: 11.0300.0021
File version: 11.0300.0021
c:\windows\system32\drivers\scap.sys:
Verified: Unsigned
File date: 7:49 PM 3/1/2005
Publisher: Check Point Software Technologies
Description:
Product: desktop
Version: 5.0
File version: 54,8,000,619
c:\windows\system32\drivers\Sio9502k.sys:
Verified: Unsigned
File date: 11:29 PM 2/10/2004
Publisher: Socket Communications, Inc.
Description: WDM serial port device driver
Product: SIO9502K
Version: 1, 0, 0, 1
File version: 1, 0, 3, 5
c:\windows\system32\drivers\SktBt2k.sys:
Verified: Unsigned
File date: 8:26 PM 3/22/2004
Publisher: Socket Communications, Inc.
Description: WDM serial port device driver
Product: SIO9502K
Version: 1, 0, 0, 1
File version: 1, 0, 3, 7
c:\windows\system32\drivers\snapman.sys:
Verified: Unsigned
File date: 12:48 PM 6/3/2005
Publisher: Acronis
Description: Acronis Snapshot API
Product: Acronis Snapshot API
Version: 1.04 build 80
File version: 1.04 build 80
c:\windows\system32\drivers\vpn.sys:
Verified: Unsigned
File date: 7:49 PM 3/1/2005
Publisher: Check Point Software Technologies
Description:
Product: vpn1
Version: 5.0
File version: 54,8,000,603
c:\windows\system32\drivers\vsb.sys:
Verified: Unsigned
File date: 11:49 AM 10/7/2003
Publisher: ELTIMA Software
Description: Virtual Serial Bus
Product: ELTIMA Virtual Serial Bus
Version: 3.1.103
File version: 3.1.103
c:\windows\system32\drivers\vserial.sys:
Verified: Unsigned
File date: 1:44 PM 11/12/2003
Publisher: ELTIMA Software
Description: Virtual Serial Port Driver
Product: ELTIMA Virtual Serial Ports
Version: 3.1.103
File version: 3.1.103
c:\windows\system32\drivers\wssbtr1f.sys:
Verified: Unsigned
File date: 12:58 PM 7/3/2003
Publisher: National Semiconductor Sweden AB
Description: wssbt
Product: National Semiconductor Sweden AB BlueCard PCMCIA driver
Version: 2, 0, 0, 57
File version: 2, 0, 0, 57

Link to post
Share on other sites

As of late, the most consistent issue I have seen with this, aside from the Google re-direct, is that anytime I'm connected to the internet, IE gets called (remotely?) and continues to run until I kill the iexplore.exe process via Task Mgr. While running, I will get numerous instances of IE's pop-up stating "When you send information to the Internet, it might be possible for others to see that information. Do you want to continue?". Occasionally, if left online for an extended amount of time, I'll get IE browser windows opened linking to specific sites (can't remember the URLs off hand) and sometimes I'll find Itunes opened.

Here's the Combofix log:

ComboFix 11-08-23.01 - Microsoft User 08/23/2011 7:47.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.301 [GMT -4:00]

Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Microsoft User\My Documents\103.doc

c:\windows\look.bat

.

.

((((((((((((((((((((((((( Files Created from 2011-07-23 to 2011-08-23 )))))))))))))))))))))))))))))))

.

.

2011-08-20 00:58 . 2010-10-12 16:56 220024 ----a-w- c:\windows\sigcheck.exe

2011-08-20 00:53 . 2011-08-19 20:56 -------- d-----w- c:\windows\maxdrive

2011-08-07 13:37 . 2011-08-07 13:51 -------- dc----w- c:\documents and settings\Microsoft User\Local Settings\Application Data\MigWiz

2011-08-07 13:12 . 2006-11-02 12:07 581192 ----a-w- c:\windows\system32\WinusbCoInstaller.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- dc----w- c:\windows\system32\DRVSTORE

2011-08-07 13:12 . 2006-11-02 13:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- d-----w- c:\program files\Windows Easy Transfer 7

2011-08-07 04:53 . 2011-08-07 04:53 1409 ----a-w- c:\windows\QTFont.for

2011-07-26 11:19 . 2011-07-26 11:20 -------- d-----w- c:\program files\new

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 23:52 . 2011-04-23 13:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll

2006-02-23 13:16 . 2009-01-11 16:33 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 13:16 . 2009-01-11 16:33 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

2011-06-25 17:36 . 2011-05-08 13:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-03_11.25.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-11-02 11:00 . 2006-11-02 11:00 24136 c:\windows\system32\winusb.dll

+ 2005-06-30 11:29 . 2008-12-22 16:54 26144 c:\windows\system32\spupdsvc.exe

+ 2009-01-11 17:42 . 2008-12-22 16:54 16928 c:\windows\system32\spmsg.dll

+ 2009-07-13 22:20 . 2009-07-13 22:20 91728 c:\windows\system32\MigAutoPlay.exe

+ 2006-11-02 11:00 . 2006-11-02 11:00 39368 c:\windows\system32\drivers\winusb.sys

+ 2006-11-02 11:22 . 2006-11-02 11:22 32224 c:\windows\system32\drivers\wdfldr.sys

+ 2006-09-29 00:00 . 2006-09-29 00:00 82944 c:\windows\maxdrive\WudfRd.sys

+ 2006-09-28 23:55 . 2006-09-28 23:55 77568 c:\windows\maxdrive\WudfPf.sys

+ 2003-07-03 16:58 . 2003-07-03 16:58 63488 c:\windows\maxdrive\wssbtr1f.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 12032 c:\windows\maxdrive\ws2ifsl.sys

+ 2004-10-11 16:20 . 2006-10-19 01:00 38528 c:\windows\maxdrive\wpdusb.sys

+ 2006-11-02 11:00 . 2006-11-02 11:00 39368 c:\windows\maxdrive\winusb.sys

+ 2004-08-07 09:19 . 2006-06-14 09:00 82944 c:\windows\maxdrive\wdmaud.sys

+ 2006-11-02 11:22 . 2006-11-02 11:22 32224 c:\windows\maxdrive\wdfldr.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 25471 c:\windows\maxdrive\watv10nt.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 22271 c:\windows\maxdrive\watv06nt.sys

+ 2003-03-31 12:00 . 2004-08-04 06:04 34560 c:\windows\maxdrive\wanarp.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 11935 c:\windows\maxdrive\wadv11nt.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 11871 c:\windows\maxdrive\wadv09nt.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 11295 c:\windows\maxdrive\wadv08nt.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 11807 c:\windows\maxdrive\wadv07nt.sys

+ 2004-08-04 06:04 . 2004-08-04 06:04 13568 c:\windows\maxdrive\wacompen.sys

+ 2004-08-07 09:20 . 2001-08-17 20:28 64605 c:\windows\maxdrive\vvoice.sys

+ 2003-11-12 18:44 . 2003-11-12 17:44 47104 c:\windows\maxdrive\vserial.sys

+ 2003-10-07 16:49 . 2003-10-07 15:49 18167 c:\windows\maxdrive\vsb.sys

+ 2003-03-31 12:00 . 2004-08-04 06:00 52352 c:\windows\maxdrive\volsnap.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 79744 c:\windows\maxdrive\videoprt.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 42240 c:\windows\maxdrive\viaagp.sys

+ 2007-03-05 10:57 . 2007-03-05 10:57 19472 c:\windows\maxdrive\VHIDMini.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 20992 c:\windows\maxdrive\vga.sys

+ 2001-08-17 14:02 . 2003-03-31 12:00 58112 c:\windows\maxdrive\vdmindvd.sys

+ 2007-03-05 10:53 . 2007-03-05 10:53 44304 c:\windows\maxdrive\VcommMgr.sys

+ 2007-03-05 10:52 . 2007-03-05 10:52 34448 c:\windows\maxdrive\VComm.sys

+ 2007-03-05 10:55 . 2007-03-05 10:55 20880 c:\windows\maxdrive\vbtenum.sys

+ 2007-01-17 02:46 . 2001-12-14 20:26 36188 c:\windows\maxdrive\vap.sys

+ 2004-08-04 06:10 . 2004-08-04 06:10 78464 c:\windows\maxdrive\usbvideo.sys

+ 2005-05-13 21:09 . 2004-08-04 06:08 26496 c:\windows\maxdrive\usbstor.sys

+ 2008-03-16 15:43 . 2004-08-04 04:58 15104 c:\windows\maxdrive\usbscan.sys

+ 2004-08-31 16:21 . 2004-08-04 06:01 25856 c:\windows\maxdrive\usbprint.sys

+ 2003-03-31 12:00 . 2004-08-04 06:08 17024 c:\windows\maxdrive\usbohci.sys

+ 2002-08-29 01:32 . 2004-08-04 06:08 16000 c:\windows\maxdrive\usbintel.sys

+ 2003-03-31 12:00 . 2004-08-04 06:08 57600 c:\windows\maxdrive\usbhub.sys

+ 2003-03-31 12:00 . 2004-08-04 06:08 26624 c:\windows\maxdrive\usbehci.sys

+ 2006-06-29 21:52 . 2004-08-04 05:08 31616 c:\windows\maxdrive\usbccgp.sys

+ 2001-08-17 14:03 . 2003-03-31 12:00 23936 c:\windows\maxdrive\usbcamd2.sys

+ 2001-08-17 14:03 . 2003-03-31 12:00 23808 c:\windows\maxdrive\usbcamd.sys

+ 2006-06-29 21:52 . 2004-08-04 05:07 59264 c:\windows\maxdrive\USBAUDIO.sys

+ 2004-08-04 06:04 . 2004-08-04 06:04 12672 c:\windows\maxdrive\usb8023x.sys

+ 2003-03-31 12:00 . 2004-08-04 06:04 12672 c:\windows\maxdrive\usb8023.sys

+ 2003-03-31 12:00 . 2004-08-04 06:00 66176 c:\windows\maxdrive\udfs.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 44672 c:\windows\maxdrive\uagp35.sys

+ 2002-08-29 01:35 . 2004-08-04 06:03 12416 c:\windows\maxdrive\tunmp.sys

+ 2001-08-17 14:06 . 2003-03-31 12:00 21376 c:\windows\maxdrive\tsbvcap.sys

+ 2001-08-17 14:01 . 2003-03-31 12:00 51712 c:\windows\maxdrive\tosdvd.sys

+ 2004-08-07 09:01 . 2004-08-04 08:01 40840 c:\windows\maxdrive\termdd.sys

+ 2004-08-07 09:02 . 2004-08-04 08:01 21896 c:\windows\maxdrive\tdtcp.sys

+ 2004-08-07 09:02 . 2004-08-04 08:01 12040 c:\windows\maxdrive\tdpipe.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 18560 c:\windows\maxdrive\tdi.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 14976 c:\windows\maxdrive\tape.sys

+ 2004-08-07 09:19 . 2004-08-04 06:15 60800 c:\windows\maxdrive\sysaudio.sys

+ 2004-08-07 09:19 . 2001-08-17 21:00 54272 c:\windows\maxdrive\swmidi.sys

+ 2004-08-07 09:19 . 2004-08-04 06:08 48640 c:\windows\maxdrive\stream.sys

+ 2004-08-07 09:17 . 2003-10-29 19:36 11264 c:\windows\maxdrive\srvkp.sys

+ 2004-08-07 09:03 . 2004-08-04 06:06 73472 c:\windows\maxdrive\sr.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 96256 c:\windows\maxdrive\sptddrv1.sys

+ 2002-08-29 01:33 . 2004-08-04 06:09 25472 c:\windows\maxdrive\sonydcam.sys

+ 2005-06-03 16:48 . 2005-06-03 16:48 77728 c:\windows\maxdrive\snapman.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 14592 c:\windows\maxdrive\smclib.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 13240 c:\windows\maxdrive\slwdmsup.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 95424 c:\windows\maxdrive\slnthal.sys

+ 2004-03-23 00:26 . 2004-03-23 00:26 48556 c:\windows\maxdrive\SktBt2k.sys

+ 2004-08-07 09:20 . 2002-07-10 15:39 32256 c:\windows\maxdrive\sisnic.sys

+ 2004-08-07 09:14 . 2003-07-18 01:58 36992 c:\windows\maxdrive\SISAGPX.SYS

+ 2004-08-04 06:07 . 2004-08-04 06:07 41088 c:\windows\maxdrive\sisagp.sys

+ 2004-02-11 03:29 . 2004-02-11 03:29 48076 c:\windows\maxdrive\Sio9502k.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 11392 c:\windows\maxdrive\sfloppy.sys

+ 2004-08-04 05:59 . 2004-08-04 05:59 10240 c:\windows\maxdrive\sffp_sd.sys

+ 2004-08-04 05:59 . 2004-08-04 05:59 11136 c:\windows\maxdrive\sffdisk.sys

+ 2003-03-31 12:00 . 2004-08-04 06:15 64896 c:\windows\maxdrive\serial.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 15488 c:\windows\maxdrive\serenum.sys

+ 2003-03-31 12:00 . 2007-11-13 10:25 20480 c:\windows\maxdrive\secdrv.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 67584 c:\windows\maxdrive\sdbus.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 96256 c:\windows\maxdrive\scsiport.sys

