Originally I used Nod32, but 2 days ago I started getting these Windows Security popups for all these trusted programs asking if I want to unblock them. Then Nod32 real-time protection tells me there are over 200 threats and that only 1 was successfully cleaned, but it seemed like the files being reported are legitimate files such as Apple Mobile Device, Adobe Acrobat, Google Chrome, etc. All these files failed to be cleaned according to Nod32.
Assuming that Nod32 had been compromised, I tried to repair and then uninstall Nod32, to no avail. Then I tried to download and install various other AV products (STOPzilla, AVG, Malwarebytes, BitDefender, etc.); I could not even complete installation for most. Malwarebytes and STOPzilla seemed to install, but they could not launch any scanners. I have tried the above steps in normal and Safe Mode; I can't scan in Safe Mode either.
I downloaded and ran OTL with no problem downloading or executing it. However, when I click on Quick Scan it exits after about 3 seconds, and afterwards .exe/.scr/.com files will not execute and I get the message:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
I used exeHelper, which reset the file association and let me try to run OTL again. OTL did the same thing and exited again, after which clicking on OTL again gave me the previous message. I assumed this would loop forever, so I stopped at this point. I do not have an OTL report to post but would love to be able to post one.
I got desperate, looked through other similar forum posts and tried some solutions, and I was able to get ComboFix to run; here is the log.
Thank you for your time and help!
**UPDATE** - I was able to go into Safe Mode and change permissions on the files (XP Home, so I cannot change security permissions from normal Windows). I was then able to run OTL, HijackThis, Win32kDiag, and rkill, just scans with the logs; I did not do any fixes or anything since I'm not sure what I should be removing, etc. I tried to run them in normal Windows as well, but it seems once I went out of Safe Mode the virus was able to change permissions again. OTL and HijackThis both started but exited after a few seconds; when I try to run them again, their permissions had been changed to deny me access once again. I'm not sure if I should be attaching the logs yet and did not want to clutter up this post; I will attach or copy/paste if needed.
Thank You!
ComboFix 11-07-21.02 - Compaq_Owner 07/21/2011 16:34:40.3.1 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
.
---- Previous Run -------
.
c:\documents and settings\Administrator.FAMILY\WINDOWS
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Compaq_Owner\Application Data\FFSJ
c:\documents and settings\Compaq_Owner\Application Data\FFSJ\FFSJ.cfg
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\JP\WINDOWS
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))
.
.
2011-07-21 13:40 . 2011-07-21 20:28 -------- d-----w- C:\Combo-Fix
2011-07-21 13:04 . 2011-07-21 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-21 05:36 . 2011-07-21 05:36 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-07-21 05:36 . 2011-07-21 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-21 05:36 . 2011-07-21 05:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-21 04:50 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-21 04:49 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-21 02:54 . 2011-07-21 02:54 -------- d-----w- c:\program files\ACW
2011-07-21 02:28 . 2011-07-21 14:01 -------- d-----w- c:\documents and settings\JP
2011-07-20 14:35 . 2011-07-20 14:35 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-20 14:35 . 2011-07-20 14:35 -------- d-----w- c:\program files\Trend Micro
2011-07-19 23:53 . 2011-07-19 23:53 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\QuickScan
2011-07-19 22:13 . 2011-07-19 22:13 -------- d-----w- c:\program files\ESET
2011-07-19 16:18 . 2011-07-19 16:18 1152 ----a-w- c:\windows\system32\windrv.sys
2011-07-19 16:17 . 2011-07-20 20:28 -------- d-----w- c:\program files\SpyNoMore
2011-07-19 16:17 . 2011-07-19 16:17 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\GetRightToGo
2011-07-19 14:50 . 2011-07-19 14:50 -------- d-----w- c:\program files\Common Files\iS3
2011-07-19 14:50 . 2011-07-20 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-07-18 17:41 . 2011-07-18 17:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2011-07-18 16:45 . 2011-07-18 16:45 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\RoboForm
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»3.scr
