Edited by JoeGons, 25 November 2009 - 04:43 PM.
[Closed] Found CPAX20 (alg.exe) CPAX2.exe on my system.
#16
Posted 25 November 2009 - 04:42 PM
If we could do it alone, we wouldn’t need each other.
#17
Posted 25 November 2009 - 07:16 PM
> It's very interesting. There's now a shortcut to Internet Explorer on my Desktop.
Yes, Combofix did that. You can delete that shortcut if you wish.
> What is OTC by Oldtimer?
I should be asking you that question. Why is OTC brought up here? Did I tell you to run it anywhere in this topic?
--
Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
- Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
File::
c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe
c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe
c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe
c:\windows\system32\1.tmp
c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe
c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe
c:\windows\system32\42cAA.sys
c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe
c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys
c:\windows\winlogon.exe

Driver::
FRM
JJ
LCKAQ
MEMSWEEP2
OJMCTAV
QEDMY
42cAA
ELQQIN
SysProtDrv.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{32544452-2241-2343-2313-245211031325}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
Referring to the picture above, drag CFScript into ComboFix.exe.
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Download a new copy of RootRepeal and see if you can run it. If so, run it and post back with the log in your next reply.
Thanks.
~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.
The help you receive here is free. If you wish to show your appreciation, you may wish to
#18
Posted 26 November 2009 - 06:24 AM
Thanks for the follow up.
After this run, my Windows Firewall and Virus Protection warnings have returned.
I use Sygate Firewall and Norton Anti Virus.
I have been made to understand that one should not run two anti-virus programs at the same time.
Would you recommend turning on BOTH Windows Firewall and Windows Virus Protection along with my Sygate and Norton?
I downloaded a new copy of RootRepeal and tried to run it.
It never got past initializing.
At first there is a lot of hard drive activity. After about 5 minutes the hard drive activity stopped, and nothing happened for the next 10 minutes.
Using Task Manager, I noticed it was using 99% CPU, so I stopped it.
Under "Applications" it showed "Busy" --- "Not Responding".
How long should it take to "Initialize"?
----------------------------------------------------
ComboFix 09-11-25.01 - Owner 11/26/2009 5:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.765.349 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FILE ::
"c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe"
"c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe"
"c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys"
"c:\windows\system32\1.tmp"
"c:\windows\system32\42cAA.sys"
"c:\windows\winlogon.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\42cAA.sys
c:\windows\System32\Drivers\d347prt.sys . . . is infected!!
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_42CAA
-------\Legacy_ELQQIN
-------\Legacy_FRM
-------\Legacy_JJ
-------\Legacy_LCKAQ
-------\Legacy_MEMSWEEP2
-------\Legacy_OJMCTAV
-------\Legacy_QEDMY
-------\Legacy_SYSPROTDRV.SYS
-------\Service_42cAA
-------\Service_ELQQIN
-------\Service_FRM
-------\Service_JJ
-------\Service_LCKAQ
-------\Service_MEMSWEEP2
-------\Service_OJMCTAV
-------\Service_QEDMY
-------\Service_SysProtDrv.sys
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.
2009-11-25 16:03 . 2009-11-25 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 12:49 . 2009-11-25 14:15 -------- d-----w- C:\Restore atapi.sys
2009-11-24 12:33 . 2009-11-24 12:33 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-24 12:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 12:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 12:32 . 2009-11-24 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 11:06 . 2009-11-23 11:06 -------- d-----w- c:\program files\Sophos
2009-11-21 20:41 . 2009-11-21 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 19:10 . 2009-11-17 19:10 34816 ----a-w- c:\windows\system32\drivers\rootrepeal1.3.3.sys
2009-11-17 16:08 . 2009-11-17 16:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-17 16:02 . 2009-11-17 16:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-17 16:02 . 2009-11-20 19:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2009-11-16 23:06 . 2009-11-18 23:17 -------- d-----w- c:\program files\ERUNT
2009-11-16 15:34 . 2009-11-16 15:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-11-10 14:44 . 2009-11-10 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\XnView
2009-11-04 20:15 . 2009-11-04 20:15 0 ---ha-w- C:\aaw7boot.cmd
2009-11-03 20:56 . 2009-11-03 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-03 20:55 . 2009-11-03 20:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-03 19:32 . 2009-11-03 16:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 16:35 . 2009-11-03 16:35 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-03 16:35 . 2009-11-03 16:35 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-03 16:35 . 2009-11-03 16:35 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-03 16:35 . 2009-11-03 16:35 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-03 16:35 . 2009-11-03 16:35 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-03 15:35 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-03 14:17 . 2009-11-03 14:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 14:17 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-02 21:57 . 2007-12-04 08:59 151552 ----a-w- c:\windows\system32\SpamExpertsLSP.dll
2009-11-02 21:57 . 2009-11-26 09:36 -------- d-----w- c:\documents and settings\Owner\Application Data\SpamExperts
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\SpamExperts
2009-11-02 00:33 . 2009-11-02 11:49 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-10-27 14:46 . 2009-10-27 14:48 -------- d-----w- C:\RSV3 - Portuguese (Brazil)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 08:46 . 2009-05-07 00:03 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-11-24 19:16 . 2005-03-04 13:11 -------- d-----w- c:\program files\PHOTOED
2009-11-22 14:16 . 2005-02-27 15:51 -------- d-----w- c:\program files\Common Files\Lanovation
2009-11-22 14:15 . 2005-02-27 15:31 -------- d-----w- c:\program files\Common Files\New Boundary
2009-11-21 23:30 . 2008-02-06 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 16:20 . 2005-02-27 15:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-16 02:21 . 2008-10-28 15:51 -------- d-----w- c:\documents and settings\Owner\Application Data\MyHeritage
2009-11-15 17:39 . 2007-07-19 13:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 21:04 . 2009-06-13 20:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-11-09 15:21 . 2006-05-04 20:43 -------- d-----w- c:\program files\7-Zip
2009-11-03 14:17 . 2008-01-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 14:17 . 2005-09-24 15:43 -------- d-----w- c:\program files\Lavasoft
2009-11-03 12:05 . 2005-02-28 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 00:37 . 2009-03-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-24 21:27 . 2009-10-24 21:27 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000009000002i\switch.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000008f00003i\mp3enc.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000001e00002i\mp3el.exe
2009-10-23 19:39 . 2009-09-04 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-10-15 14:12 . 2009-01-29 02:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-09-30 11:41 . 2006-01-13 14:46 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:55 . 2009-09-19 23:55 7168 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\PowerISO\1000000500002i\regsvr32.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 07:47 . 2009-09-08 07:47 33205 ----a-w- c:\program files\Common Files\alg.exet
2009-09-07 14:35 . 2009-09-07 14:35 9454 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{AFDFC350-C142-4790-BE12-8357AECD028F}\_6FEFF9B68218417F98F549.exe
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{20C5732B-278E-414F-9969-4B1B6F6B1074}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{284C635E-CE35-4DBA-B923-F917A79E3158}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\{29F6F205-6349-440F-B858-619E577BE647}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{2F2B7764-4C86-4116-9660-4949D5731615}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{3AB1F9C7-0860-4561-8562-C508918D7781}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\{427F2E8C-2B7E-40EF-B90F-4D30B0722D47}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{4D1E3325-E93C-4F2C-8870-5E9EDB834919}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{4FD83288-7971-4F7B-BFA5-7E97B023888A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{70DD99C6-831E-407B-93D7-7D950103D147}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\{72CB7929-2EA1-4B0E-A425-873B8EFAF45F}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{740FE7C4-38FC-4884-8127-11EC56358F6C}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{76AA0AB7-C176-4D3B-8605-32360E9F1526}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{7A5CBF1A-020D-42E5-B460-7DB12206A266}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{800608D0-F8E7-41E4-A412-8AD09184F5CA}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{81A8AABF-795E-4E7F-8B35-FCD83C332C07}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{927C7A09-0157-4E97-9BE9-DB374F207653}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\{9C6BC5BD-1D28-452B-96B0-51F812146D6E}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{AE9C34FD-8EA6-459B-8BDF-D598B021A0A3}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{B07660CF-B4A5-4405-9B00-44EE1A375ED1}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{B56DC562-477B-4E50-8E7B-FD3172E841B2}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{BAA44635-64E0-4B25-A1B0-A9C490DCF4D7}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{BBAA2AF7-D61A-44A8-BA3D-EA7749D14EA3}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{BC390267-5611-4E34-B0F9-6E0452330B2D}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{D172EB0A-FEBF-464F-8C36-881A8AEEBC76}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{D2B46CC4-4298-4E90-A23F-547657F2ED3F}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\{D4C1D427-33E1-457C-9D60-6D1BDF139805}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{D4CC30C0-80A3-44E6-8395-0A4B35D89746}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{D4DE64AE-BA96-4E9C-B219-5D01904A7E8C}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{DDF7F8C6-0468-4A32-90C0-4CCCB835D1FB}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{F439E292-3949-4A8C-90AA-E0ED6D1108CE}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\system32\{0BAD9E4E-3EF2-4909-9F07-57E9867440DA}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{0CD7FDC8-662A-4E61-BCD1-59A21506A505}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{12D11B55-6089-4496-B7A0-FF6A12A32C25}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{206B7165-8FD4-4947-8376-B6CF436D9649}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{27477B90-8E61-4FCB-921F-B277A6E24760}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{308D7C35-E406-406B-89E1-86B5528AF6DC}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{34CB3D91-8727-4750-9772-CC8829D3C34A}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\system32\{3535C4DF-B280-4D45-8581-52867749979D}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{360E0E53-0260-4E6F-94C4-610F544830D2}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{3E3F97FD-92DB-40EB-857C-FDE131CE41A3}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\system32\{3F834989-B152-4991-9F9C-8D042E9EB505}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{54AE8BFC-44BF-446A-BD77-45CF251D4C2F}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{68E13551-3B92-43FB-A9C7-BD7297BE4F93}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{6B1FA805-43EC-4BD6-8724-C59849ED278A}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{73B58090-05BD-4455-BE49-0E3509D13A9A}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{8CB819E1-8293-4656-90B4-011ADF4A33DB}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{8DF1122C-E7DE-4C30-B0DD-B87809D84ED8}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{950FD490-E5BA-4C79-854B-A1B09FC8EC97}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{9D5C346F-3D80-42B9-8D3F-0C2F182E2F9D}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{9ED41E35-F8AB-4F3E-8B8D-E70935C4B3A3}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{9FF8B0DF-84E5-4DC6-9424-193E66D1C21E}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{B2F6F586-F122-40AF-A96C-86CEE7A3E55B}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{B587DFF3-4AA9-4929-B5EC-2D1F17114B04}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{B91D95DA-8799-4605-A8FA-62CB71E7FD5A}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\system32\{CA3D611C-0E96-4FB7-BE2E-745F5E65EC5C}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{E2D58C15-BBE6-4511-B994-C1C17E2AC9F5}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{F1699A0E-698C-46CD-8C4A-5B4D54E8359A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{F53CCA35-8A86-4D42-9700-76E498CA6FDD}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\system32\{F73A793F-AC00-4B0E-9820-378E64BD44B6}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{FAB538C2-F03A-43FD-8220-CB73DF4EB3B3}.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-11-25_21.37.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-26 10:06 . 2009-11-26 10:06 16384 c:\windows\Temp\Perflib_Perfdata_b04.dat
+ 2009-11-26 10:06 . 2009-11-26 10:06 16384 c:\windows\Temp\Perflib_Perfdata_540.dat
+ 2009-11-26 09:39 . 2009-11-26 09:39 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
+ 2002-10-24 20:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2009-11-26 08:29 . 2009-11-26 08:29 184320 c:\windows\ERDNT\AutoBackup\11-26-2009\Users\00000002\UsrClass.dat
+ 2009-11-26 08:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-26-2009\ERDNT.EXE
+ 2009-11-26 08:29 . 2009-11-26 08:29 14135296 c:\windows\ERDNT\AutoBackup\11-26-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-25 303180]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-04 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"StartupDelayer"="e:\program files\Startup Delayer\Startup Launcher GUI.exe" [2004-03-01 45056]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-06-13 95960]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-02-27 88363]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-18 282624]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\XSandbox\\Diskeeper Application Launcher\\13.0.3.0\\2008.12.07T11.56\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"e:\\Portable Diskeeper Pro Premier 2009 V.13.0 Build 835\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 11:35 AM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/21/2009 6:16 PM 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [3/21/2009 6:16 PM 4150840]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\xylocser.sys [4/18/2007 8:18 PM 55712]
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 2:39 PM 8704]
S3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [5/30/2005 2:32 PM 105124]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 2:39 PM 3072]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/16/2009 10:28 AM 107904]
S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?]
S3 STV673;STV0673 Camera;c:\windows\system32\drivers\STV673.SYS [4/21/2006 5:00 PM 122256]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [5/13/2009 10:37 AM 33792]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/27/2005 1:26 PM 15576]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 21:13]
2009-11-23 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-10-09 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
LSP: c:\windows\system32\SpamExpertsLSP.dll
TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 06:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83797A78]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf754af28
\Driver\ACPI -> ACPI.sys @ 0xf7467cb8
\Driver\atapi -> 0x83797a78
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-220523388-573735546-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1216)
c:\windows\system32\SpamExpertsLSP.dll
- - - - - - - > 'explorer.exe'(2420)
c:\windows\system32\WININET.dll
c:\program files\Gateway Utilities\inkpeek.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Sygate\SPF\smc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Norton AntiVirus\SAVScan.exe
c:\windows\System32\snmp.exe
e:\uphclean\uphclean.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-11-26 06:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 10:20
ComboFix2.txt 2009-11-25 21:51
Pre-Run: 1,616,523,264 bytes free
Post-Run: 3,187,396,608 bytes free
- - End Of File - - F3163F4578E7C81C27AE80B03192DF7D
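As an added example that is not part of this thread and not ComboFix's own code: a small Python cross-check of a CFScript against the ComboFix log it produced, covering the script format in post #17 and the log format in post #18. It assumes only the layout visible in those two posts (sections introduced by a line ending in "::"; a "FILE ::" echo block, an "Other Deletions" banner and "-------\Service_<name>" lines in the log), and the script and log it embeds are constructed, abbreviated samples modelled on them.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote after running it.
Added example, not ComboFix's own code; the script and log layouts it assumes are
the ones visible in this thread, and the samples at the bottom are constructed."""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")       # File::  Driver::  Registry::  RegLock::
SERVICE_RE = re.compile(r"^-------\\Service_(.+)$")  # a service ComboFix removed
PATH_RE = re.compile(r"^[A-Za-z]:\\")                # a Windows path
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")       # (((( Section Name ))))


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, keeping entry order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Pull out of the log the parts that answer 'was my script applied?'."""
    result = {"script_used": False, "echoed": set(), "deleted": set(), "services": set()}
    block = None  # which banner-delimited block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Command switches used ::"):
            result["script_used"] = True
        elif line == "FILE ::":
            block = "file"
        elif BANNER_RE.match(line):
            block = "deletions" if "Other Deletions" in line else None
        elif block == "file" and line.startswith('"') and line.endswith('"'):
            result["echoed"].add(line.strip('"').lower())
        elif block == "file":
            block = None  # the echo list ends at the first unquoted line
        elif block == "deletions" and PATH_RE.match(line):
            # entries such as '<path> . . . is infected!!' carry a suffix
            result["deleted"].add(line.split(" . . . ")[0].lower())
        m = SERVICE_RE.match(line)
        if m:
            result["services"].add(m.group(1).lower())
    return result


def verify(script, log):
    """Report what the log does not confirm; empty lists mean it all checked out."""
    files = script.get("File", [])
    echoed, deleted = log["echoed"], log["deleted"]
    return {
        "script_used": log["script_used"],
        # requested but never echoed: ComboFix did not pick the script up intact
        "not_echoed": [f for f in files if f.lower() not in echoed],
        # echoed but not listed as deleted: already gone or it resisted removal,
        # so the helper should look at that path by hand
        "not_confirmed_deleted": [f for f in files if f.lower() in echoed and f.lower() not in deleted],
        "drivers_not_removed": [d for d in script.get("Driver", []) if d.lower() not in log["services"]],
    }


# Constructed, abbreviated samples modelled on the script and log in the thread.
SAMPLE_CFSCRIPT = r"""
File::
c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe
c:\windows\system32\1.tmp
c:\windows\system32\42cAA.sys

Driver::
FRM
MEMSWEEP2
42cAA
"""

SAMPLE_LOG = r"""
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FILE ::
"c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe"
"c:\windows\system32\1.tmp"
"c:\windows\system32\42cAA.sys"
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
c:\windows\system32\42cAA.sys
c:\windows\System32\Drivers\d347prt.sys . . . is infected!!
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
-------\Service_42cAA
-------\Service_FRM
"""

if __name__ == "__main__":
    report = verify(parse_cfscript(SAMPLE_CFSCRIPT), parse_combofix_log(SAMPLE_LOG))
    print(report)
```

Run against the real script and log, anything listed under "not_confirmed_deleted" or "drivers_not_removed" is what to re-examine in the next log rather than assume cleaned.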
#19
Posted 27 November 2009 - 02:55 PM
Can you try running GMER for me and see if it works now?
Install and run MBAM.
Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
  - Make sure the "Perform Quick Scan" option is selected.
  - Then click on the Scan button.
  - If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link
Thanks.
~EB
#20
Posted 27 November 2009 - 06:43 PM
Edited by JoeGons, 27 November 2009 - 06:49 PM.
#21
Posted 28 November 2009 - 01:55 PM
Please download DeFogger to your desktop.
Double-click DeFogger to run the tool.
- The application window will appear
- Click the Disable button to disable your CD Emulation drivers.
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK
Do not re-enable these drivers until otherwise instructed.
---
Download a NEW copy of Combofix by clicking on one of the two links below and save it to your desktop. Please delete the copy of Combofix you have currently.
Link 1
Link 2
Run it and post the log once it's complete for me to review please.
Thanks.
~Extremeboy
#22
Posted 28 November 2009 - 05:45 PM
-----------------------------
ComboFix 09-11-28.01 - Owner 11/28/2009 18:48.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.765.425 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.
2009-11-25 16:03 . 2009-11-25 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 12:49 . 2009-11-25 14:15 -------- d-----w- C:\Restore atapi.sys
2009-11-24 12:33 . 2009-11-24 12:33 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-24 12:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 12:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 12:32 . 2009-11-24 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 11:06 . 2009-11-23 11:06 -------- d-----w- c:\program files\Sophos
2009-11-21 20:41 . 2009-11-21 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 16:08 . 2009-11-17 16:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-17 16:02 . 2009-11-17 16:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-17 16:02 . 2009-11-20 19:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2009-11-16 23:06 . 2009-11-18 23:17 -------- d-----w- c:\program files\ERUNT
2009-11-16 15:34 . 2009-11-16 15:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-11-10 14:44 . 2009-11-10 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\XnView
2009-11-04 20:15 . 2009-11-04 20:15 0 ---ha-w- C:\aaw7boot.cmd
2009-11-03 20:56 . 2009-11-03 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-03 20:55 . 2009-11-03 20:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-03 19:32 . 2009-11-03 16:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 16:35 . 2009-11-03 16:35 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-03 16:35 . 2009-11-03 16:35 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-03 16:35 . 2009-11-03 16:35 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-03 16:35 . 2009-11-03 16:35 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-03 16:35 . 2009-11-03 16:35 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-03 15:35 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-03 14:17 . 2009-11-03 14:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 14:17 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-02 21:57 . 2007-12-04 08:59 151552 ----a-w- c:\windows\system32\SpamExpertsLSP.dll
2009-11-02 21:57 . 2009-11-28 22:35 -------- d-----w- c:\documents and settings\Owner\Application Data\SpamExperts
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\SpamExperts
2009-11-02 00:33 . 2009-11-02 11:49 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 22:13 . 2009-05-07 00:03 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-11-28 09:35 . 2005-09-24 15:43 -------- d-----w- c:\program files\Lavasoft
2009-11-27 14:57 . 2008-10-16 15:59 -------- d-----w- c:\program files\RecvMngr
2009-11-26 13:58 . 2009-07-16 14:38 -------- d-----w- c:\program files\Mars
2009-11-24 19:16 . 2005-03-04 13:11 -------- d-----w- c:\program files\PHOTOED
2009-11-22 14:16 . 2005-02-27 15:51 -------- d-----w- c:\program files\Common Files\Lanovation
2009-11-22 14:15 . 2005-02-27 15:31 -------- d-----w- c:\program files\Common Files\New Boundary
2009-11-21 23:30 . 2008-02-06 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 16:20 . 2005-02-27 15:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-16 02:21 . 2008-10-28 15:51 -------- d-----w- c:\documents and settings\Owner\Application Data\MyHeritage
2009-11-15 17:39 . 2007-07-19 13:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 21:04 . 2009-06-13 20:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-11-09 15:21 . 2006-05-04 20:43 -------- d-----w- c:\program files\7-Zip
2009-11-03 14:17 . 2008-01-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 12:05 . 2005-02-28 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 00:37 . 2009-03-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-24 21:27 . 2009-10-24 21:27 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000009000002i\switch.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000008f00003i\mp3enc.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000001e00002i\mp3el.exe
2009-10-23 19:39 . 2009-09-04 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-10-15 14:12 . 2009-01-29 02:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-09-30 11:41 . 2006-01-13 14:46 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:55 . 2009-09-19 23:55 7168 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\PowerISO\1000000500002i\regsvr32.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 07:47 . 2009-09-08 07:47 33205 ----a-w- c:\program files\Common Files\alg.exet
2009-09-07 14:35 . 2009-09-07 14:35 9454 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{AFDFC350-C142-4790-BE12-8357AECD028F}\_6FEFF9B68218417F98F549.exe
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{20C5732B-278E-414F-9969-4B1B6F6B1074}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{284C635E-CE35-4DBA-B923-F917A79E3158}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\{29F6F205-6349-440F-B858-619E577BE647}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{2F2B7764-4C86-4116-9660-4949D5731615}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{3AB1F9C7-0860-4561-8562-C508918D7781}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\{427F2E8C-2B7E-40EF-B90F-4D30B0722D47}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{4D1E3325-E93C-4F2C-8870-5E9EDB834919}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{4FD83288-7971-4F7B-BFA5-7E97B023888A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{70DD99C6-831E-407B-93D7-7D950103D147}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\{72CB7929-2EA1-4B0E-A425-873B8EFAF45F}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{740FE7C4-38FC-4884-8127-11EC56358F6C}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{76AA0AB7-C176-4D3B-8605-32360E9F1526}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{7A5CBF1A-020D-42E5-B460-7DB12206A266}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{800608D0-F8E7-41E4-A412-8AD09184F5CA}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{81A8AABF-795E-4E7F-8B35-FCD83C332C07}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{927C7A09-0157-4E97-9BE9-DB374F207653}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\{9C6BC5BD-1D28-452B-96B0-51F812146D6E}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{AE9C34FD-8EA6-459B-8BDF-D598B021A0A3}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{B07660CF-B4A5-4405-9B00-44EE1A375ED1}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{B56DC562-477B-4E50-8E7B-FD3172E841B2}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{BAA44635-64E0-4B25-A1B0-A9C490DCF4D7}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{BBAA2AF7-D61A-44A8-BA3D-EA7749D14EA3}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{BC390267-5611-4E34-B0F9-6E0452330B2D}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{D172EB0A-FEBF-464F-8C36-881A8AEEBC76}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{D2B46CC4-4298-4E90-A23F-547657F2ED3F}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\{D4C1D427-33E1-457C-9D60-6D1BDF139805}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{D4CC30C0-80A3-44E6-8395-0A4B35D89746}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{D4DE64AE-BA96-4E9C-B219-5D01904A7E8C}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{DDF7F8C6-0468-4A32-90C0-4CCCB835D1FB}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{F439E292-3949-4A8C-90AA-E0ED6D1108CE}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\system32\{0BAD9E4E-3EF2-4909-9F07-57E9867440DA}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{0CD7FDC8-662A-4E61-BCD1-59A21506A505}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{12D11B55-6089-4496-B7A0-FF6A12A32C25}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{206B7165-8FD4-4947-8376-B6CF436D9649}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{27477B90-8E61-4FCB-921F-B277A6E24760}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{308D7C35-E406-406B-89E1-86B5528AF6DC}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{34CB3D91-8727-4750-9772-CC8829D3C34A}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\system32\{3535C4DF-B280-4D45-8581-52867749979D}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{360E0E53-0260-4E6F-94C4-610F544830D2}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{3E3F97FD-92DB-40EB-857C-FDE131CE41A3}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\system32\{3F834989-B152-4991-9F9C-8D042E9EB505}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{54AE8BFC-44BF-446A-BD77-45CF251D4C2F}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{68E13551-3B92-43FB-A9C7-BD7297BE4F93}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{6B1FA805-43EC-4BD6-8724-C59849ED278A}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{73B58090-05BD-4455-BE49-0E3509D13A9A}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{8CB819E1-8293-4656-90B4-011ADF4A33DB}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{8DF1122C-E7DE-4C30-B0DD-B87809D84ED8}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{950FD490-E5BA-4C79-854B-A1B09FC8EC97}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{9D5C346F-3D80-42B9-8D3F-0C2F182E2F9D}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{9ED41E35-F8AB-4F3E-8B8D-E70935C4B3A3}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{9FF8B0DF-84E5-4DC6-9424-193E66D1C21E}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{B2F6F586-F122-40AF-A96C-86CEE7A3E55B}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{B587DFF3-4AA9-4929-B5EC-2D1F17114B04}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{B91D95DA-8799-4605-A8FA-62CB71E7FD5A}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\system32\{CA3D611C-0E96-4FB7-BE2E-745F5E65EC5C}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{E2D58C15-BBE6-4511-B994-C1C17E2AC9F5}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{F1699A0E-698C-46CD-8C4A-5B4D54E8359A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{F53CCA35-8A86-4D42-9700-76E498CA6FDD}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\system32\{F73A793F-AC00-4B0E-9820-378E64BD44B6}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{FAB538C2-F03A-43FD-8220-CB73DF4EB3B3}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-25 303180]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-04 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-06-13 95960]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-02-27 88363]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-18 282624]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\XSandbox\\Diskeeper Application Launcher\\13.0.3.0\\2008.12.07T11.56\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"e:\\Portable Diskeeper Pro Premier 2009 V.13.0 Build 835\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SpamExperts\\SpamExperts.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 11:35 AM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/21/2009 6:16 PM 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [3/21/2009 6:16 PM 4150840]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\xylocser.sys [4/18/2007 8:18 PM 55712]
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 2:39 PM 8704]
S3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [5/30/2005 2:32 PM 105124]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 2:39 PM 3072]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1179232]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/16/2009 10:28 AM 107904]
S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?]
S3 STV673;STV0673 Camera;c:\windows\system32\drivers\STV673.SYS [4/21/2006 5:00 PM 122256]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [5/13/2009 10:37 AM 33792]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/27/2005 1:26 PM 15576]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 21:13]
2009-11-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-10-09 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
LSP: c:\windows\system32\SpamExpertsLSP.dll
TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 19:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8371D008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf750cf28
\Driver\ACPI -> ACPI.sys @ 0xf7429cb8
\Driver\atapi -> 0x8371d008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-220523388-573735546-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1148)
c:\windows\system32\SpamExpertsLSP.dll
- - - - - - - > 'lsass.exe'(1204)
c:\windows\system32\SpamExpertsLSP.dll
- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\program files\Gateway Utilities\inkpeek.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-28 19:12
ComboFix-quarantined-files.txt 2009-11-28 23:10
ComboFix2.txt 2009-11-26 10:20
ComboFix3.txt 2009-11-25 21:51
Pre-Run: 4,808,097,792 bytes free
Post-Run: 4,767,182,848 bytes free
- - End Of File - - 4B3A7057406C2F27C5121CB9EEA60A62
#23
Posted 30 November 2009 - 03:40 PM
I suggest you uninstall your Daemon Tools via add/remove.
Then follow the instructions under the "How can I remove SPTD driver on 32-bit OS?" heading and download and run the tool http://www.duplexsecure.com/en/faq
We can always install it back later if you need it as CD Emulators, can interfere with some of our tools.
--
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
- A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
- Copy and Paste the content of the following codebox into the main textfield under "File":
:filefind
atapi.sys
:dir
C:\Restore atapi.sys
- Please confirm everything is copied and pasted exactly as I have provided above.
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan.
- Please post this log in your next reply.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.
Let me know what symptoms or problems you currently have with the system. Also, try downloading a NEW copy of GMER and see if you can run it. If so, post the logs in your next reply.
#24
Posted 30 November 2009 - 05:45 PM
#25
Posted 01 December 2009 - 10:00 AM
Edited by JoeGons, 01 December 2009 - 10:01 AM.
#26
Posted 01 December 2009 - 07:17 PM
Remember I ran DeFogger before. I don’t know if that is of any importance.
In any case, I ran SPTDinst-v162-x86.exe.
It said “No SPTD version was detected.”
I then tried to run a new GMER.
The odd thing is that it starts to scan as soon as it is launched.
It runs for about 10 seconds and then gets a problem.
There is no “Stop” or “Pause” button so I am unable to deselect any items.
I then tried it in Safe mode.
While “Safe Mode” was booting, I stopped “d347 Bus” from loading.
I ran GMER and all went well. For 8 ½ hours!!!
The problem was that I have a program for BMW parts.
It has over 71000 files. I also have a backup for the same program on my C: Drive.
Anyway, after it finished, there were only three interesting detections on the main screen.
The rest was files from my BMW program with file extension xx.ITW.
In safe mode I could not see a save button.
The resolution does not work for this program in Safe Mode.
I started to see if I could copy the Scan Results and, in short, it crashed.
I had to force a shut down and start again.
I uninstalled Daemon.
I removed the folders with the large file count and ran GMER.
When it started it ran some sort of initial scan.
I am happy to observe that I do not think I have a Root Kit problem.
After starting GMER.
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-12-01 18:01:44
Windows 5.1.2600 Service Pack 3
Running: xh9pbsme.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwdoiuoc.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
I then did a scan as per the instructions.
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 20:34:55
Windows 5.1.2600 Service Pack 3
Running: xh9pbsme.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwdoiuoc.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF675BB30]
SSDT E1BED498 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF751887E]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF675B6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF675B470]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF675BC50]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7518BFE]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF675B990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF675B8D0]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xED81E6D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF675BD60]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
Have fun with this but I think we can call this solved!!
J
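As an added triage example, not code from this thread, from ComboFix or from GMER: the ComboFix log in post #22 and the GMER SSDT listing in post #26 can be screened mechanically for the items a helper reads first (hidden+system files, Security Center and firewall overrides, services whose driver image is missing, the unnamed module in the disk stack, and SSDT hooks that GMER could not attribute to a vendor). The row layouts the regexes expect are assumptions taken from the log excerpts quoted above, and the sample input is constructed from lines in those excerpts.

```python
"""Added triage example for ComboFix and GMER text logs (not from the thread
or from either tool). The row layouts below are assumptions taken from the
log excerpts quoted in this thread."""
import re

# ComboFix file rows: "<created> . <modified> <size|--------> <8 attr flags> <path>"
CF_FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) ([-a-z]{8}) (.+)$"
)
# GMER SSDT rows: "SSDT <module-or-address> [(<desc>/<vendor>)] Zw<Func> [0xADDR]"
GMER_SSDT_ROW = re.compile(r"^SSDT\s+(.*?)\s+(Zw\w+)(?:\s+\[(0x[0-9A-Fa-f]+)\])?$")
VENDOR_TAG = re.compile(r"\(([^/)]+)/([^)]+)\)")

# Constructed sample input, assembled from lines quoted in the thread.
SAMPLE_COMBOFIX = r"""
2009-11-24 12:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 12:49 . 2009-11-25 14:15 -------- d-----w- C:\Restore atapi.sys
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat
2009-11-17 16:08 . 2009-11-17 16:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8371D008]<<
Warning: possible MBR rootkit infection !
"""

SAMPLE_GMER = r"""
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF675BB30]
SSDT E1BED498 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF751887E]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xED81E6D0]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
"""


def combofix_findings(log_text):
    """Return (tag, detail) pairs for the lines a helper reads first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CF_FILE_ROW.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            # attrs[0]=='d' directory, attrs[2]=='s' system, attrs[3]=='h' hidden
            if attrs[0] != "d" and attrs[2] == "s" and attrs[3] == "h":
                findings.append(("hidden_system_file", path))
            continue
        if '"EnableFirewall"= 0' in line:
            findings.append(("firewall_disabled", line))
        elif '"DisableMonitoring"=dword:00000001' in line:
            findings.append(("av_monitoring_disabled", line))
        elif line.endswith("[?]"):            # service registered, image not on disk
            findings.append(("driver_image_missing", line.split(";")[0]))
        elif ">>UNKNOWN [" in line:           # unnamed module in the disk I/O path
            findings.append(("unknown_module_in_disk_stack", line))
        elif line.startswith("Warning:"):
            findings.append(("tool_warning", line))
    return findings


def gmer_ssdt_hooks(log_text):
    """Classify each SSDT hook by how well GMER could attribute the hooking code."""
    hooks = []
    for raw in log_text.splitlines():
        m = GMER_SSDT_ROW.match(raw.strip())
        if not m:
            continue
        module, func, addr = m.groups()
        vendor = VENDOR_TAG.search(module)
        if vendor:                                     # "(desc/vendor)" from version info
            kind, who = "attributed", vendor.group(2).strip()
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", module):  # bare address, no owning module
            kind, who = "unattributed_address", module
        else:                                          # module path, no version info
            kind, who = "no_description", module
        hooks.append({"func": func, "kind": kind, "who": who, "addr": addr})
    return hooks


def triage_summary(combofix_text, gmer_text):
    """Counts per finding tag and per hook kind, for a quick first read."""
    summary = {}
    for tag, _ in combofix_findings(combofix_text):
        summary[tag] = summary.get(tag, 0) + 1
    for hook in gmer_ssdt_hooks(gmer_text):
        key = "ssdt_" + hook["kind"]
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for tag, detail in combofix_findings(SAMPLE_COMBOFIX):
        print(f"[{tag}] {detail}")
    for hook in gmer_ssdt_hooks(SAMPLE_GMER):
        print(f"[ssdt_{hook['kind']}] {hook['func']} <- {hook['who']}")
    print(triage_summary(SAMPLE_COMBOFIX, SAMPLE_GMER))
```

On the sample the script surfaces the two 32-byte hidden+system .dat files, the Security Center and firewall overrides, the abcderr service whose .sys is absent, the UNKNOWN module in the disk stack with the tool's own warning, and, from GMER, one hook (ZwConnectPort) that points at a bare address with no owning module while the Sygate and Lavasoft hooks carry vendor strings consistent with the security software listed in the log. None of these is a verdict on its own; they are the lines to read first and to compare against what the user knows is installed.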
#27
Posted 02 December 2009 - 08:24 PM
I suggest you run an online scan and see if there's anything...
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)
If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
- Open the Kaspersky WebScanner page.
- Click on the button on the main page.
- The program will launch and fill in the Information section on the left.
- Read the "Requirements and Limitations" then press the button.
- The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
- Once the files have been downloaded, click on the ...button.
- In the scan settings make sure the following are selected:
  - Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
  - Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
  By default the above items should already be checked.
- Click the button, if you made any changes.
- Now under the Scan section on the left:
  Select My Computer
- The program will now start and scan your system. This will run for a while, be patient and let it finish.
- Once the scan is complete, click on View scan report
- Now, click on the Save Report as button.
- Save the file to your desktop.
- Copy and paste that information in your next post.
If Kaspersky doesn't work run ESET:
Run ESET Online Scan
- Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
- Click the button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
- Check
- Click the button.
- Accept any security warnings from your browser.
- Check
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the button.
- Push
Post the results in your next reply and a new DDS log.
Thanks.
~EB
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.
The help you receive here is free. If you wish to show your appreciation, you may wish to
#28
Posted 03 December 2009 - 05:56 PM
If we could do it alone, we wouldn’t need each other.
#29
Posted 05 December 2009 - 06:44 AM
#30
Posted 05 December 2009 - 11:59 AM
If that doesn't work due to the connection, try running this downloadable AVP tool.
Download and Run Kaspersky Virus Removal Tool
I suggest you read over the instructions and then print/save the instructions onto Notepad or somewhere so you can have a reference and follow the instructions correctly when in Safe Mode, since you won't have access to this page anymore.
- Please download Kaspersky Virus-Removal Tool and save it to your desktop.
- Alternate Download Mirror 2
- Reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Then, use your up arrow key to highlight Safe Mode, then hit Enter. Additional instructions can be found over here.
- Please disable all anti-malware protection before running this tool. Refer to this page if you are not sure how.
- Double-click the installer on your desktop and follow the prompts. Kaspersky Virus Removal Tool will open after the installation. If you are using Vista, please right-click and select Run as administrator.
- Click Next to continue.
- It will by default install it to your desktop folder. Click Next.
- Hit Ok at the prompt for scanning in Safe Mode.
- It will then open a box. There will be a tab that says Automatic scan.
- Under Automatic scan make sure these are checked.
- System Memory
- Startup Objects
- Disk Boot Sectors.
- My Computer.
- Also any other drives (removable) that you may have.
After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK. Then choose OK again and you are back at the main screen.
- Then click on Scan at the top right-hand corner. Please be patient while the scan completes. It may take a while.
- It will automatically Neutralize any objects found.
- If some objects are left un-neutralized, then click the button that says Neutralize all.
- If it says it cannot be neutralized, then choose the Delete option when prompted.
- When the scan is finished, click the Report... button in the lower middle, select Save to file..., and save it onto your desktop as "KasReport".
- Close out of the program. When asked to uninstall, select Yes. <- Make sure you have saved the log file on your desktop before uninstalling it.
- Attach the KasReport in your next reply, please.