+ 2010-10-01 22:10 . 2005-03-01 23:49 17456 c:\windows\maxdrive\scap.sys

+ 2009-06-07 14:55 . 2006-11-08 08:51 62336 c:\windows\maxdrive\rspndr.sys

+ 2004-08-04 06:04 . 2004-08-04 06:04 30080 c:\windows\maxdrive\rndismpx.sys

+ 2003-03-31 12:00 . 2004-08-04 06:04 30080 c:\windows\maxdrive\rndismp.sys

+ 2001-08-17 13:24 . 2003-03-31 12:00 12032 c:\windows\maxdrive\riodrv.sys

+ 2001-08-17 13:24 . 2003-03-31 12:00 12032 c:\windows\maxdrive\rio8drv.sys

+ 2005-07-05 14:42 . 2005-07-05 14:42 20608 c:\windows\maxdrive\RimUsb.sys

+ 2004-08-04 06:10 . 2004-08-04 06:10 59648 c:\windows\maxdrive\rfcomm.sys

+ 2004-08-07 01:58 . 2004-08-04 05:59 57472 c:\windows\maxdrive\redbook.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 13776 c:\windows\maxdrive\recagent.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 34432 c:\windows\maxdrive\rawwan.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 16512 c:\windows\maxdrive\raspti.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 48384 c:\windows\maxdrive\raspptp.sys

+ 2003-03-31 12:00 . 2004-08-04 06:05 41472 c:\windows\maxdrive\raspppoe.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 51328 c:\windows\maxdrive\rasl2tp.sys

+ 2004-08-13 02:46 . 2011-03-04 19:44 45648 c:\windows\maxdrive\pxhelp20.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 17792 c:\windows\maxdrive\ptilink.sys

+ 2003-03-31 12:00 . 2004-08-04 06:04 69120 c:\windows\maxdrive\psched.sys

+ 2002-08-29 01:05 . 2004-08-04 05:59 35328 c:\windows\maxdrive\processr.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 25088 c:\windows\maxdrive\pciidex.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 68224 c:\windows\maxdrive\pci.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 18688 c:\windows\maxdrive\partmgr.sys

+ 2002-08-29 01:27 . 2004-08-04 05:59 80128 c:\windows\maxdrive\parport.sys

+ 2002-08-29 01:05 . 2004-08-04 05:59 42496 c:\windows\maxdrive\p3.sys

+ 2003-04-28 15:31 . 2003-04-28 15:31 51169 c:\windows\maxdrive\OXSER.SYS

+ 2010-10-01 22:10 . 2005-03-01 23:49 14924 c:\windows\maxdrive\OMVA.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 55936 c:\windows\maxdrive\nwlnkspx.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 63232 c:\windows\maxdrive\nwlnknb.sys

+ 2003-03-31 12:00 . 2004-08-04 06:03 88448 c:\windows\maxdrive\nwlnkipx.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 32512 c:\windows\maxdrive\nwlnkfwd.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 12416 c:\windows\maxdrive\nwlnkflt.sys

+ 2003-03-31 12:00 . 2004-08-04 06:00 30848 c:\windows\maxdrive\npfs.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 40320 c:\windows\maxdrive\nmnt.sys

+ 2001-08-17 13:24 . 2003-03-31 12:00 12032 c:\windows\maxdrive\nikedrv.sys

+ 2002-08-29 01:33 . 2004-08-04 05:58 61824 c:\windows\maxdrive\nic1394.sys

+ 2003-03-31 12:00 . 2004-08-04 06:03 34560 c:\windows\maxdrive\netbios.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 38016 c:\windows\maxdrive\ndproxy.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 91776 c:\windows\maxdrive\ndiswan.sys

+ 2002-08-29 01:35 . 2004-08-04 06:03 12928 c:\windows\maxdrive\ndisuio.sys

+ 2004-08-04 06:04 . 2004-08-04 06:04 12672 c:\windows\maxdrive\mutohpen.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 15488 c:\windows\maxdrive\mssmbios.sys

+ 2003-03-31 12:00 . 2004-08-04 06:04 35072 c:\windows\maxdrive\msgpc.sys

+ 2003-03-31 12:00 . 2004-08-04 06:00 19072 c:\windows\maxdrive\msfs.sys

+ 2003-03-31 12:00 . 2009-06-22 11:48 91776 c:\windows\maxdrive\mqac.sys

+ 2003-03-31 12:00 . 2004-08-04 05:58 42240 c:\windows\maxdrive\mountmgr.sys

+ 2005-08-24 01:38 . 2001-08-17 20:48 12160 c:\windows\maxdrive\mouhid.sys

+ 2002-08-29 01:27 . 2004-08-04 05:58 23040 c:\windows\maxdrive\mouclass.sys

+ 2004-08-07 09:20 . 2001-08-17 20:57 16128 c:\windows\maxdrive\MODEMCSA.sys

+ 2001-08-17 13:57 . 2004-08-04 06:08 30080 c:\windows\maxdrive\modem.sys

+ 2001-08-17 13:58 . 2004-08-04 06:07 63744 c:\windows\maxdrive\mf.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 11868 c:\windows\maxdrive\mdmxsdk.sys

+ 2011-04-23 13:40 . 2011-07-06 23:52 41272 c:\windows\maxdrive\mbamswissarmy.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 92032 c:\windows\maxdrive\ksecdd.sys

+ 2009-07-01 20:00 . 2004-08-04 04:58 14848 c:\windows\maxdrive\kbdhid.sys

+ 2003-03-31 12:00 . 2004-08-04 05:58 24576 c:\windows\maxdrive\kbdclass.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 35840 c:\windows\maxdrive\isapnp.sys

+ 2004-08-07 01:57 . 2004-08-04 06:00 11264 c:\windows\maxdrive\irenum.sys

+ 2004-08-04 06:08 . 2004-08-04 06:08 40832 c:\windows\maxdrive\irbus.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 74752 c:\windows\maxdrive\ipsec.sys

+ 2003-03-31 12:00 . 2004-08-04 06:04 20992 c:\windows\maxdrive\ipinip.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 32896 c:\windows\maxdrive\ipfltdrv.sys

+ 2004-08-04 06:00 . 2004-08-04 06:00 29056 c:\windows\maxdrive\ip6fw.sys

+ 2004-08-04 05:59 . 2004-08-04 05:59 36096 c:\windows\maxdrive\intelppm.sys

+ 2003-03-31 12:00 . 2004-08-04 06:00 41856 c:\windows\maxdrive\imapi.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 52736 c:\windows\maxdrive\i8042prt.sys

+ 2003-03-31 12:00 . 2004-08-04 06:08 24960 c:\windows\maxdrive\hidparse.sys

+ 2004-08-04 06:08 . 2004-08-04 06:08 15104 c:\windows\maxdrive\hidir.sys

+ 2003-03-31 12:00 . 2004-08-04 06:08 36224 c:\windows\maxdrive\hidclass.sys

+ 2004-08-04 06:10 . 2004-08-04 06:10 25600 c:\windows\maxdrive\hidbth.sys

+ 2006-09-19 20:44 . 2006-09-19 20:44 15664 c:\windows\maxdrive\GEARAspiWDM.sys

+ 2007-09-30 01:22 . 2004-08-04 05:08 10624 c:\windows\maxdrive\gameenum.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 46464 c:\windows\maxdrive\gagp30kx.sys

+ 2001-08-17 13:57 . 2003-03-31 12:00 12160 c:\windows\maxdrive\fsvga.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 20480 c:\windows\maxdrive\flpydisk.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 34944 c:\windows\maxdrive\fips.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 27392 c:\windows\maxdrive\fdc.sys

+ 2008-04-27 20:51 . 2008-03-14 19:49 54016 c:\windows\maxdrive\evserial.sys

+ 2008-04-27 20:51 . 2008-03-14 19:49 26880 c:\windows\maxdrive\evsbc.sys

+ 2007-09-30 01:23 . 2001-08-17 16:11 66591 c:\windows\maxdrive\el90xbc5.sys

+ 2003-03-31 12:00 . 2004-08-04 06:00 71040 c:\windows\maxdrive\dxg.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 10496 c:\windows\maxdrive\dxapi.sys

+ 2004-08-07 09:19 . 2004-08-04 06:07 60288 c:\windows\maxdrive\drmk.sys

+ 2004-08-07 09:19 . 2004-08-04 06:07 52864 c:\windows\maxdrive\dmusic.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 14208 c:\windows\maxdrive\diskdump.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 36352 c:\windows\maxdrive\disk.sys

+ 2002-08-29 01:05 . 2004-08-04 05:59 36480 c:\windows\maxdrive\crusoe.sys

+ 2001-08-17 13:24 . 2003-03-31 12:00 11776 c:\windows\maxdrive\cpqdap01.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 49664 c:\windows\maxdrive\classpnp.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 49536 c:\windows\maxdrive\cdrom.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 63744 c:\windows\maxdrive\cdfs.sys

+ 2001-08-17 13:52 . 2003-03-31 12:00 18688 c:\windows\maxdrive\cdaudio.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 13952 c:\windows\maxdrive\cbidf2k.sys

+ 2006-11-22 03:41 . 2006-11-22 03:41 22416 c:\windows\maxdrive\BTNetFilter.sys

+ 2007-03-05 10:59 . 2007-03-05 10:59 18320 c:\windows\maxdrive\btnetdrv.sys

+ 2004-08-04 06:10 . 2004-08-04 06:10 18944 c:\windows\maxdrive\bthusb.sys

+ 2004-08-04 06:10 . 2004-08-04 06:10 35456 c:\windows\maxdrive\bthprint.sys

+ 2004-08-04 06:10 . 2004-08-04 06:10 38016 c:\windows\maxdrive\bthmodem.sys

+ 2007-03-05 10:56 . 2007-03-05 10:56 35600 c:\windows\maxdrive\BTHidMgr.sys

+ 2004-08-04 06:10 . 2004-08-04 06:10 17024 c:\windows\maxdrive\bthenum.sys

+ 2007-05-09 06:59 . 2007-05-09 06:59 36496 c:\windows\maxdrive\btcusb.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 71552 c:\windows\maxdrive\bridge.sys

+ 2007-03-05 11:00 . 2007-03-05 11:00 27792 c:\windows\maxdrive\BlueletSCOAudio.sys

+ 2007-05-11 08:10 . 2007-05-11 08:10 34704 c:\windows\maxdrive\blueletaudio.sys

+ 2003-03-31 12:00 . 2004-08-04 05:58 55936 c:\windows\maxdrive\atmlane.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 31360 c:\windows\maxdrive\atmepvc.sys

+ 2003-03-31 12:00 . 2004-08-04 05:58 59904 c:\windows\maxdrive\atmarpc.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 63488 c:\windows\maxdrive\atinxsxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 31744 c:\windows\maxdrive\atinxbxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 73216 c:\windows\maxdrive\atintuxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 13824 c:\windows\maxdrive\atinttxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 28672 c:\windows\maxdrive\atinsnxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 52224 c:\windows\maxdrive\atinraxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 14336 c:\windows\maxdrive\atinpdxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 13824 c:\windows\maxdrive\atinmdxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 57856 c:\windows\maxdrive\atinbtxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 34735 c:\windows\maxdrive\ati1xsxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 29455 c:\windows\maxdrive\ati1xbxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 36463 c:\windows\maxdrive\ati1tuxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 21343 c:\windows\maxdrive\ati1ttxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 26367 c:\windows\maxdrive\ati1snxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 63663 c:\windows\maxdrive\ati1rvxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 30671 c:\windows\maxdrive\ati1raxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 12047 c:\windows\maxdrive\ati1pdxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 11615 c:\windows\maxdrive\ati1mdxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 56623 c:\windows\maxdrive\ati1btxx.sys

+ 2003-03-31 12:00 . 2004-08-04 05:59 95360 c:\windows\maxdrive\atapi.sys

+ 2003-03-31 12:00 . 2004-08-04 06:05 14336 c:\windows\maxdrive\asyncmac.sys

+ 2006-02-02 02:28 . 1999-09-10 12:06 25244 c:\windows\maxdrive\aspi32.sys

+ 2002-08-29 01:33 . 2004-08-04 05:58 60800 c:\windows\maxdrive\arp1394.sys

+ 2002-08-29 01:05 . 2004-08-04 05:59 37376 c:\windows\maxdrive\amdk7.sys

+ 2002-08-29 01:05 . 2004-08-04 05:59 36992 c:\windows\maxdrive\amdk6.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 43008 c:\windows\maxdrive\amdagp.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 42752 c:\windows\maxdrive\alim1541.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 44928 c:\windows\maxdrive\agpcpq.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 42368 c:\windows\maxdrive\agp440.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 11648 c:\windows\maxdrive\acpiec.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 4352 c:\windows\maxdrive\wmilib.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 4736 c:\windows\maxdrive\usbd.sys

+ 2001-08-17 13:48 . 2004-08-04 05:58 4352 c:\windows\maxdrive\swenum.sys

+ 2004-08-07 09:19 . 2006-06-14 08:47 6400 c:\windows\maxdrive\splitter.sys

+ 2004-08-04 06:07 . 2004-08-04 06:07 6016 c:\windows\maxdrive\smbali.sys

+ 2010-10-01 23:56 . 2001-08-17 17:53 6784 c:\windows\maxdrive\serscan.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 5888 c:\windows\maxdrive\rootmdm.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 4224 c:\windows\maxdrive\rdpcdd.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 8832 c:\windows\maxdrive\rasacd.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 3328 c:\windows\maxdrive\pciide.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 6784 c:\windows\maxdrive\parvdm.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 3456 c:\windows\maxdrive\oprghdlr.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 2944 c:\windows\maxdrive\null.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 9600 c:\windows\maxdrive\ndistapi.sys