2011-07-08 14:57 . 2011-07-08 14:57 -------- d-----w- c:\windows\system32\WPB1003_ŽÑˆ»3 dir
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»2.scr
2011-07-08 14:57 . 2011-07-08 14:57 -------- d-----w- c:\windows\system32\WPB1003_ŽÑˆ»2 dir
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»1.scr
2011-07-08 14:57 . 2011-07-08 14:57 -------- d-----w- c:\windows\system32\WPB1003_ŽÑˆ»1 dir
2011-07-08 14:51 . 2011-07-08 14:51 -------- d-----w- c:\windows\system32\v_269_ss2 dir
2011-07-08 14:51 . 2011-07-08 14:51 203264 ----a-w- c:\windows\system32\v_269_ss2.scr
2011-07-08 14:51 . 2011-07-08 14:52 -------- d-----w- c:\windows\system32\v_269_ss1 dir
2011-07-08 14:51 . 2011-07-08 14:51 203264 ----a-w- c:\windows\system32\v_269_ss1.scr
2011-07-08 14:44 . 2011-07-08 14:44 503892 ----a-w- c:\windows\v_322_ss2Uninst.exe
2011-07-08 14:44 . 2011-07-08 14:44 1308501 ----a-w- c:\windows\v_322_ss2.scr
2011-07-08 14:43 . 2011-07-08 14:43 503892 ----a-w- c:\windows\v_322_ss1Uninst.exe
2011-07-08 14:43 . 2011-07-08 14:43 1118130 ----a-w- c:\windows\v_322_ss1.scr
2011-07-08 14:43 . 2011-07-08 14:43 503892 ----a-w- c:\windows\v_360_ss2Uninst.exe
2011-07-08 14:43 . 2011-07-08 14:43 1422643 ----a-w- c:\windows\v_360_ss2.scr
2011-07-08 14:42 . 2011-07-08 14:42 503892 ----a-w- c:\windows\v_360_ss1Uninst.exe
2011-07-08 14:42 . 2011-07-08 14:42 1199595 ----a-w- c:\windows\v_360_ss1.scr
2011-07-08 14:36 . 2011-07-08 14:44 -------- d-----w- c:\windows\system32\WPB810_3 dir
2011-07-08 14:36 . 2011-07-08 14:36 532480 ----a-w- c:\windows\system32\WPB810_3.scr
2011-07-08 14:36 . 2011-07-08 14:54 -------- d-----w- c:\windows\system32\WPB810_ŽÑˆ»2 dir
2011-07-08 14:36 . 2011-07-08 14:36 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»2.scr
2011-07-08 14:35 . 2011-07-08 14:47 -------- d-----w- c:\windows\system32\WPB810_ŽÑˆ»1 dir
2011-07-08 14:35 . 2011-07-08 14:35 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»1.scr
2011-07-08 14:33 . 2011-07-08 14:33 503892 ----a-w- c:\windows\v_310_ss2Uninst.exe
2011-07-08 14:33 . 2011-07-08 14:33 1521079 ----a-w- c:\windows\v_310_ss2.scr
2011-07-08 14:32 . 2011-07-08 14:32 503892 ----a-w- c:\windows\v_310_ss1Uninst.exe
2011-07-08 14:32 . 2011-07-08 14:32 1217107 ----a-w- c:\windows\v_310_ss1.scr
2011-07-08 14:31 . 2011-07-08 14:31 503892 ----a-w- c:\windows\v_294_ss2Uninst.exe
2011-07-08 14:31 . 2011-07-08 14:31 1381093 ----a-w- c:\windows\v_294_ss2.scr
2011-07-08 14:31 . 2011-07-08 14:31 503892 ----a-w- c:\windows\v_294_ss1Uninst.exe
2011-07-08 14:31 . 2011-07-08 14:31 1136767 ----a-w- c:\windows\v_294_ss1.scr
2011-07-08 14:30 . 2011-07-08 14:30 503891 ----a-w- c:\windows\v_287_ss2Uninst.exe
2011-07-08 14:30 . 2011-07-08 14:30 1714122 ----a-w- c:\windows\v_287_ss2.scr
2011-07-08 14:29 . 2011-07-08 14:29 503892 ----a-w- c:\windows\v_287_ss1Uninst.exe
2011-07-08 14:29 . 2011-07-08 14:29 1170379 ----a-w- c:\windows\v_287_ss1.scr
2011-07-08 14:26 . 2011-07-08 14:26 -------- d-----w- c:\windows\system32\v_273_ss2 dir
2011-07-08 14:23 . 2011-07-08 14:26 203264 ----a-w- c:\windows\system32\v_273_ss2.scr
2011-07-08 14:22 . 2011-07-08 14:23 -------- d-----w- c:\windows\system32\v_273_ss1 dir
2011-07-08 14:22 . 2011-07-08 14:22 203264 ----a-w- c:\windows\system32\v_273_ss1.scr
2011-07-08 14:19 . 2011-07-08 14:19 -------- d-----w- c:\windows\system32\v_239_ss1 dir
2011-07-08 14:19 . 2011-07-08 14:19 201728 ----a-w- c:\windows\system32\v_239_ss1.scr
2011-07-08 14:17 . 2011-07-08 14:18 4727391 ----a-w- c:\windows\WPB603_ŽÑˆ»3.exe
2011-07-08 14:17 . 2011-07-08 14:18 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»3.scr
2011-07-08 14:17 . 2011-07-08 14:18 5338153 ----a-w- c:\windows\WPB603_ŽÑˆ»2.exe
2011-07-08 14:17 . 2011-07-08 14:18 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»2.scr
2011-07-08 14:15 . 2011-07-08 14:17 4788965 ----a-w- c:\windows\WPB603_ŽÑˆ»1.exe
2011-07-08 14:15 . 2011-07-08 14:18 29696 ----a-w- c:\windows\mickey32.dll
2011-07-08 14:15 . 2011-07-08 14:17 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»1.scr
2011-06-25 14:52 . 2011-07-21 02:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»3.scr
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»2.scr
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»1.scr
2011-07-08 14:36 . 2011-07-08 14:36 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»2.scr
2011-07-08 14:35 . 2011-07-08 14:35 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»1.scr
2011-07-08 14:18 . 2011-07-08 14:17 4727391 ----a-w- c:\windows\WPB603_ŽÑˆ»3.exe
2011-07-08 14:18 . 2011-07-08 14:17 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»3.scr
