iedw.exe virus & svchost.exe & generic host error


  • This topic is locked
30 replies to this topic

#1 Roses

    Authentic Member
  • 20 posts

Posted 06 November 2011 - 08:55 PM

I have an XP Media Center Edition SP2 machine that appeared to be infected with a virus. I would get a pop-up error stating iedw.exe error and, immediately after, an IE error. IE would open about every 10 minutes with advertising - even though I do not use IE. Then these errors would pop up continuously, making my machine unusable as I had to close them constantly. I ran COMBOFIX and I am not sure if the virus is removed or not because I cannot get onto the internet. I do have an ip of 192.168.x.xxx. Lastly, the file iedw.exe is unable to be deleted from c:\program file\internet explorer. I really don't know what to do at this point. I can post the combofix log if that helps. Can someone help me figure this out please? Thanks! :pullhair:



#2 patndoris

    SuperMember
  • Malware Team
  • 2,593 posts

Posted 11 November 2011 - 05:24 PM

Hello

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
  • Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
  • Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!



While you may see ComboFix being used quite often, and without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool). Going forward, I highly recommend you heed such instructions.

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.




With that warning in mind, there are times when you have trouble accessing the internet after running Combofix. The first thing to do is reboot your computer. If that does not fix the problem please do the following:

  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • You will now see a menu and you can simply click on the Repair menu option.
  • Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.
  • Alternatively, if your network icon also appears on the Windows taskbar, you can repair it by right-clicking on the icon and selecting the Repair option.

Please let me know if this helps to restore your internet connection.

If Combofix was run correctly, it should have produced a log for you. Please include the C:\ComboFix.txt in your next reply so I can see what was removed and determine the next steps to ensure we properly clean your machine.
~Doris~

Proud Graduate of the WTT Classroom
Member of UNITE

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate

#3 Roses

    Authentic Member
  • 20 posts

Posted 11 November 2011 - 05:50 PM

Hi Patndoris

Thank you for your assistance! I followed your directions and the Repair step did not work. Now I should mention that I can Ping an ip address. For example ping 8.8.8.8 and I get 4 packets sent and 4 packets received with 0% loss. However, if I ping www.google.com - it cannot find host.

Awaiting further instructions.

Thank you again!

Roses


Here is the ComboFix log:


ComboFix 11-11-06.02 - Roe 11/06/2011 14:25:46.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1644 [GMT -8:00]
Running from: c:\documents and settings\Roe\Desktop\123CF.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\QueryScan
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\NetworkService\Application Data\Minoral
c:\documents and settings\Roe\Application Data\Adobe\usanaz.exe
c:\documents and settings\Roe\Application Data\vso_ts_preview.xml
c:\documents and settings\Roe\g2mdlhlpx.exe
c:\documents and settings\Roe\Local Settings\Application Data\f82a2194
c:\documents and settings\Roe\Local Settings\Application Data\f82a2194\@
c:\documents and settings\Roe\Local Settings\Application Data\f82a2194\X
c:\documents and settings\Roe\My Documents\~WRL2024.tmp
c:\documents and settings\Roe\WINDOWS
c:\program files\MPAccess
c:\program files\QueryScan
c:\windows\$NtUninstallKB9793$\1974767318
c:\windows\$NtUninstallKB9793$\4163510676\@
c:\windows\$NtUninstallKB9793$\4163510676\L\dhkqheva
c:\windows\$NtUninstallKB9793$\4163510676\loader.tlb
c:\windows\$NtUninstallKB9793$\4163510676\U\@00000001
c:\windows\$NtUninstallKB9793$\4163510676\U\@000000c0
c:\windows\$NtUninstallKB9793$\4163510676\U\@000000cb
c:\windows\$NtUninstallKB9793$\4163510676\U\@000000cf
c:\windows\$NtUninstallKB9793$\4163510676\U\@80000000
c:\windows\$NtUninstallKB9793$\4163510676\U\@800000c0
c:\windows\$NtUninstallKB9793$\4163510676\U\@800000cb
c:\windows\$NtUninstallKB9793$\4163510676\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
H:\Autorun.inf
c:\windows\$NtUninstallKB9793$ . . . . Failed to delete
.
c:\windows\system32\drivers\vaxscsi.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175749.exe
.
Infected copy of c:\program files\Application Updater\ApplicationUpdater.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175750.exe
.
Infected copy of c:\program files\Bonjour\mDNSResponder.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175751.exe
.
Infected copy of c:\program files\Canon\CAL\CALMAIN.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175758.exe
.
Infected copy of c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175752.exe
.
Infected copy of c:\program files\Flip Video\FlipShare\FlipShareService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175753.exe
.
Infected copy of c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175754.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175759.exe
.
Infected copy of c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP949\A0176955.exe
.
Infected copy of c:\program files\Canon\MultiPASS4\MPSERVIC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175755.exe
.
Infected copy of c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175756.exe
.
Infected copy of c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175757.exe
.
Infected copy of c:\program files\Canon\CAL\CALMAIN.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175758.exe
Infected copy of c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175752.exe
Infected copy of c:\program files\Canon\MultiPASS4\MPSERVIC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175755.exe
Infected copy of c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP947\A0175756.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_USNJSVC
-------\Service_f82a2194
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-10-06 to 2011-11-06 )))))))))))))))))))))))))))))))
.
.
2011-11-06 21:56 . 2011-11-06 21:57 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-06 21:56 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-06 03:33 . 2011-11-06 03:33 -------- d-----w- c:\program files\WiseFixer
2011-11-05 19:29 . 2011-11-05 19:29 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2011-11-05 17:54 . 2011-11-05 19:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\YouTube Downloader
2011-11-01 20:15 . 2011-11-01 20:16 -------- d-----w- c:\documents and settings\Roe\Local Settings\Application Data\Canon Easy-PhotoPrint EX
2011-10-21 01:31 . 2011-10-21 01:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 01:35 . 2011-06-05 17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11 . 2011-04-02 18:42 444283 ----a-w- c:\program files\Common Files\WinPcapNmap.exe
2011-06-16 04:17 . 2011-06-25 04:03 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
<pre>
c:\program files\CANON\Canon IJ Network Scan Utility\CNMNSUT .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-07 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-09-28 894304]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-15 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Roe\Start Menu\Programs\Startup\..
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.dll]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActiveCollector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 03:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-04-21 04:21 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\calc]
c:\windows\system32\calc.dll [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-13 23:38 39264 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2009-05-14 22:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-20 05:57 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-20 05:57 142104 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-09-01 01:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
2008-02-06 20:46 151552 ----a-w- c:\progra~1\CANON\MULTIP~1\MPTBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-01-28 20:39 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nhuganew]
c:\windows\amiyadomipusovo.dll [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-20 05:57 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 09:33 16132608 ------w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
2011-09-28 04:34 894304 ----a-w- c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-12-07 23:08 21686568 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 04:24 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-26 18:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-06-26 18:21 273544 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vhayex]
c:\windows\iasera.dll [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2008-04-08 17:42 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2008-02-07 04:44 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 14:59 224248 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29244:TCP"= 29244:TCP:spport
"22656:TCP"= 22656:TCP:spport
"19524:TCP"= 19524:TCP:spport
"20029:TCP"= 20029:TCP:spport
"21011:TCP"= 21011:TCP:spport
"20714:TCP"= 20714:TCP:spport
"29667:TCP"= 29667:TCP:spport
"9445:TCP"= 9445:TCP:spport
"19243:TCP"= 19243:TCP:spport
"18089:TCP"= 18089:TCP:spport
"19753:TCP"= 19753:TCP:spport
"5306:TCP"= 5306:TCP:spport
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/7/2008 8:07 PM 642560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [9/27/2011 7:08 PM 745880]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 3:31 PM 161064]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/6/2011 1:56 PM 366152]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [1/27/2009 7:25 PM 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/26/2010 6:09 PM 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [3/15/2006 4:00 AM 5120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/6/2011 1:56 PM 22216]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/10/2008 7:03 PM 47360]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [4/7/2008 8:10 PM 223128]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe [?]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2006 9:16 PM 10112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]
reg copy HKLM\Software\The Neat Company\Neat ADF Scanner 2008 HKCU\Software\The Neat Company\Neat ADF Scanner 2008 [N/A]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003Core.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003UA.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smartwebsearch.net/index.php?from=3
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Roe\Application Data\Mozilla\Firefox\Profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-{CDAD1382-C849-4928-B66C-BD194F4F7F51} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-06 14:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0B02ABBA-36EC-0AD5-60EA-16BF5004E04D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):fd,e5,c5,e4,e5,6e,45,b1,20,3c,90,52,02,96,06,0f,d7,08,cc,04,c1,
d7,67,ff,55,02,df,49,73,4e,a3,55,21,9e,71,c6,4c,d8,d9,85,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005e
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-06 14:57:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-06 22:56
ComboFix2.txt 2009-11-21 04:54
ComboFix3.txt 2008-05-12 18:09
.
Pre-Run: 186,596,007,936 bytes free
Post-Run: 206,590,148,608 bytes free
.
- - End Of File - - 59CAF1F930FAB4101DC6BF308872A1A2
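The helper in the replies that follow reads this log by eye. As an added example that is not from this thread or from ComboFix, the Python script below parses a few constructed lines in the same shape as the log above and flags the entry types a malware helper looks for: autostart entries whose file is missing (ComboFix marks them `[N/A]`), registry keys locked with an `@Denied` ACL, one firewall label opened on many ports, and a start page outside an allowlist. The allowlist, the port threshold and the sample lines are assumptions; a hit is a triage hint, not a verdict (legitimate leftovers also show up as `[N/A]`).

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix tool)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the log above; ComboFix defangs http as hxxp.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nhuganew]
c:\windows\amiyadomipusovo.dll [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29244:TCP"= 29244:TCP:spport
"22656:TCP"= 22656:TCP:spport
"19524:TCP"= 19524:TCP:spport
"3389:TCP"= 3389:TCP:Remote Desktop
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005e
.
uStart Page = hxxp://www.smartwebsearch.net/index.php?from=3
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?:TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.+)$')
HOMEPAGE_RE = re.compile(
    r"^(?:uStart Page|FF - prefs\.js: browser\.startup\.homepage)\s*[-=]\s*(?P<url>\S+)")

# Assumed allowlist: start pages the user is known to have chosen themselves.
TRUSTED_HOMEPAGE_HOSTS = {"www.google.com", "about:blank"}
# Assumed threshold: one label opening this many distinct ports is worth a look.
PORT_BURST_THRESHOLD = 3


def parse_sections(text):
    """Split a ComboFix-style log into (registry_key, [lines]) groups.

    Lines before the first [key] header go under key None; the lone '.'
    ComboFix prints as a separator is dropped.
    """
    sections, current_key, current_lines = [], None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((current_key, current_lines))
            current_key, current_lines = m.group("key"), []
        elif line:
            current_lines.append(line)
    sections.append((current_key, current_lines))
    return sections


def host_of(url):
    """Return the lower-cased host of an http/hxxp URL, or the URL itself."""
    parts = url.split("/")
    return parts[2].lower() if len(parts) > 2 and parts[1] == "" else url.lower()


def triage(text):
    """Return (kind, subject, detail) findings for a ComboFix-style log."""
    findings = []
    ports_by_label = defaultdict(set)
    for key, lines in parse_sections(text):
        lower = (key or "").lower()
        if "\\startupreg\\" in lower or lower.endswith("\\run"):
            for line in lines:
                if line.endswith("[N/A]"):  # autostart points at a missing file
                    path = line[: -len("[N/A]")].rstrip()
                    findings.append(("orphaned-autostart", key.rsplit("\\", 1)[-1], path))
        if lower.endswith("globallyopenports\\list"):
            for line in lines:
                m = PORT_RE.match(line)
                if m:
                    ports_by_label[m.group("label").strip()].add(int(m.group("port")))
        for line in lines:
            if line.startswith("@Denied:"):  # key ACL-locked against Everyone
                findings.append(("acl-locked-key", key, line))
                break
    for label, ports in sorted(ports_by_label.items()):
        if len(ports) >= PORT_BURST_THRESHOLD:
            findings.append(("mass-port-opening", label, tuple(sorted(ports))))
    for line in text.splitlines():
        m = HOMEPAGE_RE.match(line)
        if m and host_of(m.group("url")) not in TRUSTED_HOMEPAGE_HOSTS:
            findings.append(("hijacked-homepage", host_of(m.group("url")), m.group("url")))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {subject}  ->  {detail}")
```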

#4 patndoris

    SuperMember
  • Malware Team
  • 2,593 posts

Posted 11 November 2011 - 05:56 PM

Thank you for the Combofix log. Please give me a bit to take a look at it and I'll be back to you shortly.
~Doris~


#5 patndoris

    SuperMember
  • Malware Team
  • 2,593 posts

Posted 11 November 2011 - 10:22 PM

From what I'm seeing in the log, we have a couple different types of malware to deal with here. I do need to be sure of what we are dealing with before we can move forward. So I'm going to ask that you run a couple of diagnostic scans to give me some additional information to determine the best course of action.

Just so you know, iedw.exe is a valid file. You do not need to try and remove it.

Since you have access to another computer, can you please save the relevant files on a USB and then transfer them to the desktop of the infected machine:


Download and Run DDS by sUBs

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Save both reports to your desktop.
---------------------------------------------------

Please copy / paste the scan results.

DDS.txt and Attach.txt



Please read carefully and follow these steps. There is a difference between what you see in one of the images below and what I need you to do.
We are only creating a log - I do NOT want you to "cure" or try to fix anything in this step. It is very important that you don't choose Cure when presented with that option.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.


    [screenshot]

  • If an infected file is detected, the default action will be Cure but I want you to choose SKIP instead, then click on Continue.


    [screenshot]

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    [screenshot]

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    [screenshot]

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~Doris~

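TDSSKiller writes the report asked for above as a plain-text log with one or two lines per scanned driver or service: a record line carrying the name, MD5 and path, followed by a verdict line (`NAME - ok`, `NAME ( Detection ) - infected`, or `NAME - detected Detection (0)`). As an added example, not part of this thread and not Kaspersky's own code, the Python script below parses such a report and returns only the objects that were not reported ok, together with their hash and path, which is the information a helper reading a pasted report has to pick out by eye. The line layout it assumes is the one produced by TDSSKiller 2.6.x; the sample report embedded in it is constructed in that layout, and the `suspicious` verdict is assumed to use the same shape as `infected`.

```python
"""Triage a TDSSKiller text report: return every scanned object not reported 'ok'.

Added example for this thread; not part of the original post or of Kaspersky's
TDSSKiller. It assumes the line layout of TDSSKiller 2.6.x reports:

    HH:MM:SS.mmmm PID NAME (md5) PATH                object record
    HH:MM:SS.mmmm PID NAME - ok                      clean verdict
    HH:MM:SS.mmmm PID NAME ( Detection ) - infected  verdict with detection name
    HH:MM:SS.mmmm PID NAME - detected Detection (0)  second form of the same verdict
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"  # timestamp and thread id that start every line
_RECORD = re.compile(_PREFIX + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$")
_OK = re.compile(_PREFIX + r"(?P<name>\S+)\s+-\s+ok\s*$")
# 'suspicious' is assumed to share the layout of 'infected'
_VERDICT = re.compile(_PREFIX + r"(?P<name>\S+)\s+\(\s*(?P<det>[^)]+?)\s*\)\s+-\s+(?P<verdict>infected|suspicious)\s*$")
_DETECTED = re.compile(_PREFIX + r"(?P<name>\S+)\s+-\s+detected\s+(?P<det>\S+)(?:\s+\(\d+\))?\s*$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None   # None when the service is registered but has no file on disk
    path: Optional[str] = None
    verdicts: List[str] = field(default_factory=list)
    detection: Optional[str] = None

    @property
    def clean(self) -> bool:
        return self.verdicts == ["ok"]


def parse_report(text: str) -> Dict[str, Entry]:
    """Map object name -> Entry, preserving the order in which objects were scanned."""
    entries: Dict[str, Entry] = {}

    def entry(name: str) -> Entry:
        return entries.setdefault(name, Entry(name))

    for line in text.splitlines():
        line = line.rstrip()
        m = _RECORD.match(line)
        if m:
            e = entry(m.group("name"))
            e.md5, e.path = m.group("md5").lower(), m.group("path")
            continue
        m = _OK.match(line)
        if m:
            entry(m.group("name")).verdicts.append("ok")
            continue
        m = _VERDICT.match(line)
        if m:
            e = entry(m.group("name"))
            e.verdicts.append(m.group("verdict"))
            e.detection = m.group("det")
            continue
        m = _DETECTED.match(line)
        if m:
            e = entry(m.group("name"))
            e.verdicts.append("detected")
            e.detection = e.detection or m.group("det")
        # anything else (banner, SystemInfo block, blank lines) is ignored
    return entries


def findings(entries: Dict[str, Entry]) -> List[Entry]:
    """Objects with any verdict other than a single 'ok'."""
    return [e for e in entries.values() if not e.clean]


def format_findings(entries: Dict[str, Entry]) -> List[str]:
    """One human-readable line per finding: name, detection, verdicts, hash, path."""
    return [
        f"{e.name}: {e.detection or '?'} [{', '.join(e.verdicts)}] md5={e.md5 or '-'} path={e.path or '-'}"
        for e in findings(entries)
    ]


# Constructed sample in the report layout (not a real scan of any machine).
SAMPLE_REPORT = r"""
20:44:20.0500 4000 Scan started
20:44:20.0500 4000 Mode: Manual;
20:44:20.0796 4000 Abiosdsk - ok
20:44:20.0859 4000 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:44:20.0859 4000 ACPI - ok
20:44:21.0015 4000 AFD (604a70a5689cdc4325139caca5990673) C:\WINDOWS\System32\drivers\afd.sys
20:44:21.0015 4000 AFD ( Rootkit.Win32.ZAccess.g ) - infected
20:44:21.0015 4000 AFD - detected Rootkit.Win32.ZAccess.g (0)
20:44:21.0078 4000 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
20:44:21.0078 4000 AFS2K - ok
"""

if __name__ == "__main__":
    for line in format_findings(parse_report(SAMPLE_REPORT)):
        print(line)
```

Run it against a saved report with `parse_report(open("TDSSKiller.log").read())`; a driver that appears only with an `- ok` verdict and no record line (like `Abiosdsk` in the sample) is one that is registered in the service database but has no file on disk, which the script keeps as clean with `path` set to `None` rather than treating it as a finding.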

#6 Roses (Authentic Member, 20 posts)

Posted 11 November 2011 - 10:52 PM

Thank you again for such a quick reply. Here are the files you requested.

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Run by Roe at 20:40:16 on 2011-11-11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1494 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://aceonline.asicentral.com/ace/ltocx13n.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189988193562
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{0C4C2CD8-D480-482C-BEDA-2A9AAEA6491F} : NameServer = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\roe\application data\mozilla\firefox\profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\roe\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-5 366152]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\neatworks\exec\NeatWorksDatabaseController.exe [2009-1-27 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-3-15 5120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-6 22216]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-4-7 223128]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service; [x]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2011-11-9 332928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 10112]
.
=============== Created Last 30 ================
.
2011-11-09 18:54:52 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-09 18:51:46 -------- d-s---w- C:\123CF
2011-11-09 18:09:11 332928 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2011-11-08 02:39:41 -------- d-----w- C:\backups
2011-11-08 02:39:04 -------- d-----w- C:\ERDNT
2011-11-08 02:38:40 -------- d-----w- C:\Regbackup
2011-11-06 21:56:19 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 20:15:42 -------- d-----w- c:\documents and settings\roe\local settings\application data\Canon Easy-PhotoPrint EX
.
==================== Find3M ====================
.
2011-10-01 01:35:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11:08 444283 ----a-w- c:\program files\common files\WinPcapNmap.exe
2006-05-03 10:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26:34 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-22TMA0 rev.12.01C01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A7C2688]<<
_asm { MOV EAX, 0x8a7c25a8; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a7c70d4; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF09C] -> \Device\Harddisk0\DR0[0x8A6E4AB8]
\Driver\Disk[0x8A77F240] -> IRP_MJ_CREATE -> 0x8A7C2688
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a7c2688
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 20:40:48.95 ===============

Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/16/2007 1:35:13 PM
System Uptime: 11/11/2011 3:34:15 PM (5 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | G31MX-S2
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 192.606 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM ()
G: is Removable
H: is FIXED (NTFS) - 699 GiB total, 599.162 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Canon MX860 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX860 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
==== System Restore Points ===================
.
RP891: 8/14/2011 11:18:00 AM - System Checkpoint
RP892: 8/15/2011 12:01:36 PM - System Checkpoint
RP893: 8/16/2011 12:42:54 PM - System Checkpoint
RP894: 8/17/2011 1:39:57 PM - System Checkpoint
RP895: 8/21/2011 6:47:42 PM - System Checkpoint
RP896: 8/23/2011 11:49:08 AM - System Checkpoint
RP897: 8/24/2011 1:26:44 PM - System Checkpoint
RP898: 8/25/2011 1:59:17 PM - System Checkpoint
RP899: 8/26/2011 3:23:18 PM - System Checkpoint
RP900: 8/27/2011 5:12:41 PM - System Checkpoint
RP901: 8/28/2011 5:23:40 PM - System Checkpoint
RP902: 8/29/2011 5:28:24 PM - System Checkpoint
RP903: 8/31/2011 12:56:26 PM - System Checkpoint
RP904: 9/1/2011 2:58:59 PM - System Checkpoint
RP905: 9/2/2011 3:47:24 PM - System Checkpoint
RP906: 9/3/2011 3:50:24 PM - System Checkpoint
RP907: 9/4/2011 3:58:54 PM - System Checkpoint
RP908: 9/5/2011 4:12:10 PM - System Checkpoint
RP909: 9/6/2011 5:10:32 PM - System Checkpoint
RP910: 9/7/2011 6:37:13 PM - System Checkpoint
RP911: 9/9/2011 6:23:12 PM - System Checkpoint
RP912: 9/11/2011 7:10:22 PM - System Checkpoint
RP913: 9/13/2011 1:54:44 PM - System Checkpoint
RP914: 9/16/2011 11:53:55 AM - System Checkpoint
RP915: 9/17/2011 12:25:08 PM - System Checkpoint
RP916: 9/18/2011 1:26:09 PM - System Checkpoint
RP917: 9/19/2011 1:50:00 PM - System Checkpoint
RP918: 9/20/2011 5:20:41 PM - System Checkpoint
RP919: 9/21/2011 6:44:08 PM - System Checkpoint
RP920: 9/24/2011 1:08:38 PM - System Checkpoint
RP921: 9/25/2011 2:51:53 PM - System Checkpoint
RP922: 10/2/2011 3:28:52 PM - System Checkpoint
RP923: 10/3/2011 5:14:42 PM - System Checkpoint
RP924: 10/5/2011 4:57:44 PM - System Checkpoint
RP925: 10/6/2011 7:41:47 PM - System Checkpoint
RP926: 10/8/2011 11:52:53 AM - System Checkpoint
RP927: 10/10/2011 12:00:58 PM - System Checkpoint
RP928: 10/11/2011 12:30:20 PM - System Checkpoint
RP929: 10/12/2011 1:15:17 PM - System Checkpoint
RP930: 10/14/2011 11:57:55 AM - System Checkpoint
RP931: 10/15/2011 7:20:31 PM - System Checkpoint
RP932: 10/16/2011 8:20:22 PM - System Checkpoint
RP933: 10/17/2011 10:38:42 PM - System Checkpoint
RP934: 10/19/2011 12:01:29 PM - System Checkpoint
RP935: 10/21/2011 2:01:19 PM - System Checkpoint
RP936: 10/22/2011 5:47:19 PM - System Checkpoint
RP937: 10/23/2011 6:31:59 PM - System Checkpoint
RP938: 10/24/2011 7:05:40 PM - System Checkpoint
RP939: 10/26/2011 1:18:27 PM - System Checkpoint
RP940: 10/27/2011 2:08:46 PM - System Checkpoint
RP941: 10/28/2011 2:21:35 PM - System Checkpoint
RP942: 10/29/2011 3:00:07 PM - System Checkpoint
RP943: 10/30/2011 3:34:28 PM - System Checkpoint
RP944: 10/31/2011 5:14:31 PM - System Checkpoint
RP945: 11/1/2011 9:17:38 PM - System Checkpoint
RP946: 11/3/2011 12:19:34 PM - System Checkpoint
RP947: 11/4/2011 12:40:06 PM - System Checkpoint
RP948: 11/5/2011 2:14:56 PM - Installed Windows XP KB894391.
RP949: 11/6/2011 2:04:49 PM - Restore Operation
RP950: 11/6/2011 3:47:38 PM - Restore Operation
RP951: 11/6/2011 4:11:35 PM - Restore Operation
RP952: 11/7/2011 4:46:33 PM - System Checkpoint
RP953: 11/8/2011 5:02:38 PM - System Checkpoint
RP954: 11/9/2011 7:59:13 PM - System Checkpoint
RP955: 11/11/2011 4:05:26 PM - System Checkpoint
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Digital Editions
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.3
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Business Plan Pro 2006
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon EOS 5D WIA Driver
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
Canon MultiPASS Suite 4.00
Canon MX860 series MP Drivers
Canon MX860 series User Registration
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.2
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities My Printer
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RAW Image Converter2
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Combined Community Codec Pack 2007-07-22
Compatibility Pack for the 2007 Office system
ConvertXtoDVD 2.2.3.258h
ConvertXtoDVD 3.0.0.9
Diskeeper 2007 Pro Premier
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Platinum 4.0.1.2 Ghosthunter release
ERUNT 1.1j
ESP Online
FileZilla (remove only)
FlipShare
Free Window Registry Repair
GIMP 2.4.6
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting/GoToWebinar 3.0.0.198
HijackThis 2.0.2
hotComm® CL
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
IIS6 Manager
Intel® Graphics Media Accelerator Driver
Internet Explorer Developer Toolbar
iTunes
Java™ 6 Update 6
Java™ 6 Update 7
JDownloader
K-Lite Codec Pack 6.5.0 (Basic)
Lizardtech DjVu Control
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (NR2007)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Web Publishing Wizard 1.52
MMConvert 1.0.5.236 Beta
Mozilla Firefox 5.0 (x86 en-US)
MSXML 6.0 Parser
My Book Device Driver
My Book RAID Manager
Neat ADF Scanner Driver
Neat Mobile Scanner (Silver) Driver
Neat Mobile Scanner 2008 Driver
NeatWorks
NeatWorks Core Files
Nero 7 Lite v7.7.5.1
Netscape Navigator (9.0.0.6)
OpenOffice.org Installer 1.0
PageRage 1.10.01
Palo Alto Software's Application Manager 8.2
PDF Password Remover v2.5
PDF Settings
PowerISO
Quicken 2008
QuickTime
RAIDar 4.3.0
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.1
Registry Mechanic 7.0
Safari
Seagate Manager Installer
Shockwave
Skype™ 3.6
SnagIt 8
Sony Picture Utility
Sony USB Driver
Stellar Phoenix (FAT & NTFS) 2.1
SUPERAntiSpyware Free Edition
Tango
The Print Shop 20
The Rosetta Stone
The Ultimate Troubleshooter
Turbo Lister 2
Tweak UI
Universal Document Converter
Unlocker 1.8.7
Update for Windows XP (KB911164)
VDownloader 3.0.752
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WinRAR archiver
WinZip 11.1
Xilisoft DVD Creator
XSite Pro
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar
YouTube Downloader 3.4
YouTube Downloader Toolbar v4.7
.
==== Event Viewer Messages From Past Week ========
.
11/9/2011 10:49:17 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
11/7/2011 8:08:12 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
11/7/2011 7:46:54 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
11/7/2011 7:41:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TFSysMon
11/7/2011 7:41:57 AM, error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
11/6/2011 9:09:46 AM, error: Service Control Manager [7034] - The McAfee Security Scan Component Host Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 4:06:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/6/2011 4:06:49 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}
11/6/2011 4:05:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SCDEmu Tcpip TfFsMon TFSysMon v2imount
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 2:55:31 PM, error: Service Control Manager [7016] - The MpService service has reported an invalid current state 0.
11/6/2011 2:25:06 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
11/6/2011 2:24:57 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:24:57 PM, error: Service Control Manager [7009] - Timeout (300000 milliseconds) waiting for the NeatWorks Database Controller service to connect.
11/6/2011 2:17:26 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The FlipShare Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:22 PM, error: Service Control Manager [7034] - The Application Updater service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:05:32 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: TCP/IP network protocol not installed.
11/5/2011 12:16:55 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: Access is denied.
11/5/2011 10:46:45 AM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
11/10/2011 10:38:07 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952447 (0x8007273F).
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952447
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Bonjour Service service depends on the following nonexistent service: Tcpip
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Apple Mobile Device service depends on the following nonexistent service: Tcpip
11/10/2011 10:37:42 AM, error: Workstation [5728] - Could not load any transport.
.
==== End Of File ===========================


Report.txt:


20:44:07.0234 1196 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
20:44:07.0250 1196 ============================================================
20:44:07.0250 1196 Current date / time: 2011/11/11 20:44:07.0250
20:44:07.0250 1196 SystemInfo:
20:44:07.0250 1196
20:44:07.0250 1196 OS Version: 5.1.2600 ServicePack: 2.0
20:44:07.0250 1196 Product type: Workstation
20:44:07.0250 1196 ComputerName: DAOFFICE
20:44:07.0250 1196 UserName: Roe
20:44:07.0250 1196 Windows directory: C:\WINDOWS
20:44:07.0250 1196 System windows directory: C:\WINDOWS
20:44:07.0250 1196 Processor architecture: Intel x86
20:44:07.0250 1196 Number of processors: 2
20:44:07.0250 1196 Page size: 0x1000
20:44:07.0250 1196 Boot type: Normal boot
20:44:07.0250 1196 ============================================================
20:44:08.0343 1196 Initialize success
20:44:20.0500 4000 ============================================================
20:44:20.0500 4000 Scan started
20:44:20.0500 4000 Mode: Manual;
20:44:20.0500 4000 ============================================================
20:44:20.0796 4000 Abiosdsk - ok
20:44:20.0796 4000 abp480n5 - ok
20:44:20.0859 4000 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:44:20.0859 4000 ACPI - ok
20:44:20.0906 4000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:44:20.0906 4000 ACPIEC - ok
20:44:20.0906 4000 adpu160m - ok
20:44:20.0968 4000 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
20:44:20.0968 4000 aec - ok
20:44:21.0015 4000 AFD (604a70a5689cdc4325139caca5990673) C:\WINDOWS\System32\drivers\afd.sys
20:44:21.0015 4000 AFD ( Rootkit.Win32.ZAccess.g ) - infected
20:44:21.0015 4000 AFD - detected Rootkit.Win32.ZAccess.g (0)
20:44:21.0078 4000 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
20:44:21.0078 4000 AFS2K - ok
20:44:21.0078 4000 Aha154x - ok
20:44:21.0093 4000 aic78u2 - ok
20:44:21.0093 4000 aic78xx - ok
20:44:21.0109 4000 AliIde - ok
20:44:21.0109 4000 amsint - ok
20:44:21.0125 4000 asc - ok
20:44:21.0125 4000 asc3350p - ok
20:44:21.0125 4000 asc3550 - ok
20:44:21.0156 4000 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:44:21.0156 4000 AsyncMac - ok
20:44:21.0171 4000 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:44:21.0171 4000 atapi - ok
20:44:21.0171 4000 Atdisk - ok
20:44:21.0187 4000 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:44:21.0187 4000 Atmarpc - ok
20:44:21.0203 4000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:44:21.0203 4000 audstub - ok
20:44:21.0234 4000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:44:21.0234 4000 Beep - ok
20:44:21.0265 4000 catchme - ok
20:44:21.0312 4000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:44:21.0312 4000 cbidf2k - ok
20:44:21.0343 4000 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:44:21.0343 4000 CCDECODE - ok
20:44:21.0343 4000 cd20xrnt - ok
20:44:21.0375 4000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:44:21.0375 4000 Cdaudio - ok
20:44:21.0375 4000 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
20:44:21.0375 4000 Cdfs - ok
20:44:21.0390 4000 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:44:21.0390 4000 Cdrom - ok
20:44:21.0390 4000 Changer - ok
20:44:21.0437 4000 cis1284 (7e1d1616c7e2fbba784e5dbd05d88eca) C:\WINDOWS\system32\drivers\cis1284.sys
20:44:21.0437 4000 cis1284 - ok
20:44:21.0453 4000 CmdIde - ok
20:44:21.0453 4000 Cpqarray - ok
20:44:21.0468 4000 dac2w2k - ok
20:44:21.0468 4000 dac960nt - ok
20:44:21.0484 4000 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
20:44:21.0484 4000 Disk - ok
20:44:21.0546 4000 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
20:44:21.0546 4000 dmboot - ok
20:44:21.0578 4000 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
20:44:21.0578 4000 dmio - ok
20:44:21.0578 4000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:44:21.0578 4000 dmload - ok
20:44:21.0593 4000 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
20:44:21.0593 4000 DMusic - ok
20:44:21.0593 4000 dpti2o - ok
20:44:21.0609 4000 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
20:44:21.0609 4000 drmkaud - ok
20:44:21.0640 4000 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
20:44:21.0640 4000 Fastfat - ok
20:44:21.0656 4000 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
20:44:21.0671 4000 Fdc - ok
20:44:21.0671 4000 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
20:44:21.0671 4000 Fips - ok
20:44:21.0671 4000 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:44:21.0671 4000 Flpydisk - ok
20:44:21.0703 4000 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:44:21.0703 4000 FltMgr - ok
20:44:21.0718 4000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:44:21.0718 4000 Fs_Rec - ok
20:44:21.0718 4000 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:44:21.0734 4000 Ftdisk - ok
20:44:21.0750 4000 gdrv (54789f9ba0d59072cdd4e7c200e122c4) C:\WINDOWS\gdrv.sys
20:44:21.0750 4000 gdrv - ok
20:44:21.0765 4000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:44:21.0765 4000 GEARAspiWDM - ok
20:44:21.0781 4000 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:44:21.0781 4000 Gpc - ok
20:44:21.0828 4000 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:44:21.0828 4000 HDAudBus - ok
20:44:21.0875 4000 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:44:21.0875 4000 HidUsb - ok
20:44:21.0875 4000 hpn - ok
20:44:21.0921 4000 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
20:44:21.0937 4000 HTTP - ok
20:44:21.0937 4000 i2omgmt - ok
20:44:21.0937 4000 i2omp - ok
20:44:22.0000 4000 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:44:22.0000 4000 i8042prt - ok
20:44:22.0203 4000 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:44:22.0375 4000 ialm - ok
20:44:22.0390 4000 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:44:22.0390 4000 Imapi - ok
20:44:22.0406 4000 ini910u - ok
20:44:22.0546 4000 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:44:22.0671 4000 IntcAzAudAddService - ok
20:44:22.0671 4000 IntelIde - ok
20:44:22.0718 4000 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:44:22.0718 4000 intelppm - ok
20:44:22.0734 4000 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:44:22.0734 4000 Ip6Fw - ok
20:44:22.0781 4000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:44:22.0781 4000 IpFilterDriver - ok
20:44:22.0796 4000 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:44:22.0796 4000 IpInIp - ok
20:44:22.0843 4000 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:44:22.0843 4000 IpNat - ok
20:44:22.0859 4000 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:44:22.0859 4000 IPSec - ok
20:44:22.0890 4000 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:44:22.0890 4000 IRENUM - ok
20:44:22.0890 4000 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:44:22.0890 4000 isapnp - ok
20:44:22.0906 4000 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:44:22.0906 4000 Kbdclass - ok
20:44:22.0937 4000 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
20:44:22.0937 4000 kmixer - ok
20:44:22.0953 4000 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
20:44:22.0953 4000 KSecDD - ok
20:44:22.0968 4000 lbrtfdc - ok
20:44:23.0000 4000 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
20:44:23.0000 4000 MBAMProtector - ok
20:44:23.0000 4000 MBAMSwissArmy - ok
20:44:23.0015 4000 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:44:23.0015 4000 MHNDRV - ok
20:44:23.0031 4000 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:44:23.0031 4000 mnmdd - ok
20:44:23.0031 4000 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
20:44:23.0046 4000 Modem - ok
20:44:23.0062 4000 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:44:23.0062 4000 Mouclass - ok
20:44:23.0093 4000 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:44:23.0093 4000 mouhid - ok
20:44:23.0093 4000 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
20:44:23.0093 4000 MountMgr - ok
20:44:23.0109 4000 mraid35x - ok
20:44:23.0140 4000 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:44:23.0140 4000 MRxDAV - ok
20:44:23.0187 4000 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:44:23.0203 4000 MRxSmb - ok
20:44:23.0250 4000 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
20:44:23.0250 4000 Msfs - ok
20:44:23.0250 4000 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:44:23.0250 4000 MSKSSRV - ok
20:44:23.0265 4000 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:44:23.0265 4000 MSPCLOCK - ok
20:44:23.0265 4000 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
20:44:23.0265 4000 MSPQM - ok
20:44:23.0312 4000 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:44:23.0312 4000 mssmbios - ok
20:44:23.0343 4000 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
20:44:23.0343 4000 MSTEE - ok
20:44:23.0359 4000 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
20:44:23.0359 4000 Mup - ok
20:44:23.0359 4000 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:44:23.0359 4000 NABTSFEC - ok
20:44:23.0375 4000 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
20:44:23.0375 4000 NDIS - ok
20:44:23.0375 4000 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:44:23.0375 4000 NdisIP - ok
20:44:23.0406 4000 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:44:23.0406 4000 NdisTapi - ok
20:44:23.0468 4000 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:44:23.0468 4000 Ndisuio - ok
20:44:23.0468 4000 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:44:23.0468 4000 NdisWan - ok
20:44:23.0484 4000 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
20:44:23.0484 4000 NDProxy - ok
20:44:23.0484 4000 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:44:23.0484 4000 NetBIOS - ok
20:44:23.0500 4000 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:44:23.0500 4000 NetBT - ok
20:44:23.0562 4000 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
20:44:23.0562 4000 npf - ok
20:44:23.0562 4000 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
20:44:23.0562 4000 Npfs - ok
20:44:23.0609 4000 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
20:44:23.0625 4000 Ntfs - ok
20:44:23.0640 4000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:44:23.0640 4000 Null - ok
20:44:23.0687 4000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:44:23.0687 4000 NwlnkFlt - ok
20:44:23.0687 4000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:44:23.0687 4000 NwlnkFwd - ok
20:44:23.0718 4000 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
20:44:23.0718 4000 Parport - ok
20:44:23.0718 4000 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
20:44:23.0718 4000 PartMgr - ok
20:44:23.0734 4000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:44:23.0734 4000 ParVdm - ok
20:44:23.0734 4000 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
20:44:23.0734 4000 PCI - ok
20:44:23.0750 4000 PCIDump - ok
20:44:23.0765 4000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:44:23.0781 4000 PCIIde - ok
20:44:23.0796 4000 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:44:23.0796 4000 Pcmcia - ok
20:44:23.0828 4000 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
20:44:23.0828 4000 pcouffin - ok
20:44:23.0843 4000 PDCOMP - ok
20:44:23.0843 4000 PDFRAME - ok
20:44:23.0859 4000 PDRELI - ok
20:44:23.0859 4000 PDRFRAME - ok
20:44:23.0859 4000 perc2 - ok
20:44:23.0875 4000 perc2hib - ok
20:44:23.0937 4000 PhilCam8116 (8754763a924639b9d07d4c8ea9990f1e) C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
20:44:23.0937 4000 PhilCam8116 - ok
20:44:23.0937 4000 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:44:23.0953 4000 PptpMiniport - ok
20:44:23.0953 4000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:44:23.0953 4000 Ptilink - ok
20:44:23.0984 4000 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:44:23.0984 4000 PxHelp20 - ok
20:44:24.0000 4000 ql1080 - ok
20:44:24.0000 4000 Ql10wnt - ok
20:44:24.0000 4000 ql12160 - ok
20:44:24.0015 4000 ql1240 - ok
20:44:24.0015 4000 ql1280 - ok
20:44:24.0046 4000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:44:24.0046 4000 RasAcd - ok
20:44:24.0062 4000 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:44:24.0062 4000 Rasl2tp - ok
20:44:24.0062 4000 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:44:24.0062 4000 RasPppoe - ok
20:44:24.0078 4000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:44:24.0078 4000 Raspti - ok
20:44:24.0125 4000 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:44:24.0125 4000 Rdbss - ok
20:44:24.0140 4000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:44:24.0140 4000 RDPCDD - ok
20:44:24.0171 4000 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:44:24.0171 4000 rdpdr - ok
20:44:24.0187 4000 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
20:44:24.0187 4000 RDPWD - ok
20:44:24.0218 4000 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:44:24.0218 4000 redbook - ok
20:44:24.0281 4000 RTL8023xp (1e11171c0b9989e1bdaa59e96b2e81c4) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
20:44:24.0281 4000 RTL8023xp - ok
20:44:24.0328 4000 RTLWUSB (5a850259b849a899990379a75460a4eb) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
20:44:24.0328 4000 RTLWUSB - ok
20:44:24.0453 4000 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:44:24.0453 4000 SASDIFSV - ok
20:44:24.0468 4000 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
20:44:24.0468 4000 SASENUM - ok
20:44:24.0484 4000 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
20:44:24.0484 4000 SASKUTIL - ok
20:44:24.0546 4000 SCDEmu (3b35ce540758bbabb721e234cb5a4f3f) C:\WINDOWS\system32\drivers\SCDEmu.sys
20:44:24.0546 4000 SCDEmu - ok
20:44:24.0578 4000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:44:24.0578 4000 Secdrv - ok
20:44:24.0578 4000 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:44:24.0593 4000 serenum - ok
20:44:24.0593 4000 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
20:44:24.0593 4000 Serial - ok
20:44:24.0609 4000 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:44:24.0609 4000 Sfloppy - ok
20:44:24.0609 4000 Simbad - ok
20:44:24.0640 4000 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:44:24.0640 4000 SLIP - ok
20:44:24.0656 4000 Sparrow - ok
20:44:24.0687 4000 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
20:44:24.0687 4000 splitter - ok
20:44:24.0750 4000 sptd (ee26b8860d226f8eec48aabbdae33e8c) C:\WINDOWS\system32\Drivers\sptd.sys
20:44:24.0750 4000 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: ee26b8860d226f8eec48aabbdae33e8c
20:44:24.0750 4000 sptd ( LockedFile.Multi.Generic ) - warning
20:44:24.0750 4000 sptd - detected LockedFile.Multi.Generic (1)
20:44:24.0781 4000 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:44:24.0781 4000 sr - ok
20:44:24.0796 4000 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
20:44:24.0796 4000 Srv - ok
20:44:24.0828 4000 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
20:44:24.0828 4000 StillCam - ok
20:44:24.0859 4000 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:44:24.0859 4000 streamip - ok
20:44:24.0875 4000 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:44:24.0875 4000 swenum - ok
20:44:24.0906 4000 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
20:44:24.0906 4000 swmidi - ok
20:44:24.0906 4000 symc810 - ok
20:44:24.0921 4000 symc8xx - ok
20:44:24.0921 4000 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
20:44:24.0937 4000 symsnap - ok
20:44:24.0937 4000 sym_hi - ok
20:44:24.0937 4000 sym_u3 - ok
20:44:24.0968 4000 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
20:44:24.0968 4000 sysaudio - ok
20:44:25.0031 4000 Tcpip (90caff4b094573449a0872a0f919b178) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:44:25.0031 4000 Tcpip - ok
20:44:25.0062 4000 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:44:25.0062 4000 TDPIPE - ok
20:44:25.0078 4000 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
20:44:25.0078 4000 TDTCP - ok
20:44:25.0093 4000 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:44:25.0093 4000 TermDD - ok
20:44:25.0109 4000 TfFsMon - ok
20:44:25.0109 4000 TfNetMon - ok
20:44:25.0109 4000 TFSysMon - ok
20:44:25.0125 4000 TosIde - ok
20:44:25.0156 4000 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
20:44:25.0156 4000 Udfs - ok
20:44:25.0171 4000 ultra - ok
20:44:25.0218 4000 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
20:44:25.0218 4000 Update - ok
20:44:25.0250 4000 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:44:25.0250 4000 USBAAPL - ok
20:44:25.0296 4000 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
20:44:25.0296 4000 usbaudio - ok
20:44:25.0343 4000 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:44:25.0343 4000 usbccgp - ok
20:44:25.0406 4000 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:44:25.0406 4000 usbehci - ok
20:44:25.0406 4000 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:44:25.0406 4000 usbhub - ok
20:44:25.0421 4000 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:44:25.0421 4000 usbprint - ok
20:44:25.0437 4000 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:44:25.0453 4000 usbscan - ok
20:44:25.0453 4000 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:44:25.0453 4000 USBSTOR - ok
20:44:25.0500 4000 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:44:25.0500 4000 usbuhci - ok
20:44:25.0500 4000 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
20:44:25.0500 4000 v2imount - ok
20:44:25.0562 4000 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
20:44:25.0562 4000 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\vaxscsi.sys. md5: 92cebc2bc7be2c8d49391b365569f306
20:44:25.0562 4000 vaxscsi ( LockedFile.Multi.Generic ) - warning
20:44:25.0562 4000 vaxscsi - detected LockedFile.Multi.Generic (1)
20:44:25.0562 4000 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
20:44:25.0562 4000 VgaSave - ok
20:44:25.0578 4000 ViaIde - ok
20:44:25.0578 4000 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
20:44:25.0578 4000 VolSnap - ok
20:44:25.0625 4000 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
20:44:25.0625 4000 VProEventMonitor - ok
20:44:25.0640 4000 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:44:25.0640 4000 Wanarp - ok
20:44:25.0687 4000 WDC_SAM (011e8a3e13dd7007353edbee4b180b50) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
20:44:25.0687 4000 WDC_SAM - ok
20:44:25.0687 4000 WDICA - ok
20:44:25.0734 4000 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
20:44:25.0734 4000 wdmaud - ok
20:44:25.0750 4000 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
20:44:25.0765 4000 WimFltr - ok
20:44:25.0812 4000 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:44:25.0812 4000 WS2IFSL - ok
20:44:25.0828 4000 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:44:25.0828 4000 WSTCODEC - ok
20:44:25.0859 4000 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:44:25.0953 4000 \Device\Harddisk0\DR0 - ok
20:44:25.0968 4000 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR2
20:44:26.0000 4000 \Device\Harddisk1\DR2 - ok
20:44:26.0000 4000 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk3\DR8
20:44:31.0156 4000 \Device\Harddisk3\DR8 - ok
20:44:31.0156 4000 Boot (0x1200) (f7b5ab6c14f1efeed5d4f9776ce984bb) \Device\Harddisk0\DR0\Partition0
20:44:31.0156 4000 \Device\Harddisk0\DR0\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (929749ac877032ada46fea5e036cb138) \Device\Harddisk1\DR2\Partition0
20:44:31.0171 4000 \Device\Harddisk1\DR2\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (78caf6819748ba73d36015a85cc04c86) \Device\Harddisk3\DR8\Partition0
20:44:31.0171 4000 \Device\Harddisk3\DR8\Partition0 - ok
20:44:31.0171 4000 ============================================================
20:44:31.0171 4000 Scan finished
20:44:31.0171 4000 ============================================================
20:44:31.0171 0432 Detected object count: 3
20:44:31.0171 0432 Actual detected object count: 3
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - skipped by user
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - User select action: Skip
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - User select action: Skip

#7 Roses

    Authentic Member

  • 20 posts

Posted 11 November 2011 - 10:52 PM

Thank you again for such a quick reply. Here are the files you requested.

dss.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Run by Roe at 20:40:16 on 2011-11-11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1494 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://aceonline.asicentral.com/ace/ltocx13n.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189988193562
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{0C4C2CD8-D480-482C-BEDA-2A9AAEA6491F} : NameServer = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\roe\application data\mozilla\firefox\profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\roe\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-5 366152]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\neatworks\exec\NeatWorksDatabaseController.exe [2009-1-27 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-3-15 5120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-6 22216]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2008-4-7 223128]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service; [x]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2011-11-9 332928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2006-9-7 10112]
.
=============== Created Last 30 ================
.
2011-11-09 18:54:52 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-09 18:51:46 -------- d-s---w- C:\123CF
2011-11-09 18:09:11 332928 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2011-11-08 02:39:41 -------- d-----w- C:\backups
2011-11-08 02:39:04 -------- d-----w- C:\ERDNT
2011-11-08 02:38:40 -------- d-----w- C:\Regbackup
2011-11-06 21:56:19 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 20:15:42 -------- d-----w- c:\documents and settings\roe\local settings\application data\Canon Easy-PhotoPrint EX
.
==================== Find3M ====================
.
2011-10-01 01:35:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11:08 444283 ----a-w- c:\program files\common files\WinPcapNmap.exe
2006-05-03 10:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26:34 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-22TMA0 rev.12.01C01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A7C2688]<<
_asm { MOV EAX, 0x8a7c25a8; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a7c70d4; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF09C] -> \Device\Harddisk0\DR0[0x8A6E4AB8]
\Driver\Disk[0x8A77F240] -> IRP_MJ_CREATE -> 0x8A7C2688
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a7c2688
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 20:40:48.95 ===============

attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/16/2007 1:35:13 PM
System Uptime: 11/11/2011 3:34:15 PM (5 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | G31MX-S2
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 192.606 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM ()
G: is Removable
H: is FIXED (NTFS) - 699 GiB total, 599.162 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Canon MX860 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX860 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
==== System Restore Points ===================
.
RP891: 8/14/2011 11:18:00 AM - System Checkpoint
RP892: 8/15/2011 12:01:36 PM - System Checkpoint
RP893: 8/16/2011 12:42:54 PM - System Checkpoint
RP894: 8/17/2011 1:39:57 PM - System Checkpoint
RP895: 8/21/2011 6:47:42 PM - System Checkpoint
RP896: 8/23/2011 11:49:08 AM - System Checkpoint
RP897: 8/24/2011 1:26:44 PM - System Checkpoint
RP898: 8/25/2011 1:59:17 PM - System Checkpoint
RP899: 8/26/2011 3:23:18 PM - System Checkpoint
RP900: 8/27/2011 5:12:41 PM - System Checkpoint
RP901: 8/28/2011 5:23:40 PM - System Checkpoint
RP902: 8/29/2011 5:28:24 PM - System Checkpoint
RP903: 8/31/2011 12:56:26 PM - System Checkpoint
RP904: 9/1/2011 2:58:59 PM - System Checkpoint
RP905: 9/2/2011 3:47:24 PM - System Checkpoint
RP906: 9/3/2011 3:50:24 PM - System Checkpoint
RP907: 9/4/2011 3:58:54 PM - System Checkpoint
RP908: 9/5/2011 4:12:10 PM - System Checkpoint
RP909: 9/6/2011 5:10:32 PM - System Checkpoint
RP910: 9/7/2011 6:37:13 PM - System Checkpoint
RP911: 9/9/2011 6:23:12 PM - System Checkpoint
RP912: 9/11/2011 7:10:22 PM - System Checkpoint
RP913: 9/13/2011 1:54:44 PM - System Checkpoint
RP914: 9/16/2011 11:53:55 AM - System Checkpoint
RP915: 9/17/2011 12:25:08 PM - System Checkpoint
RP916: 9/18/2011 1:26:09 PM - System Checkpoint
RP917: 9/19/2011 1:50:00 PM - System Checkpoint
RP918: 9/20/2011 5:20:41 PM - System Checkpoint
RP919: 9/21/2011 6:44:08 PM - System Checkpoint
RP920: 9/24/2011 1:08:38 PM - System Checkpoint
RP921: 9/25/2011 2:51:53 PM - System Checkpoint
RP922: 10/2/2011 3:28:52 PM - System Checkpoint
RP923: 10/3/2011 5:14:42 PM - System Checkpoint
RP924: 10/5/2011 4:57:44 PM - System Checkpoint
RP925: 10/6/2011 7:41:47 PM - System Checkpoint
RP926: 10/8/2011 11:52:53 AM - System Checkpoint
RP927: 10/10/2011 12:00:58 PM - System Checkpoint
RP928: 10/11/2011 12:30:20 PM - System Checkpoint
RP929: 10/12/2011 1:15:17 PM - System Checkpoint
RP930: 10/14/2011 11:57:55 AM - System Checkpoint
RP931: 10/15/2011 7:20:31 PM - System Checkpoint
RP932: 10/16/2011 8:20:22 PM - System Checkpoint
RP933: 10/17/2011 10:38:42 PM - System Checkpoint
RP934: 10/19/2011 12:01:29 PM - System Checkpoint
RP935: 10/21/2011 2:01:19 PM - System Checkpoint
RP936: 10/22/2011 5:47:19 PM - System Checkpoint
RP937: 10/23/2011 6:31:59 PM - System Checkpoint
RP938: 10/24/2011 7:05:40 PM - System Checkpoint
RP939: 10/26/2011 1:18:27 PM - System Checkpoint
RP940: 10/27/2011 2:08:46 PM - System Checkpoint
RP941: 10/28/2011 2:21:35 PM - System Checkpoint
RP942: 10/29/2011 3:00:07 PM - System Checkpoint
RP943: 10/30/2011 3:34:28 PM - System Checkpoint
RP944: 10/31/2011 5:14:31 PM - System Checkpoint
RP945: 11/1/2011 9:17:38 PM - System Checkpoint
RP946: 11/3/2011 12:19:34 PM - System Checkpoint
RP947: 11/4/2011 12:40:06 PM - System Checkpoint
RP948: 11/5/2011 2:14:56 PM - Installed Windows XP KB894391.
RP949: 11/6/2011 2:04:49 PM - Restore Operation
RP950: 11/6/2011 3:47:38 PM - Restore Operation
RP951: 11/6/2011 4:11:35 PM - Restore Operation
RP952: 11/7/2011 4:46:33 PM - System Checkpoint
RP953: 11/8/2011 5:02:38 PM - System Checkpoint
RP954: 11/9/2011 7:59:13 PM - System Checkpoint
RP955: 11/11/2011 4:05:26 PM - System Checkpoint
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Digital Editions
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.3
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Business Plan Pro 2006
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon EOS 5D WIA Driver
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
Canon MultiPASS Suite 4.00
Canon MX860 series MP Drivers
Canon MX860 series User Registration
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.2
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities My Printer
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RAW Image Converter2
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Combined Community Codec Pack 2007-07-22
Compatibility Pack for the 2007 Office system
ConvertXtoDVD 2.2.3.258h
ConvertXtoDVD 3.0.0.9
Diskeeper 2007 Pro Premier
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Platinum 4.0.1.2 Ghosthunter release
ERUNT 1.1j
ESP Online
FileZilla (remove only)
FlipShare
Free Window Registry Repair
GIMP 2.4.6
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting/GoToWebinar 3.0.0.198
HijackThis 2.0.2
hotCommÆ CL
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
IIS6 Manager
Intel® Graphics Media Accelerator Driver
Internet Explorer Developer Toolbar
iTunes
Java™ 6 Update 6
Java™ 6 Update 7
JDownloader
K-Lite Codec Pack 6.5.0 (Basic)
Lizardtech DjVu Control
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (NR2007)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Web Publishing Wizard 1.52
MMConvert 1.0.5.236 Beta
Mozilla Firefox 5.0 (x86 en-US)
MSXML 6.0 Parser
My Book Device Driver
My Book RAID Manager
Neat ADF Scanner Driver
Neat Mobile Scanner (Silver) Driver
Neat Mobile Scanner 2008 Driver
NeatWorks
NeatWorks Core Files
Nero 7 Lite v7.7.5.1
Netscape Navigator (9.0.0.6)
OpenOffice.org Installer 1.0
PageRage 1.10.01
Palo Alto Software's Application Manager 8.2
PDF Password Remover v2.5
PDF Settings
PowerISO
Quicken 2008
QuickTime
RAIDar 4.3.0
RealPlayer
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.1
Registry Mechanic 7.0
Safari
Seagate Manager Installer
Shockwave
Skype™ 3.6
SnagIt 8
Sony Picture Utility
Sony USB Driver
Stellar Phoenix (FAT & NTFS) 2.1
SUPERAntiSpyware Free Edition
Tango
The Print Shop 20
The Rosetta Stone
The Ultimate Troubleshooter
Turbo Lister 2
Tweak UI
Universal Document Converter
Unlocker 1.8.7
Update for Windows XP (KB911164)
VDownloader 3.0.752
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WinRAR archiver
WinZip 11.1
Xilisoft DVD Creator
XSite Pro
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar
YouTube Downloader 3.4
YouTube Downloader Toolbar v4.7
.
==== Event Viewer Messages From Past Week ========
.
11/9/2011 10:49:17 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
11/7/2011 8:08:12 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
11/7/2011 7:46:54 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
11/7/2011 7:41:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TFSysMon
11/7/2011 7:41:57 AM, error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: The specified module could not be found.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
11/7/2011 7:41:57 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
11/6/2011 9:09:46 AM, error: Service Control Manager [7034] - The McAfee Security Scan Component Host Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 4:06:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/6/2011 4:06:49 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service IISADMIN with arguments "" in order to run the server: {A9E69610-B80D-11D0-B9B9-00A0C922E750}
11/6/2011 4:05:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SCDEmu Tcpip TfFsMon TFSysMon v2imount
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 4:05:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2011 2:55:31 PM, error: Service Control Manager [7016] - The MpService service has reported an invalid current state 0.
11/6/2011 2:25:06 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
11/6/2011 2:24:57 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:24:57 PM, error: Service Control Manager [7009] - Timeout (300000 milliseconds) waiting for the NeatWorks Database Controller service to connect.
11/6/2011 2:17:26 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The FlipShare Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:25 PM, error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:17:22 PM, error: Service Control Manager [7034] - The Application Updater service terminated unexpectedly. It has done this 1 time(s).
11/6/2011 2:05:32 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.
11/6/2011 2:04:11 PM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: TCP/IP network protocol not installed.
11/5/2011 12:16:55 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: Access is denied.
11/5/2011 10:46:45 AM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
11/10/2011 10:38:07 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952447 (0x8007273F).
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
11/10/2011 10:38:07 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952447
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Bonjour Service service depends on the following nonexistent service: Tcpip
11/10/2011 10:38:07 AM, error: Service Control Manager [7003] - The Apple Mobile Device service depends on the following nonexistent service: Tcpip
11/10/2011 10:37:42 AM, error: Workstation [5728] - Could not load any transport.
.
==== End Of File ===========================


Report.txt:


20:44:07.0234 1196 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
20:44:07.0250 1196 ============================================================
20:44:07.0250 1196 Current date / time: 2011/11/11 20:44:07.0250
20:44:07.0250 1196 SystemInfo:
20:44:07.0250 1196
20:44:07.0250 1196 OS Version: 5.1.2600 ServicePack: 2.0
20:44:07.0250 1196 Product type: Workstation
20:44:07.0250 1196 ComputerName: DAOFFICE
20:44:07.0250 1196 UserName: Roe
20:44:07.0250 1196 Windows directory: C:\WINDOWS
20:44:07.0250 1196 System windows directory: C:\WINDOWS
20:44:07.0250 1196 Processor architecture: Intel x86
20:44:07.0250 1196 Number of processors: 2
20:44:07.0250 1196 Page size: 0x1000
20:44:07.0250 1196 Boot type: Normal boot
20:44:07.0250 1196 ============================================================
20:44:08.0343 1196 Initialize success
20:44:20.0500 4000 ============================================================
20:44:20.0500 4000 Scan started
20:44:20.0500 4000 Mode: Manual;
20:44:20.0500 4000 ============================================================
20:44:20.0796 4000 Abiosdsk - ok
20:44:20.0796 4000 abp480n5 - ok
20:44:20.0859 4000 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:44:20.0859 4000 ACPI - ok
20:44:20.0906 4000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:44:20.0906 4000 ACPIEC - ok
20:44:20.0906 4000 adpu160m - ok
20:44:20.0968 4000 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
20:44:20.0968 4000 aec - ok
20:44:21.0015 4000 AFD (604a70a5689cdc4325139caca5990673) C:\WINDOWS\System32\drivers\afd.sys
20:44:21.0015 4000 AFD ( Rootkit.Win32.ZAccess.g ) - infected
20:44:21.0015 4000 AFD - detected Rootkit.Win32.ZAccess.g (0)
20:44:21.0078 4000 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
20:44:21.0078 4000 AFS2K - ok
20:44:21.0078 4000 Aha154x - ok
20:44:21.0093 4000 aic78u2 - ok
20:44:21.0093 4000 aic78xx - ok
20:44:21.0109 4000 AliIde - ok
20:44:21.0109 4000 amsint - ok
20:44:21.0125 4000 asc - ok
20:44:21.0125 4000 asc3350p - ok
20:44:21.0125 4000 asc3550 - ok
20:44:21.0156 4000 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:44:21.0156 4000 AsyncMac - ok
20:44:21.0171 4000 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:44:21.0171 4000 atapi - ok
20:44:21.0171 4000 Atdisk - ok
20:44:21.0187 4000 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:44:21.0187 4000 Atmarpc - ok
20:44:21.0203 4000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:44:21.0203 4000 audstub - ok
20:44:21.0234 4000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:44:21.0234 4000 Beep - ok
20:44:21.0265 4000 catchme - ok
20:44:21.0312 4000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:44:21.0312 4000 cbidf2k - ok
20:44:21.0343 4000 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:44:21.0343 4000 CCDECODE - ok
20:44:21.0343 4000 cd20xrnt - ok
20:44:21.0375 4000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:44:21.0375 4000 Cdaudio - ok
20:44:21.0375 4000 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
20:44:21.0375 4000 Cdfs - ok
20:44:21.0390 4000 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:44:21.0390 4000 Cdrom - ok
20:44:21.0390 4000 Changer - ok
20:44:21.0437 4000 cis1284 (7e1d1616c7e2fbba784e5dbd05d88eca) C:\WINDOWS\system32\drivers\cis1284.sys
20:44:21.0437 4000 cis1284 - ok
20:44:21.0453 4000 CmdIde - ok
20:44:21.0453 4000 Cpqarray - ok
20:44:21.0468 4000 dac2w2k - ok
20:44:21.0468 4000 dac960nt - ok
20:44:21.0484 4000 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
20:44:21.0484 4000 Disk - ok
20:44:21.0546 4000 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
20:44:21.0546 4000 dmboot - ok
20:44:21.0578 4000 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
20:44:21.0578 4000 dmio - ok
20:44:21.0578 4000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:44:21.0578 4000 dmload - ok
20:44:21.0593 4000 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
20:44:21.0593 4000 DMusic - ok
20:44:21.0593 4000 dpti2o - ok
20:44:21.0609 4000 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
20:44:21.0609 4000 drmkaud - ok
20:44:21.0640 4000 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
20:44:21.0640 4000 Fastfat - ok
20:44:21.0656 4000 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
20:44:21.0671 4000 Fdc - ok
20:44:21.0671 4000 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
20:44:21.0671 4000 Fips - ok
20:44:21.0671 4000 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:44:21.0671 4000 Flpydisk - ok
20:44:21.0703 4000 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:44:21.0703 4000 FltMgr - ok
20:44:21.0718 4000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:44:21.0718 4000 Fs_Rec - ok
20:44:21.0718 4000 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:44:21.0734 4000 Ftdisk - ok
20:44:21.0750 4000 gdrv (54789f9ba0d59072cdd4e7c200e122c4) C:\WINDOWS\gdrv.sys
20:44:21.0750 4000 gdrv - ok
20:44:21.0765 4000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:44:21.0765 4000 GEARAspiWDM - ok
20:44:21.0781 4000 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:44:21.0781 4000 Gpc - ok
20:44:21.0828 4000 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:44:21.0828 4000 HDAudBus - ok
20:44:21.0875 4000 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:44:21.0875 4000 HidUsb - ok
20:44:21.0875 4000 hpn - ok
20:44:21.0921 4000 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
20:44:21.0937 4000 HTTP - ok
20:44:21.0937 4000 i2omgmt - ok
20:44:21.0937 4000 i2omp - ok
20:44:22.0000 4000 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:44:22.0000 4000 i8042prt - ok
20:44:22.0203 4000 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:44:22.0375 4000 ialm - ok
20:44:22.0390 4000 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:44:22.0390 4000 Imapi - ok
20:44:22.0406 4000 ini910u - ok
20:44:22.0546 4000 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:44:22.0671 4000 IntcAzAudAddService - ok
20:44:22.0671 4000 IntelIde - ok
20:44:22.0718 4000 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:44:22.0718 4000 intelppm - ok
20:44:22.0734 4000 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:44:22.0734 4000 Ip6Fw - ok
20:44:22.0781 4000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:44:22.0781 4000 IpFilterDriver - ok
20:44:22.0796 4000 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:44:22.0796 4000 IpInIp - ok
20:44:22.0843 4000 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:44:22.0843 4000 IpNat - ok
20:44:22.0859 4000 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:44:22.0859 4000 IPSec - ok
20:44:22.0890 4000 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:44:22.0890 4000 IRENUM - ok
20:44:22.0890 4000 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:44:22.0890 4000 isapnp - ok
20:44:22.0906 4000 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:44:22.0906 4000 Kbdclass - ok
20:44:22.0937 4000 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
20:44:22.0937 4000 kmixer - ok
20:44:22.0953 4000 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
20:44:22.0953 4000 KSecDD - ok
20:44:22.0968 4000 lbrtfdc - ok
20:44:23.0000 4000 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
20:44:23.0000 4000 MBAMProtector - ok
20:44:23.0000 4000 MBAMSwissArmy - ok
20:44:23.0015 4000 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:44:23.0015 4000 MHNDRV - ok
20:44:23.0031 4000 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:44:23.0031 4000 mnmdd - ok
20:44:23.0031 4000 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
20:44:23.0046 4000 Modem - ok
20:44:23.0062 4000 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:44:23.0062 4000 Mouclass - ok
20:44:23.0093 4000 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:44:23.0093 4000 mouhid - ok
20:44:23.0093 4000 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
20:44:23.0093 4000 MountMgr - ok
20:44:23.0109 4000 mraid35x - ok
20:44:23.0140 4000 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:44:23.0140 4000 MRxDAV - ok
20:44:23.0187 4000 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:44:23.0203 4000 MRxSmb - ok
20:44:23.0250 4000 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
20:44:23.0250 4000 Msfs - ok
20:44:23.0250 4000 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:44:23.0250 4000 MSKSSRV - ok
20:44:23.0265 4000 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:44:23.0265 4000 MSPCLOCK - ok
20:44:23.0265 4000 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
20:44:23.0265 4000 MSPQM - ok
20:44:23.0312 4000 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:44:23.0312 4000 mssmbios - ok
20:44:23.0343 4000 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
20:44:23.0343 4000 MSTEE - ok
20:44:23.0359 4000 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
20:44:23.0359 4000 Mup - ok
20:44:23.0359 4000 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:44:23.0359 4000 NABTSFEC - ok
20:44:23.0375 4000 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
20:44:23.0375 4000 NDIS - ok
20:44:23.0375 4000 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:44:23.0375 4000 NdisIP - ok
20:44:23.0406 4000 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:44:23.0406 4000 NdisTapi - ok
20:44:23.0468 4000 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:44:23.0468 4000 Ndisuio - ok
20:44:23.0468 4000 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:44:23.0468 4000 NdisWan - ok
20:44:23.0484 4000 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
20:44:23.0484 4000 NDProxy - ok
20:44:23.0484 4000 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:44:23.0484 4000 NetBIOS - ok
20:44:23.0500 4000 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:44:23.0500 4000 NetBT - ok
20:44:23.0562 4000 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
20:44:23.0562 4000 npf - ok
20:44:23.0562 4000 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
20:44:23.0562 4000 Npfs - ok
20:44:23.0609 4000 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
20:44:23.0625 4000 Ntfs - ok
20:44:23.0640 4000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:44:23.0640 4000 Null - ok
20:44:23.0687 4000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:44:23.0687 4000 NwlnkFlt - ok
20:44:23.0687 4000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:44:23.0687 4000 NwlnkFwd - ok
20:44:23.0718 4000 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
20:44:23.0718 4000 Parport - ok
20:44:23.0718 4000 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
20:44:23.0718 4000 PartMgr - ok
20:44:23.0734 4000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:44:23.0734 4000 ParVdm - ok
20:44:23.0734 4000 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
20:44:23.0734 4000 PCI - ok
20:44:23.0750 4000 PCIDump - ok
20:44:23.0765 4000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:44:23.0781 4000 PCIIde - ok
20:44:23.0796 4000 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:44:23.0796 4000 Pcmcia - ok
20:44:23.0828 4000 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
20:44:23.0828 4000 pcouffin - ok
20:44:23.0843 4000 PDCOMP - ok
20:44:23.0843 4000 PDFRAME - ok
20:44:23.0859 4000 PDRELI - ok
20:44:23.0859 4000 PDRFRAME - ok
20:44:23.0859 4000 perc2 - ok
20:44:23.0875 4000 perc2hib - ok
20:44:23.0937 4000 PhilCam8116 (8754763a924639b9d07d4c8ea9990f1e) C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
20:44:23.0937 4000 PhilCam8116 - ok
20:44:23.0937 4000 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:44:23.0953 4000 PptpMiniport - ok
20:44:23.0953 4000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:44:23.0953 4000 Ptilink - ok
20:44:23.0984 4000 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:44:23.0984 4000 PxHelp20 - ok
20:44:24.0000 4000 ql1080 - ok
20:44:24.0000 4000 Ql10wnt - ok
20:44:24.0000 4000 ql12160 - ok
20:44:24.0015 4000 ql1240 - ok
20:44:24.0015 4000 ql1280 - ok
20:44:24.0046 4000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:44:24.0046 4000 RasAcd - ok
20:44:24.0062 4000 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:44:24.0062 4000 Rasl2tp - ok
20:44:24.0062 4000 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:44:24.0062 4000 RasPppoe - ok
20:44:24.0078 4000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:44:24.0078 4000 Raspti - ok
20:44:24.0125 4000 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:44:24.0125 4000 Rdbss - ok
20:44:24.0140 4000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:44:24.0140 4000 RDPCDD - ok
20:44:24.0171 4000 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:44:24.0171 4000 rdpdr - ok
20:44:24.0187 4000 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
20:44:24.0187 4000 RDPWD - ok
20:44:24.0218 4000 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:44:24.0218 4000 redbook - ok
20:44:24.0281 4000 RTL8023xp (1e11171c0b9989e1bdaa59e96b2e81c4) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
20:44:24.0281 4000 RTL8023xp - ok
20:44:24.0328 4000 RTLWUSB (5a850259b849a899990379a75460a4eb) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
20:44:24.0328 4000 RTLWUSB - ok
20:44:24.0453 4000 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:44:24.0453 4000 SASDIFSV - ok
20:44:24.0468 4000 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
20:44:24.0468 4000 SASENUM - ok
20:44:24.0484 4000 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
20:44:24.0484 4000 SASKUTIL - ok
20:44:24.0546 4000 SCDEmu (3b35ce540758bbabb721e234cb5a4f3f) C:\WINDOWS\system32\drivers\SCDEmu.sys
20:44:24.0546 4000 SCDEmu - ok
20:44:24.0578 4000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:44:24.0578 4000 Secdrv - ok
20:44:24.0578 4000 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:44:24.0593 4000 serenum - ok
20:44:24.0593 4000 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
20:44:24.0593 4000 Serial - ok
20:44:24.0609 4000 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:44:24.0609 4000 Sfloppy - ok
20:44:24.0609 4000 Simbad - ok
20:44:24.0640 4000 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:44:24.0640 4000 SLIP - ok
20:44:24.0656 4000 Sparrow - ok
20:44:24.0687 4000 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
20:44:24.0687 4000 splitter - ok
20:44:24.0750 4000 sptd (ee26b8860d226f8eec48aabbdae33e8c) C:\WINDOWS\system32\Drivers\sptd.sys
20:44:24.0750 4000 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: ee26b8860d226f8eec48aabbdae33e8c
20:44:24.0750 4000 sptd ( LockedFile.Multi.Generic ) - warning
20:44:24.0750 4000 sptd - detected LockedFile.Multi.Generic (1)
20:44:24.0781 4000 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:44:24.0781 4000 sr - ok
20:44:24.0796 4000 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
20:44:24.0796 4000 Srv - ok
20:44:24.0828 4000 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
20:44:24.0828 4000 StillCam - ok
20:44:24.0859 4000 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:44:24.0859 4000 streamip - ok
20:44:24.0875 4000 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:44:24.0875 4000 swenum - ok
20:44:24.0906 4000 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
20:44:24.0906 4000 swmidi - ok
20:44:24.0906 4000 symc810 - ok
20:44:24.0921 4000 symc8xx - ok
20:44:24.0921 4000 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
20:44:24.0937 4000 symsnap - ok
20:44:24.0937 4000 sym_hi - ok
20:44:24.0937 4000 sym_u3 - ok
20:44:24.0968 4000 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
20:44:24.0968 4000 sysaudio - ok
20:44:25.0031 4000 Tcpip (90caff4b094573449a0872a0f919b178) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:44:25.0031 4000 Tcpip - ok
20:44:25.0062 4000 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:44:25.0062 4000 TDPIPE - ok
20:44:25.0078 4000 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
20:44:25.0078 4000 TDTCP - ok
20:44:25.0093 4000 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:44:25.0093 4000 TermDD - ok
20:44:25.0109 4000 TfFsMon - ok
20:44:25.0109 4000 TfNetMon - ok
20:44:25.0109 4000 TFSysMon - ok
20:44:25.0125 4000 TosIde - ok
20:44:25.0156 4000 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
20:44:25.0156 4000 Udfs - ok
20:44:25.0171 4000 ultra - ok
20:44:25.0218 4000 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
20:44:25.0218 4000 Update - ok
20:44:25.0250 4000 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:44:25.0250 4000 USBAAPL - ok
20:44:25.0296 4000 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
20:44:25.0296 4000 usbaudio - ok
20:44:25.0343 4000 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:44:25.0343 4000 usbccgp - ok
20:44:25.0406 4000 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:44:25.0406 4000 usbehci - ok
20:44:25.0406 4000 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:44:25.0406 4000 usbhub - ok
20:44:25.0421 4000 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:44:25.0421 4000 usbprint - ok
20:44:25.0437 4000 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:44:25.0453 4000 usbscan - ok
20:44:25.0453 4000 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:44:25.0453 4000 USBSTOR - ok
20:44:25.0500 4000 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:44:25.0500 4000 usbuhci - ok
20:44:25.0500 4000 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
20:44:25.0500 4000 v2imount - ok
20:44:25.0562 4000 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
20:44:25.0562 4000 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\vaxscsi.sys. md5: 92cebc2bc7be2c8d49391b365569f306
20:44:25.0562 4000 vaxscsi ( LockedFile.Multi.Generic ) - warning
20:44:25.0562 4000 vaxscsi - detected LockedFile.Multi.Generic (1)
20:44:25.0562 4000 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
20:44:25.0562 4000 VgaSave - ok
20:44:25.0578 4000 ViaIde - ok
20:44:25.0578 4000 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
20:44:25.0578 4000 VolSnap - ok
20:44:25.0625 4000 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
20:44:25.0625 4000 VProEventMonitor - ok
20:44:25.0640 4000 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:44:25.0640 4000 Wanarp - ok
20:44:25.0687 4000 WDC_SAM (011e8a3e13dd7007353edbee4b180b50) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
20:44:25.0687 4000 WDC_SAM - ok
20:44:25.0687 4000 WDICA - ok
20:44:25.0734 4000 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
20:44:25.0734 4000 wdmaud - ok
20:44:25.0750 4000 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
20:44:25.0765 4000 WimFltr - ok
20:44:25.0812 4000 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:44:25.0812 4000 WS2IFSL - ok
20:44:25.0828 4000 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:44:25.0828 4000 WSTCODEC - ok
20:44:25.0859 4000 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:44:25.0953 4000 \Device\Harddisk0\DR0 - ok
20:44:25.0968 4000 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR2
20:44:26.0000 4000 \Device\Harddisk1\DR2 - ok
20:44:26.0000 4000 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk3\DR8
20:44:31.0156 4000 \Device\Harddisk3\DR8 - ok
20:44:31.0156 4000 Boot (0x1200) (f7b5ab6c14f1efeed5d4f9776ce984bb) \Device\Harddisk0\DR0\Partition0
20:44:31.0156 4000 \Device\Harddisk0\DR0\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (929749ac877032ada46fea5e036cb138) \Device\Harddisk1\DR2\Partition0
20:44:31.0171 4000 \Device\Harddisk1\DR2\Partition0 - ok
20:44:31.0171 4000 Boot (0x1200) (78caf6819748ba73d36015a85cc04c86) \Device\Harddisk3\DR8\Partition0
20:44:31.0171 4000 \Device\Harddisk3\DR8\Partition0 - ok
20:44:31.0171 4000 ============================================================
20:44:31.0171 4000 Scan finished
20:44:31.0171 4000 ============================================================
20:44:31.0171 0432 Detected object count: 3
20:44:31.0171 0432 Actual detected object count: 3
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - skipped by user
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - User select action: Skip
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 vaxscsi ( LockedFile.Multi.Generic ) - User select action: Skip
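The TDSSKiller log above is several hundred lines long and almost all of them end in "- ok", so the three hits are easy to miss. The following parser is an added example, not part of this thread and not Kaspersky's own code: it reads lines in the format shown above (time, process id, driver name, optional MD5 and path, verdict), collects one record per driver, and lists the entries the scanner did not mark clean, including the summary lines that record which detections the user chose to skip. The sample input is copied from the log above; the record and function names are the example's own.

```python
"""Parse TDSSKiller-style scan log lines into per-driver records.

Added example (not the thread's or TDSSKiller's own code). It recognises
three line shapes seen in the log above:
  <time> <pid> <name> (<md5>) <path>           file line
  <time> <pid> <name> - ok                      clean verdict
  <time> <pid> <name> ( <threat> ) - <verdict>  flagged verdict / user action
Everything else (banners, "Suspicious file" notes, counts) is ignored.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lines copied from the TDSSKiller log quoted above in this thread.
SAMPLE_LOG = r"""
20:44:24.0750 4000 sptd (ee26b8860d226f8eec48aabbdae33e8c) C:\WINDOWS\system32\Drivers\sptd.sys
20:44:24.0750 4000 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: ee26b8860d226f8eec48aabbdae33e8c
20:44:24.0750 4000 sptd ( LockedFile.Multi.Generic ) - warning
20:44:24.0750 4000 sptd - detected LockedFile.Multi.Generic (1)
20:44:24.0781 4000 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:44:24.0781 4000 sr - ok
20:44:25.0578 4000 ViaIde - ok
20:44:31.0171 4000 Scan finished
20:44:31.0171 0432 Detected object count: 3
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - skipped by user
20:45:07.0187 0432 AFD ( Rootkit.Win32.ZAccess.g ) - User select action: Skip
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - skipped by user
20:45:07.0187 0432 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
"""


@dataclass
class DriverRecord:
    """One scanned object (driver/service, MBR or boot sector) and its verdicts."""
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    threat: Optional[str] = None
    verdicts: List[str] = field(default_factory=list)


# "<time> <pid> <name> (<32 hex md5>) <path>"
FILE_RE = re.compile(r"^\S+\s+\d+\s+(\S+) \(([0-9a-f]{32})\) (.+)$")
# "<time> <pid> <name> [( <threat> )] - <verdict>"
VERDICT_RE = re.compile(r"^\S+\s+\d+\s+(\S+)(?: \( (\S+) \))? - (.+)$")
# "detected <threat> (<count>)" as written in the verdict text
DETECTED_RE = re.compile(r"^detected (\S+)")


def parse_log(text: str) -> Dict[str, DriverRecord]:
    """Return a name -> DriverRecord map built from the log lines."""
    records: Dict[str, DriverRecord] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            name, md5, path = m.groups()
            rec = records.setdefault(name, DriverRecord(name))
            rec.md5, rec.path = md5, path
            continue
        m = VERDICT_RE.match(line)
        if m:
            name, threat, verdict = m.groups()
            rec = records.setdefault(name, DriverRecord(name))
            rec.verdicts.append(verdict)
            if threat:
                rec.threat = threat
            d = DETECTED_RE.match(verdict)
            if d:
                rec.threat = d.group(1)
    return records


def flagged(records: Dict[str, DriverRecord]) -> List[str]:
    """Names with at least one verdict other than a clean 'ok'."""
    return sorted(n for n, r in records.items() if any(v != "ok" for v in r.verdicts))


def user_skipped(records: Dict[str, DriverRecord]) -> List[str]:
    """Detections the user chose to skip, i.e. still present after the run."""
    return sorted(n for n, r in records.items() if "skipped by user" in r.verdicts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name in flagged(recs):
        r = recs[name]
        print(f"{name}: threat={r.threat} md5={r.md5} path={r.path} verdicts={r.verdicts}")
    print("skipped by user:", user_skipped(recs))
```

Run on the full log, `user_skipped` is the list worth acting on: a "skipped" verdict means the object was identified but left in place, which is exactly the state the AFD (ZeroAccess) entry above was in when the next reply was written.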

#8 patndoris

patndoris

    SuperMember

  • Malware Team
  • 2,593 posts

Posted 12 November 2011 - 02:29 PM

There is a CD Emulation driver on your machine that may be interfering with the running of our tools. To remove SPTD, simply download the SPTD setup file "SPTDinst-v179-x86.exe" for Windows 2000/XP/2003/Vista/Windows 7 (32-bit) [607,288 bytes] and execute it.

In the dialog that appears, press the "Uninstall" button and SPTD will remove itself from your Windows installation.

If you want to install it again, execute the same setup and press "Install".



Download the most recent version of ComboFix from one of the following locations to your USB drive:
Link 1
Link 2

Please delete the old copy from the desktop of the infected machine (by right-clicking and choosing delete) and then transfer the new Combofix file to your desktop but do NOT run it.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\vaxscsi.sys
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

Folder::
C:\Program Files\Common Files\Spigot\Search Settings
C:\Program Files\Application Updater

RenV::
c:\program files\CANON\Canon IJ Network Scan Utility\CNMNSUT .exe


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe. ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
~Doris~

Proud Graduate of the WTT Classroom
Member of UNITE

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate

#9 Roses

Roses

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 12 November 2011 - 03:27 PM

Thank you again for your reply. I ran your instructions exactly as stated and here is the log:


ComboFix 11-11-12.04 - Roe 11/12/2011 13:06:24.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1486 [GMT -8:00]
Running from: c:\documents and settings\Roe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roe\Desktop\cfscript.txt
.
FILE ::
"c:\program files\Application Updater\ApplicationUpdater.exe"
"c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe"
"c:\windows\system32\drivers\vaxscsi.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Application Updater
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Application Updater\config.ini
c:\program files\Common Files\Spigot\Search Settings
c:\program files\Common Files\Spigot\Search Settings\baidu_ff.xml
c:\program files\Common Files\Spigot\Search Settings\baidu_ie.xml
c:\program files\Common Files\Spigot\Search Settings\config.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1031.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1033.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1034.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1036.ini
c:\program files\Common Files\Spigot\Search Settings\Lang\res1040.ini
c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
c:\program files\Common Files\Spigot\Search Settings\yahoo_ff.xml
c:\program files\Common Files\Spigot\Search Settings\yahoo_ie.xml
c:\program files\Common Files\Spigot\Search Settings\yandex_ff.xml
c:\program files\Common Files\Spigot\Search Settings\yandex_ie.xml
c:\windows\system32\drivers\vaxscsi.sys
H:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Application_Updater
-------\Legacy_Application_Updater
-------\Service_Application Updater
-------\Service_vaxscsi
-------\Service_Application Updater
.
.
((((((((((((((((((((((((( Files Created from 2011-10-12 to 2011-11-12 )))))))))))))))))))))))))))))))
.
.
2011-11-09 18:54 . 2011-11-09 18:58 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-09 18:09 . 2008-06-27 21:39 332928 ----a-r- c:\windows\system32\drivers\RTL8187.sys
2011-11-08 02:39 . 2011-11-08 02:40 -------- d-----w- C:\backups
2011-11-08 02:39 . 2011-11-08 02:39 -------- d-----w- C:\ERDNT
2011-11-08 02:38 . 2011-11-08 02:38 -------- d-----w- C:\Regbackup
2011-11-05 19:29 . 2011-11-05 19:29 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2011-11-05 17:54 . 2011-11-05 19:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\YouTube Downloader
2011-11-01 20:15 . 2011-11-01 20:16 -------- d-----w- c:\documents and settings\Roe\Local Settings\Application Data\Canon Easy-PhotoPrint EX
2011-10-21 01:31 . 2011-10-21 01:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 01:35 . 2011-06-05 17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-27 06:11 . 2011-04-02 18:42 444283 ----a-w- c:\program files\Common Files\WinPcapNmap.exe
2011-06-16 04:17 . 2011-06-25 04:03 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 27648 --sha-w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 151040 --sha-w- c:\windows\system32\VistaUltm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-07 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-15 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Roe\Start Menu\Programs\Startup\..
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.dll]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^scandisk.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\calc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nhuganew
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vhayex
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 03:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-04-21 04:21 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-13 23:38 39264 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2009-05-14 22:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-20 05:57 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-20 05:57 142104 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
2008-02-06 20:46 151552 ----a-w- c:\progra~1\CANON\MULTIP~1\MPTBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-01-28 20:39 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-20 05:57 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 09:33 16132608 ------w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-12-07 23:08 21686568 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 04:24 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-26 18:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-06-26 18:21 273544 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2008-04-08 17:42 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2008-02-07 04:44 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 14:59 224248 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"29244:TCP"= 29244:TCP:spport
"22656:TCP"= 22656:TCP:spport
"19524:TCP"= 19524:TCP:spport
"20029:TCP"= 20029:TCP:spport
"21011:TCP"= 21011:TCP:spport
"20714:TCP"= 20714:TCP:spport
"29667:TCP"= 29667:TCP:spport
"9445:TCP"= 9445:TCP:spport
"19243:TCP"= 19243:TCP:spport
"18089:TCP"= 18089:TCP:spport
"19753:TCP"= 19753:TCP:spport
"5306:TCP"= 5306:TCP:spport
.
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 3:31 PM 161064]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [1/27/2009 7:25 PM 351376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/26/2010 6:09 PM 50704]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [3/15/2006 4:00 AM 5120]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/10/2008 7:03 PM 47360]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 11:47 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service; [x]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [11/9/2011 10:09 AM 332928]
S3 SymSnapService;SymSnapService; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2006 9:16 PM 10112]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 19:47]
.
2011-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003Core.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-884357618-839522115-1003UA.job
- c:\documents and settings\Roe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-24 22:35]
.
2011-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-884357618-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: Interfaces\{0C4C2CD8-D480-482C-BEDA-2A9AAEA6491F}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Roe\Application Data\Mozilla\Firefox\Profiles\ozhxetbm.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.smartwebsearch.net/index.php?from=3
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
HKLM_ActiveSetup-Neat ADF Scanner 2008 - reg copy HKLM\Software\The Neat Company\Neat ADF Scanner 2008 HKCU\Software\The Neat Company\Neat ADF Scanner 2008
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-12 13:19
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0B02ABBA-36EC-0AD5-60EA-16BF5004E04D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):fd,e5,c5,e4,e5,6e,45,b1,20,3c,90,52,02,96,06,0f,d7,08,cc,04,c1,
d7,67,ff,55,02,df,49,73,4e,a3,55,21,9e,71,c6,4c,d8,d9,85,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005e
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3168)
c:\program files\Unlocker\UnlockerCOM.dll
c:\program files\WinZip\wzshlstb.dll
c:\program files\WinZip\wzshlex1.dll
c:\program files\WinZip\WZCAB3.DLL
c:\program files\WinRAR\rarext.dll
c:\program files\TechSmith\SnagIt 8\SnagItShellExt.dll
c:\program files\PowerISO\PWRISOSH.DLL
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-12 13:24:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-12 21:23
ComboFix2.txt 2011-11-06 22:57
ComboFix3.txt 2009-11-21 04:54
ComboFix4.txt 2008-05-12 18:09
.
Pre-Run: 206,798,647,296 bytes free
Post-Run: 206,783,651,840 bytes free
.
- - End Of File - - 9C574F8BA22B9494EBD03EE5C07A5249

#10 patndoris

patndoris

    SuperMember

  • Malware Team
  • 2,593 posts

Posted 12 November 2011 - 06:03 PM

You have a very stubborn infection. It affects each machine differently, making it very difficult to clean, so it may take several more steps to get this cleared up. It may seem as if we are running the same tools multiple times, but it is necessary, I assure you.

You should already have TDSSKiller on your desktop, but you will need to download and transfer GMER via USB.

Please read carefully and follow these steps. There is a difference between what you see in one of the images below and what I need you to do.
We are only creating a log - I do NOT want you to "cure" or try to fix anything in this step. It is very important that you don't choose Cure when presented with that option.

  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, but I want you to choose SKIP instead, then click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Download and Run GMER

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that may have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one - make sure it is UNCHECKED)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and paste it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

~Doris~

Proud Graduate of the WTT Classroom
Member of UNITE

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate



#11 Roses

Roses

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 12 November 2011 - 08:33 PM

Thank you for the quick reply. Unfortunately, something urgent came up and I won't be able to run this step until Monday. I will post the requested files as soon as I can run it! Thank you again!

#12 patndoris

patndoris

    SuperMember

  • Malware Team
  • 2,593 posts

Posted 12 November 2011 - 09:22 PM

Thanks for letting me know. I'll keep this open until you can run the steps.
~Doris~


#13 Roses

Roses

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 15 November 2011 - 03:20 PM

Sorry for the delay in running this. My aunt died unexpectedly and I had to deal with that. I appreciate your time and patience. Here is the TDSSKiller log:

13:06:54.0781 3760 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
13:06:54.0781 3760 ============================================================
13:06:54.0781 3760 Current date / time: 2011/11/15 13:06:54.0781
13:06:54.0781 3760 SystemInfo:
13:06:54.0781 3760
13:06:54.0781 3760 OS Version: 5.1.2600 ServicePack: 2.0
13:06:54.0781 3760 Product type: Workstation
13:06:54.0781 3760 ComputerName: DAOFFICE
13:06:54.0781 3760 UserName: Roe
13:06:54.0781 3760 Windows directory: C:\WINDOWS
13:06:54.0781 3760 System windows directory: C:\WINDOWS
13:06:54.0781 3760 Processor architecture: Intel x86
13:06:54.0781 3760 Number of processors: 2
13:06:54.0781 3760 Page size: 0x1000
13:06:54.0781 3760 Boot type: Normal boot
13:06:54.0781 3760 ============================================================
13:06:55.0968 3760 Initialize success
13:07:04.0453 3800 ============================================================
13:07:04.0453 3800 Scan started
13:07:04.0453 3800 Mode: Manual;
13:07:04.0453 3800 ============================================================
13:07:05.0671 3800 Abiosdsk - ok
13:07:05.0687 3800 abp480n5 - ok
13:07:05.0734 3800 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:07:05.0734 3800 ACPI - ok
13:07:05.0781 3800 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:07:05.0781 3800 ACPIEC - ok
13:07:05.0781 3800 adpu160m - ok
13:07:05.0828 3800 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
13:07:05.0843 3800 aec - ok
13:07:05.0890 3800 AFD (604a70a5689cdc4325139caca5990673) C:\WINDOWS\System32\drivers\afd.sys
13:07:05.0890 3800 AFD ( Rootkit.Win32.ZAccess.g ) - infected
13:07:05.0890 3800 AFD - detected Rootkit.Win32.ZAccess.g (0)
13:07:05.0953 3800 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
13:07:05.0953 3800 AFS2K - ok
13:07:05.0953 3800 Aha154x - ok
13:07:05.0968 3800 aic78u2 - ok
13:07:05.0968 3800 aic78xx - ok
13:07:05.0968 3800 AliIde - ok
13:07:05.0984 3800 amsint - ok
13:07:05.0984 3800 asc - ok
13:07:06.0000 3800 asc3350p - ok
13:07:06.0000 3800 asc3550 - ok
13:07:06.0031 3800 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:07:06.0031 3800 AsyncMac - ok
13:07:06.0046 3800 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:07:06.0046 3800 atapi - ok
13:07:06.0062 3800 Atdisk - ok
13:07:06.0062 3800 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:07:06.0062 3800 Atmarpc - ok
13:07:06.0093 3800 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:07:06.0093 3800 audstub - ok
13:07:06.0140 3800 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:07:06.0140 3800 Beep - ok
13:07:06.0156 3800 catchme - ok
13:07:06.0203 3800 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:07:06.0203 3800 cbidf2k - ok
13:07:06.0218 3800 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
13:07:06.0234 3800 CCDECODE - ok
13:07:06.0234 3800 cd20xrnt - ok
13:07:06.0265 3800 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:07:06.0265 3800 Cdaudio - ok
13:07:06.0281 3800 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
13:07:06.0281 3800 Cdfs - ok
13:07:06.0281 3800 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:07:06.0281 3800 Cdrom - ok
13:07:06.0281 3800 Changer - ok
13:07:06.0328 3800 cis1284 (7e1d1616c7e2fbba784e5dbd05d88eca) C:\WINDOWS\system32\drivers\cis1284.sys
13:07:06.0343 3800 cis1284 - ok
13:07:06.0343 3800 CmdIde - ok
13:07:06.0359 3800 Cpqarray - ok
13:07:06.0359 3800 dac2w2k - ok
13:07:06.0359 3800 dac960nt - ok
13:07:06.0375 3800 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
13:07:06.0375 3800 Disk - ok
13:07:06.0406 3800 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
13:07:06.0421 3800 dmboot - ok
13:07:06.0437 3800 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
13:07:06.0437 3800 dmio - ok
13:07:06.0437 3800 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:07:06.0437 3800 dmload - ok
13:07:06.0453 3800 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
13:07:06.0453 3800 DMusic - ok
13:07:06.0453 3800 dpti2o - ok
13:07:06.0468 3800 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
13:07:06.0468 3800 drmkaud - ok
13:07:06.0484 3800 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
13:07:06.0484 3800 Fastfat - ok
13:07:06.0515 3800 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
13:07:06.0515 3800 Fdc - ok
13:07:06.0515 3800 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
13:07:06.0515 3800 Fips - ok
13:07:06.0531 3800 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
13:07:06.0531 3800 Flpydisk - ok
13:07:06.0578 3800 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
13:07:06.0578 3800 FltMgr - ok
13:07:06.0593 3800 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:07:06.0593 3800 Fs_Rec - ok
13:07:06.0593 3800 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:07:06.0609 3800 Ftdisk - ok
13:07:06.0640 3800 gdrv (54789f9ba0d59072cdd4e7c200e122c4) C:\WINDOWS\gdrv.sys
13:07:06.0640 3800 gdrv - ok
13:07:06.0656 3800 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
13:07:06.0656 3800 GEARAspiWDM - ok
13:07:06.0671 3800 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:07:06.0671 3800 Gpc - ok
13:07:06.0703 3800 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:07:06.0718 3800 HDAudBus - ok
13:07:06.0750 3800 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:07:06.0750 3800 HidUsb - ok
13:07:06.0781 3800 hpn - ok
13:07:06.0828 3800 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
13:07:06.0828 3800 HTTP - ok
13:07:06.0828 3800 i2omgmt - ok
13:07:06.0843 3800 i2omp - ok
13:07:06.0890 3800 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:07:06.0890 3800 i8042prt - ok
13:07:07.0062 3800 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
13:07:07.0203 3800 ialm - ok
13:07:07.0218 3800 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:07:07.0218 3800 Imapi - ok
13:07:07.0234 3800 ini910u - ok
13:07:07.0359 3800 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
13:07:07.0484 3800 IntcAzAudAddService - ok
13:07:07.0484 3800 IntelIde - ok
13:07:07.0500 3800 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:07:07.0500 3800 intelppm - ok
13:07:07.0515 3800 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
13:07:07.0515 3800 Ip6Fw - ok
13:07:07.0578 3800 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:07:07.0578 3800 IpFilterDriver - ok
13:07:07.0578 3800 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:07:07.0578 3800 IpInIp - ok
13:07:07.0625 3800 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:07:07.0625 3800 IpNat - ok
13:07:07.0640 3800 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:07:07.0656 3800 IPSec - ok
13:07:07.0671 3800 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:07:07.0671 3800 IRENUM - ok
13:07:07.0687 3800 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:07:07.0687 3800 isapnp - ok
13:07:07.0687 3800 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:07:07.0687 3800 Kbdclass - ok
13:07:07.0718 3800 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
13:07:07.0718 3800 kmixer - ok
13:07:07.0734 3800 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
13:07:07.0734 3800 KSecDD - ok
13:07:07.0750 3800 lbrtfdc - ok
13:07:07.0750 3800 MBAMSwissArmy - ok
13:07:07.0781 3800 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
13:07:07.0781 3800 MHNDRV - ok
13:07:07.0781 3800 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:07:07.0781 3800 mnmdd - ok
13:07:07.0796 3800 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
13:07:07.0796 3800 Modem - ok
13:07:07.0812 3800 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:07:07.0812 3800 Mouclass - ok
13:07:07.0875 3800 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:07:07.0875 3800 mouhid - ok
13:07:07.0875 3800 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
13:07:07.0875 3800 MountMgr - ok
13:07:07.0890 3800 mraid35x - ok
13:07:07.0906 3800 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:07:07.0921 3800 MRxDAV - ok
13:07:07.0953 3800 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:07:07.0968 3800 MRxSmb - ok
13:07:07.0968 3800 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
13:07:07.0968 3800 Msfs - ok
13:07:07.0984 3800 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:07:07.0984 3800 MSKSSRV - ok
13:07:07.0984 3800 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:07:07.0984 3800 MSPCLOCK - ok
13:07:08.0000 3800 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
13:07:08.0000 3800 MSPQM - ok
13:07:08.0000 3800 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:07:08.0000 3800 mssmbios - ok
13:07:08.0031 3800 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
13:07:08.0031 3800 MSTEE - ok
13:07:08.0046 3800 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
13:07:08.0046 3800 Mup - ok
13:07:08.0046 3800 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
13:07:08.0046 3800 NABTSFEC - ok
13:07:08.0093 3800 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
13:07:08.0093 3800 NDIS - ok
13:07:08.0093 3800 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
13:07:08.0093 3800 NdisIP - ok
13:07:08.0140 3800 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:07:08.0140 3800 NdisTapi - ok
13:07:08.0203 3800 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:07:08.0203 3800 Ndisuio - ok
13:07:08.0203 3800 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:07:08.0203 3800 NdisWan - ok
13:07:08.0218 3800 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
13:07:08.0218 3800 NDProxy - ok
13:07:08.0218 3800 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:07:08.0218 3800 NetBIOS - ok
13:07:08.0265 3800 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:07:08.0265 3800 NetBT - ok
13:07:08.0312 3800 npf (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
13:07:08.0312 3800 npf - ok
13:07:08.0328 3800 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
13:07:08.0328 3800 Npfs - ok
13:07:08.0375 3800 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
13:07:08.0390 3800 Ntfs - ok
13:07:08.0406 3800 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:07:08.0406 3800 Null - ok
13:07:08.0453 3800 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:07:08.0453 3800 NwlnkFlt - ok
13:07:08.0453 3800 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:07:08.0453 3800 NwlnkFwd - ok
13:07:08.0484 3800 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
13:07:08.0484 3800 Parport - ok
13:07:08.0484 3800 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
13:07:08.0484 3800 PartMgr - ok
13:07:08.0500 3800 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:07:08.0500 3800 ParVdm - ok
13:07:08.0515 3800 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
13:07:08.0515 3800 PCI - ok
13:07:08.0515 3800 PCIDump - ok
13:07:08.0546 3800 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:07:08.0546 3800 PCIIde - ok
13:07:08.0562 3800 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:07:08.0562 3800 Pcmcia - ok
13:07:08.0609 3800 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
13:07:08.0609 3800 pcouffin - ok
13:07:08.0609 3800 PDCOMP - ok
13:07:08.0625 3800 PDFRAME - ok
13:07:08.0625 3800 PDRELI - ok
13:07:08.0625 3800 PDRFRAME - ok
13:07:08.0640 3800 perc2 - ok
13:07:08.0640 3800 perc2hib - ok
13:07:08.0687 3800 PhilCam8116 (8754763a924639b9d07d4c8ea9990f1e) C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
13:07:08.0687 3800 PhilCam8116 - ok
13:07:08.0703 3800 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:07:08.0703 3800 PptpMiniport - ok
13:07:08.0718 3800 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:07:08.0718 3800 Ptilink - ok
13:07:08.0765 3800 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:07:08.0765 3800 PxHelp20 - ok
13:07:08.0765 3800 ql1080 - ok
13:07:08.0765 3800 Ql10wnt - ok
13:07:08.0781 3800 ql12160 - ok
13:07:08.0781 3800 ql1240 - ok
13:07:08.0796 3800 ql1280 - ok
13:07:08.0828 3800 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:07:08.0828 3800 RasAcd - ok
13:07:08.0843 3800 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:07:08.0843 3800 Rasl2tp - ok
13:07:08.0843 3800 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:07:08.0843 3800 RasPppoe - ok
13:07:08.0859 3800 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:07:08.0859 3800 Raspti - ok
13:07:08.0875 3800 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:07:08.0875 3800 Rdbss - ok
13:07:08.0906 3800 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:07:08.0906 3800 RDPCDD - ok
13:07:08.0937 3800 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:07:08.0937 3800 rdpdr - ok
13:07:08.0953 3800 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
13:07:08.0953 3800 RDPWD - ok
13:07:08.0968 3800 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:07:08.0968 3800 redbook - ok
13:07:09.0000 3800 RTL8023xp (1e11171c0b9989e1bdaa59e96b2e81c4) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
13:07:09.0000 3800 RTL8023xp - ok
13:07:09.0046 3800 RTLWUSB (5a850259b849a899990379a75460a4eb) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
13:07:09.0046 3800 RTLWUSB - ok
13:07:09.0093 3800 SCDEmu (3b35ce540758bbabb721e234cb5a4f3f) C:\WINDOWS\system32\drivers\SCDEmu.sys
13:07:09.0093 3800 SCDEmu - ok
13:07:09.0140 3800 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:07:09.0140 3800 Secdrv - ok
13:07:09.0156 3800 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:07:09.0156 3800 serenum - ok
13:07:09.0156 3800 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
13:07:09.0156 3800 Serial - ok
13:07:09.0171 3800 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:07:09.0171 3800 Sfloppy - ok
13:07:09.0171 3800 Simbad - ok
13:07:09.0203 3800 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
13:07:09.0203 3800 SLIP - ok
13:07:09.0218 3800 Sparrow - ok
13:07:09.0234 3800 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
13:07:09.0234 3800 splitter - ok
13:07:09.0250 3800 sptd - ok
13:07:09.0296 3800 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
13:07:09.0312 3800 sr - ok
13:07:09.0312 3800 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
13:07:09.0328 3800 Srv - ok
13:07:09.0359 3800 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
13:07:09.0359 3800 StillCam - ok
13:07:09.0375 3800 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
13:07:09.0390 3800 streamip - ok
13:07:09.0390 3800 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:07:09.0390 3800 swenum - ok
13:07:09.0406 3800 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
13:07:09.0406 3800 swmidi - ok
13:07:09.0421 3800 symc810 - ok
13:07:09.0421 3800 symc8xx - ok
13:07:09.0437 3800 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
13:07:09.0437 3800 symsnap - ok
13:07:09.0437 3800 sym_hi - ok
13:07:09.0453 3800 sym_u3 - ok
13:07:09.0484 3800 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
13:07:09.0484 3800 sysaudio - ok
13:07:09.0515 3800 Tcpip (90caff4b094573449a0872a0f919b178) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:07:09.0515 3800 Tcpip - ok
13:07:09.0546 3800 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:07:09.0546 3800 TDPIPE - ok
13:07:09.0562 3800 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
13:07:09.0562 3800 TDTCP - ok
13:07:09.0562 3800 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:07:09.0562 3800 TermDD - ok
13:07:09.0578 3800 TfFsMon - ok
13:07:09.0578 3800 TfNetMon - ok
13:07:09.0593 3800 TFSysMon - ok
13:07:09.0593 3800 TosIde - ok
13:07:09.0625 3800 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
13:07:09.0625 3800 Udfs - ok
13:07:09.0625 3800 ultra - ok
13:07:09.0671 3800 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
13:07:09.0687 3800 Update - ok
13:07:09.0718 3800 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
13:07:09.0718 3800 USBAAPL - ok
13:07:09.0796 3800 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
13:07:09.0796 3800 usbaudio - ok
13:07:09.0968 3800 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:07:09.0968 3800 usbccgp - ok
13:07:10.0109 3800 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:07:10.0109 3800 usbehci - ok
13:07:10.0125 3800 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:07:10.0125 3800 usbhub - ok
13:07:10.0125 3800 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:07:10.0125 3800 usbprint - ok
13:07:10.0156 3800 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:07:10.0156 3800 usbscan - ok
13:07:10.0156 3800 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:07:10.0156 3800 USBSTOR - ok
13:07:10.0187 3800 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:07:10.0187 3800 usbuhci - ok
13:07:10.0203 3800 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
13:07:10.0203 3800 v2imount - ok
13:07:10.0218 3800 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
13:07:10.0218 3800 VgaSave - ok
13:07:10.0218 3800 ViaIde - ok
13:07:10.0234 3800 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
13:07:10.0234 3800 VolSnap - ok
13:07:10.0265 3800 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
13:07:10.0265 3800 VProEventMonitor - ok
13:07:10.0296 3800 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:07:10.0296 3800 Wanarp - ok
13:07:10.0343 3800 WDC_SAM (011e8a3e13dd7007353edbee4b180b50) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
13:07:10.0359 3800 WDC_SAM - ok
13:07:10.0359 3800 WDICA - ok
13:07:10.0406 3800 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
13:07:10.0406 3800 wdmaud - ok
13:07:10.0421 3800 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
13:07:10.0437 3800 WimFltr - ok
13:07:10.0484 3800 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
13:07:10.0484 3800 WS2IFSL - ok
13:07:10.0500 3800 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
13:07:10.0500 3800 WSTCODEC - ok
13:07:10.0515 3800 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
13:07:10.0515 3800 \Device\Harddisk0\DR0 - ok
13:07:10.0531 3800 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
13:07:10.0640 3800 \Device\Harddisk1\DR1 - ok
13:07:10.0640 3800 Boot (0x1200) (120e3c91a7a6968dae14c3a379dca019) \Device\Harddisk0\DR0\Partition0
13:07:10.0656 3800 \Device\Harddisk0\DR0\Partition0 - ok
13:07:10.0656 3800 Boot (0x1200) (642302f81f9add18242a75a453806a0b) \Device\Harddisk0\DR0\Partition1
13:07:10.0656 3800 \Device\Harddisk0\DR0\Partition1 - ok
13:07:10.0656 3800 Boot (0x1200) (f7b5ab6c14f1efeed5d4f9776ce984bb) \Device\Harddisk1\DR1\Partition0
13:07:10.0656 3800 \Device\Harddisk1\DR1\Partition0 - ok
13:07:10.0656 3800 ============================================================
13:07:10.0656 3800 Scan finished
13:07:10.0656 3800 ============================================================
13:07:10.0656 3792 Detected object count: 1
13:07:10.0656 3792 Actual detected object count: 1
13:08:20.0718 3792 AFD ( Rootkit.Win32.ZAccess.g ) - skipped by user
13:08:20.0718 3792 AFD ( Rootkit.Win32.ZAccess.g ) - User select action: Skip

I will post the gmer log when finished. Thanks!
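Added example (my own code, not from this thread or from Kaspersky's TDSSKiller): a small Python triage parser for log entries in the format quoted above. It splits entries on the "HH:MM:SS.mmmm <thread id>" prefix, so it still works when a copy-paste has run the whole log onto one line as happened in this post; it records the MD5 and path of every hashed driver, MBR and boot sector, lists each detection with the action taken, and flags detections that were only skipped. The sample log is constructed from a handful of the lines above (the AFD/ZAccess and MBR entries with the hashes as quoted), the function names and the `Report` class are mine, and the check for a "cure" action is an assumption about TDSSKiller's wording, since the post only shows the Skip path.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the TDSSKiller 2.6.x entries quoted in the post:
# "HH:MM:SS.mmmm <thread id> <message>". The entries are deliberately run together on
# one line, as they appear after a copy-paste, to show the parser recovers them anyway.
# The AFD/ZAccess and MBR lines and their hashes are the ones quoted in the post; the
# hundreds of "- ok" lines are omitted.
SAMPLE_LOG = (
    "13:07:04.0453 3800 Scan started "
    "13:07:05.0890 3800 AFD (604a70a5689cdc4325139caca5990673) C:\\WINDOWS\\System32\\drivers\\afd.sys "
    "13:07:05.0890 3800 AFD ( Rootkit.Win32.ZAccess.g ) - infected "
    "13:07:05.0890 3800 AFD - detected Rootkit.Win32.ZAccess.g (0) "
    "13:07:05.0953 3800 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\\WINDOWS\\system32\\drivers\\AFS2K.sys "
    "13:07:05.0953 3800 AFS2K - ok "
    "13:07:10.0515 3800 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \\Device\\Harddisk0\\DR0 "
    "13:07:10.0515 3800 \\Device\\Harddisk0\\DR0 - ok "
    "13:07:10.0656 3800 Scan finished "
    "13:08:20.0718 3792 AFD ( Rootkit.Win32.ZAccess.g ) - skipped by user"
)

# One entry = timestamp, thread id, message; the message runs until the next
# timestamp/thread-id pair (or end of input), so lost newlines do not matter.
ENTRY_RE = re.compile(
    r"(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*?)"
    r"(?=\s*\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s|\Z)",
    re.S,
)
# "<name> [(0xSIZE)] (<md5>) <path>": a hashed driver, MBR or boot sector
FILE_RE = re.compile(
    r"^(?P<name>\S+)(?: \((?P<size>0x[0-9A-Fa-f]+)\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
# "<name> ( <threat> ) - <action>": a detection and what was done about it
THREAT_RE = re.compile(r"^(?P<name>\S+) \( (?P<threat>[^)]+?) \) - (?P<action>.+)$")


@dataclass
class ScannedFile:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    name: str
    threat: str
    action: str  # e.g. "infected", "skipped by user"


@dataclass
class Report:
    entries: list = field(default_factory=list)     # (timestamp, thread id, message)
    files: dict = field(default_factory=dict)       # key -> ScannedFile
    detections: list = field(default_factory=list)  # Detection, in log order

    def unresolved(self):
        """Names flagged as infected with no later action mentioning a cure.
        The 'cure' wording is an assumption; the post only shows the Skip path."""
        flagged = {d.name for d in self.detections if d.action == "infected"}
        handled = {d.name for d in self.detections if "cure" in d.action.lower()}
        return sorted(flagged - handled)


def parse(text):
    """Parse a TDSSKiller log, with or without its original line breaks."""
    report = Report()
    for ts, tid, msg in ENTRY_RE.findall(text):
        msg = msg.strip()
        report.entries.append((ts, tid, msg))
        m = THREAT_RE.match(msg)
        if m:
            report.detections.append(Detection(m["name"], m["threat"], m["action"]))
            continue
        m = FILE_RE.match(msg)
        if m:
            # Drivers are keyed by service name; MBR/boot-sector entries carry a
            # size field and repeat per disk, so key those by name plus device path.
            key = m["name"] if m["size"] is None else f'{m["name"]} {m["path"]}'
            report.files[key] = ScannedFile(m["name"], m["md5"], m["path"])
    return report


def mismatched_files(report, reference):
    """Keys whose logged MD5 differs from `reference` (key -> known-good MD5).
    Build the reference from a clean machine of the same Windows build; this
    example does not ship one."""
    return sorted(
        key for key, f in report.files.items()
        if key in reference and reference[key].lower() != f.md5
    )


if __name__ == "__main__":
    r = parse(SAMPLE_LOG)
    print(f"{len(r.entries)} entries, {len(r.files)} hashed objects")
    for d in r.detections:
        print(f"{d.name}: {d.threat} - {d.action}")
    print("still unresolved:", r.unresolved())
```

The reference table passed to `mismatched_files` is meant to be filled from a known-clean machine of the same Windows build and patch level; comparing the logged afd.sys hash against such a reference is the kind of independent check that corroborates what TDSSKiller flagged here, and any driver whose hash differs from the reference deserves the same scrutiny even when the scanner reports it as ok.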

#14 Roses

Roses

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 15 November 2011 - 03:26 PM

Here is the gmer.txt file:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-15 13:24:57
Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c WDC_WD5000AAKS-22TMA0 rev.12.01C01
Running: gmer.exe; Driver: C:\DOCUME~1\Roe\LOCALS~1\Temp\kxtcapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text PCIIDEX.SYS!PciIdeXSetBusData + B29 BA32945D 4 Bytes JMP 89A82344
.text PCIIDEX.SYS!PciIdeXSetBusData + D72 BA3296A6 4 Bytes JMP 89B1EC64
.text PCIIDEX.SYS!PciIdeXDebugPrint + 23 BA3296DD 4 Bytes JMP 89A82344
.text PCIIDEX.SYS!PciIdeXDebugPrint + 173 BA32982D 4 Bytes JMP 89B1EC64
.text PCIIDEX.SYS!PciIdeXDebugPrint + 1A8 BA329862 4 Bytes JMP 89B1EC64
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 7CB BA329E85 4 Bytes JMP 89A82344
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 1065 BA32A71F 4 Bytes JMP 89A82344
PAGE ...
PAGE PCIIDEX.SYS!PciIdeXInitialize + 288 BA32CC64 4 Bytes JMP 89A82344
.text atapi.sys B9F0EE49 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F09D 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F53F 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F6CD 4 Bytes JMP 89B435A4
.text atapi.sys B9F0F79D 4 Bytes JMP 89B435A4
.text ...
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 198 BA0E85C8 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassCompleteRequest + D BA0E8C6C 4 Bytes JMP 89B235A4
.text CLASSPNP.SYS!ClassCompleteRequest + 3FE BA0E905D 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendSrbSynchronous + EE BA0E9210 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassDeviceControl + BD BA0E9627 4 Bytes JMP 89B235A4
.text CLASSPNP.SYS!ClassDeviceControl + 2B4 BA0E981E 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassReleaseQueue + EA BA0EA5DD 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassReleaseChildLock + 66 BA0EAC36 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendIrpSynchronous + 3A BA0EAE01 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassGetDriverExtension + 15E BA0EB3A8 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassFindModePage + 5AD BA0EBDC5 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassFindModePage + 7D4 BA0EBFEC 4 Bytes JMP 89B4DFFC
.text CLASSPNP.SYS!ClassFindModePage + 90E BA0EC126 4 Bytes JMP 89BE23DC
.text CLASSPNP.SYS!ClassFindModePage + 938 BA0EC150 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassFindModePage + A7D BA0EC295 4 Bytes JMP 89B4DFFC
.text ...
.text CLASSPNP.SYS!ClassInternalIoControl + 87 BA0ED04A 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassGetVpb + 167 BA0ED24B 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendStartUnit + C9 BA0ED4C1 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassSendSrbAsynchronous + 10D BA0ED610 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassWmiFireEvent + 3A9 BA0EDABA 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassWmiFireEvent + 807 BA0EDF18 4 Bytes JMP 8A3CD9E4
.text CLASSPNP.SYS!ClassIoCompleteAssociated + 18B BA0EE551 4 Bytes JMP 89B4DFFC
PAGE CLASSPNP.SYS!ClassDebugPrint + 5B1 BA0EEBB3 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassDebugPrint + 7CD BA0EEDCF 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassInvalidateBusRelations + 203 BA0EF2C0 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassInitialize + 6C0 BA0EFA7E 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassClaimDevice + 7A BA0F0F59 4 Bytes JMP 8A3CD9E4
PAGE CLASSPNP.SYS!ClassModeSense + 57D BA0F1BF6 4 Bytes JMP 8A3CD9E4
.PAGE C:\WINDOWS\System32\drivers\afd.sys unknown last section [0xBA256800, 0x100, 0xC0000040]
.text USBSTOR.SYS BA3A8375 4 Bytes JMP 89B1E62C
.text USBSTOR.SYS BA3A83C1 4 Bytes JMP 89B43E04
.text USBSTOR.SYS BA3A8459 4 Bytes JMP 89B43E04
.text USBSTOR.SYS BA3A85AB 4 Bytes JMP 89B43E04
.text USBSTOR.SYS BA3A8660 4 Bytes JMP 89B215E4
.text ...
? system32\drivers\65874267.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\92931298 \Device\KLMD14092011_206080 65874267.sys

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\00000563 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 89FE3B80

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xB3 0x7D 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA9 0xC6 0x5B 0xA0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x43 0x32 0x07 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x96 0x31 0x6D 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA9 0xC6 0x5B 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x43 0x32 0x07 0xA1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x96 0x31 0x6D 0x5D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA9 0xC6 0x5B 0xA0 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x43 0x32 0x07 0xA1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0xFD 0xE5 0xC5 0xE4 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}@Model 94
Reg HKLM\SOFTWARE\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{f223094d-6cd9-4a46-96f8-ba9a16d4229c}@MData 0x2B 0x8F 0x78 0x29 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0B02ABBA-36EC-0AD5-60EA-16BF5004E04D}

---- EOF - GMER 1.0.15 ----

#15 patndoris

patndoris

    SuperMember

  • Malware Team
  • 2,593 posts

Posted 15 November 2011 - 05:37 PM

I'm very sorry to hear about your loss. I appreciate you letting me know about being away so I could keep the thread open for you.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    AFD.sys
    
    :reg
    hkey_local_machine\system\currentcontrolset\services\afd
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
~Doris~

Proud Graduate of the WTT Classroom
Member of UNITE

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate
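The SystemLook request above asks for every copy of AFD.sys on disk and for the afd service key, because GMER flagged C:\WINDOWS\System32\drivers\afd.sys with an "unknown last section" of size 0x100 and characteristics 0xC0000040 (read/write initialized data): a section a stock Microsoft driver does not carry. The script below is an added illustration of that check, not part of SystemLook, GMER or this thread: it parses the PE section table of a driver file copied off the disk and reports the signs a responder looks for in that GMER line (unfamiliar trailing section name, entry point redirected into it, the section writable, the section tiny). The section names and layout, the ".extra" name, and the constructed sample images are assumptions made for the demo; the patched sample only mirrors the size and flags GMER printed.

```python
"""Offline triage of a driver's last PE section (illustrative, constructed data)."""
import struct
import sys

IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names usually present in a Microsoft kernel driver (assumption for the demo).
KNOWN_DRIVER_SECTIONS = {".text", ".rdata", ".data", "PAGE", "PAGELK", "INIT",
                         ".rsrc", ".reloc", ".edata", ".idata"}


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _m, nsect, _ts, _st, _ns, opt_size, _ch = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, va, rawsize, _rp, _rr, _rl, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "chars": chars})
        off += 40
    return entry_rva, sections


def triage_last_section(data):
    """Return a list of finding codes for the last section; an empty list means nothing odd."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no-sections"]
    last = sections[-1]
    span = max(last["vsize"], last["rawsize"])
    entry_in_last = last["va"] <= entry < last["va"] + span
    findings = []
    if last["name"] not in KNOWN_DRIVER_SECTIONS:
        findings.append("unknown-last-section-name")
    if entry_in_last:
        findings.append("entry-point-in-last-section")       # DriverEntry normally lives in INIT
    if entry_in_last and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry-point-in-writable-section")   # code that expects to patch itself
    if span <= 0x200:
        findings.append("tiny-last-section")                 # weak on its own, strong with the others
    return findings


def build_pe(layout, entry_rva):
    """Build a minimal PE32 image with only headers and a section table (constructed test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, chars in layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layout resembling an x86 driver: code, data, pageable code, INIT (holds DriverEntry), resources, relocs.
CLEAN_LAYOUT = [
    (b".text",  0x01000, 0x10000, 0x60000020),
    (b".rdata", 0x11000, 0x02000, 0x40000040),
    (b".data",  0x13000, 0x01000, 0xC0000040),
    (b"PAGE",   0x14000, 0x06000, 0x60000020),
    (b"INIT",   0x1A000, 0x01000, 0xE2000020),
    (b".rsrc",  0x1B000, 0x01000, 0x42000040),
    (b".reloc", 0x1C000, 0x01000, 0x42000040),
]
CLEAN_ENTRY = 0x1A0C0                                        # inside INIT
# Same image with a 0x100-byte read/write data section appended and the entry point moved into it,
# mirroring the size and characteristics GMER reported (the ".extra" name is invented).
PATCHED_LAYOUT = CLEAN_LAYOUT + [(b".extra", 0x1D000, 0x00100, 0xC0000040)]
PATCHED_ENTRY = 0x1D000

CLEAN_SAMPLE = build_pe(CLEAN_LAYOUT, CLEAN_ENTRY)
PATCHED_SAMPLE = build_pe(PATCHED_LAYOUT, PATCHED_ENTRY)

if __name__ == "__main__":
    # Usage: python triage.py <copy-of-afd.sys>   (falls back to the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], triage_last_section(fh.read()))
    else:
        print("clean sample  :", triage_last_section(CLEAN_SAMPLE))
        print("patched sample:", triage_last_section(PATCHED_SAMPLE))
```

Run it against a copy of the driver taken while booted from clean media, not from the live system, since a kernel-level hook can serve the original bytes to user-mode reads; compare the result with the copy in dllcache or a known-good SP2 install, and use the :reg output to confirm the service still points at the expected path rather than at a renamed driver.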