+ 2004-08-07 09:19 . 2004-08-04 05:58 4992 c:\windows\maxdrive\mspqm.sys

+ 2004-08-07 09:19 . 2004-08-04 05:58 5376 c:\windows\maxdrive\mspclock.sys

+ 2004-08-07 09:19 . 2004-08-04 05:58 7552 c:\windows\maxdrive\mskssrv.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 4224 c:\windows\maxdrive\mnmdd.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 7680 c:\windows\maxdrive\mcd.sys

+ 2005-08-24 01:38 . 2001-08-17 21:02 9600 c:\windows\maxdrive\hidusb.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 7936 c:\windows\maxdrive\fs_rec.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 3328 c:\windows\maxdrive\dxgthk.sys

+ 2004-08-07 09:19 . 2004-08-04 06:07 2944 c:\windows\maxdrive\drmkaud.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 5888 c:\windows\maxdrive\dmload.sys

+ 2007-01-19 01:28 . 2007-01-19 01:28 5275 c:\windows\maxdrive\CVirtA.sys

+ 2011-04-04 23:23 . 2011-03-04 19:44 9200 c:\windows\maxdrive\cdralw2k.sys

+ 2011-04-04 23:23 . 2011-03-04 19:44 9072 c:\windows\maxdrive\cdr4_xp.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 4224 c:\windows\maxdrive\beep.sys

+ 2004-08-07 01:59 . 2001-08-17 13:59 3072 c:\windows\maxdrive\audstub.sys

+ 2011-08-07 13:12 . 2006-11-02 12:07 581192 c:\windows\system32\DRVSTORE\TransferCa_FBC4C55696C581AE72F7C014EA9EA813252FB984\WinusbCoInstaller.dll

+ 2006-11-02 11:22 . 2006-11-02 11:22 492000 c:\windows\system32\drivers\wdf01000.sys

+ 2006-11-02 11:22 . 2006-11-02 11:22 492000 c:\windows\maxdrive\wdf01000.sys

+ 2010-10-01 22:10 . 2005-03-01 23:49 670128 c:\windows\maxdrive\vpn.sys

+ 2004-08-07 09:20 . 2001-08-17 20:28 397502 c:\windows\maxdrive\vpctcom.sys

+ 2004-08-07 09:20 . 2001-08-17 20:28 604253 c:\windows\maxdrive\vmodem.sys

+ 2003-03-31 12:00 . 2004-08-04 06:08 142976 c:\windows\maxdrive\usbport.sys

+ 2003-03-31 12:00 . 2004-08-04 05:58 209408 c:\windows\maxdrive\update.sys

+ 2003-03-31 12:00 . 2008-06-20 09:52 225920 c:\windows\maxdrive\tcpip6.sys

+ 2003-03-31 12:00 . 2008-06-20 10:45 360320 c:\windows\maxdrive\tcpip.sys

+ 2003-03-31 12:00 . 2008-12-11 11:57 333184 c:\windows\maxdrive\srv.sys

+ 2006-10-10 23:52 . 2006-10-10 23:52 611064 c:\windows\maxdrive\sptd.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 404990 c:\windows\maxdrive\slntamr.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 129535 c:\windows\maxdrive\slnt7554.sys

+ 2004-08-07 09:17 . 2003-10-29 18:54 427776 c:\windows\maxdrive\sisgrp.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 166912 c:\windows\maxdrive\s3gnbm.sys

+ 2003-03-31 12:00 . 2008-05-08 12:28 202752 c:\windows\maxdrive\rmcast.sys

+ 2004-08-07 09:01 . 2005-06-10 04:09 139528 c:\windows\maxdrive\rdpwd.sys

+ 2004-08-07 09:01 . 2004-08-04 06:01 196864 c:\windows\maxdrive\rdpdr.sys

+ 2003-03-31 12:00 . 2006-05-05 09:47 174592 c:\windows\maxdrive\rdbss.sys

+ 2004-08-07 09:20 . 2003-09-24 01:41 354287 c:\windows\maxdrive\ptserial.sys

+ 2004-08-07 09:19 . 2004-08-04 06:15 145792 c:\windows\maxdrive\portcls.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 119936 c:\windows\maxdrive\pcmcia.sys

+ 2003-03-31 12:00 . 2006-10-13 10:23 163584 c:\windows\maxdrive\nwrdr.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 180360 c:\windows\maxdrive\ntmtlfax.sys

+ 2003-03-31 12:00 . 2007-02-09 11:10 574464 c:\windows\maxdrive\ntfs.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 162816 c:\windows\maxdrive\netbt.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 182912 c:\windows\maxdrive\ndis.sys

+ 2003-03-31 12:00 . 2004-08-04 06:15 107904 c:\windows\maxdrive\mup.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 452736 c:\windows\maxdrive\mtxparhm.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 126686 c:\windows\maxdrive\mtlmnt5.sys

+ 2003-03-31 12:00 . 2008-10-24 11:10 453632 c:\windows\maxdrive\mrxsmb.sys

+ 2003-03-31 12:00 . 2007-12-18 09:51 179584 c:\windows\maxdrive\mrxdav.sys

+ 2004-08-07 09:19 . 2004-08-04 06:15 140928 c:\windows\maxdrive\ks.sys

+ 2004-08-07 09:19 . 2006-06-14 08:47 172416 c:\windows\maxdrive\kmixer.sys

+ 2003-03-31 12:00 . 2004-09-29 22:28 134912 c:\windows\maxdrive\ipnat.sys

+ 2004-08-04 06:00 . 2006-03-17 00:33 262784 c:\windows\maxdrive\http.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 685056 c:\windows\maxdrive\hsfcxts2.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 220032 c:\windows\maxdrive\hsfbs2s2.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 125056 c:\windows\maxdrive\ftdisk.sys

+ 2004-08-04 06:01 . 2006-08-21 09:14 128896 c:\windows\maxdrive\fltmgr.sys

+ 2003-03-31 12:00 . 2004-08-04 06:14 143360 c:\windows\maxdrive\fastfat.sys

+ 2007-01-17 02:46 . 2008-11-16 23:39 131984 c:\windows\maxdrive\dne2000.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 153344 c:\windows\maxdrive\dmio.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 799744 c:\windows\maxdrive\dmboot.sys

+ 2009-11-17 17:07 . 2009-11-17 17:07 308859 c:\windows\maxdrive\CVPNDRVA.sys

+ 2001-08-17 14:02 . 2003-03-31 12:00 262528 c:\windows\maxdrive\cinemst2.sys

+ 2004-08-04 06:10 . 2008-06-13 13:10 272128 c:\windows\maxdrive\bthport.sys

+ 2004-08-04 05:58 . 2004-08-04 05:58 100992 c:\windows\maxdrive\bthpan.sys

+ 2003-03-31 12:00 . 2003-03-31 12:00 352256 c:\windows\maxdrive\atmuni.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 104960 c:\windows\maxdrive\atinrvxx.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 701440 c:\windows\maxdrive\ati2mtag.sys

+ 2004-08-04 05:29 . 2004-08-04 05:29 327040 c:\windows\maxdrive\ati2mtaa.sys

+ 2007-07-28 14:04 . 2004-03-19 12:02 613244 c:\windows\maxdrive\ALCXWDM.SYS

+ 2007-07-28 14:04 . 2004-02-24 03:08 400384 c:\windows\maxdrive\ALCXSENS.SYS

+ 2003-03-31 12:00 . 2008-08-14 09:51 138368 c:\windows\maxdrive\afd.sys

+ 2004-08-07 09:19 . 2006-02-15 00:22 142464 c:\windows\maxdrive\aec.sys

+ 2003-03-31 12:00 . 2004-08-04 06:07 187776 c:\windows\maxdrive\acpi.sys

+ 2011-08-07 13:12 . 2006-11-02 13:09 1419232 c:\windows\system32\DRVSTORE\TransferCa_FBC4C55696C581AE72F7C014EA9EA813252FB984\WdfCoinstaller01005.dll

+ 2004-08-04 05:41 . 2004-08-04 05:41 1309184 c:\windows\maxdrive\mtlstrm.sys

+ 2004-08-04 05:41 . 2004-08-04 05:41 1041536 c:\windows\maxdrive\hsfdpsp2.sys

+ 2010-10-01 22:10 . 2005-03-01 23:49 2041904 c:\windows\maxdrive\fw.sys

+ 2005-12-15 18:57 . 2006-06-10 02:58 1373120 c:\windows\maxdrive\cmuda.sys

+ 2004-08-04 05:29 . 2010-07-09 22:38 10604128 c:\windows\maxdrive\nv4_mini.sys

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"VSPDXP"="c:\program files\VSPD XP\vspdconfig.exe" [2003-11-13 974848]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 180269]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2004-08-23 35528]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-1-13 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 3.5.lnk

backup=c:\windows\pss\eFax DllCmd 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.5.lnk

backup=c:\windows\pss\eFax Tray Menu 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk

backup=c:\windows\pss\NetScreen-Remote.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2008-03-18 01:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2008-12-12 01:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]

2005-02-21 18:17 207360 ----a-w- c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-05-09 20:00 1658080 ----a-w- c:\program files\Messenger\Msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2001-08-18 05:36 86016 ----a-w- c:\windows\system32\pctspk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyPD]

2006-02-02 17:27 262144 ----a-w- c:\windows\system32\ProxyPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]

2003-10-30 21:10 667648 ----a-w- c:\windows\system32\sistray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ----a-r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-18 19:53 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-08-21 21:11 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"IDriverT"=3 (0x3)

"Neoteris Setup Service"=2 (0x2)

"iPod Service"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Windows Easy Transfer 7\\migwiz.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:TCP"= 137:TCP:137

"138:TCP"= 138:TCP:138

"7000:TCP"= 7000:TCP:Windows Easy Transfer TCP port

"7000:UDP"= 7000:UDP:Windows Easy Transfer UDP port

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/1/2010 6:10 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/1/2010 6:10 PM 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [4/27/2008 4:51 PM 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/1/2010 6:10 PM 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [4/27/2008 4:51 PM 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\Drivers\Crypto.sys --> c:\windows\system32\Drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\DRIVERS\nsvcp.sys --> c:\windows\system32\DRIVERS\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/1/2010 6:10 PM 14924]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2006 7:52 PM 611064]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{28CAEFF3-0F18-4036-B504-51D73BD81C3A} - REG_SZ

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-23 08:01

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\msmqinst.log:shmewq 29278 bytes executable