2011-07-08 14:18 . 2011-07-08 14:17 5338153 ----a-w- c:\windows\WPB603_ŽÑˆ»2.exe
2011-07-08 14:18 . 2011-07-08 14:17 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»2.scr
2011-07-08 14:17 . 2011-07-08 14:15 4788965 ----a-w- c:\windows\WPB603_ŽÑˆ»1.exe
2011-07-08 14:17 . 2011-07-08 14:15 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»1.scr
2011-06-06 19:55 . 2011-06-06 19:55 47512 ----a-w- c:\windows\system32\AdobePDF.dll
2011-06-06 19:55 . 2011-06-06 19:55 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
2011-06-06 00:58 . 2011-06-06 00:58 53248 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-06-06 00:57 . 2011-06-06 00:57 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-06-02 14:02 . 2004-08-04 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-09-23 01:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2009-08-21 22:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2004-08-04 05:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 05:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-04 05:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-04 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 05:00 385024 ----a-w- c:\windows\system32\html.iec
2006-05-03 16:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 17:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 19:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe" [2011-05-28 512400]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-06-06 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-06-06 2903448]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"EvtMgr6"="c:\program files\Logi\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"TkBellExe1"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-19 202256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-19 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2010-07-12 1067984]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.51.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 454656]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRealMode"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^setup_9.0.0.722_20.08.2010_21-52.lnk]
backup=c:\windows\pss\setup_9.0.0.722_20.08.2010_21-52.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpKiller
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShredAgent
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2005-05-10 17:50 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2005-01-24 02:56 544768 -c--a-w- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-08-19 07:06 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"MDM"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Widgets\\YahooWidgets.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\real\\RealUpgrade\\realupgrade.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 4\\AutoUpdate.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\IObit\\Password Folder\\PasswordFolder.exe"=
"c:\\Program Files\\VideoStream\\VideoStream.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5010:UDP"= 5010:UDP:emule udp
"110:TCP"= 110:TCP:BT
"110:UDP"= 110:UDP:BT1
"5000:TCP"= 5000:TCP:emule tcp
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 54343852;54343852 Boot Guard Driver;c:\windows\system32\DRIVERS\54343852.sys [x]
R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R1 54343851;54343851;c:\windows\system32\DRIVERS\54343851.sys [x]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2011-05-28 351232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24576]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
R3 jumi;%Jumi%;c:\windows\system32\DRIVERS\jumi.sys [2010-06-03 13112]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-02-26 137344]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-02-26 8320]
R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2010-01-29 24416]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WipeFile;WipeFile;c:\windows\system32\DRIVERS\WipeFile.sys [2007-03-03 57472]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [2011-02-23 13496]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-12-19 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-12 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys [2010-08-24 10448]
S2 PfFilter;PfFilter;c:\program files\IObit\Password Folder\pffilter.sys [2011-01-12 163648]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-03-12 30576]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-07-20 c:\windows\Tasks\ASC4_AutoUpdate.job
- c:\program files\IObit\Advanced SystemCare 4\AutoUpdate.exe [2011-05-11 18:46]
.
