iedw.exe virus & svchost.exe & generic host error
#1
Posted 06 November 2011 - 08:55 PM
#2
Posted 11 November 2011 - 05:24 PM
My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
- Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
- Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
- Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
- Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
- Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
- Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
- Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
- Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!
While you may see ComboFix being used quite often, and without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool). Going forward, I highly recommend you heed such instructions.
Why we don't ask you to run ComboFix from the onset
As stated by the author of ComboFix:
ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.
We first need to verify if there are any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.
With these logs we can determine the infections present & decide whether to deploy ComboFix.
With that warning in mind, there are times when you have trouble accessing the internet after running Combofix. The first thing to do is reboot your computer. If that does not fix the problem please do the following:
- Click on the Start button.
- Click on the Settings menu option.
- Click on the Control Panel option.
- When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
- You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
- You will now see a menu and you can simply click on the Repair menu option.
- Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.
- Alternatively, if your network icon also appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting the Repair option.
Please let me know if this helps to restore your internet connection.
If Combofix was run correctly, it should have produced a log for you. Please include the C:\ComboFix.txt in your next reply so I can see what was removed and determine the next steps to ensure we properly clean your machine.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate
#3
Posted 11 November 2011 - 05:50 PM
Thank you for your assistance! I followed your directions and the Repair step did not work. Now I should mention that I can Ping an ip address. For example ping 8.8.8.8 and I get 4 packets sent and 4 packets received with 0% loss. However, if I ping www.google.com - it cannot find host.
Awaiting further instructions.
Thank you again!
Roses
Here is the ComboFix log:
ComboFix 11-11-06.02 - Roe 11/06/2011 14:25:46.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1644 [GMT -8:00]
Running from: c:\documents and settings\Roe\Desktop\123CF.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\QueryScan
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\NetworkService\Application Data\Minoral
c:\documents and settings\Roe\Application Data\Adobe\usanaz.exe
c:\documents and settings\Roe\Application Data\vso_ts_preview.xml
c:\documents and settings\Roe\g2mdlhlpx.exe
c:\documents and settings\Roe\Local Settings\Application Data\f82a2194
c:\documents and settings\Roe\Local Settings\Application Data\f82a2194\@
c:\documents and settings\Roe\Local Settings\Application Data\f82a2194\X
c:\documents and settings\Roe\My Documents\~WRL2024.tmp
c:\documents and settings\Roe\WINDOWS
c:\program files\MPAccess
c:\program files\QueryScan
c:\windows\$NtUninstallKB9793$\1974767318
c:\windows\$NtUninstallKB9793$\4163510676\@
c:\windows\$NtUninstallKB9793$\4163510676\L\dhkqheva
c:\windows\$NtUninstallKB9793$\4163510676\loader.tlb
c:\windows\$NtUninstallKB9793$\4163510676\U\@00000001
c:\windows\$NtUninstallKB9793$\4163510676\U\@000000c0
c:\windows\$NtUninstallKB9793$\4163510676\U\@000000cb
c:\windows\$NtUninstallKB9793$\4163510676\U\@000000cf
c:\windows\$NtUninstallKB9793$\4163510676\U\@80000000
c:\windows\$NtUninstallKB9793$\4163510676\U\@800000c0
c:\windows\$NtUninstallKB9793$\4163510676\U\@800000cb
c:\windows\$NtUninstallKB9793$\4163510676\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
H:\Autorun.inf
c:\windows\$NtUninstallKB9793$ . . . . Failed to delete
.
c:\windows\system32\drivers\vaxscsi.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175749.exe
.
Infected copy of c:\program files\Application Updater\ApplicationUpdater.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175750.exe
.
Infected copy of c:\program files\Bonjour\mDNSResponder.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175751.exe
.
Infected copy of c:\program files\Canon\CAL\CALMAIN.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175758.exe
.
Infected copy of c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175752.exe
.
Infected copy of c:\program files\Flip Video\FlipShare\FlipShareService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175753.exe
.
Infected copy of c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175754.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175759.exe
.
Infected copy of c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP949\A0176955.exe
.
Infected copy of c:\program files\Canon\MultiPASS4\MPSERVIC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175755.exe
.
Infected copy of c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175756.exe
.
Infected copy of c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175757.exe
.
Infected copy of c:\program files\Canon\CAL\CALMAIN.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175758.exe
Infected copy of c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175752.exe
Infected copy of c:\program files\Canon\MultiPASS4\MPSERVIC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175755.exe
Infected copy of c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175756.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_USNJSVC
-------\Service_f82a2194
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-10-06 to 2011-11-06 )))))))))))))))))))))))))))))))
.
.
2011-11-06 21:56 . 2011-11-06 21:57 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-06 21:56 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-06 03:33 . 2011-11-06 03:33 -------- d-----w- c:\program files\WiseFixer
2011-11-05 19:29 . 2011-11-05 19:29 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2011-11-05 17:54 . 2011-11-05 19:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\YouTube Downloader
2011-11-01 20:15 . 2011-11-01 20:16 -------- d-----w- c:\documents and settings\Roe\Local Settings\Application Data\Canon Easy-PhotoPrint EX
2011-10-21 01:31 . 2011-10-21 01:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 01:35 . 2011-06-05 17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11 . 2011-04-02 18:42 444283 ----a-w- c:\program files\Common Files\WinPcapNmap.exe
2011-06-16 04:17 . 2011-06-25 04:03 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
c:\program files\CANON\Canon IJ Network Scan Utility\CNMNSUT .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-07 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-09-28 894304]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-15 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Roe\Start Menu\Programs\Startup\..
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.dll]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActiveCollector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 03:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-04-21 04:21 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\calc]
c:\windows\system32\calc.dll [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-13 23:38 39264 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2009-05-14 22:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-20 05:57 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-20 05:57 142104 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-09-01 01:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
2008-02-06 20:46 151552 ----a-w- c:\progra~1\CANON\MULTIP~1\MPTBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-01-28 20:39 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nhuganew]
c:\windows\amiyadomipusovo.dll [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-20 05:57 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 09:33 16132608 ------w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
2011-09-28 04:34 894304 ----a-w- c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-12-07 23:08 21686568 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 04:24 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-26 18:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-06-26 18:21 273544 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vhayex]
c:\windows\iasera.dll [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2008-04-08 17:42 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2008-02-07 04:44 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 14:59 224248 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29244:TCP"= 29244:TCP:spport
"22656:TCP"= 22656:TCP:spport
"19524:TCP"= 19524:TCP:spport
"20029:TCP"= 20029:TCP:spport
"21011:TCP"= 21011:TCP:spport
"20714:TCP"= 20714:TCP:spport
"29667:TCP"= 29667:TCP:spport
"9445:TCP"= 9445:TCP:spport
"19243:TCP"= 19243:TCP:spport
"18089:TCP"= 18089:TCP:spport
"19753:TCP"= 19753:TCP:spport
"5306:TCP"= 5306:TCP:spport
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/7/2008 8:07 PM 642560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [9/27/2011 7:08 PM 745880]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 3:31 PM 161064]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/6/2011 1:56 PM 366152]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [1/27/2009 7:25 PM 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/26/2010 6:09 PM 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [3/15/2006 4:00 AM 5120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/6/2011 1:56 PM 22216]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/10/2008 7:03 PM 47360]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [4/7/2008 8:10 PM 223128]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe [?]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2006 9:16 PM 10112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]
reg copy HKLM\Software\The Neat Company\Neat ADF Scanner 2008 HKCU\Software\The Neat Company\Neat ADF Scanner 2008 [N/A]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003Core.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003UA.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smartwebsearch.net/index.php?from=3
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Roe\Application Data\Mozilla\Firefox\Profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-{CDAD1382-C849-4928-B66C-BD194F4F7F51} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-06 14:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0B02ABBA-36EC-0AD5-60EA-16BF5004E04D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):fd,e5,c5,e4,e5,6e,45,b1,20,3c,90,52,02,96,06,0f,d7,08,cc,04,c1,
d7,67,ff,55,02,df,49,73,4e,a3,55,21,9e,71,c6,4c,d8,d9,85,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005e
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-06 14:57:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-06 22:56
ComboFix2.txt 2009-11-21 04:54
ComboFix3.txt 2008-05-12 18:09
.
Pre-Run: 186,596,007,936 bytes free
Post-Run: 206,590,148,608 bytes free
.
- - End Of File - - 59CAF1F930FAB4101DC6BF308872A1A2
#4
Posted 11 November 2011 - 05:56 PM
#5
Posted 11 November 2011 - 10:22 PM
Just so you know, iedw.exe is a valid file. You do not need to try and remove it.
Since you have access to another computer, can you please save the relevant files on a USB and then transfer them to the desktop of the infected machine:
Download and Run DDS by sUBs
Please download DDS and save it to your desktop.
- Disable any script blocking protection
- Double click dds.scr to run the tool.
- When done, DDS.txt will open.
- Save both reports to your desktop.
Please copy/paste the scan results.
DDS.txt and Attach.txt
Please read carefully and follow these steps. There is a difference between what you see in one of the images below and what I need you to do.
We are only creating a log - I do NOT want you to "cure" or try to fix anything in this step. It is very important that you don't choose Cure when presented with that option.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure but I want you to choose SKIP instead, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
#6
Posted 11 November 2011 - 10:52 PM
dds.txt:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Run by Roe at 20:40:16 on 2011-11-11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1494 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://aceonline.asicentral.com/ace/ltocx13n.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189988193562
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{0C4C2CD8-D480-482C-BEDA-2A9AAEA6491F} : NameServer = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\roe\application data\mozilla\firefox\profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\roe\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-5 366152]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\neatworks\exec\NeatWorksDatabaseController.exe [2009-1-27 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-3-15 5120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-6 22216]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-4-7 223128]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service; [x]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2011-11-9 332928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 10112]
.
=============== Created Last 30 ================
.
2011-11-09 18:54:52 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-09 18:51:46 -------- d-s---w- C:\123CF
2011-11-09 18:09:11 332928 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2011-11-08 02:39:41 -------- d-----w- C:\backups
2011-11-08 02:39:04 -------- d-----w- C:\ERDNT
2011-11-08 02:38:40 -------- d-----w- C:\Regbackup
2011-11-06 21:56:19 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 20:15:42 -------- d-----w- c:\documents and settings\roe\local settings\application data\Canon Easy-PhotoPrint EX
.
==================== Find3M ====================
.
2011-10-01 01:35:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11:08 444283 ----a-w- c:\program files\common files\WinPcapNmap.exe
2006-05-03 10:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26:34 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-22TMA0 rev.12.01C01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A7C2688]<<
_asm { MOV EAX, 0x8a7c25a8; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a7c70d4; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF09C] -> \Device\Harddisk0\DR0[0x8A6E4AB8]
\Driver\Disk[0x8A77F240] -> IRP_MJ_CREATE -> 0x8A7C2688
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a7c2688
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 20:40:48.95 ===============
attack.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/16/2007 1:35:13 PM
System Uptime: 11/11/2011 3:34:15 PM (5 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | G31MX-S2
Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 192.606 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM ()
G: is Removable
H: is FIXED (NTFS) - 699 GiB total, 599.162 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Canon MX860 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX860 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
==== System Restore Points ===================
.
RP891: 8/14/2011 11:18:00 AM - System Checkpoint
RP892: 8/15/2011 12:01:36 PM - System Checkpoint
RP893: 8/16/2011 12:42:54 PM - System Checkpoint
RP894: 8/17/2011 1:39:57 PM - System Checkpoint
RP895: 8/21/2011 6:47:42 PM - System Checkpoint
RP896: 8/23/2011 11:49:08 AM - System Checkpoint
RP897: 8/24/2011 1:26:44 PM - System Checkpoint
RP898: 8/25/2011 1:59:17 PM - System Checkpoint
RP899: 8/26/2011 3:23:18 PM - System Checkpoint
RP900: 8/27/2011 5:12:41 PM - System Checkpoint
RP901: 8/28/2011 5:23:40 PM - System Checkpoint
RP902: 8/29/2011 5:28:24 PM - System Checkpoint
RP903: 8/31/2011 12:56:26 PM - System Checkpoint
RP904: 9/1/2011 2:58:59 PM - System Checkpoint
RP905: 9/2/2011 3:47:24 PM - System Checkpoint
RP906: 9/3/2011 3:50:24 PM - System Checkpoint
RP907: 9/4/2011 3:58:54 PM - System Checkpoint
RP908: 9/5/2011 4:12:10 PM - System Checkpoint
RP909: 9/6/2011 5:10:32 PM - System Checkpoint
RP910: 9/7/2011 6:37:13 PM - System Checkpoint
RP911: 9/9/2011 6:23:12 PM - System Checkpoint
RP912: 9/11/2011 7:10:22 PM - System Checkpoint
RP913: 9/13/2011 1:54:44 PM - System Checkpoint
RP914: 9/16/2011 11:53:55 AM - System Checkpoint
RP915: 9/17/2011 12:25:08 PM - System Checkpoint
RP916: 9/18/2011 1:26:09 PM - System Checkpoint
RP917: 9/19/2011 1:50:00 PM - System Checkpoint
RP918: 9/20/2011 5:20:41 PM - System Checkpoint
RP919: 9/21/2011 6:44:08 PM - System Checkpoint
RP920: 9/24/2011 1:08:38 PM - System Checkpoint
RP921: 9/25/2011 2:51:53 PM - System Checkpoint
RP922: 10/2/2011 3:28:52 PM - System Checkpoint
RP923: 10/3/2011 5:14:42 PM - System Checkpoint
RP924: 10/5/2011 4:57:44 PM - System Checkpoint
RP925: 10/6/2011 7:41:47 PM - System Checkpoint
RP926: 10/8/2011 11:52:53 AM - System Checkpoint
RP927: 10/10/2011 12:00:58 PM - System Checkpoint
RP928: 10/11/2011 12:30:20 PM - System Checkpoint
RP929: 10/12/2011 1:15:17 PM - System Checkpoint
RP930: 10/14/2011 11:57:55 AM - System Checkpoint
RP931: 10/15/2011 7:20:31 PM - System Checkpoint
RP932: 10/16/2011 8:20:22 PM - System Checkpoint
RP933: 10/17/2011 10:38:42 PM - System Checkpoint
RP934: 10/19/2011 12:01:29 PM - System Checkpoint
RP935: 10/21/2011 2:01:19 PM - System Checkpoint
RP936: 10/22/2011 5:47:19 PM - System Checkpoint
RP937: 10/23/2011 6:31:59 PM - System Checkpoint
RP938: 10/24/2011 7:05:40 PM - System Checkpoint
RP939: 10/26/2011 1:18:27 PM - System Checkpoint
RP940: 10/27/2011 2:08:46 PM - System Checkpoint
RP941: 10/28/2011 2:21:35 PM - System Checkpoint
RP942: 10/29/2011 3:00:07 PM - System Checkpoint
RP943: 10/30/2011 3:34:28 PM - System Checkpoint
RP944: 10/31/2011 5:14:31 PM - System Checkpoint
RP945: 11/1/2011 9:17:38 PM - System Checkpoint
RP946: 11/3/2011 12:19:34 PM - System Checkpoint
RP947: 11/4/2011 12:40:06 PM - System Checkpoint
RP948: 11/5/2011 2:14:56 PM - Installed Windows XP KB894391.
RP949: 11/6/2011 2:04:49 PM - Restore Operation
RP950: 11/6/2011 3:47:38 PM - Restore Operation
RP951: 11/6/2011 4:11:35 PM - Restore Operation
RP952: 11/7/2011 4:46:33 PM - System Checkpoint
RP953: 11/8/2011 5:02:38 PM - System Checkpoint
RP954: 11/9/2011 7:59:13 PM - System Checkpoint
RP955: 11/11/2011 4:05:26 PM - System Checkpoint
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Digital Editions
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.3
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Business Plan Pro 2006
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon EOS 5D WIA Driver
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
Canon MultiPASS Suite 4.00
Canon MX860 series MP Drivers
Canon MX860 series User Registration
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.2
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities My Printer
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RAW Image Converter2
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Combined Community Codec Pack 2007-07-22
Compatibility Pack for the 2007 Office system
ConvertXtoDVD 2.2.3.258h
ConvertXtoDVD 3.0.0.9
Diskeeper 2007 Pro Premier
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Platinum 4.0.1.2 Ghosthunter release
ERUNT 1.1j
ESP Online
FileZilla (remove only)
FlipShare
Free Window Registry Repair
GIMP 2.4.6
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting/GoToWebinar 3.0.0.198
HijackThis 2.0.2
hotComm® CL
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
IIS6 Manager
Intel® Graphics Media Accelerator Driver
Internet Explorer Developer Toolbar
iTunes
Java 6 Update 6
Java 6 Update 7
JDownloader
K-Lite Codec Pack 6.5.0 (Basic)
Lizardtech DjVu Control
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (NR2007)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Web Publishing Wizard 1.52
MMConvert 1.0.5.236 Beta
Mozilla Firefox 5.0 (x86 en-US)
MSXML 6.0 Parser
My Book Device Driver
My Book RAID Manager
Neat ADF Scanner Driver
Neat Mobile Scanner (Silver) Driver
Neat Mobile Scanner 2008 Driver
NeatWorks
NeatWorks Core Files
Nero 7 Lite v7.7.5.1
Netscape Navigator (9.0.0.6)
OpenOffice.org Installer 1.0
PageRage 1.10.01
Palo Alto Software's Application Manager 8.2
PDF Password Remover v2.5
PDF Settings
PowerISO
Quicken 2008
QuickTime
RAIDar 4.3.0
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.1
Registry Mechanic 7.0
Safari
Seagate Manager Installer
Shockwave
Skype™ 3.6
SnagIt 8
Sony Picture Utility
Sony USB Driver
Stellar Phoenix (FAT & NTFS) 2.1
SUPERAntiSpyware Free Edition
Tango
The Print Shop 20
The Rosetta Stone
The Ultimate Troubleshooter
Turbo Lister 2
Tweak UI
Universal Document Converter
Unlocker 1.8.7
Update for Windows XP (KB911164)
VDownloader 3.0.752
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WinRAR archiver
WinZip 11.1
Xilisoft DVD Creator
XSite Pro
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar
YouTube Downloader 3.4
YouTube Downloader Toolbar v4.7
.
==== Event Viewer Messages From Past Week ========
.
11/9/2011 10:49:17 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
11/7/2011 8:08:12 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
11/7/2011 7:46:54 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
11/7/2011 7:41:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TFSysMon
11/7/2011 7:41:57 AM, error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
11/6/2011 9:09:46 AM, error: Service Control Manager [7034] - The McAfee Security Scan Component Host Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 4:06:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/6/2011 4:06:49 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}
11/6/2011 4:05:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SCDEmu Tcpip TfFsMon TFSysMon v2imount
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 2:55:31 PM, error: Service Control Manager [7016] - The MpService service has reported an invalid current state 0.
11/6/2011 2:25:06 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
11/6/2011 2:24:57 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:24:57 PM, error: Service Control Manager [7009] - Timeout (300000 milliseconds) waiting for the NeatWorks Database Controller service to connect.
11/6/2011 2:17:26 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The FlipShare Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:22 PM, error: Service Control Manager [7034] - The Application Updater service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:05:32 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: TCP/IP network protocol not installed.
11/5/2011 12:16:55 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: Access is denied.
11/5/2011 10:46:45 AM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
11/10/2011 10:38:07 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952447 (0x8007273F).
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952447
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Bonjour Service service depends on the following nonexistent service: Tcpip
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Apple Mobile Device service depends on the following nonexistent service: Tcpip
11/10/2011 10:37:42 AM, error: Workstation [5728] - Could not load any transport.
.
==== End Of File ===========================
Report.txt:
20:44:07.0234 1196 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
20:44:07.0250 1196 ============================================================
20:44:07.0250 1196 Current date / time: 2011/11/11 20:44:07.0250
20:44:07.0250 1196 SystemInfo:
20:44:07.0250 1196
20:44:07.0250 1196 OS Version: 5.1.2600 ServicePack: 2.0
20:44:07.0250 1196 Product type: Workstation
20:44:07.0250 1196 ComputerName: DAOFFICE
20:44:07.0250 1196 UserName: Roe
20:44:07.0250 1196 Windows directory: C:\WINDOWS
20:44:07.0250 1196 System windows directory: C:\WINDOWS
20:44:07.0250 1196 Processor architecture: Intel x86
20:44:07.0250 1196 Number of processors: 2
20:44:07.0250 1196 Page size: 0x1000
20:44:07.0250 1196 Boot type: Normal boot
20:44:07.0250 1196 ============================================================
20:44:08.0343 1196 Initialize success
20:44:20.0500 4000 ============================================================
20:44:20.0500 4000 Scan started
20:44:20.0500 4000 Mode: Manual;
20:44:20.0500 4000 ============================================================
20:44:20.0796 4000 Abiosdsk - ok
20:44:20.0796 4000 abp480n5 - ok
20:44:20.0859 4000 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:44:20.0859 4000 ACPI - ok
20:44:20.0906 4000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:44:20.0906 4000 ACPIEC - ok
20:44:20.0906 4000 adpu160m - ok
20:44:20.0968 4000 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
20:44:20.0968 4000 aec - ok
20:44:21.0015 4000 AFD (604a70a5689cdc4325139caca5990673) C:\WINDOWS\System32\drivers\afd.sys
20:44:21.0015 4000 AFD ( Rootkit.Win32.ZAccess.g ) - infected
20:44:21.0015 4000 AFD - detected Rootkit.Win32.ZAccess.g (0)
20:44:21.0078 4000 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
20:44:21.0078 4000 AFS2K - ok
20:44:21.0078 4000 Aha154x - ok
20:44:21.0093 4000 aic78u2 - ok
20:44:21.0093 4000 aic78xx - ok
20:44:21.0109 4000 AliIde - ok
20:44:21.0109 4000 amsint - ok
20:44:21.0125 4000 asc - ok
20:44:21.0125 4000 asc3350p - ok
20:44:21.0125 4000 asc3550 - ok
20:44:21.0156 4000 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:44:21.0156 4000 AsyncMac - ok
20:44:21.0171 4000 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:44:21.0171 4000 atapi - ok
20:44:21.0171 4000 Atdisk - ok
20:44:21.0187 4000 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:44:21.0187 4000 Atmarpc - ok
20:44:21.0203 4000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:44:21.0203 4000 audstub - ok
20:44:21.0234 4000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:44:21.0234 4000 Beep - ok
20:44:21.0265 4000 catchme - ok
20:44:21.0312 4000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:44:21.0312 4000 cbidf2k - ok
20:44:21.0343 4000 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:44:21.0343 4000 CCDECODE - ok
20:44:21.0343 4000 cd20xrnt - ok
20:44:21.0375 4000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:44:21.0375 4000 Cdaudio - ok
20:44:21.0375 4000 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
20:44:21.0375 4000 Cdfs - ok
20:44:21.0390 4000 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:44:21.0390 4000 Cdrom - ok
20:44:21.0390 4000 Changer - ok
20:44:21.0437 4000 cis1284 (7e1d1616c7e2fbba784e5dbd05d88eca) C:\WINDOWS\system32\drivers\cis1284.sys
20:44:21.0437 4000 cis1284 - ok
20:44:21.0453 4000 CmdIde - ok
20:44:21.0453 4000 Cpqarray - ok
20:44:21.0468 4000 dac2w2k - ok
20:44:21.0468 4000 dac960nt - ok
20:44:21.0484 4000 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
20:44:21.0484 4000 Disk - ok
20:44:21.0546 4000 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
20:44:21.0546 4000 dmboot - ok
20:44:21.0578 4000 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
20:44:21.0578 4000 dmio - ok
20:44:21.0578 4000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:44:21.0578 4000 dmload - ok
20:44:21.0593 4000 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
20:44:21.0593 4000 DMusic - ok
20:44:21.0593 4000 dpti2o - ok
20:44:21.0609 4000 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
20:44:21.0609 4000 drmkaud - ok
20:44:21.0640 4000 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
20:44:21.0640 4000 Fastfat - ok
20:44:21.0656 4000 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
20:44:21.0671 4000 Fdc - ok
20:44:21.0671 4000 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
20:44:21.0671 4000 Fips - ok
20:44:21.0671 4000 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:44:21.0671 4000 Flpydisk - ok
20:44:21.0703 4000 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:44:21.0703 4000 FltMgr - ok
20:44:21.0718 4000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:44:21.0718 4000 Fs_Rec - ok
20:44:21.0718 4000 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:44:21.0734 4000 Ftdisk - ok
20:44:21.0750 4000 gdrv (54789f9ba0d59072cdd4e7c200e122c4) C:\WINDOWS\gdrv.sys
20:44:21.0750 4000 gdrv - ok
20:44:21.0765 4000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:44:21.0765 4000 GEARAspiWDM - ok
20:44:21.0781 4000 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:44:21.0781 4000 Gpc - ok
20:44:21.0828 4000 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:44:21.0828 4000 HDAudBus - ok
20:44:21.0875 4000 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:44:21.0875 4000 HidUsb - ok
20:44:21.0875 4000 hpn - ok
20:44:21.0921 4000 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
20:44:21.0937 4000 HTTP - ok
20:44:21.0937 4000 i2omgmt - ok
20:44:21.0937 4000 i2omp - ok
20:44:22.0000 4000 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:44:22.0000 4000 i8042prt - ok
20:44:22.0203 4000 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:44:22.0375 4000 ialm - ok
20:44:22.0390 4000 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:44:22.0390 4000 Imapi - ok
20:44:22.0406 4000 ini910u - ok
20:44:22.0546 4000 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:44:22.0671 4000 IntcAzAudAddService - ok
20:44:22.0671 4000 IntelIde - ok
20:44:22.0718 4000 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:44:22.0718 4000 intelppm - ok
20:44:22.0734 4000 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:44:22.0734 4000 Ip6Fw - ok
20:44:22.0781 4000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:44:22.0781 4000 IpFilterDriver - ok
20:44:22.0796 4000 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:44:22.0796 4000 IpInIp - ok
20:44:22.0843 4000 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:44:22.0843 4000 IpNat - ok
20:44:22.0859 4000 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:44:22.0859 4000 IPSec - ok
20:44:22.0890 4000 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:44:22.0890 4000 IRENUM - ok
20:44:22.0890 4000 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:44:22.0890 4000 isapnp - ok
20:44:22.0906 4000 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:44:22.0906 4000 Kbdclass - ok
20:44:22.0937 4000 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
20:44:22.0937 4000 kmixer - ok
20:44:22.0953 4000 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
20:44:22.0953 4000 KSecDD - ok
20:44:22.0968 4000 lbrtfdc - ok
20:44:23.0000 4000 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
20:44:23.0000 4000 MBAMProtector - ok
20:44:23.0000 4000 MBAMSwissArmy - ok
20:44:23.0015 4000 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:44:23.0015 4000 MHNDRV - ok
20:44:23.0031 4000 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:44:23.0031 4000 mnmdd - ok
20:44:23.0031 4000 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
20:44:23.0046 4000 Modem - ok
20:44:23.0062 4000 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:44:23.0062 4000 Mouclass - ok
20:44:23.0093 4000 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:44:23.0093 4000 mouhid - ok
20:44:23.0093 4000 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
20:44:23.0093 4000 MountMgr - ok
20:44:23.0109 4000 mraid35x - ok
20:44:23.0140 4000 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:44:23.0140 4000 MRxDAV - ok
20:44:23.0187 4000 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:44:23.0203 4000 MRxSmb - ok
20:44:23.0250 4000 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
20:44:23.0250 4000 Msfs - ok
20:44:23.0250 4000 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:44:23.0250 4000 MSKSSRV - ok
20:44:23.0265 4000 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:44:23.0265 4000 MSPCLOCK - ok
20:44:23.0265 4000 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
20:44:23.0265 4000 MSPQM - ok
20:44:23.0312 4000 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:44:23.0312 4000 mssmbios - ok
20:44:23.0343 4000 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
20:44:23.0343 4000 MSTEE - ok
20:44:23.0359 4000 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
20:44:23.0359 4000 Mup - ok
20:44:23.0359 4000 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:44:23.0359 4000 NABTSFEC - ok
20:44:23.0375 4000 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
20:44:23.0375 4000 NDIS - ok
20:44:23.0375 4000 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:44:23.0375 4000 NdisIP - ok
20:44:23.0406 4000 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:44:23.0406 4000 NdisTapi - ok
20:44:23.0468 4000 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:44:23.0468 4000 Ndisuio - ok
20:44:23.0468 4000 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:44:23.0468 4000 NdisWan - ok
20:44:23.0484 4000 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
20:44:23.0484 4000 NDProxy - ok
20:44:23.0484 4000 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:44:23.0484 4000 NetBIOS - ok
20:44:23.0500 4000 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:44:23.0500 4000 NetBT - ok
20:44:23.0562 4000 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
20:44:23.0562 4000 npf - ok
20:44:23.0562 4000 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
20:44:23.0562 4000 Npfs - ok
20:44:23.0609 4000 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
20:44:23.0625 4000 Ntfs - ok
20:44:23.0640 4000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:44:23.0640 4000 Null - ok
20:44:23.0687 4000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:44:23.0687 4000 NwlnkFlt - ok
20:44:23.0687 4000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:44:23.0687 4000 NwlnkFwd - ok
20:44:23.0718 4000 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
20:44:23.0718 4000 Parport - ok
20:44:23.0718 4000 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
20:44:23.0718 4000 PartMgr - ok
20:44:23.0734 4000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:44:23.0734 4000 ParVdm - ok
20:44:23.0734 4000 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
20:44:23.0734 4000 PCI - ok
20:44:23.0750 4000 PCIDump - ok
20:44:23.0765 4000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:44:23.0781 4000 PCIIde - ok
20:44:23.0796 4000 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:44:23.0796 4000 Pcmcia - ok
20:44:23.0828 4000 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
20:44:23.0828 4000 pcouffin - ok
20:44:23.0843 4000 PDCOMP - ok
20:44:23.0843 4000 PDFRAME - ok
20:44:23.0859 4000 PDRELI - ok
20:44:23.0859 4000 PDRFRAME - ok
20:44:23.0859 4000 perc2 - ok
20:44:23.0875 4000 perc2hib - ok
20:44:23.0937 4000 PhilCam8116 (8754763a924639b9d07d4c8ea9990f1e) C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
20:44:23.0937 4000 PhilCam8116 - ok
20:44:23.0937 4000 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:44:23.0953 4000 PptpMiniport - ok
20:44:23.0953 4000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:44:23.0953 4000 Ptilink - ok
20:44:23.0984 4000 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:44:23.0984 4000 PxHelp20 - ok
20:44:24.0000 4000 ql1080 - ok
20:44:24.0000 4000 Ql10wnt - ok
20:44:24.0000 4000 ql12160 - ok
20:44:24.0015 4000 ql1240 - ok
20:44:24.0015 4000 ql1280 - ok
20:44:24.0046 4000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:44:24.0046 4000 RasAcd - ok
20:44:24.0062 4000 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:44:24.0062 4000 Rasl2tp - ok
20:44:24.0062 4000 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:44:24.0062 4000 RasPppoe - ok
20:44:24.0078 4000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:44:24.0078 4000 Raspti - ok
20:44:24.0125 4000 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:44:24.0125 4000 Rdbss - ok
20:44:24.0140 4000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:44:24.0140 4000 RDPCDD - ok
20:44:24.0171 4000 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:44:24.0171 4000 rdpdr - ok
20:44:24.0187 4000 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
20:44:24.0187 4000 RDPWD - ok
20:44:24.0218 4000 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:44:24.0218 4000 redbook - ok
20:44:24.0281 4000 RTL8023xp (1e11171c0b9989e1bdaa59e96b2e81c4) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
20:44:24.0281 4000 RTL8023xp - ok
20:44:24.0328 4000 RTLWUSB (5a850259b849a899990379a75460a4eb) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
20:44:24.0328 4000 RTLWUSB - ok
20:44:24.0453 4000 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:44:24.0453 4000 SASDIFSV - ok
20:44:24.0468 4000 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
20:44:24.0468 4000 SASENUM - ok
20:44:24.0484 4000 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
20:44:24.0484 4000 SASKUTIL - ok
20:44:24.0546 4000 SCDEmu (3b35ce540758bbabb721e234cb5a4f3f) C:\WINDOWS\system32\drivers\SCDEmu.sys
20:44:24.0546 4000 SCDEmu - ok
20:44:24.0578 4000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:44:24.0578 4000 Secdrv - ok
20:44:24.0578 4000 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:44:24.0593 4000 serenum - ok
20:44:24.0593 4000 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
20:44:24.0593 4000 Serial - ok
20:44:24.0609 4000 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:44:24.0609 4000 Sfloppy - ok
20:44:24.0609 4000 Simbad - ok
20:44:24.0640 4000 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:44:24.0640 4000 SLIP - ok
20:44:24.0656 4000 Sparrow - ok
20:44:24.0687 4000 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
20:44:24.0687 4000 splitter - ok
20:44:24.0750 4000 sptd (ee26b8860d226f8eec48aabbdae33e8c) C:\WINDOWS\system32\Drivers\sptd.sys
20:44:24.0750 4000 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: ee26b8860d226f8eec48aabbdae33e8c
20:44:24.0750 4000 sptd ( LockedFile.Multi.Generic ) - warning
20:44:24.0750 4000 sptd - detected LockedFile.Multi.Generic (1)
20:44:24.0781 4000 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:44:24.0781 4000 sr - ok
20:44:24.0796 4000 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
20:44:24.0796 4000 Srv - ok
20:44:24.0828 4000 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
20:44:24.0828 4000 StillCam - ok
20:44:24.0859 4000 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:44:24.0859 4000 streamip - ok
20:44:24.0875 4000 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:44:24.0875 4000 swenum - ok
20:44:24.0906 4000 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
20:44:24.0906 4000 swmidi - ok
20:44:24.0906 4000 symc810 - ok
20:44:24.0921 4000 symc8xx - ok
20:44:24.0921 4000 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
20:44:24.0937 4000 symsnap - ok
20:44:24.0937 4000 sym_hi - ok
20:44:24.0937 4000 sym_u3 - ok
20:44:24.0968 4000 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
20:44:24.0968 4000 sysaudio - ok
20:44:25.0031 4000 Tcpip (90caff4b094573449a0872a0f919b178) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:44:25.0031 4000 Tcpip - ok
20:44:25.0062 4000 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:44:25.0062 4000 TDPIPE - ok
20:44:25.0078 4000 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
20:44:25.0078 4000 TDTCP - ok
20:44:25.0093 4000 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:44:25.0093 4000 TermDD - ok
20:44:25.0109 4000 TfFsMon - ok
20:44:25.0109 4000 TfNetMon - ok
20:44:25.0109 4000 TFSysMon - ok
20:44:25.0125 4000 TosIde - ok
20:44:25.0156 4000 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
20:44:25.0156 4000 Udfs - ok
20:44:25.0171 4000 ultra - ok
20:44:25.0218 4000 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
20:44:25.0218 4000 Update - ok
20:44:25.0250 4000 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:44:25.0250 4000 USBAAPL - ok
20:44:25.0296 4000 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
20:44:25.0296 4000 usbaudio - ok
20:44:25.0343 4000 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:44:25.0343 4000 usbccgp - ok
20:44:25.0406 4000 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:44:25.0406 4000 usbehci - ok
20:44:25.0406 4000 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:44:25.0406 4000 usbhub - ok
20:44:25.0421 4000 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:44:25.0421 4000 usbprint - ok
20:44:25.0437 4000 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:44:25.0453 4000 usbscan - ok
20:44:25.0453 4000 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:44:25.0453 4000 USBSTOR - ok
20:44:25.0500 4000 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:44:25.0500 4000 usbuhci - ok
20:44:25.0500 4000 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
20:44:25.0500 4000 v2imount - ok
20:44:25.0562 4000 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
20:44:25.0562 4000 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\vaxscsi.sys. md5: 92cebc2bc7be2c8d49391b365569f306
20:44:25.0562 4000 vaxscsi ( LockedFile.Multi.Generic ) - warning
20:44:25.0562 4000 vaxscsi - detected LockedFile.Multi.Generic (1)
20:44:25.0562 4000 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
20:44:25.0562 4000 VgaSave - ok
20:44:25.0578 4000 ViaIde - ok
20:44:25.0578 4000 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
20:44:25.0578 4000 VolSnap - ok
20:44:25.0625 4000 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
20:44:25.0625 4000 VProEventMonitor - ok
20:44:25.0640 4000 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:44:25.0640 4000 Wanarp - ok
20:44:25.0687 4000 WDC_SAM (011e8a3e13dd7007353edbee4b180b50) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
20:44:25.0687 4000 WDC_SAM - ok
20:44:25.0687 4000 WDICA - ok
20:44:25.0734 4000 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
20:44:25.0734 4000 wdmaud - ok
20:44:25.0750 4000 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
20:44:25.0765 4000 WimFltr - ok
20:44:25.0812 4000 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:44:25.0812 4000 WS2IFSL - ok
20:44:25.0828 4000 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:44:25.0828 4000 WSTCODEC - ok
20:44:25.0859 4000 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:44:25.0953 4000 \Device\Harddisk0\DR0 - ok
20:44:25.0968 4000 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR2
20:44:26.0000 4000 \Device\Harddisk1\DR2 - ok
20:44:26.0000 4000 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk3\DR8
20:44:31.0156 4000 \Device\Harddisk3\DR8 - ok
20:44:31.0156 4000 Boot (0x1200) (f7b5ab6c14f1efeed5d4f9776ce984bb) \Device\Harddisk0\DR0\Partition0
20:44:31.0156 4000 \Device\Harddisk0\DR0\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (929749ac877032ada46fea5e036cb138) \Device\Harddisk1\DR2\Partition0
20:44:31.0171 4000 \Device\Harddisk1\DR2\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (78caf6819748ba73d36015a85cc04c86) \Device\Harddisk3\DR8\Partition0
20:44:31.0171 4000 \Device\Harddisk3\DR8\Partition0 - ok
20:44:31.0171 4000 ============================================================
20:44:31.0171 4000 Scan finished
20:44:31.0171 4000 ============================================================
20:44:31.0171 0432 Detected object count: 3
20:44:31.0171 0432 Actual detected object count: 3
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - skipped by user
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - User select action: Skip
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - User select action: Skip
#7
Posted 11 November 2011 - 10:52 PM
dds.txt:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Run by Roe at 20:40:16 on 2011-11-11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1494 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://aceonline.asicentral.com/ace/ltocx13n.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189988193562
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{0C4C2CD8-D480-482C-BEDA-2A9AAEA6491F} : NameServer = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\roe\application data\mozilla\firefox\profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\roe\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-5 366152]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\neatworks\exec\NeatWorksDatabaseController.exe [2009-1-27 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-3-15 5120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-6 22216]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-4-7 223128]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service; [x]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2011-11-9 332928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 10112]
.
=============== Created Last 30 ================
.
2011-11-09 18:54:52 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-09 18:51:46 -------- d-s---w- C:\123CF
2011-11-09 18:09:11 332928 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2011-11-08 02:39:41 -------- d-----w- C:\backups
2011-11-08 02:39:04 -------- d-----w- C:\ERDNT
2011-11-08 02:38:40 -------- d-----w- C:\Regbackup
2011-11-06 21:56:19 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 20:15:42 -------- d-----w- c:\documents and settings\roe\local settings\application data\Canon Easy-PhotoPrint EX
.
==================== Find3M ====================
.
2011-10-01 01:35:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11:08 444283 ----a-w- c:\program files\common files\WinPcapNmap.exe
2006-05-03 10:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26:34 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-22TMA0 rev.12.01C01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A7C2688]<<
_asm { MOV EAX, 0x8a7c25a8; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a7c70d4; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF09C] -> \Device\Harddisk0\DR0[0x8A6E4AB8]
\Driver\Disk[0x8A77F240] -> IRP_MJ_CREATE -> 0x8A7C2688
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a7c2688
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 20:40:48.95 ===============
attack.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/16/2007 1:35:13 PM
System Uptime: 11/11/2011 3:34:15 PM (5 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | G31MX-S2
Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 192.606 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM ()
G: is Removable
H: is FIXED (NTFS) - 699 GiB total, 599.162 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Canon MX860 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX860 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
==== System Restore Points ===================
.
RP891: 8/14/2011 11:18:00 AM - System Checkpoint
RP892: 8/15/2011 12:01:36 PM - System Checkpoint
RP893: 8/16/2011 12:42:54 PM - System Checkpoint
RP894: 8/17/2011 1:39:57 PM - System Checkpoint
RP895: 8/21/2011 6:47:42 PM - System Checkpoint
RP896: 8/23/2011 11:49:08 AM - System Checkpoint
RP897: 8/24/2011 1:26:44 PM - System Checkpoint
RP898: 8/25/2011 1:59:17 PM - System Checkpoint
RP899: 8/26/2011 3:23:18 PM - System Checkpoint
RP900: 8/27/2011 5:12:41 PM - System Checkpoint
RP901: 8/28/2011 5:23:40 PM - System Checkpoint
RP902: 8/29/2011 5:28:24 PM - System Checkpoint
RP903: 8/31/2011 12:56:26 PM - System Checkpoint
RP904: 9/1/2011 2:58:59 PM - System Checkpoint
RP905: 9/2/2011 3:47:24 PM - System Checkpoint
RP906: 9/3/2011 3:50:24 PM - System Checkpoint
RP907: 9/4/2011 3:58:54 PM - System Checkpoint
RP908: 9/5/2011 4:12:10 PM - System Checkpoint
RP909: 9/6/2011 5:10:32 PM - System Checkpoint
RP910: 9/7/2011 6:37:13 PM - System Checkpoint
RP911: 9/9/2011 6:23:12 PM - System Checkpoint
RP912: 9/11/2011 7:10:22 PM - System Checkpoint
RP913: 9/13/2011 1:54:44 PM - System Checkpoint
RP914: 9/16/2011 11:53:55 AM - System Checkpoint
RP915: 9/17/2011 12:25:08 PM - System Checkpoint
RP916: 9/18/2011 1:26:09 PM - System Checkpoint
RP917: 9/19/2011 1:50:00 PM - System Checkpoint
RP918: 9/20/2011 5:20:41 PM - System Checkpoint
RP919: 9/21/2011 6:44:08 PM - System Checkpoint
RP920: 9/24/2011 1:08:38 PM - System Checkpoint
RP921: 9/25/2011 2:51:53 PM - System Checkpoint
RP922: 10/2/2011 3:28:52 PM - System Checkpoint
RP923: 10/3/2011 5:14:42 PM - System Checkpoint
RP924: 10/5/2011 4:57:44 PM - System Checkpoint
RP925: 10/6/2011 7:41:47 PM - System Checkpoint
RP926: 10/8/2011 11:52:53 AM - System Checkpoint
RP927: 10/10/2011 12:00:58 PM - System Checkpoint
RP928: 10/11/2011 12:30:20 PM - System Checkpoint
RP929: 10/12/2011 1:15:17 PM - System Checkpoint
RP930: 10/14/2011 11:57:55 AM - System Checkpoint
RP931: 10/15/2011 7:20:31 PM - System Checkpoint
RP932: 10/16/2011 8:20:22 PM - System Checkpoint
RP933: 10/17/2011 10:38:42 PM - System Checkpoint
RP934: 10/19/2011 12:01:29 PM - System Checkpoint
RP935: 10/21/2011 2:01:19 PM - System Checkpoint
RP936: 10/22/2011 5:47:19 PM - System Checkpoint
RP937: 10/23/2011 6:31:59 PM - System Checkpoint
RP938: 10/24/2011 7:05:40 PM - System Checkpoint
RP939: 10/26/2011 1:18:27 PM - System Checkpoint
RP940: 10/27/2011 2:08:46 PM - System Checkpoint
RP941: 10/28/2011 2:21:35 PM - System Checkpoint
RP942: 10/29/2011 3:00:07 PM - System Checkpoint
RP943: 10/30/2011 3:34:28 PM - System Checkpoint
RP944: 10/31/2011 5:14:31 PM - System Checkpoint
RP945: 11/1/2011 9:17:38 PM - System Checkpoint
RP946: 11/3/2011 12:19:34 PM - System Checkpoint
RP947: 11/4/2011 12:40:06 PM - System Checkpoint
RP948: 11/5/2011 2:14:56 PM - Installed Windows XP KB894391.
RP949: 11/6/2011 2:04:49 PM - Restore Operation
RP950: 11/6/2011 3:47:38 PM - Restore Operation
RP951: 11/6/2011 4:11:35 PM - Restore Operation
RP952: 11/7/2011 4:46:33 PM - System Checkpoint
RP953: 11/8/2011 5:02:38 PM - System Checkpoint
RP954: 11/9/2011 7:59:13 PM - System Checkpoint
RP955: 11/11/2011 4:05:26 PM - System Checkpoint
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Digital Editions
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.3
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Business Plan Pro 2006
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon EOS 5D WIA Driver
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
Canon MultiPASS Suite 4.00
Canon MX860 series MP Drivers
Canon MX860 series User Registration
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.2
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities My Printer
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RAW Image Converter2
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Combined Community Codec Pack 2007-07-22
Compatibility Pack for the 2007 Office system
ConvertXtoDVD 2.2.3.258h
ConvertXtoDVD 3.0.0.9
Diskeeper 2007 Pro Premier
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Platinum 4.0.1.2 Ghosthunter release
ERUNT 1.1j
ESP Online
FileZilla (remove only)
FlipShare
Free Window Registry Repair
GIMP 2.4.6
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting/GoToWebinar 3.0.0.198
HijackThis 2.0.2
hotComm® CL
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
IIS6 Manager
Intel® Graphics Media Accelerator Driver
Internet Explorer Developer Toolbar
iTunes
Java 6 Update 6
Java 6 Update 7
JDownloader
K-Lite Codec Pack 6.5.0 (Basic)
Lizardtech DjVu Control
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (NR2007)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Web Publishing Wizard 1.52
MMConvert 1.0.5.236 Beta
Mozilla Firefox 5.0 (x86 en-US)
MSXML 6.0 Parser
My Book Device Driver
My Book RAID Manager
Neat ADF Scanner Driver
Neat Mobile Scanner (Silver) Driver
Neat Mobile Scanner 2008 Driver
NeatWorks
NeatWorks Core Files
Nero 7 Lite v7.7.5.1
Netscape Navigator (9.0.0.6)
OpenOffice.org Installer 1.0
PageRage 1.10.01
Palo Alto Software's Application Manager 8.2
PDF Password Remover v2.5
PDF Settings
PowerISO
Quicken 2008
QuickTime
RAIDar 4.3.0
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.1
Registry Mechanic 7.0
Safari
Seagate Manager Installer
Shockwave
Skype™ 3.6
SnagIt 8
Sony Picture Utility
Sony USB Driver
Stellar Phoenix (FAT & NTFS) 2.1
SUPERAntiSpyware Free Edition
Tango
The Print Shop 20
The Rosetta Stone
The Ultimate Troubleshooter
Turbo Lister 2
Tweak UI
Universal Document Converter
Unlocker 1.8.7
Update for Windows XP (KB911164)
VDownloader 3.0.752
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WinRAR archiver
WinZip 11.1
Xilisoft DVD Creator
XSite Pro
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar
YouTube Downloader 3.4
YouTube Downloader Toolbar v4.7
.
==== Event Viewer Messages From Past Week ========
.
11/9/2011 10:49:17 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
11/7/2011 8:08:12 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
11/7/2011 7:46:54 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
11/7/2011 7:41:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TFSysMon
11/7/2011 7:41:57 AM, error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
11/6/2011 9:09:46 AM, error: Service Control Manager [7034] - The McAfee Security Scan Component Host Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 4:06:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/6/2011 4:06:49 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}
11/6/2011 4:05:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SCDEmu Tcpip TfFsMon TFSysMon v2imount
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 2:55:31 PM, error: Service Control Manager [7016] - The MpService service has reported an invalid current state 0.
11/6/2011 2:25:06 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
11/6/2011 2:24:57 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:24:57 PM, error: Service Control Manager [7009] - Timeout (300000 milliseconds) waiting for the NeatWorks Database Controller service to connect.
11/6/2011 2:17:26 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The FlipShare Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:22 PM, error: Service Control Manager [7034] - The Application Updater service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:05:32 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: TCP/IP network protocol not installed.
11/5/2011 12:16:55 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: Access is denied.
11/5/2011 10:46:45 AM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
11/10/2011 10:38:07 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952447 (0x8007273F).
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952447
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Bonjour Service service depends on the following nonexistent service: Tcpip
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Apple Mobile Device service depends on the following nonexistent service: Tcpip
11/10/2011 10:37:42 AM, error: Workstation [5728] - Could not load any transport.
.
==== End Of File ===========================
Report.txt:
20:44:07.0234 1196 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
20:44:07.0250 1196 ============================================================
20:44:07.0250 1196 Current date / time: 2011/11/11 20:44:07.0250
20:44:07.0250 1196 SystemInfo:
20:44:07.0250 1196
20:44:07.0250 1196 OS Version: 5.1.2600 ServicePack: 2.0
20:44:07.0250 1196 Product type: Workstation
20:44:07.0250 1196 ComputerName: DAOFFICE
20:44:07.0250 1196 UserName: Roe
20:44:07.0250 1196 Windows directory: C:\WINDOWS
20:44:07.0250 1196 System windows directory: C:\WINDOWS
20:44:07.0250 1196 Processor architecture: Intel x86
20:44:07.0250 1196 Number of processors: 2
20:44:07.0250 1196 Page size: 0x1000
20:44:07.0250 1196 Boot type: Normal boot
20:44:07.0250 1196 ============================================================
20:44:08.0343 1196 Initialize success
20:44:20.0500 4000 ============================================================
20:44:20.0500 4000 Scan started
20:44:20.0500 4000 Mode: Manual;
20:44:20.0500 4000 ============================================================
20:44:20.0796 4000 Abiosdsk - ok
20:44:20.0796 4000 abp480n5 - ok
20:44:20.0859 4000 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:44:20.0859 4000 ACPI - ok
20:44:20.0906 4000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:44:20.0906 4000 ACPIEC - ok
20:44:20.0906 4000 adpu160m - ok
20:44:20.0968 4000 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
20:44:20.0968 4000 aec - ok
20:44:21.0015 4000 AFD (604a70a5689cdc4325139caca5990673) C:\WINDOWS\System32\drivers\afd.sys
20:44:21.0015 4000 AFD ( Rootkit.Win32.ZAccess.g ) - infected
20:44:21.0015 4000 AFD - detected Rootkit.Win32.ZAccess.g (0)
20:44:21.0078 4000 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
20:44:21.0078 4000 AFS2K - ok
20:44:21.0078 4000 Aha154x - ok
20:44:21.0093 4000 aic78u2 - ok
20:44:21.0093 4000 aic78xx - ok
20:44:21.0109 4000 AliIde - ok
20:44:21.0109 4000 amsint - ok
20:44:21.0125 4000 asc - ok
20:44:21.0125 4000 asc3350p - ok
20:44:21.0125 4000 asc3550 - ok
20:44:21.0156 4000 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:44:21.0156 4000 AsyncMac - ok
20:44:21.0171 4000 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:44:21.0171 4000 atapi - ok
20:44:21.0171 4000 Atdisk - ok
20:44:21.0187 4000 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:44:21.0187 4000 Atmarpc - ok
20:44:21.0203 4000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:44:21.0203 4000 audstub - ok
20:44:21.0234 4000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:44:21.0234 4000 Beep - ok
20:44:21.0265 4000 catchme - ok
20:44:21.0312 4000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:44:21.0312 4000 cbidf2k - ok
20:44:21.0343 4000 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:44:21.0343 4000 CCDECODE - ok
20:44:21.0343 4000 cd20xrnt - ok
20:44:21.0375 4000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:44:21.0375 4000 Cdaudio - ok
20:44:21.0375 4000 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
20:44:21.0375 4000 Cdfs - ok
20:44:21.0390 4000 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:44:21.0390 4000 Cdrom - ok
20:44:21.0390 4000 Changer - ok
20:44:21.0437 4000 cis1284 (7e1d1616c7e2fbba784e5dbd05d88eca) C:\WINDOWS\system32\drivers\cis1284.sys
20:44:21.0437 4000 cis1284 - ok
20:44:21.0453 4000 CmdIde - ok
20:44:21.0453 4000 Cpqarray - ok
20:44:21.0468 4000 dac2w2k - ok
20:44:21.0468 4000 dac960nt - ok
20:44:21.0484 4000 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
20:44:21.0484 4000 Disk - ok
20:44:21.0546 4000 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
20:44:21.0546 4000 dmboot - ok
20:44:21.0578 4000 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
20:44:21.0578 4000 dmio - ok
20:44:21.0578 4000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:44:21.0578 4000 dmload - ok
20:44:21.0593 4000 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
20:44:21.0593 4000 DMusic - ok
20:44:21.0593 4000 dpti2o - ok
20:44:21.0609 4000 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
20:44:21.0609 4000 drmkaud - ok
20:44:21.0640 4000 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
20:44:21.0640 4000 Fastfat - ok
20:44:21.0656 4000 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
20:44:21.0671 4000 Fdc - ok
20:44:21.0671 4000 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
20:44:21.0671 4000 Fips - ok
20:44:21.0671 4000 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:44:21.0671 4000 Flpydisk - ok
20:44:21.0703 4000 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:44:21.0703 4000 FltMgr - ok
20:44:21.0718 4000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:44:21.0718 4000 Fs_Rec - ok
20:44:21.0718 4000 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:44:21.0734 4000 Ftdisk - ok
20:44:21.0750 4000 gdrv (54789f9ba0d59072cdd4e7c200e122c4) C:\WINDOWS\gdrv.sys
20:44:21.0750 4000 gdrv - ok
20:44:21.0765 4000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:44:21.0765 4000 GEARAspiWDM - ok
20:44:21.0781 4000 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:44:21.0781 4000 Gpc - ok
20:44:21.0828 4000 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:44:21.0828 4000 HDAudBus - ok
20:44:21.0875 4000 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:44:21.0875 4000 HidUsb - ok
20:44:21.0875 4000 hpn - ok
20:44:21.0921 4000 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
20:44:21.0937 4000 HTTP - ok
20:44:21.0937 4000 i2omgmt - ok
20:44:21.0937 4000 i2omp - ok
20:44:22.0000 4000 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:44:22.0000 4000 i8042prt - ok
20:44:22.0203 4000 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:44:22.0375 4000 ialm - ok
20:44:22.0390 4000 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:44:22.0390 4000 Imapi - ok
20:44:22.0406 4000 ini910u - ok
20:44:22.0546 4000 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:44:22.0671 4000 IntcAzAudAddService - ok
20:44:22.0671 4000 IntelIde - ok
20:44:22.0718 4000 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:44:22.0718 4000 intelppm - ok
20:44:22.0734 4000 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:44:22.0734 4000 Ip6Fw - ok
20:44:22.0781 4000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:44:22.0781 4000 IpFilterDriver - ok
20:44:22.0796 4000 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:44:22.0796 4000 IpInIp - ok
20:44:22.0843 4000 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:44:22.0843 4000 IpNat - ok
20:44:22.0859 4000 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:44:22.0859 4000 IPSec - ok
20:44:22.0890 4000 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:44:22.0890 4000 IRENUM - ok
20:44:22.0890 4000 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:44:22.0890 4000 isapnp - ok
20:44:22.0906 4000 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:44:22.0906 4000 Kbdclass - ok
20:44:22.0937 4000 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
20:44:22.0937 4000 kmixer - ok
20:44:22.0953 4000 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
20:44:22.0953 4000 KSecDD - ok
20:44:22.0968 4000 lbrtfdc - ok
20:44:23.0000 4000 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
20:44:23.0000 4000 MBAMProtector - ok
20:44:23.0000 4000 MBAMSwissArmy - ok
20:44:23.0015 4000 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:44:23.0015 4000 MHNDRV - ok
20:44:23.0031 4000 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:44:23.0031 4000 mnmdd - ok
20:44:23.0031 4000 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
20:44:23.0046 4000 Modem - ok
20:44:23.0062 4000 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:44:23.0062 4000 Mouclass - ok
20:44:23.0093 4000 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:44:23.0093 4000 mouhid - ok
20:44:23.0093 4000 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
20:44:23.0093 4000 MountMgr - ok
20:44:23.0109 4000 mraid35x - ok
20:44:23.0140 4000 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:44:23.0140 4000 MRxDAV - ok
20:44:23.0187 4000 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:44:23.0203 4000 MRxSmb - ok
20:44:23.0250 4000 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
20:44:23.0250 4000 Msfs - ok
20:44:23.0250 4000 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:44:23.0250 4000 MSKSSRV - ok
20:44:23.0265 4000 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:44:23.0265 4000 MSPCLOCK - ok
20:44:23.0265 4000 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
20:44:23.0265 4000 MSPQM - ok
20:44:23.0312 4000 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:44:23.0312 4000 mssmbios - ok
20:44:23.0343 4000 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
20:44:23.0343 4000 MSTEE - ok
20:44:23.0359 4000 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
20:44:23.0359 4000 Mup - ok
20:44:23.0359 4000 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:44:23.0359 4000 NABTSFEC - ok
20:44:23.0375 4000 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
20:44:23.0375 4000 NDIS - ok
20:44:23.0375 4000 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:44:23.0375 4000 NdisIP - ok
20:44:23.0406 4000 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:44:23.0406 4000 NdisTapi - ok
20:44:23.0468 4000 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:44:23.0468 4000 Ndisuio - ok
20:44:23.0468 4000 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:44:23.0468 4000 NdisWan - ok
20:44:23.0484 4000 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
20:44:23.0484 4000 NDProxy - ok
20:44:23.0484 4000 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:44:23.0484 4000 NetBIOS - ok
20:44:23.0500 4000 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:44:23.0500 4000 NetBT - ok
20:44:23.0562 4000 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
20:44:23.0562 4000 npf - ok
20:44:23.0562 4000 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
20:44:23.0562 4000 Npfs - ok
20:44:23.0609 4000 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
20:44:23.0625 4000 Ntfs - ok
20:44:23.0640 4000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:44:23.0640 4000 Null - ok
20:44:23.0687 4000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:44:23.0687 4000 NwlnkFlt - ok
20:44:23.0687 4000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:44:23.0687 4000 NwlnkFwd - ok
20:44:23.0718 4000 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
20:44:23.0718 4000 Parport - ok
20:44:23.0718 4000 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
20:44:23.0718 4000 PartMgr - ok
20:44:23.0734 4000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:44:23.0734 4000 ParVdm - ok
20:44:23.0734 4000 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
20:44:23.0734 4000 PCI - ok
20:44:23.0750 4000 PCIDump - ok
20:44:23.0765 4000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:44:23.0781 4000 PCIIde - ok
20:44:23.0796 4000 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:44:23.0796 4000 Pcmcia - ok
20:44:23.0828 4000 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
20:44:23.0828 4000 pcouffin - ok
20:44:23.0843 4000 PDCOMP - ok
20:44:23.0843 4000 PDFRAME - ok
20:44:23.0859 4000 PDRELI - ok
20:44:23.0859 4000 PDRFRAME - ok
20:44:23.0859 4000 perc2 - ok
20:44:23.0875 4000 perc2hib - ok
20:44:23.0937 4000 PhilCam8116 (8754763a924639b9d07d4c8ea9990f1e) C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
20:44:23.0937 4000 PhilCam8116 - ok
20:44:23.0937 4000 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:44:23.0953 4000 PptpMiniport - ok
20:44:23.0953 4000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:44:23.0953 4000 Ptilink - ok
20:44:23.0984 4000 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:44:23.0984 4000 PxHelp20 - ok
20:44:24.0000 4000 ql1080 - ok
20:44:24.0000 4000 Ql10wnt - ok
20:44:24.0000 4000 ql12160 - ok
20:44:24.0015 4000 ql1240 - ok
20:44:24.0015 4000 ql1280 - ok
20:44:24.0046 4000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:44:24.0046 4000 RasAcd - ok
20:44:24.0062 4000 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:44:24.0062 4000 Rasl2tp - ok
20:44:24.0062 4000 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:44:24.0062 4000 RasPppoe - ok
20:44:24.0078 4000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:44:24.0078 4000 Raspti - ok
20:44:24.0125 4000 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:44:24.0125 4000 Rdbss - ok
20:44:24.0140 4000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:44:24.0140 4000 RDPCDD - ok
20:44:24.0171 4000 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:44:24.0171 4000 rdpdr - ok
20:44:24.0187 4000 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
20:44:24.0187 4000 RDPWD - ok
20:44:24.0218 4000 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:44:24.0218 4000 redbook - ok
20:44:24.0281 4000 RTL8023xp (1e11171c0b9989e1bdaa59e96b2e81c4) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
20:44:24.0281 4000 RTL8023xp - ok
20:44:24.0328 4000 RTLWUSB (5a850259b849a899990379a75460a4eb) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
20:44:24.0328 4000 RTLWUSB - ok
20:44:24.0453 4000 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:44:24.0453 4000 SASDIFSV - ok
20:44:24.0468 4000 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
20:44:24.0468 4000 SASENUM - ok
20:44:24.0484 4000 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
20:44:24.0484 4000 SASKUTIL - ok
20:44:24.0546 4000 SCDEmu (3b35ce540758bbabb721e234cb5a4f3f) C:\WINDOWS\system32\drivers\SCDEmu.sys
20:44:24.0546 4000 SCDEmu - ok
20:44:24.0578 4000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:44:24.0578 4000 Secdrv - ok
20:44:24.0578 4000 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:44:24.0593 4000 serenum - ok
20:44:24.0593 4000 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
20:44:24.0593 4000 Serial - ok
20:44:24.0609 4000 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:44:24.0609 4000 Sfloppy - ok
20:44:24.0609 4000 Simbad - ok
20:44:24.0640 4000 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:44:24.0640 4000 SLIP - ok
20:44:24.0656 4000 Sparrow - ok
20:44:24.0687 4000 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
20:44:24.0687 4000 splitter - ok
20:44:24.0750 4000 sptd (ee26b8860d226f8eec48aabbdae33e8c) C:\WINDOWS\system32\Drivers\sptd.sys
20:44:24.0750 4000 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: ee26b8860d226f8eec48aabbdae33e8c
20:44:24.0750 4000 sptd ( LockedFile.Multi.Generic ) - warning
20:44:24.0750 4000 sptd - detected LockedFile.Multi.Generic (1)
20:44:24.0781 4000 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:44:24.0781 4000 sr - ok
20:44:24.0796 4000 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
20:44:24.0796 4000 Srv - ok
20:44:24.0828 4000 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
20:44:24.0828 4000 StillCam - ok
20:44:24.0859 4000 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:44:24.0859 4000 streamip - ok
20:44:24.0875 4000 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:44:24.0875 4000 swenum - ok
20:44:24.0906 4000 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
20:44:24.0906 4000 swmidi - ok
20:44:24.0906 4000 symc810 - ok
20:44:24.0921 4000 symc8xx - ok
20:44:24.0921 4000 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
20:44:24.0937 4000 symsnap - ok
20:44:24.0937 4000 sym_hi - ok
20:44:24.0937 4000 sym_u3 - ok
20:44:24.0968 4000 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
20:44:24.0968 4000 sysaudio - ok
20:44:25.0031 4000 Tcpip (90caff4b094573449a0872a0f919b178) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:44:25.0031 4000 Tcpip - ok
20:44:25.0062 4000 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:44:25.0062 4000 TDPIPE - ok
20:44:25.0078 4000 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
20:44:25.0078 4000 TDTCP - ok
20:44:25.0093 4000 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:44:25.0093 4000 TermDD - ok
20:44:25.0109 4000 TfFsMon - ok
20:44:25.0109 4000 TfNetMon - ok
20:44:25.0109 4000 TFSysMon - ok
20:44:25.0125 4000 TosIde - ok
20:44:25.0156 4000 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
20:44:25.0156 4000 Udfs - ok
20:44:25.0171 4000 ultra - ok
20:44:25.0218 4000 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
20:44:25.0218 4000 Update - ok
20:44:25.0250 4000 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:44:25.0250 4000 USBAAPL - ok
20:44:25.0296 4000 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
20:44:25.0296 4000 usbaudio - ok
20:44:25.0343 4000 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:44:25.0343 4000 usbccgp - ok
20:44:25.0406 4000 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:44:25.0406 4000 usbehci - ok
20:44:25.0406 4000 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:44:25.0406 4000 usbhub - ok
20:44:25.0421 4000 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:44:25.0421 4000 usbprint - ok
20:44:25.0437 4000 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:44:25.0453 4000 usbscan - ok
20:44:25.0453 4000 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:44:25.0453 4000 USBSTOR - ok
20:44:25.0500 4000 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:44:25.0500 4000 usbuhci - ok
20:44:25.0500 4000 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
20:44:25.0500 4000 v2imount - ok
20:44:25.0562 4000 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
20:44:25.0562 4000 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\vaxscsi.sys. md5: 92cebc2bc7be2c8d49391b365569f306
20:44:25.0562 4000 vaxscsi ( LockedFile.Multi.Generic ) - warning
20:44:25.0562 4000 vaxscsi - detected LockedFile.Multi.Generic (1)
20:44:25.0562 4000 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
20:44:25.0562 4000 VgaSave - ok
20:44:25.0578 4000 ViaIde - ok
20:44:25.0578 4000 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
20:44:25.0578 4000 VolSnap - ok
20:44:25.0625 4000 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
20:44:25.0625 4000 VProEventMonitor - ok
20:44:25.0640 4000 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:44:25.0640 4000 Wanarp - ok
20:44:25.0687 4000 WDC_SAM (011e8a3e13dd7007353edbee4b180b50) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
20:44:25.0687 4000 WDC_SAM - ok
20:44:25.0687 4000 WDICA - ok
20:44:25.0734 4000 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
20:44:25.0734 4000 wdmaud - ok
20:44:25.0750 4000 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
20:44:25.0765 4000 WimFltr - ok
20:44:25.0812 4000 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:44:25.0812 4000 WS2IFSL - ok
20:44:25.0828 4000 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:44:25.0828 4000 WSTCODEC - ok
20:44:25.0859 4000 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:44:25.0953 4000 \Device\Harddisk0\DR0 - ok
20:44:25.0968 4000 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR2
20:44:26.0000 4000 \Device\Harddisk1\DR2 - ok
20:44:26.0000 4000 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk3\DR8
20:44:31.0156 4000 \Device\Harddisk3\DR8 - ok
20:44:31.0156 4000 Boot (0x1200) (f7b5ab6c14f1efeed5d4f9776ce984bb) \Device\Harddisk0\DR0\Partition0
20:44:31.0156 4000 \Device\Harddisk0\DR0\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (929749ac877032ada46fea5e036cb138) \Device\Harddisk1\DR2\Partition0
20:44:31.0171 4000 \Device\Harddisk1\DR2\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (78caf6819748ba73d36015a85cc04c86) \Device\Harddisk3\DR8\Partition0
20:44:31.0171 4000 \Device\Harddisk3\DR8\Partition0 - ok
20:44:31.0171 4000 ============================================================
20:44:31.0171 4000 Scan finished
20:44:31.0171 4000 ============================================================
20:44:31.0171 0432 Detected object count: 3
20:44:31.0171 0432 Actual detected object count: 3
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - skipped by user
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - User select action: Skip
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - User select action: Skip
#8
Posted 12 November 2011 - 02:29 PM
In the dialog that appears, press the "Uninstall" button and SPTD will remove itself from your Windows installation.
If you want to install it again, run the same setup and press "Install".
Download the most recent version of ComboFix from one of the following locations to your USB drive:
Link 1
Link 2
Please delete the old copy from the desktop of the infected machine (by right-clicking and choosing Delete) and then transfer the new ComboFix file to your desktop, but do NOT run it.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\vaxscsi.sys
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
Folder::
C:\Program Files\Common Files\Spigot\Search Settings
C:\Program Files\Application Updater
RenV::
c:\program files\CANON\Canon IJ Network Scan Utility\CNMNSUT .exe
Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe. ComboFix may request an update; please allow it.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate
#9
Posted 12 November 2011 - 03:27 PM
ComboFix 11-11-12.04 - Roe 11/12/2011 13:06:24.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1486 [GMT -8:00]
Running from: c:\documents and settings\Roe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roe\Desktop\cfscript.txt
.
FILE ::
"c:\program files\Application Updater\ApplicationUpdater.exe"
"c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe"
"c:\windows\system32\drivers\vaxscsi.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Application Updater
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Application Updater\config.ini
c:\program files\Common Files\Spigot\Search Settings
c:\program files\Common Files\Spigot\Search Settings\baidu_ff.xml
c:\program files\Common Files\Spigot\Search Settings\baidu_ie.xml
c:\program files\Common Files\Spigot\Search Settings\config.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1031.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1033.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1034.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1036.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1040.ini
c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
c:\program files\Common Files\Spigot\Search Settings\yahoo_ff.xml
c:\program files\Common Files\Spigot\Search Settings\yahoo_ie.xml
c:\program files\Common Files\Spigot\Search Settings\yandex_ff.xml
c:\program files\Common Files\Spigot\Search Settings\yandex_ie.xml
c:\windows\system32\drivers\vaxscsi.sys
H:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Application_Updater
-------\Legacy_Application_Updater
-------\Service_Application Updater
-------\Service_vaxscsi
-------\Service_Application Updater
.
.
((((((((((((((((((((((((( Files Created from 2011-10-12 to 2011-11-12 )))))))))))))))))))))))))))))))
.
.
2011-11-09 18:54 . 2011-11-09 18:58 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-09 18:09 . 2008-06-27 21:39 332928 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2011-11-08 02:39 . 2011-11-08 02:40 -------- d-----w- C:\backups
2011-11-08 02:39 . 2011-11-08 02:39 -------- d-----w- C:\ERDNT
2011-11-08 02:38 . 2011-11-08 02:38 -------- d-----w- C:\Regbackup
2011-11-05 19:29 . 2011-11-05 19:29 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2011-11-05 17:54 . 2011-11-05 19:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\YouTube Downloader
2011-11-01 20:15 . 2011-11-01 20:16 -------- d-----w- c:\documents and settings\Roe\Local Settings\Application Data\Canon Easy-PhotoPrint EX
2011-10-21 01:31 . 2011-10-21 01:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 01:35 . 2011-06-05 17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11 . 2011-04-02 18:42 444283 ----a-w- c:\program files\Common Files\WinPcapNmap.exe
2011-06-16 04:17 . 2011-06-25 04:03 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-07 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-15 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Roe\Start Menu\Programs\Startup\..
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.dll]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\calc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nhuganew
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vhayex
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 03:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-04-21 04:21 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-13 23:38 39264 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2009-05-14 22:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-20 05:57 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-20 05:57 142104 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
2008-02-06 20:46 151552 ----a-w- c:\progra~1\CANON\MULTIP~1\MPTBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-01-28 20:39 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-20 05:57 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 09:33 16132608 ------w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-12-07 23:08 21686568 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 04:24 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-26 18:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-06-26 18:21 273544 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2008-04-08 17:42 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2008-02-07 04:44 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 14:59 224248 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29244:TCP"= 29244:TCP:spport
"22656:TCP"= 22656:TCP:spport
"19524:TCP"= 19524:TCP:spport
"20029:TCP"= 20029:TCP:spport
"21011:TCP"= 21011:TCP:spport
"20714:TCP"= 20714:TCP:spport
"29667:TCP"= 29667:TCP:spport
"9445:TCP"= 9445:TCP:spport
"19243:TCP"= 19243:TCP:spport
"18089:TCP"= 18089:TCP:spport
"19753:TCP"= 19753:TCP:spport
"5306:TCP"= 5306:TCP:spport
.
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 3:31 PM 161064]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [1/27/2009 7:25 PM 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/26/2010 6:09 PM 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [3/15/2006 4:00 AM 5120]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/10/2008 7:03 PM 47360]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service; [x]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/9/2011 10:09 AM 332928]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2006 9:16 PM 10112]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003Core.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003UA.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: Interfaces\{0C4C2CD8-D480-482C-BEDA-2A9AAEA6491F}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Roe\Application Data\Mozilla\Firefox\Profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
HKLM_ActiveSetup-Neat ADF Scanner 2008 - reg copy HKLM\Software\The Neat Company\Neat ADF Scanner 2008 HKCU\Software\The Neat Company\Neat ADF Scanner 2008
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-12 13:19
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0B02ABBA-36EC-0AD5-60EA-16BF5004E04D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):fd,e5,c5,e4,e5,6e,45,b1,20,3c,90,52,02,96,06,0f,d7,08,cc,04,c1,
d7,67,ff,55,02,df,49,73,4e,a3,55,21,9e,71,c6,4c,d8,d9,85,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005e
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3168)
c:\program files\Unlocker\UnlockerCOM.dll
c:\program files\WinZip\wzshlstb.dll
c:\program files\WinZip\wzshlex1.dll
c:\program files\WinZip\WZCAB3.DLL
c:\program files\WinRAR\rarext.dll
c:\program files\TechSmith\SnagIt 8\SnagItShellExt.dll
c:\program files\PowerISO\PWRISOSH.DLL
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-12 13:24:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-12 21:23
ComboFix2.txt 2011-11-06 22:57
ComboFix3.txt 2009-11-21 04:54
ComboFix4.txt 2008-05-12 18:09
.
Pre-Run: 206,798,647,296 bytes free
Post-Run: 206,783,651,840 bytes free
.
- - End Of File - - 9C574F8BA22B9494EBD03EE5C07A5249
#10
Posted 12 November 2011 - 06:03 PM
You should already have TDSSKiller on your desktop, but you will need to download and transfer GMER via USB.
Please read carefully and follow these steps. There is a difference between what you see in one of the images below and what I need you to do.
We are only creating a log - I do NOT want you to "cure" or try to fix anything in this step. It is very important that you don't choose Cure when presented with that option.
- Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, but I want you to choose SKIP instead, then click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Download and Run GMER
Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that may have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one - make sure it is UNCHECKED)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and paste it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate
#11
Posted 12 November 2011 - 08:33 PM
#12
Posted 12 November 2011 - 09:22 PM
#13
Posted 15 November 2011 - 03:20 PM
#14
Posted 15 November 2011 - 03:26 PM
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-15 13:24:57
Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c WDC_WD5000AAKS-22TMA0 rev.12.01C01
Running: gmer.exe; Driver: C:\DOCUME~1\Roe\LOCALS~1\Temp\kxtcapob.sys
---- Kernel code sections - GMER 1.0.15 ----
.text PCIIDEX.SYS!PciIdeXSetBusData + B29 BA32945D 4 Bytes JMP 89A82344
.text PCIIDEX.SYS!PciIdeXSetBusData + D72 BA3296A6 4 Bytes JMP 89B1EC64
.text PCIIDEX.SYS!PciIdeXDebugPrint + 23 BA3296DD 4 Bytes JMP 89A82344
.text PCIIDEX.SYS!PciIdeXDebugPrint + 173 BA32982D 4 Bytes JMP 89B1EC64
.text PCIIDEX.SYS!PciIdeXDebugPrint + 1A8 BA329862 4 Bytes JMP 89B1EC64
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 7CB BA329E85 4 Bytes JMP 89A82344
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 1065 BA32A71F 4 Bytes JMP 89A82344
PAGE ...
PAGE PCIIDEX.SYS!PciIdeXInitialize + 288 BA32CC64 4 Bytes JMP 89A82344
.text atapi.sys B9F0EE49 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F09D 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F53F 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F6CD 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F79D 4 Bytes JMP 89B435A4
.text ...
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 198 BA0E85C8 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassCompleteRequest + D BA0E8C6C 4 Bytes JMP 89B235A4
.text CLASSPNP.SYS!ClassCompleteRequest + 3FE BA0E905D 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendSrbSynchronous + EE BA0E9210 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassDeviceControl + BD BA0E9627 4 Bytes JMP 89B235A4
.text CLASSPNP.SYS!ClassDeviceControl + 2B4 BA0E981E 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassReleaseQueue + EA BA0EA5DD 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassReleaseChildLock + 66 BA0EAC36 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendIrpSynchronous + 3A BA0EAE01 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassGetDriverExtension + 15E BA0EB3A8 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassFindModePage + 5AD BA0EBDC5 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassFindModePage + 7D4 BA0EBFEC 4 Bytes JMP 89B4DFFC
.text CLASSPNP.SYS!ClassFindModePage + 90E BA0EC126 4 Bytes JMP 89BE23DC
.text CLASSPNP.SYS!ClassFindModePage + 938 BA0EC150 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassFindModePage + A7D BA0EC295 4 Bytes JMP 89B4DFFC
.text ...
.text CLASSPNP.SYS!ClassInternalIoControl + 87 BA0ED04A 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassGetVpb + 167 BA0ED24B 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendStartUnit + C9 BA0ED4C1 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendSrbAsynchronous + 10D BA0ED610 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassWmiFireEvent + 3A9 BA0EDABA 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassWmiFireEvent + 807 BA0EDF18 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassIoCompleteAssociated + 18B BA0EE551 4 Bytes JMP 89B4DFFC
PAGE CLASSPNP.SYS!ClassDebugPrint + 5B1 BA0EEBB3 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassDebugPrint + 7CD BA0EEDCF 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassInvalidateBusRelations + 203 BA0EF2C0 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassInitialize + 6C0 BA0EFA7E 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassClaimDevice + 7A BA0F0F59 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassModeSense + 57D BA0F1BF6 4 Bytes JMP 8A3CD9E4
.PAGE C:\WINDOWS\System32\drivers\afd.sys unknown last section [0xBA256800, 0x100, 0xC0000040]
.text USBSTOR.SYS BA3A8375 4 Bytes JMP 89B1E62C
.text USBSTOR.SYS BA3A83C1 4 Bytes JMP 89B43E04
.text USBSTOR.SYS BA3A8459 4 Bytes JMP 89B43E04
.text USBSTOR.SYS BA3A85AB 4 Bytes JMP 89B43E04
.text USBSTOR.SYS BA3A8660 4 Bytes JMP 89B215E4
.text ...
? system32\drivers\65874267.sys The system cannot find the path specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\92931298 \Device\KLMD14092011_206080 65874267.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\00000563 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 89FE3B80
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xB3 0x7D 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA9 0xC6 0x5B 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x43 0x32 0x07 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x96 0x31 0x6D 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA9 0xC6 0x5B 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x43 0x32 0x07 0xA1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x96 0x31 0x6D 0x5D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA9 0xC6 0x5B 0xA0 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x43 0x32 0x07 0xA1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0xFD 0xE5 0xC5 0xE4 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}@Model 94
Reg HKLM\SOFTWARE\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}@MData 0x2B 0x8F 0x78 0x29 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0B02ABBA-36EC-0AD5-60EA-16BF5004E04D}
---- EOF - GMER 1.0.15 ----
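The GMER log above is what the helper's "only create a log, take no action" step in post #10 produces, and the caution about false positives applies to reading it. The following is an added example for this thread, not part of GMER, TDSSKiller or any post here: a small parser that triages a saved Gmer.txt by listing which kernel modules carry inline JMP patches, the distinct addresses those patches jump to (one address reached from several drivers usually points at a single hooking driver), devices GMER could not label with a vendor, and driver files it could not open on disk. The function names (parse_gmer, triage) and the command-line usage are this example's own; the embedded SAMPLE_LOG is a constructed subset of lines copied from the log above.

```python
"""Triage a GMER rootkit-scan log (added example, not GMER's own code).
Usage: python gmer_triage.py Gmer.txt   (no argument: runs on SAMPLE_LOG)"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the entries posted in this thread, verbatim.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text PCIIDEX.SYS!PciIdeXSetBusData + B29 BA32945D 4 Bytes JMP 89A82344
.text atapi.sys B9F0EE49 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F09D 4 Bytes JMP 89B435A4
.text CLASSPNP.SYS!ClassCompleteRequest + D BA0E8C6C 4 Bytes JMP 89B235A4
.text CLASSPNP.SYS!ClassFindModePage + 7D4 BA0EBFEC 4 Bytes JMP 89B4DFFC
.PAGE C:\WINDOWS\System32\drivers\afd.sys unknown last section [0xBA256800, 0x100, 0xC0000040]
.text USBSTOR.SYS BA3A8375 4 Bytes JMP 89B1E62C
? system32\drivers\65874267.sys The system cannot find the path specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\92931298 \Device\KLMD14092011_206080 65874267.sys
Device \Driver\00000563 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 89FE3B80
---- EOF - GMER 1.0.15 ----
"""

# "<section> <module>[!<symbol> + <off>] <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^(\S+)\s+(.+?)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes\s+JMP\s+([0-9A-F]{8})\s*$")
# "Device|AttachedDevice <driver object> <device object> <file or addr> [(vendor)]"
DEVICE_RE = re.compile(
    r"^(AttachedDevice|Device)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.+)\))?\s*$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the path specified\.")
UNKNOWN_SECTION_RE = re.compile(r"^\S+\s+(\S+)\s+unknown last section")


def parse_gmer(text):
    """Pull the entries of interest out of a GMER log as plain dicts/lists."""
    hooks, devices, missing, odd_sections = [], [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            section, location, addr, size, target = m.groups()
            module = location.split("!", 1)[0].split()[0].lower()
            symbol = location.split("!", 1)[1] if "!" in location else None
            hooks.append({"section": section, "module": module, "symbol": symbol,
                          "addr": addr, "size": int(size), "target": target})
            continue
        m = DEVICE_RE.match(line)
        if m:
            kind, drv_obj, dev_obj, owner, vendor = m.groups()
            devices.append({"kind": kind, "driver": drv_obj, "device": dev_obj,
                            "owner": owner, "vendor": vendor})
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group(1))
            continue
        m = UNKNOWN_SECTION_RE.match(line)
        if m:
            odd_sections.append(m.group(1))
    return {"hooks": hooks, "devices": devices,
            "missing": missing, "odd_sections": odd_sections}


def triage(text):
    """What a reviewer looks at first: which modules are patched, where the
    patches jump to, and which devices/files GMER cannot attribute."""
    parsed = parse_gmer(text)
    targets_by_module = defaultdict(set)
    for h in parsed["hooks"]:
        targets_by_module[h["module"]].add(h["target"])
    modules_by_target = defaultdict(set)
    for mod, tgts in targets_by_module.items():
        for t in tgts:
            modules_by_target[t].add(mod)
    return {
        "hook_count": {m: sum(1 for h in parsed["hooks"] if h["module"] == m)
                       for m in sorted(targets_by_module)},
        "jmp_targets": sorted(modules_by_target),
        # Same destination reached from several drivers: one hooking driver
        # is likely behind all of them, so resolve that address first.
        "shared_targets": sorted(t for t, mods in modules_by_target.items()
                                 if len(mods) > 1),
        # Drivers GMER could not label with a vendor string; this is where
        # the "do not act on ROOTKIT entries blindly" caution applies.
        "devices_without_vendor": [d["owner"] for d in parsed["devices"]
                                   if not d["vendor"]],
        "missing_files": parsed["missing"],
        "unknown_sections": parsed["odd_sections"],
    }


if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in triage(src).items():
        print(f"{key}: {value}")
```

On the sample, every JMP destination is an address outside the patched driver's own image and is hit from only one module, the two devices without a vendor string are the randomly named 65874267.sys and a bare kernel address, and the same 65874267.sys is the file GMER could not open on disk; that combination is what to resolve (which driver owns those addresses, and whether the file exists under a different view of the filesystem) before deciding whether any entry is a false positive.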
#15
Posted 15 November 2011 - 05:37 PM
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind AFD.sys
:reg hkey_local_machine\system\currentcontrolset\services\afd
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.