c:\windows\nemo.jpg:rsnlg 89666 bytes executable

c:\windows\netfxocm.log:hwknmd 66560 bytes executable

c:\windows\NSUninst.exe:zcdyn 29278 bytes executable

c:\windows\setupapi.log.0.old:jgxkx 10240 bytes executable

c:\windows\setupapi.log.0.old:mabfp 10240 bytes executable

c:\windows\SiSport.sys:gaero 10240 bytes executable

c:\windows\Sti_Trace.log:xbeyl 10240 bytes executable

c:\windows\FaxSetup.log:nucll 56832 bytes executable

c:\windows\FeatherTexture.bmp:pdzbp 26624 bytes executable

c:\windows\iis6.log:lzjdr 56832 bytes executable

c:\windows\ukcqo.txt:qdoxhi 35544 bytes executable

c:\windows\UPGRADE.TXT:irfro 10240 bytes executable

c:\windows\vb.ini:fclyd 10240 bytes executable

c:\windows\vb.ini:mgtlv 10240 bytes executable

c:\windows\vejvw.txt:bspei 26624 bytes executable

c:\windows\vmmreg32.dll:ahzor 56832 bytes executable

c:\windows\winamp.ini:qmlfwf 12020 bytes executable

c:\windows\Windows Update.log:bftpb 93405 bytes executable

c:\windows\Windows Update.log:zjvsd 10240 bytes executable

c:\windows\comsetup.log:kstfok 12020 bytes executable

c:\windows\comsetup.log:pldwp 26624 bytes executable

c:\windows\comsetup.log:zarkr 26624 bytes executable

c:\windows\control.ini:owpse 10240 bytes executable

c:\windows\control.ini:sulgs 26624 bytes executable

c:\windows\desktop.ini:lqfft 10240 bytes executable

c:\windows\DHCPUPG.LOG:arpgk 10240 bytes executable

c:\windows\DHCPUPG.LOG:dtlkjv 35544 bytes executable

c:\windows\DHCPUPG.LOG:psdts 26624 bytes executable

c:\windows\oodcg.txt:qyetm 103850 bytes executable

c:\windows\winhelp.exe:uyevd 10240 bytes executable

c:\windows\Wininit.ini:hgoha 26624 bytes executable

c:\windows\Wininit.ini:jnelqp 35544 bytes executable

c:\windows\winnt256.bmp:ryhbwm 12020 bytes executable

c:\windows\WINNT32.LOG:gcwswu 35544 bytes executable

c:\windows\KB828741.log:ytmbuc 35544 bytes executable

c:\windows\clock.avi:vkuqn 56832 bytes executable

c:\windows\CMIRmDriver.dll:ylcfy 26624 bytes executable

c:\windows\CMISETUP.INI:ukcqo 10240 bytes executable

c:\windows\CMIUninstall.exe:wltru 10240 bytes executable

c:\windows\KB890175.log:rxlucb 12020 bytes executable

c:\windows\KB890859.log:pablhl 12020 bytes executable

c:\windows\KB891711.log:btzdwo 12020 bytes executable

c:\windows\KB891711.log:kxdzel 35544 bytes executable

c:\windows\KB891781.log:hbuqjv 12020 bytes executable

c:\windows\KB892944.log:nsruu 66560 bytes executable

c:\windows\KB893086.log:scewdg 35544 bytes executable

c:\windows\KB893086.log:ttjjqr 12020 bytes executable

c:\windows\KB893086.log:xzigjw 12020 bytes executable

c:\windows\KB893803.log:airhks 12020 bytes executable

c:\windows\n_flbfhk.log:ljmid 12020 bytes executable

c:\windows\n_gbxxaf.dat:cjyttk 12020 bytes executable

c:\windows\n_hhrfbs.log:mduupw 12020 bytes executable

c:\windows\n_hhrfbs.log:mndvgf 12020 bytes executable

c:\windows\n_hlfmxg.dat:hofyte 12020 bytes executable

c:\windows\n_hlfmxg.dat:inabpy 12020 bytes executable

c:\windows\n_qyyvul.txt:tpcaed 12020 bytes executable

c:\windows\n_rufgkq.dat:bzdqq 29278 bytes executable

c:\windows\n_rufgkq.dat:mqmngn 35544 bytes executable

c:\windows\n_keokaf.txt:ucgpfg 12020 bytes executable

c:\windows\n_kttfvh.dat:mdychr 12020 bytes executable

c:\windows\n_laxpuf.log:zxmfvr 35544 bytes executable

c:\windows\n_lolcwh.log:fdrhbb 35544 bytes executable

c:\windows\n_mwbwin.txt:blukgi 35544 bytes executable

c:\windows\n_mzqzcb.log:woqrhr 12020 bytes executable

c:\windows\n_nnfuhc.dat:xmlwna 12020 bytes executable

c:\windows\n_uupums.dat:mitfwz 12020 bytes executable

c:\windows\n_wggnfg.txt:fqdnfg 12020 bytes executable

c:\windows\n_yjvljc.dat:vbovsv 12020 bytes executable

c:\windows\n_zfpkte.log:xqoshq 35544 bytes executable

c:\windows\ocgen.log:othbug 12020 bytes executable

c:\windows\ocmsn.log:bahmae 66560 bytes executable

c:\windows\ocmsn.log:blluh 93405 bytes executable

c:\windows\ODBC.INI:oecofx 35544 bytes executable

c:\windows\ODBCINST.INI:gurooq 35544 bytes executable

c:\windows\KB896422.log:tjjmmd 35544 bytes executable

c:\windows\KB896426.log:aatzxj 35544 bytes executable

c:\windows\KB896426.log:wsjand 12020 bytes executable

c:\windows\KB897715-OE6SP1-20050503.210336.log:dxophr 12020 bytes executable

c:\windows\KB898461.log:olcghg 35544 bytes executable

c:\windows\KB899588.log:wygujt 35544 bytes executable

c:\windows\DtcInstall.log:hxayh 26624 bytes executable

c:\windows\TASKMAN.EXE:qcwdg 26624 bytes executable

c:\windows\tjjmm.dat:gcwsmg 12020 bytes executable

c:\windows\twain.dll:itxpa 10240 bytes executable

c:\windows\ntdtcsetup.log:yjsad 84825 bytes executable

c:\windows\kzsoy.dat:qdvlzb 35544 bytes executable

c:\windows\regedit(2).exe:jyfhr 93700 bytes executable

c:\windows\regedit(3).exe:bzhei 29278 bytes executable

c:\windows\regedit(3).exe:jyfhr 93700 bytes executable

c:\windows\regedit(4).exe:jyfhr 93700 bytes executable

c:\windows\regedit(5).exe:jyfhr 93700 bytes executable

c:\windows\Zapotec.bmp:pmyge 84825 bytes executable

c:\windows\_default.pif:bwgrhu 12020 bytes executable

c:\windows\_default.pif:bwklbt 35544 bytes executable

c:\windows\_default.pif:cidvsy 29278 bytes executable

c:\windows\_default.pif:dwbdgf 35544 bytes executable

c:\windows\_default.pif:eqqjpa 35544 bytes executable

c:\windows\_default.pif:etopxz 12020 bytes executable

c:\windows\_default.pif:fjyvfi 35544 bytes executable

c:\windows\_default.pif:gwgywn 12020 bytes executable

c:\windows\_default.pif:hsjcod 66560 bytes executable

c:\windows\_default.pif:ilajuy 29278 bytes executable

c:\windows\_default.pif:ivrghj 12020 bytes executable

c:\windows\_default.pif:khlipo 12020 bytes executable

c:\windows\_default.pif:kvqqmv 12020 bytes executable

c:\windows\_default.pif:kxnkvw 29278 bytes executable

c:\windows\_default.pif:lpxdvy 12020 bytes executable

c:\windows\_default.pif:nazhlt 35544 bytes executable

c:\windows\_default.pif:nroply 12020 bytes executable

c:\windows\_default.pif:oofcir 35544 bytes executable

c:\windows\_default.pif:qkhesw 12020 bytes executable

c:\windows\_default.pif:qvzbey 12020 bytes executable

c:\windows\_default.pif:swveat 12020 bytes executable

c:\windows\_default.pif:tpfytn 12020 bytes executable

c:\windows\_default.pif:txzejw 35544 bytes executable

c:\windows\_default.pif:vzgcqj 12020 bytes executable

c:\windows\_default.pif:wompoo 12020 bytes executable

c:\windows\_default.pif:xugurk 35544 bytes executable

c:\windows\_default.pif:xuonkw 12020 bytes executable

c:\windows\_default.pif:zxydyq 35544 bytes executable

c:\windows\KB899591.log:xcdgfq 12020 bytes executable

c:\windows\msdfmap.ini:pegzj 56832 bytes executable

c:\windows\n_cqfzwd.dat:ujzvta 35544 bytes executable

c:\windows\n_hscwhb.log:femzjg 35544 bytes executable

c:\windows\n_hscwhb.log:xnwiaq 12020 bytes executable

c:\windows\preInsMM.exe:jdehn 56832 bytes executable

c:\windows\Santa Fe Stucco.bmp:homqc 26624 bytes executable

c:\windows\twunk_32.exe:auquu 26624 bytes executable

c:\windows\WindowsUpdate.log:nbemuj 12020 bytes executable

c:\windows\WindowsUpdate.log:wyvms 56832 bytes executable

c:\windows\WindowsUpdate.log:zypwcc 12020 bytes executable

c:\windows\blocklist.reg:gxdxw 10240 bytes executable

c:\windows\blocklist.reg:njrmc 93405 bytes executable

c:\windows\KB893803v2.log:izaldg 12020 bytes executable

c:\windows\KB893803v2.log:mucosb 35544 bytes executable

.

scan completed successfully

hidden files: 136

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-329068152-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2C6A728-99B6-9E70-ECCD-B16FE0B39194}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafijmabgajgabfild"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,00

"haphphdgoikhlnhd"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,a6

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(772)

c:\windows\System32\wbem\fastprox.dll

.

Completion time: 2011-08-23 08:05:07

ComboFix-quarantined-files.txt 2011-08-23 12:04

ComboFix2.txt 2011-08-16 17:52

ComboFix3.txt 2011-08-11 11:05

ComboFix4.txt 2011-08-06 10:54

ComboFix5.txt 2011-08-23 11:44

.

Pre-Run: 783,810,560 bytes free

Post-Run: 840,454,144 bytes free

.

- - End Of File - - A7FA1310E5B823CD9DCF9BEC78EFE65E

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

ADS::
c:\windows\msmqinst.log
c:\windows\nemo.jpg
c:\windows\netfxocm.log
c:\windows\NSUninst.exe
c:\windows\setupapi.log.0.old
c:\windows\SiSport.sys
c:\windows\Sti_Trace.log
c:\windows\FaxSetup.log
c:\windows\FeatherTexture.bmp
c:\windows\iis6.log
c:\windows\ukcqo.txt
c:\windows\UPGRADE.TXT
c:\windows\vb.ini
c:\windows\vb.ini
c:\windows\vejvw.txt
c:\windows\vmmreg32.dll
c:\windows\winamp.ini
c:\windows\Windows Update.log
c:\windows\comsetup.log
c:\windows\control.ini
c:\windows\desktop.ini
c:\windows\DHCPUPG.LOG
c:\windows\oodcg.txt
c:\windows\winhelp.exe
c:\windows\Wininit.ini
c:\windows\winnt256.bmp
c:\windows\WINNT32.LOG
c:\windows\KB828741.log
c:\windows\clock.avi
c:\windows\CMIRmDriver.dll
c:\windows\CMISETUP.INI
c:\windows\CMIUninstall.exe
c:\windows\KB890175.log
c:\windows\KB890859.log
c:\windows\KB891711.log
c:\windows\KB891711.log
c:\windows\KB891781.log
c:\windows\KB892944.log
c:\windows\KB893086.log
c:\windows\KB893803.log
c:\windows\n_flbfhk.log
c:\windows\n_gbxxaf.dat
c:\windows\n_hhrfbs.log
c:\windows\n_hlfmxg.dat
c:\windows\n_qyyvul.txt
c:\windows\n_rufgkq.dat
c:\windows\n_keokaf.txt
c:\windows\n_kttfvh.dat
c:\windows\n_laxpuf.log
c:\windows\n_lolcwh.log
c:\windows\n_mwbwin.txt
c:\windows\n_mzqzcb.log
c:\windows\n_nnfuhc.dat
c:\windows\n_uupums.dat
c:\windows\n_wggnfg.txt
c:\windows\n_yjvljc.dat
c:\windows\n_zfpkte.log
c:\windows\ocgen.log
c:\windows\ocmsn.log
c:\windows\ocmsn.log
c:\windows\ODBC.INI
c:\windows\ODBCINST.INI
c:\windows\KB896422.log
c:\windows\KB896426.log
c:\windows\KB897715-OE6SP1-20050503.210336.log
c:\windows\KB898461.log
c:\windows\KB899588.log
c:\windows\DtcInstall.log
c:\windows\TASKMAN.EXE
c:\windows\tjjmm.dat
c:\windows\twain.dll
c:\windows\ntdtcsetup.log
c:\windows\kzsoy.dat
c:\windows\regedit(2).exe
c:\windows\regedit(3).exe
c:\windows\regedit(3).exe
c:\windows\regedit(4).exe
c:\windows\regedit(5).exe
c:\windows\Zapotec.bmp
c:\windows\_default.pif
c:\windows\KB899591.log
c:\windows\msdfmap.ini
c:\windows\n_cqfzwd.dat
c:\windows\n_hscwhb.log
c:\windows\preInsMM.exe
c:\windows\Santa Fe Stucco.bmp
c:\windows\twunk_32.exe
c:\windows\WindowsUpdate.log
c:\windows\blocklist.reg
c:\windows\KB893803v2.log

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

Hello,

ComboFix 11-08-29.03 - Microsoft User 08/29/2011 13:59:04.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.149 [GMT -4:00]

Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Microsoft User\Desktop\CFScript.txt

.

ADS - _default.pif: deleted 869494 bytes in 31 streams.

ADS - blocklist.reg: deleted 103645 bytes in 2 streams.

ADS - clock.avi: deleted 56832 bytes in 1 streams.

ADS - CMIRmDriver.dll: deleted 26624 bytes in 1 streams.

ADS - CMISETUP.INI: deleted 21831 bytes in 2 streams.

ADS - CMIUninstall.exe: deleted 10240 bytes in 1 streams.

ADS - comsetup.log: deleted 65268 bytes in 3 streams.

ADS - control.ini: deleted 48455 bytes in 3 streams.

ADS - desktop.ini: deleted 10240 bytes in 1 streams.

ADS - DHCPUPG.LOG: deleted 95590 bytes in 5 streams.

ADS - DtcInstall.log: deleted 38215 bytes in 2 streams.

ADS - FaxSetup.log: deleted 56832 bytes in 1 streams.

ADS - FeatherTexture.bmp: deleted 38012 bytes in 2 streams.

ADS - iis6.log: deleted 56832 bytes in 1 streams.

ADS - KB828741.log: deleted 35544 bytes in 1 streams.

ADS - KB890175.log: deleted 12020 bytes in 1 streams.

ADS - KB890859.log: deleted 12020 bytes in 1 streams.

ADS - KB891711.log: deleted 47564 bytes in 2 streams.

ADS - KB891781.log: deleted 12020 bytes in 1 streams.

ADS - KB892944.log: deleted 66560 bytes in 1 streams.

ADS - KB893086.log: deleted 59584 bytes in 3 streams.

ADS - KB893803.log: deleted 12020 bytes in 1 streams.

ADS - KB893803v2.log: deleted 47564 bytes in 2 streams.