2011-07-21 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-05-11 18:46]
.
2011-07-18 c:\windows\Tasks\Game_Booster_AutoUpdate.job
- c:\program files\IObit\Game Booster\AutoUpdate.exe [2011-03-31 23:07]
.
2011-07-21 c:\windows\Tasks\Game_Booster_Startup.job
- c:\program files\IObit\Game Booster\GameBox.exe [2011-07-15 23:08]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2637110039-1654121908-4178984955-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-27 05:30]
.
2011-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2637110039-1654121908-4178984955-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-27 05:30]
.
2011-07-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2637110039-1654121908-4178984955-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2637110039-1654121908-4178984955-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-18 c:\windows\Tasks\SmartDefrag_Schedule.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-31 22:19]
.
2011-07-21 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-31 22:19]
.
2011-07-21 c:\windows\Tasks\User_Feed_Synchronization-{D4801835-F956-4975-AEF8-0E5592BA2263}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\0gma2n4r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
FF - prefs.js: network.proxy.type - 4
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)
Notify-TPSvc - TPSvc.dll
SafeBoot-Wdf01000.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-21 16:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB3255$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b8,13,18,95,fa,b5,43,8a,e8,b5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b8,13,18,95,fa,b5,43,8a,e8,b5,\
.
[HKEY_USERS\S-1-5-21-2637110039-1654121908-4178984955-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{97D1B5A3-39C5-C0D4-0C0C-0066D4EBC639}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\SUPER *]
"DisplayName"="SUPER ?Version 2009.bld.36 (June 10, 2009)"
"UninstallString"="c:\\PROGRA~1\\ERIGHT~1\\SUPER\\Setup.exe /remove /q0"
"InstallDate"="2009-06-22 20:22"
"InstallLocation"="c:\\Program Files\\eRightSoft\\SUPER"
"InstallSource"="c:\\Documents and Settings\\Compaq_Owner\\Desktop"
"DisplayIcon"="c:\\Program Files\\eRightSoft\\SUPER\\SUPER.exe"
"DisplayVersion"="Version 2009.bld.36 (June 10, 2009)"
"VersionMajor"=dword:00000000
"VersionMinor"=dword:00000000
"Publisher"="eRightSoft"
"HelpLink"="http://www.eRightSoft.com"
"URLInfoAbout"="http://www.eRightSoft.com"
"URLUpdateInfo"="http://www.eRightSoft.com"
"Contact"="[email protected]"
.
Completion time: 2011-07-21 16:44:26
ComboFix-quarantined-files.txt 2011-07-21 20:44
ComboFix2.txt 2010-08-21 07:51
.
Pre-Run: 6,291,963,904 bytes free
Post-Run: 6,249,820,160 bytes free
.
Current=18 Default=18 Failed=17 LastKnownGood=19 Sets=,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
- - End Of File - - A9AB07EDEDD5F3CE4B823230AFC984CA
Edited by nycmon, 22 July 2011 - 02:47 PM.