ADS - KB896422.log: deleted 35544 bytes in 1 streams.

ADS - KB896426.log: deleted 47564 bytes in 2 streams.

ADS - KB897715-OE6SP1-20050503.210336.log: deleted 12020 bytes in 1 streams.

ADS - KB898461.log: deleted 35544 bytes in 1 streams.

ADS - KB899588.log: deleted 49125 bytes in 2 streams.

ADS - KB899591.log: deleted 12020 bytes in 1 streams.

ADS - kzsoy.dat: deleted 35544 bytes in 1 streams.

ADS - msdfmap.ini: deleted 56832 bytes in 1 streams.

ADS - msmqinst.log: deleted 29278 bytes in 1 streams.

ADS - n_cqfzwd.dat: deleted 35544 bytes in 1 streams.

ADS - n_flbfhk.log: deleted 12020 bytes in 1 streams.

ADS - n_gbxxaf.dat: deleted 12020 bytes in 1 streams.

ADS - n_hhrfbs.log: deleted 24040 bytes in 2 streams.

ADS - n_hlfmxg.dat: deleted 24040 bytes in 2 streams.

ADS - n_hscwhb.log: deleted 47564 bytes in 2 streams.

ADS - n_keokaf.txt: deleted 12020 bytes in 1 streams.

ADS - n_kttfvh.dat: deleted 12020 bytes in 1 streams.

ADS - n_laxpuf.log: deleted 35544 bytes in 1 streams.

ADS - n_lolcwh.log: deleted 35544 bytes in 1 streams.

ADS - n_mwbwin.txt: deleted 35544 bytes in 1 streams.

ADS - n_mzqzcb.log: deleted 12020 bytes in 1 streams.

ADS - n_nnfuhc.dat: deleted 12020 bytes in 1 streams.

ADS - n_qyyvul.txt: deleted 12020 bytes in 1 streams.

ADS - n_rufgkq.dat: deleted 64822 bytes in 2 streams.

ADS - n_uupums.dat: deleted 12020 bytes in 1 streams.

ADS - n_wggnfg.txt: deleted 209775 bytes in 2 streams.

ADS - n_yjvljc.dat: deleted 12020 bytes in 1 streams.

ADS - n_zfpkte.log: deleted 39111 bytes in 2 streams.

ADS - nemo.jpg: deleted 89666 bytes in 1 streams.

ADS - netfxocm.log: deleted 66560 bytes in 2 streams.

ADS - NSUninst.exe: deleted 29278 bytes in 1 streams.

ADS - ntdtcsetup.log: deleted 84825 bytes in 1 streams.

ADS - ocgen.log: deleted 23611 bytes in 2 streams.

ADS - ocmsn.log: deleted 159965 bytes in 2 streams.

ADS - ODBC.INI: deleted 35544 bytes in 1 streams.

ADS - ODBCINST.INI: deleted 35544 bytes in 1 streams.

ADS - oodcg.txt: deleted 103850 bytes in 1 streams.

ADS - preInsMM.exe: deleted 56832 bytes in 1 streams.

ADS - regedit(2).exe: deleted 93700 bytes in 1 streams.

ADS - regedit(3).exe: deleted 122978 bytes in 2 streams.

ADS - regedit(4).exe: deleted 93700 bytes in 1 streams.

ADS - regedit(5).exe: deleted 93700 bytes in 1 streams.

ADS - Santa Fe Stucco.bmp: deleted 38215 bytes in 2 streams.

ADS - setupapi.log.0.old: deleted 20480 bytes in 2 streams.

ADS - SiSport.sys: deleted 10240 bytes in 1 streams.

ADS - Sti_Trace.log: deleted 10240 bytes in 1 streams.

ADS - TASKMAN.EXE: deleted 38215 bytes in 2 streams.

ADS - tjjmm.dat: deleted 12020 bytes in 1 streams.

ADS - twain.dll: deleted 21831 bytes in 2 streams.

ADS - twunk_32.exe: deleted 38012 bytes in 2 streams.

ADS - ukcqo.txt: deleted 35544 bytes in 1 streams.

ADS - UPGRADE.TXT: deleted 21831 bytes in 2 streams.

ADS - vb.ini: deleted 32071 bytes in 3 streams.

ADS - vejvw.txt: deleted 26624 bytes in 1 streams.

ADS - vmmreg32.dll: deleted 56832 bytes in 1 streams.

ADS - winamp.ini: deleted 23408 bytes in 2 streams.

ADS - Windows Update.log: deleted 103645 bytes in 2 streams.

ADS - WindowsUpdate.log: deleted 80872 bytes in 3 streams.

ADS - winhelp.exe: deleted 10240 bytes in 1 streams.

ADS - Wininit.ini: deleted 62168 bytes in 2 streams.

ADS - winnt256.bmp: deleted 23611 bytes in 2 streams.

ADS - WINNT32.LOG: deleted 35544 bytes in 1 streams.

ADS - Zapotec.bmp: deleted 96416 bytes in 2 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\cdfo860.dll

c:\windows\clhsadb.exe

c:\windows\oqareciyo.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))

.

.

2011-08-25 01:53 . 2011-08-29 05:21 0 ----a-w- c:\windows\Vqoruxoxuxuvij.bin

2011-08-25 01:53 . 2011-08-25 01:53 -------- d-----w- c:\documents and settings\Microsoft User\Local Settings\Application Data\{7170C094-441A-435C-95B0-C112BC2BA10E}

2011-08-20 00:58 . 2010-10-12 16:56 220024 ----a-w- c:\windows\sigcheck.exe

2011-08-20 00:53 . 2011-08-19 20:56 -------- d-----w- c:\windows\maxdrive

2011-08-07 13:37 . 2011-08-07 13:51 -------- dc----w- c:\documents and settings\Microsoft User\Local Settings\Application Data\MigWiz

2011-08-07 13:12 . 2006-11-02 12:07 581192 ----a-w- c:\windows\system32\WinusbCoInstaller.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- dc----w- c:\windows\system32\DRVSTORE

2011-08-07 13:12 . 2006-11-02 13:09 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll

2011-08-07 13:12 . 2011-08-07 13:12 -------- d-----w- c:\program files\Windows Easy Transfer 7

2011-08-07 04:53 . 2011-08-07 04:53 1409 ----a-w- c:\windows\QTFont.for

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 23:52 . 2011-04-23 13:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll

2006-02-23 13:16 . 2009-01-11 16:33 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 13:16 . 2009-01-11 16:33 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

2011-06-25 17:36 . 2011-05-08 13:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"VSPDXP"="c:\program files\VSPD XP\vspdconfig.exe" [2003-11-13 974848]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 180269]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2004-08-23 35528]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-1-13 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 3.5.lnk

backup=c:\windows\pss\eFax DllCmd 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.5.lnk

backup=c:\windows\pss\eFax Tray Menu 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk

backup=c:\windows\pss\NetScreen-Remote.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2008-03-18 01:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2008-12-12 01:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]

2005-02-21 18:17 207360 ----a-w- c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-05-09 20:00 1658080 ----a-w- c:\program files\Messenger\Msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2001-08-18 05:36 86016 ----a-w- c:\windows\system32\pctspk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyPD]

2006-02-02 17:27 262144 ----a-w- c:\windows\system32\ProxyPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]

2003-10-30 21:10 667648 ----a-w- c:\windows\system32\sistray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ----a-r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-18 19:53 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-08-21 21:11 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"IDriverT"=3 (0x3)

"Neoteris Setup Service"=2 (0x2)

"iPod Service"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Windows Easy Transfer 7\\migwiz.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:TCP"= 137:TCP:137

"138:TCP"= 138:TCP:138

"7000:TCP"= 7000:TCP:Windows Easy Transfer TCP port

"7000:UDP"= 7000:UDP:Windows Easy Transfer UDP port

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/1/2010 6:10 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/1/2010 6:10 PM 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [4/27/2008 4:51 PM 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/1/2010 6:10 PM 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [4/27/2008 4:51 PM 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\Drivers\Crypto.sys --> c:\windows\system32\Drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\DRIVERS\nsvcp.sys --> c:\windows\system32\DRIVERS\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/1/2010 6:10 PM 14924]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2006 7:52 PM 611064]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{28CAEFF3-0F18-4036-B504-51D73BD81C3A} - REG_SZ

HKCU-Run-Hzinojoqoziy - c:\windows\cdfo860.dll

HKLM-Run-Igurej - c:\windows\oqareciyo.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-29 14:17

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-329068152-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2C6A728-99B6-9E70-ECCD-B16FE0B39194}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafijmabgajgabfild"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,00

"haphphdgoikhlnhd"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,a6

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1744)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Canon\IJPLM\IJPLMSVC.EXE

c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

c:\windows\system32\wscntfy.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2011-08-29 14:22:59 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-29 18:22

ComboFix2.txt 2011-08-23 12:05

ComboFix3.txt 2011-08-16 17:52

ComboFix4.txt 2011-08-11 11:05

ComboFix5.txt 2011-08-29 17:55

.

Pre-Run: 699,432,960 bytes free

Post-Run: 797,089,792 bytes free

.

- - End Of File - - 1DC5D5D305C646BEE3F43D854041F846

DDS

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.2180

Run by Microsoft User at 14:23:19 on 2011-08-29

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.234 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [VSPDXP] c:\program files\vspd xp\vspdconfig.exe /quiet

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\microsoft user\start menu\programs\ultimatebet\UltimateBet.lnk

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\microsoft user\desktop\PartyPoker.lnk

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB

DPF: {01118400-3E00-11D2-8470-0060089874ED} - hxxp://activex.microsoft.com/objects/ocget.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://easohseroom02.napa.ad.etn.com/eRoomSetup/client.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://na2.eportal.eaton.com/dana-cached/setup/JuniperSetupSP1.cab

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{307A9912-EE77-40A9-A0C5-C8741FEFA5E1} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{70C0F37E-27F5-4474-A658-17252A36550C} : DhcpNameServer = 68.87.68.162 68.87.74.162

TCP: Interfaces\{DB5C870E-D776-49AA-8C26-5CE4A43A6754} : DhcpNameServer = 68.87.68.166 68.87.74.166

TCP: Interfaces\{FFE176FB-D77D-4EC7-A33A-8C1AC0EC8A9B} : DhcpNameServer = 68.87.68.162 68.87.74.162

Notify: ckpNotify - ckpNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\microsoft user\application data\mozilla\firefox\profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2010-10-1 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2010-10-1 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2008-4-27 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2010-10-1 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2008-4-27 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\drivers\crypto.sys --> c:\windows\system32\drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\drivers\nsvcp.sys --> c:\windows\system32\drivers\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2010-10-1 14924]

.

=============== Created Last 30 ================

.

2011-08-25 01:53:39 0 ----a-w- c:\windows\Vqoruxoxuxuvij.bin

2011-08-25 01:53:35 -------- d-----w- c:\documents and settings\microsoft user\local settings\application data\{7170C094-441A-435C-95B0-C112BC2BA10E}

2011-08-20 00:58:42 220024 ----a-w- c:\windows\sigcheck.exe

2011-08-20 00:53:41 -------- d-----w- c:\windows\maxdrive

2011-08-07 13:37:53 -------- dc----w- c:\documents and settings\microsoft user\local settings\application data\MigWiz

2011-08-07 13:12:40 581192 ----a-w- c:\windows\system32\WinusbCoInstaller.dll

2011-08-07 13:12:39 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll

2011-08-07 13:12:18 -------- d-----w- c:\program files\Windows Easy Transfer 7

2011-08-07 04:53:00 1409 ----a-w- c:\windows\QTFont.for

2011-08-03 11:06:28 98816 ----a-w- c:\windows\sed.exe

2011-08-03 11:06:28 518144 ----a-w- c:\windows\SWREG.exe

2011-08-03 11:06:28 256000 ----a-w- c:\windows\PEV.exe

2011-08-03 11:06:28 208896 ----a-w- c:\windows\MBR.exe

.

==================== Find3M ====================

.

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 17:53:02 94208 ----a-w- c:\windows\system32\dpl100.dll

.

============= FINISH: 14:23:38.28 ===============

Link to post
Share on other sites

  • Staff

Hi,

Things are looking better!

Delete this file:

c:\windows\Vqoruxoxuxuvij.bin

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

ESET

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=947201f3f99c9743bf3573c717bf74fc

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-08 07:38:43

# local_time=2011-09-08 03:38:43 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=143992

# found=70

# cleaned=70

# scan_time=3911

C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\time.class-480448a5-2ae2841e.class Win32/TrojanDownloader.Small.NEU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-36d0366-6d36e643.class Java/Exploit.Bytverify trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Microsoft User\Desktop\0.28061398038753793.exe Win32/Cimag.DU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\USA Wipes\Desktop\usawipes.com\images\items\CmdAsp.asp ASP/Ace.Q trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\hijackthis\backups\backup-20051023-083348-137.dll Win32/Adware.WinAd application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Internet Explorer\fta.exe probably a variant of Win32/TrojanDownloader.Agent.NAJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Microsoft User\Application Data\ebrs.exe.vir Win32/TrojanDownloader.PurityScan.E trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\npclntax.dll.vir Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\cdfo860.dll.vir Win32/Cimag.DU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\dillf.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\ldwpn.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\mzuok.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\nwndi.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\ohsxy.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\pnhru.dll.vir Win32/Adware.SearchAid.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\vjpys.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\aafrs.dll.vir Win32/Adware.SearchAid.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\dapve.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\ecxcy.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\glsuc.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\hmzvg.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\lvwif.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\nrjbj.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\psept.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\qxbij.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\slrhh.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\vbggb.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\vynkt.dll.vir Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{CA2AF20F-727B-4F9B-8CC3-A3C21FF32FB0}\RP360\A0244344.exe Win32/Cimag.DU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{CA2AF20F-727B-4F9B-8CC3-A3C21FF32FB0}\RP360\A0244345.dll Win32/Adware.WinAd application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{CA2AF20F-727B-4F9B-8CC3-A3C21FF32FB0}\RP360\A0244346.exe probably a variant of Win32/TrojanDownloader.Agent.NAJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\users\temp\EDow.exe a variant of Win32/TrojanDownloader.QDown.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\users\temp\EDowPack.exe Win32/TrojanDropper.Agent.HV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\users\temp\salmhook.dll Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\nfprh.dll Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\preInsMM.exe Win32/Adware.SearchCentriX application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\$NtServicePackUninstall$\explorer.exe:kbgmk Win32/Adware.SearchAid.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\$NtServicePackUninstall$\explorer.exe:ssiue Win32/TrojanDownloader.Agent.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\$NtServicePackUninstall$\regedit.exe:jyfhr Win32/TrojanDownloader.Agent.NAM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe:sboqv Win32/TrojanDownloader.WinShow.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\d3kg.exe Win32/TrojanDownloader.Agent.BC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\d3kg.exe.bak Win32/TrojanDownloader.Agent.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\javawx.exe Win32/TrojanDownloader.Agent.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\mfcdw.dll Win32/TrojanDownloader.Agent.NAM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\msbbhook.dll Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\msopt311.dll Win32/TrojanDownloader.Small.KQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\netpq.dll Win32/TrojanDownloader.Agent.NAK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\netpq.exe Win32/TrojanDownloader.Agent.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\crap\wsem301.dll Win32/TrojanDownloader.Dyfica.DD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\Downloaded Program Files\bridge.dll Win32/Spy.Briss.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\Downloaded Program Files\jao.dll Win32/Spy.Briss.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\maxdrive\volsnap.sys Win32/Olmasco.E trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\apuc.dll Win32/Adware.BargainBuddy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\bhosave.dat a variant of Win32/Adware.EliteBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\doolsav.dat a variant of Win32/Adware.EliteBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0J8T4X0D\silent_install[1].exe a variant of Win32/Adware.EliteBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S10J49IX\silent_install[1].exe Win32/Adware.EliteBar.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\apiul32.exe Win32/TrojanDownloader.Agent.BC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\appoe32.exe Win32/TrojanDownloader.Agent.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\exdl.exe Win32/Adware.BargainBuddy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\exul.exe Win32/Adware.BargainBuddy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\javaje.exe Win32/TrojanDownloader.Agent.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\melpxv.exe Win32/TrojanDownloader.PurityScan.J trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\mfcuv32.exe Win32/TrojanDownloader.Agent.BC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\msbe.dll Win32/Adware.BargainBuddy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\mscb.dll Win32/Adware.BargainBuddy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\crap\nvms.dll Win32/Adware.BargainBuddy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

F:\My Documents\Caver\Downloads\setup.exe Win32/TrojanDownloader.Zlob.BZD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

F:\My Documents\Caver\Downloads\videomp3_setup_3912996-1.exe probably a variant of Win32/TrojanDownloader.Delf.FPGRWBG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

F:\My Documents\Caver\Downloads\videomp3_setup_3912996.exe probably a variant of Win32/TrojanDownloader.Delf.FPGRWBG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

Security Check

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Out of date Spybot installed!

Out of date HijackThis installed!

Malwarebytes' Anti-Malware

HijackThis 1.99.1

Flash Player Out of Date!

Adobe Flash Player 10.1.82.76

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Link to post
Share on other sites

Still experiencing Google redirects and the iexplore.exe process constantly (once every 2-3 minutes) opening in the background.

Occasionally, the browser(IE) will launch and direct itself to a particular site. At times, Outlook will open a new composition email msg. And at other times, iTunes will randomly launch. These symptoms tend to occur if the computer is left idle for an extended amount of time AND connected to the network/internet. I've made a habit of disconnecting the network cable each time I'm not online. The only activity I'll observe is the iexplore.exe process initiating in the background.

Thanks for all of the help so far!

Link to post
Share on other sites

  • Staff

Hi,

Hmm.

Delete your copy of ComboFix, grab a fresh copy, run it, and post its log.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Link to post
Share on other sites

ComboFix 11-09-12.05 - Microsoft User 09/13/2011 5:48.7.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.233 [GMT -4:00]

Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 )))))))))))))))))))))))))))))))

.

.

2011-09-08 11:46 . 2011-09-08 11:46 -------- d-sh--w- c:\documents and settings\Microsoft User\PrivacIE

2011-09-08 11:45 . 2011-09-08 11:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-09-08 11:45 . 2011-09-08 11:45 -------- d-sh--w- c:\documents and settings\Microsoft User\IETldCache

2011-09-08 11:38 . 2011-09-08 11:38 -------- d-----w- c:\documents and settings\Microsoft User\Local Settings\Application Data\PCHealth

2011-09-08 11:36 . 2011-09-08 11:36 -------- dc-h--w- c:\windows\ie8

2011-09-08 11:28 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-09-08 11:28 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-09-08 11:28 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-09-08 11:28 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-09-08 11:28 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-09-08 11:28 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-09-08 11:28 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-09-07 11:39 . 2011-09-07 11:39 -------- d-----w- c:\program files\ESET

2011-08-25 01:53 . 2011-08-25 01:53 -------- d-----w- c:\documents and settings\Microsoft User\Local Settings\Application Data\{7170C094-441A-435C-95B0-C112BC2BA10E}

2011-08-20 00:58 . 2010-10-12 16:56 220024 ----a-w- c:\windows\sigcheck.exe

2011-08-20 00:53 . 2011-09-08 19:18 -------- d-----w- c:\windows\maxdrive

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-07 04:53 . 2011-08-07 04:53 1409 ----a-w- c:\windows\QTFont.for

2011-07-06 23:52 . 2011-04-23 13:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2006-02-23 13:16 . 2009-01-11 16:33 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll

2006-02-23 13:16 . 2009-01-11 16:33 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll

2011-09-12 11:10 . 2011-05-08 13:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-08-23_12.01.40 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-06-30 11:29 . 2008-12-22 16:54 26144 c:\windows\system32\spupdsvc.exe

+ 2005-06-30 11:29 . 2009-01-07 22:21 26144 c:\windows\system32\spupdsvc.exe

- 2009-01-11 17:42 . 2008-12-22 16:54 16928 c:\windows\system32\spmsg.dll

+ 2009-01-11 17:42 . 2009-01-07 22:20 16928 c:\windows\system32\spmsg.dll

+ 2004-08-27 01:02 . 2009-03-08 08:31 46592 c:\windows\system32\pngfilt.dll

+ 2009-01-07 22:20 . 2009-01-07 22:20 23552 c:\windows\system32\normaliz.dll

+ 2009-01-07 22:20 . 2009-01-07 22:20 24576 c:\windows\system32\nlsdl.dll

+ 2004-08-27 01:02 . 2009-03-08 08:31 48128 c:\windows\system32\mshtmler.dll

+ 2004-08-27 01:02 . 2009-03-08 08:31 66560 c:\windows\system32\mshtmled.dll

+ 2004-08-27 01:02 . 2009-03-08 08:31 45568 c:\windows\system32\mshta.exe

+ 2009-03-08 08:31 . 2009-03-08 08:31 13312 c:\windows\system32\msfeedssync.exe

+ 2009-03-08 08:31 . 2010-05-06 10:41 55296 c:\windows\system32\msfeedsbs.dll

+ 2003-03-31 12:00 . 2009-03-08 08:34 43008 c:\windows\system32\licmgr10.dll

+ 2004-08-27 01:02 . 2010-05-06 10:41 25600 c:\windows\system32\jsproxy.dll

+ 2004-08-26 18:53 . 2009-03-08 08:32 94720 c:\windows\system32\inseng.dll

+ 2004-08-27 01:02 . 2009-03-08 08:31 34816 c:\windows\system32\imgutil.dll

+ 2009-03-08 08:32 . 2009-03-08 08:32 36864 c:\windows\system32\ieudinit.exe

+ 2004-08-27 01:02 . 2009-03-08 08:32 71680 c:\windows\system32\iesetup.dll

+ 2003-03-31 12:00 . 2009-03-08 08:32 55808 c:\windows\system32\iernonce.dll

+ 2009-01-07 22:20 . 2009-01-07 22:20 26112 c:\windows\system32\idndl.dll

+ 2009-03-08 08:31 . 2009-03-08 08:31 59904 c:\windows\system32\icardie.dll

+ 2006-05-10 05:23 . 2009-03-08 08:31 46592 c:\windows\system32\dllcache\pngfilt.dll

+ 2009-03-08 08:31 . 2009-03-08 08:31 48128 c:\windows\system32\dllcache\mshtmler.dll

+ 2006-05-10 05:23 . 2009-03-08 08:31 66560 c:\windows\system32\dllcache\mshtmled.dll

+ 2009-03-08 08:31 . 2009-03-08 08:31 45568 c:\windows\system32\dllcache\mshta.exe

+ 2009-03-08 08:34 . 2009-03-08 08:34 43008 c:\windows\system32\dllcache\licmgr10.dll

+ 2006-05-10 05:22 . 2010-05-06 10:41 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2006-05-10 05:22 . 2009-03-08 08:32 94720 c:\windows\system32\dllcache\inseng.dll

+ 2009-03-08 08:31 . 2009-03-08 08:31 34816 c:\windows\system32\dllcache\imgutil.dll

+ 2009-03-08 08:32 . 2009-03-08 08:32 71680 c:\windows\system32\dllcache\iesetup.dll

+ 2009-03-08 08:32 . 2009-03-08 08:32 55808 c:\windows\system32\dllcache\iernonce.dll

+ 2009-03-08 08:24 . 2009-03-08 08:24 68608 c:\windows\system32\dllcache\hmmapi.dll

+ 2009-03-08 08:33 . 2009-03-08 08:33 18944 c:\windows\system32\dllcache\corpol.dll

+ 2009-03-08 08:32 . 2009-03-08 08:32 72704 c:\windows\system32\dllcache\admparse.dll

+ 2003-03-31 12:00 . 2009-03-08 08:33 18944 c:\windows\system32\corpol.dll

+ 2003-03-31 12:00 . 2009-03-08 08:32 72704 c:\windows\system32\admparse.dll

+ 2011-09-08 11:40 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB982381-IE8\xpshims.dll

+ 2011-09-08 11:40 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB982381-IE8\msfeedsbs.dll

+ 2011-09-08 11:40 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB982381-IE8\jsproxy.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 37888 c:\windows\ie8\url.dll

+ 2011-09-08 11:36 . 2009-03-08 18:23 58464 c:\windows\ie8\spuninst\iecustom.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 39424 c:\windows\ie8\pngfilt.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 96256 c:\windows\ie8\occache.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 56832 c:\windows\ie8\mshtmler.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 29184 c:\windows\ie8\mshta.exe

+ 2011-09-08 11:36 . 2004-08-04 07:56 22016 c:\windows\ie8\licmgr10.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 16384 c:\windows\ie8\jsproxy.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 96256 c:\windows\ie8\inseng.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 35840 c:\windows\ie8\imgutil.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 93184 c:\windows\ie8\iexplore.exe

+ 2011-09-08 11:36 . 2004-08-04 07:56 62976 c:\windows\ie8\iesetup.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 48640 c:\windows\ie8\iernonce.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 81920 c:\windows\ie8\ieencode.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 34304 c:\windows\ie8\ie4uinit.exe

+ 2011-09-08 11:36 . 2004-08-04 07:56 38912 c:\windows\ie8\hmmapi.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 35328 c:\windows\ie8\corpol.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 99840 c:\windows\ie8\advpack.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 61440 c:\windows\ie8\admparse.dll

+ 2009-01-07 22:21 . 2009-01-07 22:21 121856 c:\windows\system32\xmllite.dll

+ 2005-10-21 17:51 . 2010-05-06 10:41 916480 c:\windows\system32\wininet.dll

+ 2009-03-08 08:34 . 2009-03-08 08:34 208384 c:\windows\system32\WinFXDocObj.exe

+ 2004-08-27 01:02 . 2009-03-08 08:34 236544 c:\windows\system32\webcheck.dll

+ 2002-02-26 22:58 . 2009-03-08 08:33 420352 c:\windows\system32\vbscript.dll

+ 2004-08-27 01:02 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll

+ 2004-08-27 01:02 . 2010-05-06 10:41 206848 c:\windows\system32\occache.dll

+ 2004-08-27 01:02 . 2010-05-06 10:41 611840 c:\windows\system32\mstime.dll

+ 2004-08-27 01:02 . 2009-03-08 08:34 193536 c:\windows\system32\msrating.dll

+ 2003-03-31 12:00 . 2009-03-08 08:22 156160 c:\windows\system32\msls31.dll

+ 2009-03-08 08:32 . 2010-05-06 10:41 599040 c:\windows\system32\msfeeds.dll

+ 2009-01-07 22:20 . 2009-01-07 22:20 265720 c:\windows\system32\msdbg2.dll

+ 2003-01-13 21:57 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll

+ 2009-03-08 08:22 . 2009-03-08 08:22 164352 c:\windows\system32\ieui.dll

+ 2004-12-07 19:51 . 2010-05-06 10:41 184320 c:\windows\system32\iepeers.dll

+ 2004-08-27 01:03 . 2010-05-06 10:41 387584 c:\windows\system32\iedkcs32.dll

+ 2009-03-08 08:11 . 2009-03-08 08:11 445952 c:\windows\system32\ieapfltr.dll

+ 2003-03-31 12:00 . 2009-03-08 08:32 163840 c:\windows\system32\ieakui.dll

+ 2003-03-31 12:00 . 2009-03-08 08:33 229376 c:\windows\system32\ieaksie.dll

+ 2003-03-31 12:00 . 2009-03-08 08:33 125952 c:\windows\system32\ieakeng.dll

+ 2004-08-27 01:03 . 2010-05-05 13:30 173056 c:\windows\system32\ie4uinit.exe

+ 2004-08-27 01:03 . 2009-03-08 08:31 216064 c:\windows\system32\dxtrans.dll

+ 2004-08-27 01:03 . 2009-03-08 08:31 348160 c:\windows\system32\dxtmsft.dll

+ 2006-05-10 05:23 . 2010-05-06 10:41 916480 c:\windows\system32\dllcache\wininet.dll

+ 2009-03-08 08:34 . 2009-03-08 08:34 236544 c:\windows\system32\dllcache\webcheck.dll

+ 2006-09-18 14:15 . 2009-03-08 08:33 759296 c:\windows\system32\dllcache\VGX.dll

+ 2007-12-18 14:40 . 2009-03-08 08:33 420352 c:\windows\system32\dllcache\vbscript.dll

+ 2009-03-08 08:34 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll

+ 2009-01-07 22:20 . 2009-01-07 22:20 134144 c:\windows\system32\dllcache\sqmapi.dll

+ 2009-03-08 08:34 . 2010-05-06 10:41 206848 c:\windows\system32\dllcache\occache.dll

+ 2006-05-10 05:23 . 2010-05-06 10:41 611840 c:\windows\system32\dllcache\mstime.dll

+ 2006-05-10 05:23 . 2009-03-08 08:34 193536 c:\windows\system32\dllcache\msrating.dll

+ 2003-03-31 12:00 . 2009-03-08 08:22 156160 c:\windows\system32\dllcache\msls31.dll

+ 2006-05-18 05:24 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll

+ 2009-03-08 18:09 . 2009-03-08 18:09 638816 c:\windows\system32\dllcache\iexplore.exe

+ 2006-05-10 05:22 . 2010-05-06 10:41 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2009-03-08 18:09 . 2010-05-06 10:41 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2003-03-31 12:00 . 2009-03-08 08:32 163840 c:\windows\system32\dllcache\ieakui.dll

+ 2009-03-08 08:33 . 2009-03-08 08:33 229376 c:\windows\system32\dllcache\ieaksie.dll

+ 2009-03-08 08:33 . 2009-03-08 08:33 125952 c:\windows\system32\dllcache\ieakeng.dll

+ 2009-03-08 08:32 . 2010-05-05 13:30 173056 c:\windows\system32\dllcache\ie4uinit.exe

+ 2006-05-10 05:22 . 2009-03-08 08:31 216064 c:\windows\system32\dllcache\dxtrans.dll

+ 2006-05-10 05:22 . 2009-03-08 08:31 348160 c:\windows\system32\dllcache\dxtmsft.dll

+ 2009-03-08 08:32 . 2009-03-08 08:32 128512 c:\windows\system32\dllcache\advpack.dll

+ 2004-08-27 01:03 . 2009-03-08 08:32 128512 c:\windows\system32\advpack.dll

+ 2011-09-08 11:40 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB982381-IE8\wininet.dll

+ 2011-09-08 11:40 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB982381-IE8\spuninst\updspapi.dll

+ 2011-09-08 11:40 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB982381-IE8\spuninst\spuninst.exe

+ 2011-09-08 11:40 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB982381-IE8\occache.dll

+ 2011-09-08 11:40 . 2009-03-08 08:32 611840 c:\windows\ie8updates\KB982381-IE8\mstime.dll

+ 2011-09-08 11:40 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB982381-IE8\msfeeds.dll

+ 2011-09-08 11:40 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB982381-IE8\ieproxy.dll

+ 2011-09-08 11:40 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB982381-IE8\iepeers.dll

+ 2011-09-08 11:40 . 2009-03-08 08:35 742912 c:\windows\ie8updates\KB982381-IE8\iedvtool.dll

+ 2011-09-08 11:40 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB982381-IE8\iedkcs32.dll

+ 2011-09-08 11:40 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB982381-IE8\ie4uinit.exe

+ 2011-09-08 11:36 . 2009-06-26 16:18 659456 c:\windows\ie8\wininet.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 276480 c:\windows\ie8\webcheck.dll

+ 2011-09-08 11:36 . 2007-06-26 15:13 851968 c:\windows\ie8\vgx.dll

+ 2011-09-08 11:36 . 2007-12-18 14:40 417792 c:\windows\ie8\vbscript.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 616448 c:\windows\ie8\urlmon.dll

+ 2011-09-08 11:36 . 2009-01-07 22:21 382496 c:\windows\ie8\spuninst\updspapi.dll

+ 2011-09-08 11:36 . 2009-01-07 22:20 231456 c:\windows\ie8\spuninst\spuninst.exe

+ 2011-09-08 11:36 . 2009-06-26 16:18 532480 c:\windows\ie8\mstime.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 146432 c:\windows\ie8\msrating.dll

+ 2011-09-08 11:36 . 2003-03-31 12:00 146432 c:\windows\ie8\msls31.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 449024 c:\windows\ie8\mshtmled.dll

+ 2011-09-08 11:36 . 2009-08-21 09:46 450560 c:\windows\ie8\jscript.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 251392 c:\windows\ie8\iepeers.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 323584 c:\windows\ie8\iedkcs32.dll

+ 2011-09-08 11:36 . 2003-03-31 12:00 221184 c:\windows\ie8\ieakui.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 216576 c:\windows\ie8\ieaksie.dll

+ 2011-09-08 11:36 . 2004-08-04 07:56 139264 c:\windows\ie8\ieakeng.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 205312 c:\windows\ie8\dxtrans.dll

+ 2011-09-08 11:36 . 2009-06-26 16:18 357888 c:\windows\ie8\dxtmsft.dll

+ 2005-10-21 17:51 . 2010-05-06 10:41 1209344 c:\windows\system32\urlmon.dll

+ 2005-01-27 23:35 . 2010-05-06 10:41 5950976 c:\windows\system32\mshtml.dll

+ 2009-03-08 08:32 . 2010-05-06 10:41 1985536 c:\windows\system32\iertutil.dll

+ 2009-02-07 01:07 . 2009-02-07 01:07 3698584 c:\windows\system32\ieapfltr.dat

+ 2006-05-10 05:23 . 2010-05-06 10:41 1209344 c:\windows\system32\dllcache\urlmon.dll

+ 2006-05-19 15:08 . 2010-05-06 10:41 5950976 c:\windows\system32\dllcache\mshtml.dll

+ 2011-09-08 11:40 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB982381-IE8\urlmon.dll

+ 2011-09-08 11:40 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB982381-IE8\mshtml.dll

+ 2011-09-08 11:40 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB982381-IE8\iertutil.dll

+ 2011-09-08 11:36 . 2009-07-18 16:20 3062272 c:\windows\ie8\mshtml.dll

+ 2006-01-08 15:05 . 2011-07-30 14:05 52390856 c:\windows\system32\MRT.exe

+ 2009-03-08 08:39 . 2010-05-06 10:41 11076096 c:\windows\system32\ieframe.dll

+ 2011-09-08 11:40 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB982381-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"VSPDXP"="c:\program files\VSPD XP\vspdconfig.exe" [2003-11-13 974848]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-21 180269]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2004-08-23 35528]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-1-13 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2005-03-01 23:49 24672 ----a-w- c:\windows\system32\ckpNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 3.5.lnk

backup=c:\windows\pss\eFax DllCmd 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.5.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.5.lnk

backup=c:\windows\pss\eFax Tray Menu 3.5.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk

backup=c:\windows\pss\NetScreen-Remote.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2008-03-18 01:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2008-12-12 01:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-09-14 20:09 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]

2005-02-21 18:17 207360 ----a-w- c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-05-09 20:00 1658080 ----a-w- c:\program files\Messenger\Msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]

2001-08-18 05:36 86016 ----a-w- c:\windows\system32\pctspk.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyPD]

2006-02-02 17:27 262144 ----a-w- c:\windows\system32\ProxyPD.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]

2003-10-30 21:10 667648 ----a-w- c:\windows\system32\sistray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-02-26 08:53 65024 ----a-r- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-12-18 19:53 1242448 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-08-21 21:11 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ose"=3 (0x3)

"MpfService"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"IDriverT"=3 (0x3)

"Neoteris Setup Service"=2 (0x2)

"iPod Service"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Windows Easy Transfer 7\\migwiz.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:TCP"= 137:TCP:137

"138:TCP"= 138:TCP:138

"7000:TCP"= 7000:TCP:Windows Easy Transfer TCP port

"7000:UDP"= 7000:UDP:Windows Easy Transfer UDP port

.

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/1/2010 6:10 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/1/2010 6:10 PM 670128]

R3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [4/27/2008 4:51 PM 54016]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/1/2010 6:10 PM 2041904]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [4/27/2008 4:51 PM 26880]

S0 hurjc;hurjc;c:\windows\system32\drivers\qfdoxjhj.sys --> c:\windows\system32\drivers\qfdoxjhj.sys [?]

S2 Crypto;Crypto;\??\c:\windows\system32\Drivers\Crypto.sys --> c:\windows\system32\Drivers\Crypto.sys [?]

S3 ncvcp;Network Connect Virtual Com Port;c:\windows\system32\DRIVERS\nsvcp.sys --> c:\windows\system32\DRIVERS\nsvcp.sys [?]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/1/2010 6:10 PM 14924]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2006 7:52 PM 611064]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mWindow Title = Microsoft Internet Explorer provided by Comcast

mSearch Bar =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.68.166 68.87.74.166

FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\o2kw9dxc.default\

FF - prefs.js: browser.search.selectedEngine - Answers.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: network.proxy.http - proxy.etn.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{28CAEFF3-0F18-4036-B504-51D73BD81C3A} - REG_SZ

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-13 06:02

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-329068152-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2C6A728-99B6-9E70-ECCD-B16FE0B39194}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafijmabgajgabfild"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,00

"haphphdgoikhlnhd"=hex:6a,61,67,70,67,6d,68,67,67,67,66,6c,65,68,6a,69,61,6b,

6f,67,00,a6

.

Completion time: 2011-09-13 06:06:23

ComboFix-quarantined-files.txt 2011-09-13 10:06

ComboFix2.txt 2011-08-29 18:23

ComboFix3.txt 2011-08-23 12:05

ComboFix4.txt 2011-08-16 17:52

ComboFix5.txt 2011-09-13 09:44

.

Pre-Run: 293,695,488 bytes free

Post-Run: 406,036,480 bytes free

.

- - End Of File - - 2704D5F6E89DFB999B5CD2DE64F49009

Link to post
Share on other sites

2011/09/13 06:20:24.0718 0664 TDSS rootkit removing tool 2.5.21.0 Sep 10 2011 21:07:05

2011/09/13 06:20:24.0968 0664 ================================================================================

2011/09/13 06:20:24.0968 0664 SystemInfo:

2011/09/13 06:20:24.0968 0664

2011/09/13 06:20:24.0968 0664 OS Version: 5.1.2600 ServicePack: 2.0

2011/09/13 06:20:24.0968 0664 Product type: Workstation

2011/09/13 06:20:24.0968 0664 ComputerName: HOME_MEDIA

2011/09/13 06:20:24.0968 0664 UserName: Microsoft User

2011/09/13 06:20:24.0968 0664 Windows directory: C:\WINDOWS

2011/09/13 06:20:24.0968 0664 System windows directory: C:\WINDOWS

2011/09/13 06:20:24.0968 0664 Processor architecture: Intel x86

2011/09/13 06:20:24.0968 0664 Number of processors: 1

2011/09/13 06:20:24.0968 0664 Page size: 0x1000

2011/09/13 06:20:24.0968 0664 Boot type: Normal boot

2011/09/13 06:20:24.0968 0664 ================================================================================

2011/09/13 06:20:26.0171 0664 Initialize success

2011/09/13 06:20:29.0578 3448 ================================================================================

2011/09/13 06:20:29.0578 3448 Scan started

2011/09/13 06:20:29.0578 3448 Mode: Manual;

2011/09/13 06:20:29.0578 3448 ================================================================================

2011/09/13 06:20:30.0734 3448 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/09/13 06:20:30.0875 3448 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/09/13 06:20:31.0234 3448 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2011/09/13 06:20:31.0375 3448 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2011/09/13 06:20:31.0859 3448 ALCXSENS (ba88534a3ceb6161e7432438b9ea4f54) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

2011/09/13 06:20:32.0046 3448 ALCXWDM (9a6a99f0d75b457e3a2267776ebe9f47) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/09/13 06:20:32.0281 3448 AmdK7 (680ad1c1bb16239e28d8f33a54a7a3c7) C:\WINDOWS\system32\DRIVERS\amdk7.sys

2011/09/13 06:20:32.0734 3448 ASPI32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\ASPI32.sys

2011/09/13 06:20:32.0828 3448 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/09/13 06:20:32.0921 3448 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/09/13 06:20:33.0109 3448 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/09/13 06:20:33.0218 3448 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/09/13 06:20:33.0312 3448 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/09/13 06:20:33.0421 3448 BlueletAudio (852a1bd08e7dfeb9e30b5440881c0501) C:\WINDOWS\system32\DRIVERS\blueletaudio.sys

2011/09/13 06:20:33.0515 3448 BlueletSCOAudio (8fc27b12a02b43947787f0ef1885df9b) C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys

2011/09/13 06:20:33.0640 3448 BT (c5cce2b26f73f8cf7f3c82159e79aa08) C:\WINDOWS\system32\DRIVERS\btnetdrv.sys

2011/09/13 06:20:33.0734 3448 Btcsrusb (da473d279420234170da795f1cad4479) C:\WINDOWS\system32\Drivers\btcusb.sys

2011/09/13 06:20:33.0843 3448 BTHidEnum (ce643d0918123d76a5caab008fca9663) C:\WINDOWS\system32\Drivers\vbtenum.sys

2011/09/13 06:20:34.0000 3448 BTHidMgr (dfca4fe4c8aec786b4d0f432eb730f48) C:\WINDOWS\system32\Drivers\BTHidMgr.sys

2011/09/13 06:20:34.0187 3448 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/09/13 06:20:34.0375 3448 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/09/13 06:20:34.0468 3448 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/09/13 06:20:34.0562 3448 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/09/13 06:20:34.0875 3448 cmuda (53f4cc55f3c255439c5973e31f0adce7) C:\WINDOWS\system32\drivers\cmuda.sys

2011/09/13 06:20:35.0234 3448 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2011/09/13 06:20:35.0375 3448 CVPNDRVA (c23025ac5ae45a105d63bd6e2408edd4) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

2011/09/13 06:20:35.0687 3448 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/09/13 06:20:35.0812 3448 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2011/09/13 06:20:35.0968 3448 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2011/09/13 06:20:36.0093 3448 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/09/13 06:20:36.0187 3448 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2011/09/13 06:20:36.0296 3448 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2011/09/13 06:20:36.0765 3448 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/09/13 06:20:36.0937 3448 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

2011/09/13 06:20:37.0046 3448 elagopro (7ec42ec12a4bac14bcca99fb06f2d125) C:\WINDOWS\system32\DRIVERS\elagopro.sys

2011/09/13 06:20:37.0156 3448 elaunidr (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\elaunidr.sys

2011/09/13 06:20:37.0281 3448 evserial (abb227b67dc58c687bac8f7f27ed7d9b) C:\WINDOWS\system32\DRIVERS\evserial.sys

2011/09/13 06:20:37.0375 3448 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/09/13 06:20:37.0484 3448 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/09/13 06:20:37.0578 3448 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2011/09/13 06:20:37.0671 3448 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/09/13 06:20:37.0796 3448 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/09/13 06:20:37.0906 3448 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/09/13 06:20:38.0000 3448 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/09/13 06:20:38.0250 3448 FW1 (7441f96680ac1fad27ae34ff8076d594) C:\WINDOWS\system32\DRIVERS\fw.sys

2011/09/13 06:20:38.0421 3448 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2011/09/13 06:20:38.0515 3448 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/09/13 06:20:38.0640 3448 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/09/13 06:20:38.0750 3448 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/09/13 06:20:38.0953 3448 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/09/13 06:20:39.0343 3448 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/09/13 06:20:39.0671 3448 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/09/13 06:20:39.0968 3448 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/09/13 06:20:40.0078 3448 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/09/13 06:20:40.0187 3448 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/09/13 06:20:40.0296 3448 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/09/13 06:20:40.0406 3448 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/09/13 06:20:40.0531 3448 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/09/13 06:20:40.0656 3448 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/09/13 06:20:40.0765 3448 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/09/13 06:20:40.0859 3448 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2011/09/13 06:20:40.0968 3448 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/09/13 06:20:41.0187 3448 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/09/13 06:20:41.0296 3448 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2011/09/13 06:20:41.0390 3448 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

2011/09/13 06:20:41.0500 3448 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/09/13 06:20:41.0609 3448 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/09/13 06:20:41.0687 3448 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/09/13 06:20:41.0906 3448 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/09/13 06:20:42.0015 3448 MRxSmb (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/09/13 06:20:42.0156 3448 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2011/09/13 06:20:42.0265 3448 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/09/13 06:20:42.0359 3448 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/09/13 06:20:42.0500 3448 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/09/13 06:20:42.0609 3448 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/09/13 06:20:42.0703 3448 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2011/09/13 06:20:42.0906 3448 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2011/09/13 06:20:43.0000 3448 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/09/13 06:20:43.0093 3448 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/09/13 06:20:43.0187 3448 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/09/13 06:20:43.0296 3448 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/09/13 06:20:43.0390 3448 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/09/13 06:20:43.0500 3448 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/09/13 06:20:43.0640 3448 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2011/09/13 06:20:43.0765 3448 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/09/13 06:20:43.0921 3448 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/09/13 06:20:44.0546 3448 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/09/13 06:20:45.0218 3448 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/09/13 06:20:45.0421 3448 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/09/13 06:20:45.0656 3448 OMVA (73c74eb8b231974b7a961fddd878ae01) C:\WINDOWS\system32\DRIVERS\OMVA.sys

2011/09/13 06:20:45.0953 3448 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/09/13 06:20:46.0218 3448 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/09/13 06:20:46.0421 3448 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/09/13 06:20:46.0625 3448 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/09/13 06:20:47.0171 3448 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/09/13 06:20:47.0593 3448 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/09/13 06:20:49.0593 3448 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/09/13 06:20:49.0875 3448 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/09/13 06:20:49.0953 3448 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/09/13 06:20:50.0093 3448 Ptserial (bfa7131e36b166f6a9afedc27b0ab29b) C:\WINDOWS\system32\DRIVERS\ptserial.sys

2011/09/13 06:20:50.0234 3448 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

2011/09/13 06:20:50.0781 3448 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/09/13 06:20:50.0906 3448 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/09/13 06:20:51.0015 3448 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/09/13 06:20:51.0125 3448 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/09/13 06:20:51.0250 3448 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/09/13 06:20:51.0375 3448 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/09/13 06:20:51.0468 3448 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/09/13 06:20:51.0625 3448 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/09/13 06:20:51.0750 3448 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/09/13 06:20:51.0875 3448 RimUsb (913966a94de5fa40f0948c65221f08cc) C:\WINDOWS\system32\Drivers\RimUsb.sys

2011/09/13 06:20:51.0968 3448 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2011/09/13 06:20:52.0093 3448 rspndr (a3b23fb3f295694091f51865f98588b2) C:\WINDOWS\system32\DRIVERS\rspndr.sys

2011/09/13 06:20:52.0218 3448 Scap (8c3d61bb8f35264e14fb76856fefad62) C:\WINDOWS\system32\DRIVERS\Scap.sys

2011/09/13 06:20:52.0375 3448 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/09/13 06:20:52.0515 3448 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/09/13 06:20:52.0609 3448 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/09/13 06:20:52.0703 3448 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/09/13 06:20:52.0921 3448 SiS315 (31d0cfcced484c10b30381c25d149c63) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

2011/09/13 06:20:53.0046 3448 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

2011/09/13 06:20:53.0156 3448 SiSkp (4a1b7fe21eba582f3c7d6036cb089c06) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2011/09/13 06:20:53.0281 3448 SISNIC (8204c49cde112f7b9c2f15707fe2cc5a) C:\WINDOWS\system32\DRIVERS\sisnic.sys

2011/09/13 06:20:53.0421 3448 snapman (69e112b1b180c4c037a27a432d678abf) C:\WINDOWS\system32\DRIVERS\snapman.sys

2011/09/13 06:20:53.0609 3448 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2011/09/13 06:20:53.0750 3448 sptd (090adc3d9b5730ac3b20bdd5a54e2d28) C:\WINDOWS\System32\Drivers\sptd.sys

2011/09/13 06:20:53.0890 3448 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/09/13 06:20:54.0015 3448 Srv (ab9c79ed12d65e800aaad3d72a04792f) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/09/13 06:20:54.0265 3448 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys

2011/09/13 06:20:54.0375 3448 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/09/13 06:20:54.0484 3448 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2011/09/13 06:20:54.0921 3448 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/09/13 06:20:55.0078 3448 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/09/13 06:20:55.0218 3448 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/09/13 06:20:55.0328 3448 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/09/13 06:20:55.0437 3448 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/09/13 06:20:55.0656 3448 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2011/09/13 06:20:55.0828 3448 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2011/09/13 06:20:56.0000 3448 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/09/13 06:20:56.0140 3448 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/09/13 06:20:56.0265 3448 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/09/13 06:20:56.0390 3448 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/09/13 06:20:56.0515 3448 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/09/13 06:20:56.0625 3448 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/09/13 06:20:56.0750 3448 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/09/13 06:20:56.0843 3448 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/09/13 06:20:56.0937 3448 VComm (51750b0539986186c6931fc40d171521) C:\WINDOWS\system32\DRIVERS\VComm.sys

2011/09/13 06:20:57.0093 3448 VcommMgr (6d9c891c0a761afed1f3609c2e56f2b9) C:\WINDOWS\system32\Drivers\VcommMgr.sys

2011/09/13 06:20:57.0171 3448 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2011/09/13 06:20:57.0406 3448 Vmodem (b289d19df6103352d3c4b13c0ed79331) C:\WINDOWS\system32\DRIVERS\vmodem.sys

2011/09/13 06:20:57.0546 3448 VolSnap (e33edbb864a22f7474d2b297e44ee0b6) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/09/13 06:20:57.0546 3448 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: e33edbb864a22f7474d2b297e44ee0b6, Fake md5: ee4660083deba849ff6c485d944b379b

2011/09/13 06:20:57.0562 3448 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)

2011/09/13 06:20:57.0687 3448 Vpctcom (4a4448332075c5a909df123c21616b2a) C:\WINDOWS\system32\DRIVERS\vpctcom.sys

2011/09/13 06:20:57.0875 3448 VPN-1 (793b9aed2fc908fdfc93f0afa07f59cf) C:\WINDOWS\System32\drivers\vpn.sys

2011/09/13 06:20:58.0093 3448 VSBC (850787f696865f8cf8a8adea463423b7) C:\WINDOWS\system32\DRIVERS\evsbc.sys

2011/09/13 06:20:58.0218 3448 vsbus (3995d1e95f3c621467da4bce868cdc90) C:\WINDOWS\system32\DRIVERS\vsb.sys

2011/09/13 06:20:58.0375 3448 VSerial (3feb02f2eebaa3f099e279c258ef786e) C:\WINDOWS\system32\DRIVERS\vserial.sys

2011/09/13 06:20:58.0484 3448 Vvoice (120e61aac05f00c867a32de493dab9b4) C:\WINDOWS\system32\DRIVERS\vvoice.sys

2011/09/13 06:20:58.0609 3448 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/09/13 06:20:58.0734 3448 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/09/13 06:20:58.0953 3448 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/09/13 06:20:59.0125 3448 winusb (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.SYS

2011/09/13 06:20:59.0343 3448 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/09/13 06:20:59.0484 3448 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1

2011/09/13 06:20:59.0546 3448 Boot (0x1200) (8bea5aa339f04d66f2e32f740740e35d) \Device\Harddisk0\DR0\Partition0

2011/09/13 06:20:59.0578 3448 Boot (0x1200) (318d29297a6efe2c85a9ff81c304a8a3) \Device\Harddisk0\DR0\Partition1

2011/09/13 06:20:59.0593 3448 Boot (0x1200) (b2541778272989a8a4205225d5033a7c) \Device\Harddisk1\DR1\Partition0

2011/09/13 06:20:59.0609 3448 ================================================================================

2011/09/13 06:20:59.0609 3448 Scan finished

2011/09/13 06:20:59.0609 3448 ================================================================================

2011/09/13 06:20:59.0656 2848 Detected object count: 1

2011/09/13 06:20:59.0656 2848 Actual detected object count: 1

2011/09/13 06:49:29.0515 2848 VolSnap (e33edbb864a22f7474d2b297e44ee0b6) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/09/13 06:49:29.0515 2848 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: e33edbb864a22f7474d2b297e44ee0b6, Fake md5: ee4660083deba849ff6c485d944b379b

2011/09/13 06:49:30.0531 2848 Backup copy found, using it..

2011/09/13 06:49:30.0546 2848 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot

2011/09/13 06:49:30.0546 2848 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure

2011/09/13 06:49:36.0140 1956 Deinitialize success

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.